Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

White House Unveils Plans For "Trusted Identities In Cyberspace"

Soulskill posted more than 4 years ago | from the this-can-only-end-well dept.

Government 202

Presto Vivace writes with news that the Obama administration's cyber-security coordinater, Howard Schmidt, yesterday unveiled a national plan for "trusted" online identities. Schmidt wrote, "The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers — both public and private — to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.)." You can read the full draft of the plan (PDF), and the White House is seeking public comments on it as well.

cancel ×

202 comments

yet another lobby's success (1, Troll)

Adolf Hitroll (562418) | more than 4 years ago | (#32701862)

wake up, stupid yankees, life is not an opportunity to buy iShite.
You want to be free, to question [whatreallyhappened.com] what they tell you and act upon the treason.

OpenID? (5, Insightful)

koreaman (835838) | more than 4 years ago | (#32701870)

One ID you can use anywhere? Sounds a lot like what the OpenID project is already trying to do. It's a nice concept, but I don't like the idea of anything like this being run by the government. Government interference with the internet seems to be the fastest way to dystopia, these days.

Re:OpenID? (0)

Anonymous Coward | more than 4 years ago | (#32701950)

some of us want dystopia. Just think - underground networks, hacking the gibson and all that jazz. It will be an adventure

Re:OpenID? (4, Insightful)

gclef (96311) | more than 4 years ago | (#32701988)

It's actually a little better and a little worse than what you think. They're proposing setting up a "ecosystem" of identity providers, so commercial organizations will issue identity certs with the gov't just setting the standards they all live by to interoperate, etc. On that front, that isn't as bad as it could have been.

On the other hand, there is an enormous amount of naivete in their "strategy" about how the identity providers will act. Their examples talk about having your cell phone provider be the organization that issues your identity cert for use in this system. What happens when you change providers? When I shift from Verizon to AT&T, can I move the AT&T cert to my Verizon phone? Also, am I forevermore tied to AT&T for my identity verification? What if that company goes bankrupt? What if you *want* to change identity providers? If you can change providers, what happens to the records that provider kept? What about the records that other information providers tied to the old cert? Do they keep the certificate (and therefore the ability to impersonate you online)? What happens if I lose my phone (and therefore lose my cert)?

The effort isn't completely crack-addled, but it is hopelessly naive. I think it'll fail unless it gets a big dose of reality shortly.

Re:OpenID? (1)

Rydia (556444) | more than 4 years ago | (#32702006)

Most of the problems you raise are pretty trivially solved by remembering that it's the government talking about this. AT&T tries to keep your identity to impersonate you? The government can lock AT&T out of the system, or fine the crap out of them, or whatever sanction they want. This actually reminds me somewhat of the records provisions of HIPAA, which are actually pretty good about making sure records are used properly and are given to the people who are supposed to have them (too bad they're all a bunch of incoherent sheafs of paper).

Re:OpenID? (2, Interesting)

gclef (96311) | more than 4 years ago | (#32702076)

If they mentioned any sort of consideration for things like what I was mentioning above, I'd be much more confident about the program. There is no mention of any of this stuff in their strategy doc (I actually read the PDF, I'm sorry to say). That makes me think they haven't considered it at all.

Mis-use by a provider is one thing, and, yes, I'd agree that I'd expect the gov't to deal with it harshly. But institutional helplessness is a very different beast. Situations that go like "I'm sorry, sir, we can't let you use another company's certificates with our phones. You can still get another identity from us, though." wouldn't be a lock-out, but it would make the system an enormous pain in the ass.

Also, if you can't ever change identity providers, it means companies will be guaranteed a revenue stream from you, perpetually. Even if you decide you want to leave Verizon, if they're your identity provider you would *have* to work with them (and probably pay them). Again, if there had been any consideration made for these sorts of issues I'd be less leery of them...but the PDF was this sunny thing that considered none of the cases where this thing fails.

Not sure that reality will be very influential (2, Insightful)

Presto Vivace (882157) | more than 4 years ago | (#32702112)

I think it'll fail unless it gets a big dose of reality shortly. how many things in our society, both public and private, have remained untouched by reality?

Re:Not sure that reality will be very influential (1)

gclef (96311) | more than 4 years ago | (#32702154)

Timing is everything: if it gets that touch of reality *soon*, then it might not fail. If it goes forward with it's present design, then when reality comes it'll be pretty painful.

