On Tue, Sep 17, 2002 at 04:51:35PM -0500, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 02:44:46PM -0600, Joel Baker wrote:
>
> > > Let me put it another way: they can forge their ID, but it's hard to
> > > forge their face. With a face-to-face meeting, if the person DOES have
> > > ulterior motives, we now have a much better chance of bringing them to
> > > justice afterwards than if both their identity and their face were
> > > unknown to us.
>
> > A forged ID can have any face on it you wish; that's sort of the point.
> > Sufficient disguise to fool someone face to face is even more trivial than
> > a fake ID. If someone's going to bother, spending $50 or less in materials
> > (or even a couple of hundred, for a completely new kit) isn't going to
> > bother them.
>
> > Again, if you're going to presume that there is an active attack, you have
> > to presume that the attacker places value on the result, and as such, is
> > willing to put both time and money into it.
>
> It does not follow that any attacker who places value on the result is
> skilled enough to achieve that result, given watchfulness on the part of
> the Debian community. :) Risk management is all about /minimizing/
> risks, not eliminating them completely. If we can make a concerted
> effort to ensure that any risk of attacking the project carries with it a
> corresponding risk of the perpetrator being caught, I think it's
> warranted.

*Any* attacker, no. But it does follow that, if they consider it valuable,
SOME attacker will. The skill set is not that difficult to come by; I'd
estimate it at maybe 5 people out of 400 (the only sample I have direct
access to), or roughly 1% of high school graduates, having the skill set
necessary.

> A $50 kit isn't going to get you a disguise to believably mask the facial
> features that are most important in identifying people through such
> things as police sketches. $60 may get you a fake ID from a neighboring
> state, but the whole point is to tighten the web enough so that
> keysigners ARE familiar with the forms of IDs applicants use. There are
> enough risks with trying to conceal one's identity in a face-to-face
> meeting that stealing a key is probably easier[0]... and that's a sign
> that we're doing things right, IMHO.

Don't do much theater work, do you? $50 of supplies is more than sufficient
(as, in the amount used). I did specify a few hundred, if you must buy a
complete set of the necessary materials (and will have quite a bit left
over).

What do you risk, anyway? Unless the DD also happens to be a LEO, or
suspects foul play beforehand and arranges for one... there isn't a lot
they can do. You go away and try it again somewhere else. All that's really
risked is time and possibly some money.

> Steve Langasek
> postmodern programmer
>
> [0] Whereas securing a fake Internet identity and photoshopping an ID is
> easier and safer yet by an order of magnitude, which is precisely why it
> shouldn't be accepted as a means of identification.

I disagree. Not that it isn't easier, but I do not concur that it is an
order of magnitude, or even an appreciable factor.

--
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/