Re: Red team attacks vs. cracking

2006-06-01 Thread Henning Makholm
Gunnar Wolf [EMAIL PROTECTED] wrote:
 Henning Makholm said [Wed, May 31, 2006 at 04:10:51AM +0200]:

 A KSP that depends on there being any pre-existing trust to abuse is
 *completely worthless* as a KSP whether or not that trust is abused
 or not.

 Ummm... There is a certain metric of pre-existing trust that _does_
 exist here. Let's go back to Martin's specific case, to exemplify.

I'm not saying that the trust does not _exist_, just that it should
not be _necessary_ for the proper functioning of the keysigning
process.

-- 
Henning Makholm   No one is aiming at the castle. The gentlemen kings intend
 to triumph from the balcony once they have killed each other.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Red team attacks vs. cracking

2006-05-31 Thread Gunnar Wolf
Henning Makholm said [Wed, May 31, 2006 at 04:10:51AM +0200]:
 Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote:
 
  I do agree with Manoj that this was *not* a legitimate experiment (i.e.
  not a red team test) and that Martin *did* abuse our [0] trust [1]
 
 A KSP that depends on there being any pre-existing trust to abuse is
 *completely worthless* as a KSP whether or not that trust is abused
 or not.

Ummm... There is a certain metric of pre-existing trust that _does_
exist here. Let's go back to Martin's specific case, to exemplify.

Many people have known Martin in person for several years. The people
that do know him already will be very surprised and react right away
if he wants to impersonate someone else (as an example, Alexander
Schmehl, who was at Debconf and was part of the prepared sheets, but
didn't take part in the end at the KSP). 

Of course, Martin could keep track of who knows him personally, and
maybe even extrapolate on who is right away familiar with Alexander,
and cleverly switch the fake and real IDs, not to raise
suspiciousness. 

If he is standing in spot 104 (which in our list means between Jeroen
and Adeodato - who didn't participate, so Nicolas stands next to
him), however, he won't be allowed to present an ID with Alexander's
name, as Alexander should have been standing in spot 38 (between me
and Rodrigo Gallardo).

Ok, so Martin, who is a bad person and a very good and clever actor,
will play as if he were taking part in the KSP, standing between Rodrigo
and me. If somebody comes that probably knows Alexander or him
personally, he will pretend he is just hanging around, chatting with
people, and not signing keys.

But here comes the bit of pre-existing trust we _do_ have: I know
personally Alexander, have worked with him and can recognize him
easily. And although I haven't talked as much with Martin, I can also
easily recognize his face. If he is standing next to me the whole
time, even if he is a great actor and doesn't allow me to doubt he is
presenting a fake ID, it will be obvious for me he is impersonating
somebody else. So, I denounce he is a fake, and nobody signs the fake
Alexander's key.

Yes, I'm picking the names of two well-known people in the project. It
could be easier to impersonate, say, Raúl Odria or Mario Oyorzabal
(both of which didn't attend), so this pre-existing trust is
limited. But it clearly exists and counts for something, especially in
well-connected groups such as ours. And this is an important factor to
request people who are well known in the project not to skip the KSP
if it happens as it happened this time (and as in the other proposals
I've seen).

Greetings,

-- 
Gunnar Wolf - [EMAIL PROTECTED] - (+52-55)5623-0154 / 1451-2244
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF





Re: Red team attacks vs. cracking

2006-05-30 Thread Michael Banck
Manoj,

On Tue, May 30, 2006 at 09:52:11AM -0500, Manoj Srivastava wrote:
 This is to forestall those of you who seem to be arguing
  that the debconf6 KSP crack was a red team attack -- here is how that
  attack differed from a legitimate red team effort (I have been a
  member of red teams before, and have led a number of red team
  attacks in my time).

I don't think this mail is on-topic on -devel, could you please repost
it on project?


thanks,

Michael

-- 
Michael Banck
Debian Developer
[EMAIL PROTECTED]
http://www.advogato.org/person/mbanck/diary.html





Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Manoj Srivastava [EMAIL PROTECTED] writes:

 This is to forestall those of you who seem to be arguing
  that the debconf6 KSP crack was a red team attack -- here is how that
  attack differed from a legitimate red team effort (I have been a
  member of red teams before, and have led a number of red team
  attacks in my time).

