[FOSDEM] Fake passport at FOSDEM 2016 keysigning?
jurgen at gaeremyn.be
Tue Feb 2 06:30:06 CET 2016
Now let's not go all legal-ballistic on this.
1. The "fake ID" didn't present a fake identification. It was just a
fake document. It did not generate a fake personality.
2. There were plenty of safeguards... if there was SPECIMEN written all
over it, I would call that a small clue. I don't think this would stand
up in court.
Now, let's approach this with a developer's mindset. What happened? The
same thing that happens when peers review code: they review code with a
certain "assumption" and expectation of what code should do. You'll
need a hacker to actually look into code and find "unintended usages"
for it. If it's a white hat hacker, you're in luck. :)
Between coders, it's frowned upon to go after someone exposing a
vulnerability. Please don't do the same if someone pulls the same trick
I appreciate this happened. For 2 reasons:
1. It shows to me that the aspect "web of trust" can only happen with
people we trust and know. Acting on it with people we only trust blindly
and under time pressure (a line filing is quite some time pressure) is
undermining the whole system. This is actually the main reason I don't
do the keysigning party anymore.
2. When signing a key, you can also designate a level of trust. More
focus should be set on this. I would "completely trust" those people I
already know a long time and in person... I would take the lowest level
of trust when signing a "documented stranger".
Bottom line: it doesn't surprise me that a coder actually exposed this
hack. I'm glad (s)he did this in an ethical way (using their real name,
etc...) and came forward with it. (S)he didn't abuse the fake key e.g.
to inject malicious code into some GIT repository. You have no idea how
many people have done this trick on this or other events but shut up
about it. We should take the hit in dignity and start looking on how to
P.S. I didn't sign this mail intentionally.
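The "level of trust" chosen at signing time is an OpenPGP certification level (RFC 4880 signature classes 0x10 to 0x13, which gpg exposes as cert levels 0 to 3), and it is separate from the ownertrust you later assign to a key in your own trust database. The script below is an added example for this thread, not code from any of its authors or from the FOSDEM keysigning organisers. It assumes GnuPG 2.x (`gpg`) on PATH, works entirely in a throwaway GNUPGHOME, and uses three constructed identities: a signer, a long-known friend signed at level 3, and a "documented stranger" signed at the lowest non-generic level 1. It then reads the recorded class back from `--with-colons` output.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.x on PATH.
# All keys live in a temporary GNUPGHOME; the real keyring is untouched.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT

# Non-interactive gpg: batch mode, no passphrase (throwaway keys only).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Three constructed identities (example.invalid is a reserved TLD).
g --quick-gen-key 'Signer <signer@example.invalid>' default default never
g --quick-gen-key 'Old Friend <friend@example.invalid>' default default never
g --quick-gen-key 'Documented Stranger <stranger@example.invalid>' default default never

# Primary fingerprint (field 10 of the first fpr record) for an exact e-mail.
fpr_of() {
  gpg --batch --with-colons --list-keys "<$1>" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Long key ID (field 5 of the pub record) for an exact e-mail.
keyid_of() {
  gpg --batch --with-colons --list-keys "<$1>" | awk -F: '$1=="pub"{print $5; exit}'
}

# Certify a key at an explicit level. gpg's own prompt wording for the levels:
#   0 "I will not answer", 1 "I have not checked at all",
#   2 "I have done casual checking", 3 "I have done very careful checking".
# --quick-sign-key never prompts and takes the level from --default-cert-level.
sign_at_level() {
  level="$1"; target="$2"
  g --local-user '<signer@example.invalid>' --default-cert-level "$level" \
    --quick-sign-key "$(fpr_of "$target")"
}

# Signature class that the given signer recorded on the target's key, as gpg
# prints it in field 11 of a sig record: two hex digits plus "x" (exportable)
# or "l" (local only). Level 1 yields "11x", level 3 yields "13x".
cert_class() {
  target="$1"; signer="$2"
  gpg --batch --with-colons --check-sigs "$(fpr_of "$target")" \
    | awk -F: -v k="$signer" '$1=="sig" && $5==k {print $11; exit}'
}

# Lowest non-generic level for the stranger with a passport, highest for the
# person known for years in person.
sign_at_level 1 stranger@example.invalid
sign_at_level 3 friend@example.invalid

SIGNER_KEYID="$(keyid_of signer@example.invalid)"
echo "stranger: $(cert_class stranger@example.invalid "$SIGNER_KEYID")"   # 11x
echo "friend:   $(cert_class friend@example.invalid "$SIGNER_KEYID")"     # 13x
```

Two things worth keeping apart when reading the output: the class stored in the signature travels with the key when it is exported, so other people see how carefully you claim to have checked, whereas ownertrust (`gpg --edit-key ... trust`, or `--import-ownertrust`) stays in your own trustdb and says how far you rely on that person's certifications of others. Note also that gpg's wording for level 2 ("casual checking") is arguably the honest description of a passport glance in a keysigning queue; level 1 is what the script uses only because it is the lowest level that still says anything at all.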
On 02-02-16 01:46, Winfried Tilanus wrote:
> On 02/01/2016 11:27 PM, Jens Stomber wrote:
> First of all: I didn't notice the counterfeit passport and signed the
> key. I should have noticed. And this incident is a wake-up call to
> better check the presented IDs before accepting them.
> Secondly, the knowledge about the fake passport brings me in a
> difficult situation. Let me explain that a bit.
> Any attempt to undermine the web of trust is a serious blow to both
> the open source and the security community. Though the motivation to
> present a fake passport may be noble, its consequences can be severe
> because it undermines an important tool for secure and authenticated
> communication. So only if there are enough safeguards can such a 'wakeup
> call' be done in an ethical way. I think about safeguards like:
> - revoking the offending key /before/ the keysigning event
> - announcing beforehand that, as part of a test, a fake passport may
> be presented
> - revealing all the details right after the key signing event
> The person causing the incident at FOSDEM did not have any safeguards
> like these in place and seemed to have lacked any ethical or legal
> consideration before taking this action. From a legal point of view it
> is fraud to 'present a fake passport as if it is real'. At FOSDEM it
> was done under Belgian jurisdiction and that kind of fraud is
> punishable in Belgium with a jail sentence up to 10 years.
> That brings me to my dilemma: Because of the consequences for the web
> of trust, I would normally file a complaint (for fraud) against
> anybody who presents me a fake ID at a key signing party, except when
> this was part of a test with enough ethical (and legal) safeguards. It
> is clear that this action was not a case of malicious intent but merely
> a case of being unthoughtful. But the only way that the person who has
> done this can still make his actions more or less ethical is by still
> revoking the key and by publicly stepping up and making a statement
> about this test. But by doing so, he would provide the evidence for
> his own fraud. I can not demand that from anyone. So I don't believe
> this incident can still be turned into an 'ethical test'.
> I really don't want to file a complaint against a fellow member of the
> open source community. Neither do I want to bring Jens Stomber, Teddy
> Hogeborn or the organisers of FOSDEM in the position of being witness
> of a crime. But at the same time I believe that 'it was unthoughtful'
> is not enough to not do so.
> I honestly don't know how to react on this. I am in a position right
> now, I don't want to be in. I also honestly hope there is another
> resolution possible than filing a complaint. The best I can do now, is
> to give it some time and to think about it before taking action of any
> with kind regards,
> Winfried Tilanus
> Coba Ritsemastraat 12
> 2642 CD Pijnacker
> The Netherlands
>> Hi, I have been asked to forward this explanation with some
>> background information to you:
>> I'd be thankful if you could forward my response to all (as web.de
>> <http://web.de> won't let me send a mail to so many people).
>> Looking back I must say it may not have been the best idea to do
>> this test. But at first I would like to inform you that the "fake"
>> passport was a sample passport, which actually contained correct
>> About the passport: It was made by the same company which actually
>> makes the official documents, therefore most people who were
>> only looking at the fancy security features failed here.
>> I would like to remind the people who verify the documents for PGP
>> to actually check if the document makes any sense. Because besides
>> the fact that it was marked "Specimen" (which means example) it
>> had some more noticeable points like:
>> - the number of the passport was KD000000
>> - the country code was non-existent
>> - there was no country named on the document
>> - the name of the company which manufactured it was printed on it
>> multiple times
>> Besides that (and yes I know with so many people there it is hard
>> to do so), I would prefer that you check the documents if you don't
>> know them and maybe have a look at some of the basic security
>> features of the documents like cacert does for example.
>> To the result of the test: From all people who were at the key
>> signing sadly only 20 noticed that it was a sample passport, to
>> those I then showed my correct passport.
>> 2016-02-01 20:44 GMT+01:00 Teddy Hogeborn <teddy at recompile.se
>> <mailto:teddy at recompile.se>>:
>> First, please excuse me for this mass unsolicited mailing, but I
>> believe that this will be of interest to you.
>> At the FOSDEM 2016 keysigning, or rather, right after the
>> keysigning event, an unknown person approached me and my associate
>> in the hallway and suggested that they pitied us, and, upon
>> inquiry, admitted that it was due to us now having signed a fake
>> key. When pressed for further details, he would only say that
>> someone unknown to him had confessed to using a false passport,
>> presumably in the keysigning. He would not divulge anything
>> Now, surely this person, i.e. the person with the fake passport
>> who may or may not exist, is willing to come forward and share the
>> results of their experiment? No doubt they will be announcing the
>> details of their stunt, if only to make some point or other? (See
>> also “Do not disrupt Wikipedia to illustrate a point”:
>> In case they are not willing to immediately announce themselves, is
>> anyone else able to shed further light or provide additional
>> /Teddy Hogeborn
>> -- The Mandos Project http://www.recompile.se/mandos
>> Kind regards,
>> Jens Stomber
>> Schönbergstr. 23
>> 85057 Ingolstadt
>> E-Mail: jens.stomber at gmx.de <mailto:jens.stomber at gmx.de>
>> Jabber: zombb at jabber.ccc.de <mailto:zombb at jabber.ccc.de>
>> Tel.: +49 (0)841 / 37 99 285
>> Mobil: +49 (0)151 / 54 82 82 37
>> Fax: +49 (0)3212 / 1178019
> FOSDEM mailing list
> FOSDEM at lists.fosdem.org