[FOSDEM] Fake passport at FOSDEM 2016 keysigning?

Pander pander at users.sourceforge.net
Tue Feb 2 17:18:49 CET 2016 

As some organisations allow penetration testing to see if their security
is in order, something similar could be set up for the key signing,
*with* prior knowledge of the FOSDEM organisation and an infrastructure
in place to revoke it at the end of the key signing.

So, for example, one person and only one person, in collaboration with
the organisation, is in there with a fake ID, ID from some else or
incorrect key or whatever. He or she is there in order to validate that
the process works correctly.

An ID with SPECIMEN written all over it is in my view not presenting a
fake document as real, as it is stating that it is a specimen. When
someone does not notice it, then it is about the intention and the
damage done. The intention is to improve the process and the damage done
is zero. So this will, in my layman's view, not something you will get a
conviction over, but you can waste time and money with it.

On 02/02/2016 04:41 PM, Winfried Tilanus wrote:
> On 02-02-16 06:30, Jurgen Gaeremyn wrote:
> 
> Hi,
> 
>> Now let's not go all legal-ballistic on this.
> 
>> 1. The "fake ID" didn't present a fake identification. It was just
>> a fake document. It did not generate a fake personality.
> 
>> 2. There were plenty of safeguards... if there was SPECIMEN written
>> all over it, I would call that a small clue. I don't think this
>> would stand up in court.
> 
> I don't know the jurisprudence in Belgium, but for a Dutch court
> 'presenting a fake document as if it is real' is enough to convict.
> 
> Beside that, I have only seen the fake ID, not the real ID. So I can't
> confirm anymore the identity of this person. (Whoever it is)
> 
>> Now, let's approach this with a developer's mindset. What happened?
>> The same thing that happens when peers review code: they review
>> code with a certain "assumption" and expectaction of what code
>> should do. You'll need a hacker to actually look into code and find
>> "unintended usages" for it. If it's a white hat hacker, you're in
>> luck. :)
> 
>> Between coders, it's frowned upon to go after someone exposing a 
>> vulnerability. Please don't do the same if someone pulls the same
>> trick on you.
> 
> I will never go after and ethical hacker, I even support them when I
> become aware of their activities. Been there, done that. But when a
> hacker shows to be unethical by going off-limit for example by reading
> confidential information or DOSsing a production system, I will file a
> complaint. Been there, done that.
> 
>> I appreciate this happened. For 2 reasons: 1. It shows to me that
>> the aspect "web of trust" can only happen with people we trust and
>> know. Acting on it with people we only trust blindly and under time
>> pressure (a line filing is quite some time pressure) is undermining
>> the whole system. This is actually the main reason I don't do the
>> keysigning party anymore.
> 
> Yes it certainly does show a weakness in the system. I would really
> appreciate full disclosure (including scans of the used documents) so
> I can learn from the incident and discuss with the community on how to
> deal with it.
> 
>> 2. When signing a key, you can also designate a level op trust.
>> More focus should be set on this. I would "completely trust" those
>> people I already know a long time and in person... I would take the
>> lowest level of trust when signing a "documented stranger".
> 
> That would be a way of dealing with this vulnerability in this system.
> 
>> Bottom line: it doesn't surprise me that a coder actually exposed
>> this hack. I'm glad (s)he did this in an ethical way (using their
>> real name, etc...) and came forward with it. (S)he didn't abuse the
>> fake key e.g. to inject malicious code into some GIT repository.
>> You have no idea how many people have done this trick on this or
>> other events but shut up about it. We should take the hit in
>> dignity and start looking on how to patch this.
> 
> The test causes harm, as long as the signatures from the KSP for the
> offending key are in the web of trust. Until it is clear the offending
> key is revoked, I consider this an unethical hack.
> 
> Best wishes,
> 
> Winfried Tilanus
> 
> _______________________________________________
> FOSDEM mailing list
> FOSDEM at lists.fosdem.org
> https://lists.fosdem.org/listinfo/fosdem
>

The content of all messages is the sole responsibility of the author.
More information about the FOSDEM mailing list