I haven't heard anyone make such a claim.





Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 09:28:19AM -0700, Thomas Bushnell BSG wrote:
 Manoj Srivastava [EMAIL PROTECTED] writes:
 
  This is to forestall those of you who seem to be arguing
   that the debconf6 KSP crack was a red team attack -- here is how that
   attack differed from a legitimate red team effort (I have been a
   member of red teams before, and have led a number of red team
   attacks in my time).
 
 I haven't heard anyone make such a claim.

Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a red team attack. Nobody
used that term explicitly probably because they are unfamiliar with it. I
know what it means, I've done my share of pen-testing to companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a red team test) and that Martin *did* abuse our [0] trust [1]

I find this akin to people finding and exploiting web app vulnerabilities
(without being paid for by the company and without their approval).
To show that webapps are vulnerable.

Regards

Javier

[0] The assistants to the KSP

[1] By not providing a *proper* ID as required by the KSP organisers (and
all KSP protocols I've read). Notice that he himself has described his ID
as not being *proper* and that it was the whole point of his exercise.




Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:

 Claiming that what Martin did was good since he was showing
 something useful for our community is equivalent to saying it was a
 red team attack. Nobody used that term explicitly probably because
 they are unfamiliar with it. I know what it means, I've done my
 share of pen-testing to companies.

Perhaps some people have argued that it was good what he did; I have
not.  I have constrained my comments to arguing only that what he did
was not, so far as we know, either fraudulent or forgery.

What he did may have beneficial consequences, if it encourages people
to be more careful in the future, but certainly I would agree that
this does not justify it.

I am actually quite ambivalent about whether I think what he did was
wrong; I think to determine that I would need to read carefully what
the KSP organizers said.  Martin certainly should follow the protocols
established, but I would only count established as being what is
actually written down by the KSP organizers, and not just some kind of
general unspoken expectation.  (Where can I read about those written
protocols, if there are any?)

 I find this akin to people finding and exploiting web app vulnerabilities
 (without being paid for by the company and without their approval).
 To show that webapps are vulnerable.

Indeed, if he did violate the written rules of the KSP, then it is
much like this.  (That still doesn't make it forgery, fraud, or
dishonesty, however.)

At the same time, we should *also* recognize that anyone who signed on
the basis of the Transnational Republic ID (unless they have more
information about that organization than the rest of us do) has *also*
broken the rules of the KSP.

Moreover, the harm caused by people who did not properly check the ID
is *worse* than the harm caused by not following the written KSP rules
(if indeed he didn't follow them).  So I ask, ONE MORE TIME, HOPING
FOR AN ANSWER:

Manoj, did you sign the key on the basis of the Transnational Republic
ID?

Javier, did you?

Thomas



Re: Red team attacks vs. cracking

2006-05-30 Thread Joe Smith


Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]


Claiming that what Martin did was good since he was showing something useful
for our community is equivalent to saying it was a red team attack. Nobody
used that term explicitly probably because they are unfamiliar with it. I
know what it means, I've done my share of pen-testing to companies.

I do agree with Manoj that this was *not* a legitimate experiment (i.e.
not a red team test) and that Martin *did* abuse our [0] trust [1]


Had Martin never mentioned this, it would have been a non-issue.
There is no real damage. While signatures may have been based on
a non-official ID, Martin did indeed own the key in question, so
the end harm is zero. But Martin decided to publish this experiment.
Is this really a bad thing? He proved that KSP are bad for the web of trust.
A legitimate attacker could abuse the KSP just as easily as Martin, but
would result in actual damage, and would most likely not have been caught.

So, if KSPs are not changed, then the Web of trust becomes effectively
worthless. Manoj should be far more concerned about that, than about Martin's
demonstration of this.







Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Joe Smith [EMAIL PROTECTED] writes:

 So, if KSPs are not changed, then the Web of trust becomes
 effectively worthless.  Manoj should be far more concerned about
 that, than about Martin's demonstration of this.

Personally, I'm especially worried about the developers who were taken
in by the Transnational Republic ID.  So, can we have a fess up time
now?  Manoj, did you sign the key on this basis?

The people who we really shouldn't trust are the ones who thought the
Transnational Republic is a real country, or didn't bother to check.
Manoj has already admitted that he doesn't bother to check as a rule,
but hasn't said whether in fact he was taken in and signed the key on
this basis.

Manoj, you?

Thomas





Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Javier Fernández-Sanguino Peña [EMAIL PROTECTED] [2006.05.30.1920 +0200]:
 I do agree with Manoj that this was *not* a legitimate experiment (i.e.
 not a red team test) and that Martin *did* abuse our [0] trust [1]

I acknowledge this and would like to apologise to everyone.

My experiment was indeed not at all prepared. I am very pleased,
however, with the result. Should I ever conduct something similar in
the future (I don't have any plans), I will follow a protocol based
on the one suggested by Manoj.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
people who catch fire quickly
 grow cold quickly and are therefore on the whole unreliable.
 - friedrich nietzsche




Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Thomas Bushnell BSG [EMAIL PROTECTED] [2006.05.30.2002 +0200]:
 Personally, I'm especially worried about the developers who were
 taken in by the Transnational Republic ID.  So, can we have
 a fess up time now?  Manoj, did you sign the key on this basis?

He did not.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
arguments are extremely vulgar,
 for everyone in good society
 holds exactly the same opinion.
-- oscar wilde




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 10:40, Joe Smith wrote:
 But Martin decided to publish this experiment.
 Is this really a bad thing? He proved that KSP are bad for the web of
 trust. 

Isn't what Martin and this thread actually demonstrated is that signing keys 
based on IDs you cannot reasonably authenticate as real, with a focus on 
quantity instead of quality among KSP participants is the real problem at 
hand?

Even the guy at 7-Eleven has the big book of north american ID cards with 
pictures and descriptions of what makes a real one for when they encounter an 
ID that they've never seen before.  Surely Debian can do as well as the guy 
selling cigarettes and beer at the 7-Eleven when it comes to verification...

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread martin f krafft
thus spoke Paul Johnson [EMAIL PROTECTED] [2006.05.30.2120 +0200]:
 Even the guy at 7-Eleven has the big book of north american ID cards with 
 pictures and descriptions of what makes a real one for when they encounter an 
 ID that they've never seen before.  Surely Debian can do as well as the guy 
 selling cigarettes and beer at the 7-Eleven when it comes to verification...

fun context=true story
  I once had the 7-Eleven guy refuse my German driver's licence,
  because it had VOID printed over it in this very book
/fun

The idea is a nice one, let's compile a book with descriptions of
valid IDs. However, this really won't help at all during a KSP.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer and author: http://debiansystem.info
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Most Intelligent Customers Realise Our Software Only Fools Them.




Re: Red team attacks vs. cracking

2006-05-30 Thread Adam Borowski
On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
 Even the guy at 7-Eleven has the big book of north american ID cards with 
 pictures and descriptions of what makes a real one for when they encounter an 
 ID that they've never seen before.  Surely Debian can do as well as the guy 
 selling cigarettes and beer at the 7-Eleven when it comes to verification...

How can you check if an ID card is real based only on what is written
on the card, even if it has all the hallmarks mentioned in that book?

See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50.  Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in Warsaw, and was led to a guy with a number of blank Polish
IDs for ~$25 each...

That's about what checking government-issued IDs is worth.

-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.





Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
 On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
  Even the guy at 7-Eleven has the big book of north american ID cards with
  pictures and descriptions of what makes a real one for when they
  encounter an ID that they've never seen before.  Surely Debian can do as
  well as the guy selling cigarettes and beer at the 7-Eleven when it comes
  to verification...

 How can you check if an ID card is real based only on what is written
 on the card, even if it has all the hallmarks mentioned in that book?

