Friday, July 24, 2009

Anti-Sec spoof threatens s'kiddie mayhem

Anti-Sec spoof threatens s'kiddie mayhem

The problem with not giving a verifiable identity is now anyone can claim to be you and there’s no way for you to dispute the claims or actions of an impersonator.

I was thinking about these site defacements by Anti-sec and came up with what I thought could secure or destroy their credibility. If they breached a site they could leave a PGP/GnuPG public key and explain that they’re tired of the copycats and that all future “messages” would be signed by a key that’s signed by this key. The intermediate key should have an expiration no longer than a couple months. In theory, all future attacks can be verified as the work of Anti-sec or not.

That is, unless someone not in Anti-sec beat them to the punch. If someone outside of Anti-sec posted such a key claiming to be Anti-sec, especially noting that they’re tired of the impersonators it goes into an “our word against theirs” situation. The impostor(s) would then have to conduct a few more breaches in the same style as Anti-sec to establish “legitimacy”.

In theory a public key can serve as a verifiable identity but it doesn’t quite work like that. It can really only be used to verify someone has access to the corresponding private key. Someone can throw their key out there claiming to be Brad Pitt and we have to decide whether or not to accept his in-person denial of that claim. Having committed crimes no one from Anti-sec is going to step forward in person, prove they’re Anti-sec (somehow) to make authoritative claims about a public key. I think the difference between private key holder and identity is sufficiently subtle that most people wouldn’t quite perceive the difference. They could stand to lose a lot of credibility.

When you want to be anonymous but still make claims of identity, remember:

No comments:

Post a Comment