[FOSDEM] Fake passport at FOSDEM 2016 keysigning?

Winfried Tilanus winfried at tilanus.com
Tue Feb 2 16:41:54 CET 2016

Hash: SHA512

On 02-02-16 06:30, Jurgen Gaeremyn wrote:


> Now let's not go all legal-ballistic on this.
> 1. The "fake ID" didn't present a fake identification. It was just
> a fake document. It did not generate a fake personality.
> 2. There were plenty of safeguards... if there was SPECIMEN written
> all over it, I would call that a small clue. I don't think this
> would stand up in court.

I don't know the jurisprudence in Belgium, but for a Dutch court
'presenting a fake document as if it is real' is enough to convict.

Beside that, I have only seen the fake ID, not the real ID. So I can't
confirm anymore the identity of this person. (Whoever it is)

> Now, let's approach this with a developer's mindset. What happened?
> The same thing that happens when peers review code: they review
> code with a certain "assumption" and expectaction of what code
> should do. You'll need a hacker to actually look into code and find
> "unintended usages" for it. If it's a white hat hacker, you're in
> luck. :)
> Between coders, it's frowned upon to go after someone exposing a 
> vulnerability. Please don't do the same if someone pulls the same
> trick on you.

I will never go after and ethical hacker, I even support them when I
become aware of their activities. Been there, done that. But when a
hacker shows to be unethical by going off-limit for example by reading
confidential information or DOSsing a production system, I will file a
complaint. Been there, done that.

> I appreciate this happened. For 2 reasons: 1. It shows to me that
> the aspect "web of trust" can only happen with people we trust and
> know. Acting on it with people we only trust blindly and under time
> pressure (a line filing is quite some time pressure) is undermining
> the whole system. This is actually the main reason I don't do the
> keysigning party anymore.

Yes it certainly does show a weakness in the system. I would really
appreciate full disclosure (including scans of the used documents) so
I can learn from the incident and discuss with the community on how to
deal with it.

> 2. When signing a key, you can also designate a level op trust.
> More focus should be set on this. I would "completely trust" those
> people I already know a long time and in person... I would take the
> lowest level of trust when signing a "documented stranger".

That would be a way of dealing with this vulnerability in this system.

> Bottom line: it doesn't surprise me that a coder actually exposed
> this hack. I'm glad (s)he did this in an ethical way (using their
> real name, etc...) and came forward with it. (S)he didn't abuse the
> fake key e.g. to inject malicious code into some GIT repository.
> You have no idea how many people have done this trick on this or
> other events but shut up about it. We should take the hit in
> dignity and start looking on how to patch this.

The test causes harm, as long as the signatures from the KSP for the
offending key are in the web of trust. Until it is clear the offending
key is revoked, I consider this an unethical hack.

Best wishes,

Winfried Tilanus

Version: GnuPG v2


More information about the FOSDEM mailing list