If you don't trust the ID, you don't sign the key.  But having the book to be 
able to get a bad feeling about the ID from sure beats the apparent current 
system of Sign the key and hope the ID is for real.

 See, if you visit a bazaar, I bet a helpful guy with a Russian accent
 can sell you a perfectly valid passport for less than $50.  Several
 years ago, a friend of mine actually asked someone at the Stadion
 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
 IDs for ~$25 each...

 That's about what checking government-issued IDs is worth.

Perhaps in that part of the world, yes.

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Linas Žvirblis
Paul Johnson wrote:

 See, if you visit a bazaar, I bet a helpful guy with a Russian accent
 can sell you a perfectly valid passport for less than $50.  Several
 years ago, a friend of mine actually asked someone at the Stadion
 10-lecia in Warsaw, and was led to a guy with a number of blank Polish
 IDs for ~$25 each...

 That's about what checking government-issued IDs is worth.
 
 Perhaps in that part of the world, yes.

Oh, THAT part of the world. Wait a minute, what part of the world? Can
you name any country in which you cannot buy fake IDs?

I might have misunderstood you, but your comment sounded like an insult
towards Eastern Europe.





Re: Red team attacks vs. cracking

2006-05-30 Thread Stephen Gran
This one time, at band camp, Paul Johnson said:
 On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
  See, if you visit a bazaar, I bet a helpful guy with a Russian
  accent can sell you a perfectly valid passport for less than $50.
  Several years ago, a friend of mine actually asked someone at the
  Stadion 10-lecia in Warsaw, and was led to a guy with a number of
  blank Polish IDs for ~$25 each...
 
  That's about what checking government-issued IDs is worth.
 
 Perhaps in that part of the world, yes.

What are you talking about, that part of the world?  Teenagers where
you're from don't have fake IDs?  I know I did when I was a teenager in
Philadelphia.  They may not have been printed on authentic passport
blanks, but they were close enough to fool people who looked at them for
a living.

I'm not really sure why the idea that ID's are forgeable is so
surprising, though.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -




Re: Red team attacks vs. cracking

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
 On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
  See, if you visit a bazaar, I bet a helpful guy with a Russian accent
  can sell you a perfectly valid passport for less than $50.  Several
  years ago, a friend of mine actually asked someone at the Stadion
  10-lecia in Warsaw, and was led to a guy with a number of blank Polish
  IDs for ~$25 each...

  That's about what checking government-issued IDs is worth.

 Perhaps in that part of the world, yes.

As opposed to California, where per the news story I heard a couple weeks
ago, a counterfeit state ID good enough to elude an arrest warrant can be
had for $100-$200?

Thanks for playing, you arrogant jerk.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
 On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
  On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
   See, if you visit a bazaar, I bet a helpful guy with a Russian accent
   can sell you a perfectly valid passport for less than $50.  Several
   years ago, a friend of mine actually asked someone at the Stadion
   10-lecia in Warsaw, and was led to a guy with a number of blank Polish
   IDs for ~$25 each...
  
   That's about what checking government-issued IDs is worth.
 
  Perhaps in that part of the world, yes.

 As opposed to California, where per the news story I heard a couple weeks
 ago, a counterfeit state ID good enough to elude an arrest warrant can be
 had for $100-$200?

California's its own little world, generally speaking if you assume the worst
in Americans, you're describing Californians.

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
 Paul Johnson wrote:
  See, if you visit a bazaar, I bet a helpful guy with a Russian accent
  can sell you a perfectly valid passport for less than $50.  Several
  years ago, a friend of mine actually asked someone at the Stadion
  10-lecia in Warsaw, and was led to a guy with a number of blank Polish
  IDs for ~$25 each...
 
  That's about what checking government-issued IDs is worth.
 
  Perhaps in that part of the world, yes.

 Oh, THAT part of the world. Wait a minute, what part of the world? Can
 you name any country in which you cannot buy fake IDs?

 I might have misunderstood you, but your comment sounded like an insult
 towards Eastern Europe.

