
Re: Trouble becoming a member



On Tue, Sep 17, 2002 at 04:51:35PM -0500, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 02:44:46PM -0600, Joel Baker wrote:
> 
> > > Let me put it another way: they can forge their ID, but it's hard to
> > > forge their face.  With a face-to-face meeting, if the person DOES have
> > > ulterior motives, we now have a much better chance of bringing them to
> > > justice afterwards than if both their identity and their face were
> > > unknown to us.
> 
> > A forged ID can have any face on it you wish; that's sort of the point.
> > Sufficient disguise to fool someone face to face is even more trivial than
> > a fake ID. If someone's going to bother, spending $50 or less in materials
> > (or even a couple of hundred, for a completely new kit) isn't going to
> > bother them.
> 
> > Again, if you're going to presume that there is an active attack, you have
> > to presume that the attacker places value on the result, and as such, is
> > willing to put both time and money into it.
> 
> It does not follow that any attacker who places value on the result is
> skilled enough to achieve that result, given watchfulness on the part of
> the Debian community. :)  Risk management is all about /minimizing/
> risks, not eliminating them completely.  If we can make a concerted
> effort to ensure that any risk of attacking the project carries with it a
> corresponding risk of the perpetrator being caught, I think it's
> warranted.

*Any* attacker, no. But it does follow that, if they consider it valuable,
SOME attacker will. The skill set is not that difficult to come by; I'd
estimate it at maybe 5 people out of 400 (the only sample I have direct
access to), or roughly 1% of high school graduates, having the skill set
necessary.

> A $50 kit isn't going to get you a disguise to believably mask the facial
> features that are most important in identifying people through such
> things as police sketches.  $60 may get you a fake ID from a neighboring
> state, but the whole point is to tighten the web enough so that
> keysigners ARE familiar with the forms of IDs applicants use.  There are
> enough risks with trying to conceal one's identity in a face-to-face
> meeting that stealing a key is probably easier[0]... and that's a sign
> that we're doing things right, IMHO.

Don't do much theater work, do you? $50 of supplies is more than sufficient
(as, in the amount used). I did specify a few hundred, if you must buy a
complete set of the necessary materials (and will have quite a bit left
over).

What do you risk, anyway? Unless the DD also happens to be a LEO, or
suspects foul play beforehand and arranges for one... there isn't a lot
they can do. You go away and try it again somewhere else. All that's really
risked is time and possibly some money.

> Steve Langasek
> postmodern programmer
> 
> [0] Whereas securing a fake Internet identity and photoshopping an ID is
> easier and safer yet by an order of magnitude, which is precisely why it
> shouldn't be accepted as a means of identification.

I disagree. Not that it isn't easier, but I do not concur that it is an
order of magnitude, or even an appreciable factor.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/
