
Re: Trouble becoming a member

On Tue, Sep 17, 2002 at 06:00:08PM -0500, Steve Langasek wrote:
> On Tue, Sep 17, 2002 at 04:36:39PM -0600, Joel Baker wrote:
> > > A $50 kit isn't going to get you a disguise to believably mask the facial
> > > features that are most important in identifying people through such
> > > things as police sketches.  $60 may get you a fake ID from a neighboring
> > > state, but the whole point is to tighten the web enough so that
> > > keysigners ARE familiar with the forms of IDs applicants use.  There are
> > > enough risks with trying to conceal one's identity in a face-to-face
> > > meeting that stealing a key is probably easier[0]... and that's a sign
> > > that we're doing things right, IMHO.
> > Don't do much theater work, do you? $50 of supplies is more than sufficient
> > (as, in the amount used). I did specify a few hundred, if you must buy a
> > complete set of the necessary materials (and will have quite a bit left
> > over).
> Actually, I have done some theater work, and not many stage makeup jobs
> I've seen are seamless enough (even setting aside the fact that stage
> makeup is intended for much different lighting conditions) to pass for
> real flesh up close.  To pull that off requires a lot more than just $50
> in supplies, it requires a serious investment of time.  If someone's
> *that dedicated*, we're probably not going to keep them out no matter
> what.  But that's not a casual attack.  Our system should be good enough
> to keep out casual attackers.

And there is theatrical makeup specifically for "up close" work, too.
Street theater, etc. I assert that the people with the skills to make a
believable ID *and* pass the Debian skills checks *and* convince someone
to let them use a signed ID is sufficient to keep out 'casual' attackers,
and that beyond casual, as you note, we cannot defend against it.

> > What do you risk, anyway? Unless the DD also happens to be a LEO, or
> > suspects foul play beforehand and arranges for one... there isn't a lot
> > they can do. You go away and try it again somewhere else. All that's really
> > risked is time and possibly some money.
> You think someone who'd already been caught out once would try *again*
> when the community is abuzz with the news that someone tried to
> infiltrate Debian? :)

Why not? It's not like keysigning would stop; they wouldn't, if they were
smart, try it in the same area again anytime soon, but there's no reason to
assume that getting caught once means they go away.

> If you wear a disguise while lying your way into the keyring, the danger
> is that your peer will notice.  If you don't wear a disguise, the danger
> is that once you've gotten in and done the damage, there's someone who
> can describe you to the authorities.  Anyone who tries to pull off a
> deception in light of these risks is either good enough that we'll never
> catch them, or foolish enough that the one physical meeting is likely to
> be enough to let us catch them.  In contrast, creating an Internet
> persona and doing some Photoshop work is VERY low-risk, especially for
> the type of casual attacker most likely to have the skillset to try to
> infiltrate the project -- namely, a script kiddie.

I assert that the physical meeting is not necessarily to catching them, and
that the average script kiddie will still have problems passing the various

However, we've now gone in circles for 2-3 rounds, and I don't think
either of us is going to convince the other. The method appears to be used
sufficiently often that folks probably need to decide whether they are
willing to lose potential developers over it by restricting it to basically
being a no-go. Since, after all, the only verification that someone *can't*
meet a DD for a keysigning is their word - so if you allow it *at all*, you
must assume someone trying to go that route can lie convincingly enough to
get someone to allow it.

Having a weak link that isn't used often remains a weak link, and limits
the security of the process overall, for exactly those reasons - an active
attack *will* seek to compromise that weak link. If you're not going to
prohibit photo ID signatures entirely, there is little reason to avoid
using them any time it is problematic. I have to assume that the exemption
is there specifically because the original process decided that the risk
was acceptable, in the name of gaining DDs.
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/