No, I'm saying that the availability and penalties for a fake ID vary enough 
by international jurisdiction that what may be true for eastern Europe is not 
necessarily true for the rest of the world.  If you want to construe an 
observation about variations in availability of certain goods and services as 
an insult, so be it, but that was not the intent.

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
 I am actually quite ambivalent about whether I think what he did was
 wrong; I think to determine that I would need to read carefully what
 the KSP organizers said.  Martin certainly should follow the protocols
 established, but I would only count established as being what is
 actually written down by the KSP organizers, and not just some kind of
 general unspoken expectation.  (Where can I read about those written
 protocols, if there are any?)

From http://debconf6.debconf.org/ksp/ksp-dc6.html:

 The next step is to verify each participant's identity by checking
 preferably a passport or, alternatively, some other form of government
 issued ID. Please don't show very old, doubtful or easy-to-fake documents as
 people will not sign your key if you do so. 

I guess that answers the questions you brought up in your e-mail. An ID from
a political party is *not* a government issued ID and *is* a doubtful
document.

Regards

Javier




Re: Red team attacks vs. cracking

2006-05-30 Thread Adam Borowski
On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
 On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
  On Tue, May 30, 2006 at 12:20:14PM -0700, Paul Johnson wrote:
   Even the guy at 7-Eleven has the big book of north american ID cards with
   pictures and descriptions of what makes a real one for when they
   encounter an ID that they've never seen before.
  How can you check if an ID card is real based only on what is written
  on the card, even if it has all the hallmarks mentioned in that book?
 If you don't trust the ID, you don't sign the key.  But having the book to be 
 able to get a bad feeling about the ID from sure beats the apparent current 
 system of Sign the key and hope the ID is for real.

What I mean is, it makes no sense to believe that IDs provide any
real security.  I would rather trust some common sense.  A brief
Google search on the person's name where you look at page 6 and pick
something that the person whose key you're signing should know.

For example, my name is pretty popular, but it's still pretty easy to
pick a reference to me.  Taking a few random links yields:

* an ELinks patch for a bug with xterm detection
=> ask me what was wrong

* a translation of a task from the Polish Olympiad in Informatics,
  the task was authored by me
=> ask me to briefly describe a solution for the task

* a Usenet-to-webforum mirror of r.g.r.nethack with a post about
  termrec, my enhanced implementation of ttyrec
=> you can assume that the upstream of a piece of software will know
   its inner workings pretty well

Generally, you can learn a few things about the person you're trying
to impersonate, but there is no way you can know everything.  And the
real person can describe things in detail...


Thus, given:
A) someone with a government-issued ID, or
B) someone with a random card that bears a photo: a chess club card,
   a Transnational Republic passport, etc
I see hardly any difference between person A and B.  I would trust
common sense, not any passport.


  See, if you visit a bazaar, I bet a helpful guy with a Russian accent
  can sell you a perfectly valid passport for less than $50.
  [...]
  That's about what checking government-issued IDs is worth.
 Perhaps in that part of the world, yes.

Yes, you're right.  In the US, the ID may set me back perhaps even
$100 or more.  And the point is...?

Cheers and schtuff,
-- 
1KB // Microsoft corollary to Hanlon's razor:
//  Never attribute to stupidity what can be
//  adequately explained by malice.





Re: Red team attacks vs. cracking

2006-05-30 Thread Javier Fernández-Sanguino Peña
On Tue, May 30, 2006 at 01:40:39PM -0400, Joe Smith wrote:
 Is this really a bad thing? He proved that KSP are bad for the web of trust.
 A legitimate attacker could abuse the KSP just as easily as Martin, but
 would result in actual damage, and would most likely not have been caught.

Ask yourself: is it a good thing to covertly attack X? Is it good to then
publish of the results [1] claiming^Wboasting that you have broken X? Do you
really need to be proven that X can be broken?

Now change X to KSP or Web server of company Y or (your country's)
national security servers. What are your answers?