Re:OpenID? (2, Insightful)

Fartypants (120104) | more than 4 years ago | (#32702290)

I would add political naivete to that list. In an era where Obama's opposition is trying to paint him as an intrusive big government trampler of individual rights, coming out with a program to provide identity cards to people so they can be more easily identified and tracked on the Internet - no matter how well intentioned - is just begging to be used against him.

Re:OpenID? (1)

OnlineAlias (828288) | more than 4 years ago | (#32702488)

Agree completely. On some issues I am quite liberal...this idea is not only dumb technically (we have certs/crypto already, and that is good enough; witness massive expansion of e-commerce), but it is also political suicide.

This is so bad I wonder if the Obama administration is even proposing it, and not a right wing smear job.

Dumb dumb dumb.

Re:OpenID? (5, Informative)

Alsee (515537) | more than 4 years ago | (#32702816)

It's a lot worse than you think. I just finished reading the draft. This is an effort to impose Trusted Platform Modules - globally. For those not familiar with Trusted Platform Modules, it all boils down to one simple point. Computers and other electronic devices with each have a Master Key locked inside. A master key locking and controlling operation of the device. The owner is forbidden to know or control the key locking and controlling his devices. That leads to many technically complex results, but the simple point is that you are forbidden to know "your own" master security keys. They describe all sorts of supposed benefits of the system, but the inescapable end fact is that the system is designed to secure your computer against you. The simple simple point is that if you are forbidden to know your own keys then the system is locked against you. You are denied ownership and full control of your own computers.

I made a few very hasty notes from the draft document. Many of these items should scare the shit out of everyone:

Draft page 4, blue box: Identity card for to "anonymous" bloggers, i.e. no anonymous blogs. Identity card for e-mail.

page 15 explicitly states this is based upon the Trusted Platform Module.

Page 19 lists your ELECTRIC COMPANY adopting the system and requiring you to use it to access your account. (Although the DESCRIBED usage is plausibly optional web access)

Page 22 requires new laws "establishing an enforcement mechanism" for this system. Says government services will be used to drive adoption by the public. Says government buying power will be used to drive adoption in the business sector.

Page 23 explicitly names Intellectual Property Protection as a purpose of the system.

Page 24 explicitly states that "the scope of this strategy extends beyond national boundaries". Says the US Federal government must establish programs to execute this strategy. Says the US Federal government is to focus its recourses on influencing national and international standards to carry out this strategy. "Coordinate Federal Government efforts associated with digital identities both domestically and internationally".

Page 25 "cybersecurity is becoming a matter of diplomacy, activities under the strategy intend to address the increased importance of international policy efforts. The Federal Government, by leading and coordinating national efforts, as well as collaborating on international policy efforts, can drive a unified approach to trusted digital identities". "the creation of a global trusted infrastructure" Says the government should fund research and development of these systems and transfer it to the commercial sector.
"Todays environment is driven by a global economy, with transactions occurring without regard to physical or political boundaries; the infrastructure developed under this strategy will, to the extent feasible, be interoperable among these environments, while also respecting the laws and policies of different nations."

Page 26 "The Federal Government is committed to the actions herein and will move forward as a leader, first adopter, and enabler" "The White House will select an agency and hold it accountable for coordinating the processes and organizations that will implement the Strategy".

Page 27 "All levels of Government will play a part in the adoption of the Identity Ecosystem for government services. As a major provider of services spanning individuals, private sector, and other governments, the Federal Government is positioned to enable high impact, high penetration Identity Ecosystem services."

Page 29 says the Federal Government will engage in media campaign activities to persuade the public to accept the system. (I would call it propaganda, though I have no doubt others would disagree with the use of that word.) "Success of the Identity Ecosystem depends on participation from multi-national corporations and global providers in the use of federated identities and that interoperable and scalable to internet levels" - the government intends to use multinational corporations and global internet providers to impose a planet-wide system. It says U.S. presence in international policy and technical bodies must increase to achieve these goals.
Widespread adoption will need comprehensive incentives from the Federal Government, economic incentives to the private sector in tax credits, insurance, grants, and loans.

Page 30 "The Federal Government will also conduct economic analyzes to evaluate needed regulatory changes to critical economic infrastructure sectors." And in particular it cites new regulations for credit card transactions. To be perfectly clear, it cites imposing regulations on credit card transactions as a "Means to Drive Adoption" of this system "across the Nation".

-

GPGAuth + OpenID + Smartcards/E-tokens. (3, Insightful)

elucido (870205) | more than 4 years ago | (#32702068)

http://www.gpgauth.com/ [gpgauth.com] is a good technology. It's open and it's based around GPG. The main thing holding us back is the lack of hardware standards and lack of hardware in general. We should have the hardware in place otherwise a lot of the software will be useless.

