[FOSDEM] Fake passport at FOSDEM 2016 keysigning?

[Winfried Tilanus]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02-02-16 06:30, Jurgen Gaeremyn wrote:

Hi,

> Now let's not go all legal-ballistic on this.
> 
> 1. The "fake ID" didn't present a fake identification. It was just
> a fake document. It did not generate a fake personality.
> 
> 2. There were plenty of safeguards... if there was SPECIMEN written
> all over it, I would call that a small clue. I don't think this
> would stand up in court.

I don't know the jurisprudence in Belgium, but for a Dutch court
'presenting a fake document as if it is real' is enough to convict.

Beside that, I have only seen the fake ID, not the real ID. So I can't
confirm anymore the identity of this person. (Whoever it is)

> Now, let's approach this with a developer's mindset. What happened?
> The same thing that happens when peers review code: they review
> code with a certain "assumption" and expectaction of what code
> should do. You'll need a hacker to actually look into code and find
> "unintended usages" for it. If it's a white hat hacker, you're in
> luck. :)
> 
> Between coders, it's frowned upon to go after someone exposing a 
> vulnerability. Please don't do the same if someone pulls the same
> trick on you.

I will never go after and ethical hacker, I even support them when I
become aware of their activities. Been there, done that. But when a
hacker shows to be unethical by going off-limit for example by reading
confidential information or DOSsing a production system, I will file a
complaint. Been there, done that.

> I appreciate this happened. For 2 reasons: 1. It shows to me that
> the aspect "web of trust" can only happen with people we trust and
> know. Acting on it with people we only trust blindly and under time
> pressure (a line filing is quite some time pressure) is undermining
> the whole system. This is actually the main reason I don't do the
> keysigning party anymore.

Yes it certainly does show a weakness in the system. I would really
appreciate full disclosure (including scans of the used documents) so
I can learn from the incident and discuss with the community on how to
deal with it.

> 2. When signing a key, you can also designate a level op trust.
> More focus should be set on this. I would "completely trust" those
> people I already know a long time and in person... I would take the
> lowest level of trust when signing a "documented stranger".

That would be a way of dealing with this vulnerability in this system.

> Bottom line: it doesn't surprise me that a coder actually exposed
> this hack. I'm glad (s)he did this in an ethical way (using their
> real name, etc...) and came forward with it. (S)he didn't abuse the
> fake key e.g. to inject malicious code into some GIT repository.
> You have no idea how many people have done this trick on this or
> other events but shut up about it. We should take the hit in
> dignity and start looking on how to patch this.

The test causes harm, as long as the signatures from the KSP for the
offending key are in the web of trust. Until it is clear the offending
key is revoked, I consider this an unethical hack.

Best wishes,

Winfried Tilanus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJWsM5CAAoJEHZ7UH0X6LdcTOUP/jKPPf0bVYdkkqOQ+Y6PB1vF
VjSUxEBhS5FP28xjOEjKgbnuuHeqFo+Ug82lvoQ2WvtaISoa4bD6/Kmdt+L/kt2M
ZE2lLC6i9nbBuRTbf2yaMhEH2TYEZWnTffMz7ffqdxy1mvjRierpKRN8jeAUBb+Y
+KPBMLButm/VFES7ibyPd3Vyyy54E05qfXeuZWVn9t0IE7qvfUKRe9AA4AI+CY9n
B0iPs8PNbPfWA6MqtWijz8UHjmzLWFAIEC4VS+isCJjXt75N/ApAtDRuLY5Pbp1X
2XvG57DmQBv8/EcOrZLMUd6eIWPI/tu6F5C1zvXY3jMTFbS7WHjy4Seb9TQsHQGh
R447Mt1ttrb9Dpdr8K9ljwviezUUk0JocBrmlvfSlDpQegBIw9nA6BapfmnYzj5Z
biFenTgvL9Sdv11Hhxl3Qho4zDaBF9Z7bbimDYzEuxeIi4tkvpn307IJ9PcjRsL9
G7WPmhi6RAHPu1ioxy07ishy/u/Hwp32YeLaSmLXTNaB8s2woUB+mpQcP0izqSXg
M+x3VlOYRWSxXNUd9dwF33mtj5dbkfpSXDWkS0KeQz+hoic6CwqgZC6Gzi314uia
pT7YIeLU162ngIlgebMloYFge7mM2ULb6bjK6/hGZ+ni+B1lWQqtgSF+2akUDNAt
ZkaSDKaXFOyvOgfORwhQ
=5D+n
-----END PGP SIGNATURE-----