In the place I work at, attacks are only done either on your head (that's
what attack trees [0] and risk analysis are for) or with the keyboard (or
phone) after whomever is in charge of X has asked for, acknowledged and
*approved* the attack. Why?  Because given enough resources (money, time, you
name it) most attacks will succeed against X. So the question is not *if* you
can break X but *when* and *how* can you break it. The attack is introduced
to see if there could be changes implemented to make it more difficult for a
wannabe attacker or to detect an ongoing attack and, consequently, minimise
the risk.

We are not talking about national security or public safety here, if Martin
wanted to prove that attacks against KSPs can happen he could have managed
his attack in an open way (as Manoj said contact management and get their
approval) and then use that to enlighten us all.

What he did is wrong (and dishonest), even if the end result is good: these
long threads, knowledgeable people discussing the effectiveness of KSPs and
non-knowledgeable people getting a clue. You might think that the ends
justify the means [2], I don't.

Regards

Javier

[0] http://www.schneier.com/paper-attacktrees-ddj-ft.html

[1] I will call it publish even if it was done in a rather obscure way.
Not all developers are required to read Martin's blog, they are only required
to read d-devel-announce

[2] Google found this Wired article for me, which is nice:
http://www.wired.com/news/politics/0,1283,58082,00.html




Re: Red team attacks vs. cracking

2006-05-30 Thread Tyler MacDonald
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] wrote:
  Is this really a bad thing? He proved that KSP are bad for the web of trust.
  A legitimate attacker could abuse the KSP just as easily as Martin, but
  would result in actual damage, and would most likely not have been caught.
 
 Ask yourself: is it a good thing to covertly attack X? Is it good to then
 publish of the results [1] claiming^Wboasting that you have broken X? Do you
 really need to be proven that X can be broken?
 
 Now change X to KSP or Web server of company Y or (your country's)
 national security servers. What are your answers?

I have no opinion that I wish to state in this *particular* case,
but in general, I support it.

I like this page:

http://www.dataloss.net/papers/how.defaced.apache.org.txt

From the bottom of the page:

We would like to compliment the Apache admin team on their swift response
when they found out about the deface, and also on their approach, even
calling us 'white hats' (we were at the most 'grey hats' here, if you ask
us).

I'm not saying everybody should be as accommodating as the ASF when
their security gets compromised, but if somebody *does* hack you, then tells
you how they did it, and they don't invade your privacy or do any harm to
your stuff, then they have done you a service.

 [1] I will call it publish even if it was done in a rather obscure way.
 Not all developers are required to read Martin's blog, they are only
 required to read d-devel-announce

If Martin didn't tell the debian team right away after he illegally
crossed the fence, then that was irresponsible, but I still have no opinion
as to what should be done with him.

- Tyler





Re: Red team attacks vs. cracking

2006-05-30 Thread Steve Langasek
On Tue, May 30, 2006 at 03:11:23PM -0700, Paul Johnson wrote:
 On Tuesday 30 May 2006 14:26, Steve Langasek wrote:
  On Tue, May 30, 2006 at 01:57:18PM -0700, Paul Johnson wrote:
   On Tuesday 30 May 2006 13:02, Adam Borowski wrote:
See, if you visit a bazaar, I bet a helpful guy with a Russian accent
can sell you a perfectly valid passport for less than $50.  Several
years ago, a friend of mine actually asked someone at the Stadion
10-lecia in Warsaw, and was led to a guy with a number of blank Polish
IDs for ~$25 each...
   
That's about what checking government-issued IDs is worth.

   Perhaps in that part of the world, yes.

  As opposed to California, where per the news story I heard a couple weeks
  ago, a counterfeit state ID good enough to elude an arrest warrant can be
  had for $100-$200?

 California's its own little world, generally speaking if you assume the worst
 in Americans, you're describing Californians.

plonk

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Re: Red team attacks vs. cracking

2006-05-30 Thread Paul Johnson
On Tuesday 30 May 2006 16:02, Javier Fernández-Sanguino Peña wrote:
 We are not talking about national security or public safety here, if Martin
 wanted to prove that attacks against KSPs can happen he could have managed
 his attack in an open way (as Manoj said contact management and get their
 approval) and then use that to enlighten us all.