We need better smartcards, better e-tokens. The idea of putting identity on our cellphones is stupid. Put it on a card so it can be put in your wallet or hidden if necessary. By putting it in your cellphone it's a huge target for hackers.

OpenID is too damn confusing and fragile. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32702146)

A few months ago, I wanted to post a question to StackOverflow. It was the first time I was going to submit something, so it was also the first time I had to log in. I was dismayed to see that they had chosen OpenID, rather than letting me quickly create an account specifically with them.

Now, I don't have an account with Google, or Yahoo!, or AOL or one of the numerous other OpenID providers they support. So I had to go through the process of signing up for a Yahoo! account, which was a pain in the ass, to say the least. Then it was back to StackOverflow, so I could log in, and submit my question. Except it didn't work. I couldn't log in. I'd get sent to Yahoo!'s page to log in, and I'd log in there successfully, but I wouldn't be logged-in at StackOverflow.

I really didn't have any time or inclination to figure out what was wrong, so I went through the hassle of creating a Google account. In the end, it was the same problem as with the Yahoo! account. It just wouldn't recognize that I was logged in.

Maybe it's a problem with my browsers (I tried Opera, Safari, Chrome, IE and Firefox for each provider), or maybe it's a problem with my network infrastructure, although I suspect it's a problem with StackOverflow or OpenID.

Regardless of what the technical problem was, I wasted far too much time just trying to log in to the goddamn StackOverflow site. Authentication is one of the most basic operations of any multiuser and/or networked software system. It's something UNIX has gotten right for 40 years. There's no reason for OpenID to be as shitty as it is.

In the end, I said "fuck it" to StackOverflow. If they want to make it difficult just to log in to their site, I won't use it. I asked my question on a mailing list instead, which worked flawlessly.

Re:OpenID? (1)

noidentity (188756) | more than 4 years ago | (#32702314)

OpenID and many more before it. Apparently people don't want this, especially not from the government. If private industry couldn't do it in a useful way, there's no way government can. Of course, government has the one advantage the others lacked: it can make it illegal to not use it. I look forward to having to use some crappy system which tracks my every action.

Re:OpenID? (2, Insightful)

tverbeek (457094) | more than 4 years ago | (#32702352)

Many people trust private industry a lot less than they trust government. At least governments come up for a public vote every so often.

Re:OpenID? (1, Informative)

noidentity (188756) | more than 4 years ago | (#32702590)

I can refuse to have any dealings with a private company. The government achieves everything by the use of force. I'd much rather have the former.

Re:OpenID? (2, Insightful)

slick7 (1703596) | more than 4 years ago | (#32702778)

Many people trust private industry a lot less than they trust government. At least governments come up for a public vote every so often.

I would trust a car dealer before I would trust a politician and I don't trust car dealers.
Cyber ID's means not having to see the liar's lips move.

"Trust and you will be trusted", said the liar to the fool.

Envision it! (4, Interesting)

neoshroom (324937) | more than 4 years ago | (#32702330)

From the Document Itself:

"Envision It!

An individual voluntarily requests a smart identity card from
her home state. The individual chooses to use the card to
authenticate herself for a variety of online services, including:
        Credit card purchases,
        Online banking,
        Accessing electronic health care records,
        Securely accessing her personal laptop computer,
        Anonymously posting blog entries, and
        Logging onto Internet email services using a
pseudonym."

I always want to use a self-identifying card when anonymously posting blog entries. Seems like this also could be easily abused by a government who conducts warrantless wiretaps and other illicit snooping.

"Imagine a world where individuals can seamlessly access information and services online from a variety of sources - the government, the private sector, other individuals, and even across national borders - with reduced fear of identity theft or fraud, lower probability of losing access to critical services and data, and without the need to manage many accounts and passwords."

Honestly, this doesn't seem like a good idea from a security standpoint either. Let's say I wanted to commit fraud or identity theft or any of the other things this card is supposed to prevent. Now, originally, I would have to compromise your 30 passwords. If I hacked your blog, I wouldn't be able to access your bank account because they have different passwords. Now, if a blackhat hacker hacks this universal access method they get universal access. Scary.

Re:Envision it! (4, Insightful)

tverbeek (457094) | more than 4 years ago | (#32702402)

Yeah, it's like having a master key that unlocks your house, your car, your office, your filing cabinet, your pot and porn stash, your firesafe, your safe deposit box, your storage unit, etc... and keeping that key on a chain around your wrist, where you'll always be sure you have it. Until someone copies it while you're sleeping, and suddenly they have access to everything.

Yet another OpenID (3, Insightful)

iamapizza (1312801) | more than 4 years ago | (#32701876)

So isn't this just another one of those open/secure authentication mechanisms, which means that we're now going to have to remember an ever expanding and potentially insecure methods, instead of passwords, of identifying ourselves to various entities on teh internetz?

Re:Yet another OpenID (5, Insightful)

bendodge (998616) | more than 4 years ago | (#32702632)

It's not even that. I'm shocked that here on Slashdot the first couple dozen posts actually take this seriously. IT'S A TRAP. This should be blatantly obvious. The entire point of this is to get rid of online anonymity, which government and legal trolls hate.

Read this post a few screens up: http://yro.slashdot.org/comments.pl?sid=1699416&cid=32702330 [slashdot.org]

I know President Obama is popular here, but everything his administration has proposed for the Internet has sinister long-term ramifications.

Eric Holder Advocated Internet "Restrictions" [slashdot.org]
The Internet "Kill Switch" [slashdot.org]
Obama's "Internet Czar" [slashdot.org]
Obama's Version of "Net Neutrality" [slashdot.org]

These plans do not exactly champion freedom and free speech. Rather, they seek to slowly erode the power of the online masses.

Trusted? (3, Insightful)

rossdee (243626) | more than 4 years ago | (#32701880)

Who do you Serve, and Who do you Trust

-- Galen the Technomage, B5Crusade

Brought to you by Verizon and Verisign (2, Interesting)

shuz (706678) | more than 4 years ago | (#32701886)

It is good to see that the government are using existing technologies for political talking points. Now if government tries to push something other than SSL I would be disappointed.

passport (1)

Lehk228 (705449) | more than 4 years ago | (#32701890)

but ms passport sucked

Re:passport (1)

hedwards (940851) | more than 4 years ago | (#32702236)

Indeed, they could've made it suck less, but with only one company controlling it, there wasn't really any chance that it wouldn't suck.

Finally an idea from the WH that makes sense. (0)

elucido (870205) | more than 4 years ago | (#32701892)

We do need a mechanism of trusted identities. The identity should be verified biologically through some hardware. No software can replicate the authentication capability of a retina or facial scan. This biological information should be stored on the smartcard along with the password.

My question is what took them so long to switch to smartcards? Passwords have been notoriously insecure and everybody in the information security industry considers passwords to be a joke.

Doesn't the WH have anything better to do? (0)

Anonymous Coward | more than 4 years ago | (#32701960)

We do need a mechanism of trusted identities. The identity should be verified biologically through some hardware. No software can replicate the authentication capability of a retina or facial scan. This biological information should be stored on the smartcard along with the password.

My question is what took them so long to switch to smartcards? Passwords have been notoriously insecure and everybody in the information security industry considers passwords to be a joke.

Unfortunately, you can't revoke your retina... What happens when we figure out how to spoof your eyeball?. Then what? Passwords and keys are fine with me. I don't get the joke about the passwords?

Re:Doesn't the WH have anything better to do? (0, Offtopic)

ubrgeek (679399) | more than 4 years ago | (#32702088)

> I don't get the joke about the passwords

What's not to get? Naked password walks into a bar with a poodle under one arm, and a two-foot salami under the other. The bartender says, I guess you won't be needing a drink. Naked password says...

Re:Doesn't the WH have anything better to do? (1)

elucido (870205) | more than 4 years ago | (#32702106)

Then you use your retina along with your fingerprint.

Sure identity theft is always going to be possible but it would be much harder if they had to get your retina than if they just had to memorize your digits and crack a password.

Re:Doesn't the WH have anything better to do? (3, Insightful)

emt377 (610337) | more than 4 years ago | (#32702336)

Then you use your retina along with your fingerprint.

Sure identity theft is always going to be possible but it would be much harder if they had to get your retina than if they just had to memorize your digits and crack a password.

They don't need your retina. They just need whatever big integer your retina digests to.

Re:Doesn't the WH have anything better to do? (1)

emt377 (610337) | more than 4 years ago | (#32702374)

They don't need your retina. They just need whatever big integer your retina digests to.

In case the conclusion isn't obvious: if they can get you to authenticate using a compromised scanner you'll only be able to handle that breach exactly once - assuming you have a second eye.