On the other hand, in real life, people who are out there to deliberately harm 
the web of trust for whatever reason do not do so by contacting management 
and getting approval first.  Attacks in the real world don't happen with 
warning, so why should security only happen with warning or by accident?

-- 
Paul Johnson
Email and IM (XMPP  Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward  http://ursine.ca/Ursine:Jabber




Re: Red team attacks vs. cracking

2006-05-30 Thread Jacob S

On Tue, 30 May 2006 15:09:25 -0700
Paul Johnson [EMAIL PROTECTED] wrote:

 On Tuesday 30 May 2006 14:15, Linas Žvirblis wrote:
  Paul Johnson wrote:
   See, if you visit a bazaar, I bet a helpful guy with a Russian
   accent can sell you a perfectly valid passport for less than
   $50.  Several years ago, a friend of mine actually asked someone
   at the Stadion 10-lecia in Warsaw, and was led to a guy with a
   number of blank Polish IDs for ~$25 each...
  
   That's about what checking government-issued IDs is worth.
  
   Perhaps in that part of the world, yes.
 
  Oh, THAT part of the world. Wait a minute, what part of the world?
  Can you name any country in which you cannot buy fake IDs?
 
  I might have misunderstood you, but your comment sounded like an
  insult towards Eastern Europe.
 
 No, I'm saying that the availability and penalties for a fake ID vary
 enough by international jurisdiction that what may be true for
 eastern Europe is not necessarily true for the rest of the world.  If
 you want to construe an observation about variations in availability
 of certain goods and services as an insult, so be it, but that was
 not the intent.

We have to remember, after all, that severe fines and penalties are
enough to deter people from doing bad things on the black market. This
is why there are no illegal drugs in the United States.

Jacob


Re: Red team attacks vs. cracking

2006-05-30 Thread Thomas Bushnell BSG
Javier Fernández-Sanguino Peña [EMAIL PROTECTED] writes:

 On Tue, May 30, 2006 at 10:32:15AM -0700, Thomas Bushnell BSG wrote:
 I am actually quite ambivalent about whether I think what he did was
 wrong; I think to determine that I would need to read carefully what
 the KSP organizers said.  Martin certainly should follow the protocols
 established, but I would only count established as being what is
 actually written down by the KSP organizers, and not just some kind of
 general unspoken expectation.  (Where can I read about those written
 protocols, if there are any?)

 From http://debconf6.debconf.org/ksp/ksp-dc6.html:

  The next step is to verify each participant's identity by checking
  preferably a passport or, alternatively, some other form of government
  issued ID. Please don't show very old, doubtful or easy-to-fake documents as
  people will not sign your key if you do so. 

 I guess that answers the questions you brought up in your e-mail. An ID from
 a political party is *not* a government issued ID and *is* a doubtful
 document.

Indeed, but it doesn't sound like he violated the rules.  This was
worded as a suggestion, not as a demand.  Indeed, notice that the
people who signed the key violated it just as much as he did.  Where
is the hue and cry against them?

I still want to know who they are, because it is *their* signatures I
have to start distrusting.

Thomas



Re: Red team attacks vs. cracking

2006-05-30 Thread Henning Makholm
Scripsit Javier Fernández-Sanguino Peña [EMAIL PROTECTED]

 I do agree with Manoj that this was *not* a legitimate experiment (i.e.
 not a red team test) and that Martin *did* abuse our [0] trust [1]

A KSP that depends on there being any pre-existing trust to abuse is
*completely worthless* as a KSP whether or not that trust is abused
or not.

Shooting the messenger will not change that, however loudly you try to
make it look as if it was his fault that the thing is so broken that
betrayal of trust is even a meaningful term to apply to any behavior
a KSP participant could exhibit.

-- 
Henning Makholm  Jeg har tydeligt gjort opmærksom på, at man ved at
   følge den vej kun bliver gennemsnitligt ca. 48 år gammel,
   og at man sætter sin sociale situation ganske overstyr og, så
   vidt jeg kan overskue, dør i dybeste ulykkelighed og elendighed.