Re:Finally an idea from the WH that makes sense. (2, Insightful)

TheSHAD0W (258774) | more than 4 years ago | (#32702034)

I can think of only one way to make transactions nearly completely secure, so that malware cannot spoof or redirect payments - and I doubt our government is smart enough, or willing to pay enough, for such a system. It would require a security dongle with its own display and a yes/no button at a minimum, with a numeric keypad for PIN entry being a useful addition. Without its own display, even if it requires some sort of physical response on the dongle, malware can make the computer show one payee while telling the dongle to authorize another.

Re:Finally an idea from the WH that makes sense. (1)

elucido (870205) | more than 4 years ago | (#32702110)

Who says the government has to pay for it?

We should be able to buy our own dongles. The only thing the government has to pay for is the retina scand and fingerprints, or anything else we want to store on the dongle as authentication. The pin entry + smartcard is good enough for the banking industry and ATM machines.

Re:Finally an idea from the WH that makes sense. (1)

matthiasvegh (1800634) | more than 4 years ago | (#32702134)

theres one big problem with it.. imagine adding that to your code. it would look a bit like this: bool authenticate() { .... } and a result, if the authentication succeeds, one puny bit is changed. seeing as changing other programs' memory beneath them is as simple as firing up cheat engine, a dongle wouldn't help..

Re:Finally an idea from the WH that makes sense. (2, Insightful)

TheSHAD0W (258774) | more than 4 years ago | (#32702646)

Well, no... The idea is, your computer would open a connection between the dongle and the remote server. The connection would be both encrypted and digitally signed by the dongle, making it "impossible" for software on the computer to interfere with the contents of the connection. The dongle would show, on its built-in display, the payee account name and the payment amount, and prompt for pressing a button on the dongle itself (or PIN entry, or retina scan, or whichever). The dongle would then send a signed certificate authorizing the transaction.

This would be fairly complete security, though there are a few caveats: Strength and hardiness of the encryption and signature algorithms, hardiness of the software on the dongle, and the creation of accounts with the same name as the payee. There would be other methods of attack against the server side, but nothing that would be considered the user's fault.

Re:Finally an idea from the WH that makes sense. (0)

Anonymous Coward | more than 4 years ago | (#32702128)

Oh right ... Like emulating retina scanning hardware and sniffing compromised wi-fi. Have fun replacing your eyeballs!

A solution looking for a problem (5, Insightful)

selven (1556643) | more than 4 years ago | (#32701904)

The problem of authenticating yourself many times to different websites is solved by OpenID. The problem of having a secure web identity is also solved - anyone can put a public key on their homepage and sign everything they write. The inclusion of credit cards and electronic health records suggests the true motive for this policy: trying to tie people's internet identities to real life identities. Thanks, but given that the opinions I post here have already earned me 3 'foes' I'd rather not have every potential employer take a look at my Slashdot account.

Re:A solution looking for a problem (4, Informative)

drinkypoo (153816) | more than 4 years ago | (#32702008)

The problem of authenticating yourself many times to different websites is solved by OpenID.

No, it is not. If the OpenID host is compromised then the ID can be used without your permission. That's not "solved".

The inclusion of credit cards and electronic health records suggests the true motive for this policy: trying to tie people's internet identities to real life identities. Thanks, but given that the opinions I post here have already earned me 3 'foes' I'd rather not have every potential employer take a look at my Slashdot account.

There is really no good way to handle this problem because all cryptography is based on trust. Do you trust your government with the ability to forge your identity? Me neither.

Re:A solution looking for a problem (1)

Rydia (556444) | more than 4 years ago | (#32702012)

"anyone can put a public key on their homepage and sign everything they write."

You have an interesting definition of "anyone."

Re:A solution looking for a problem (1)

Danathar (267989) | more than 4 years ago | (#32702046)

Yes, but who says you actually ARE who you say you are in your ID? That problem (of having a certificate that is signed by an authority that has physically verified your identity) is actually a more difficult problem in my opinion. Not that it can't be done, but that a central authority that everybody trusts to verify your ACTUAL identity is needed.

No central authority is needed. (1)

elucido (870205) | more than 4 years ago | (#32702148)

You verify your identity by smartcard. We don't need a central authority to do it for us when we can just put our card into our reader and enter a pin.

When you go to an ATM do you need a central authority to verify your identity with a certificate?

Re:No central authority is needed. (1)

OolimPhon (1120895) | more than 4 years ago | (#32702256)

When you go to an ATM do you need a central authority to verify your identity with a certificate?

No, but then neither does the thief who shoulder-surfed your pin and then stole your card.

Re:No central authority is needed. (1)

elucido (870205) | more than 4 years ago | (#32702342)

How many bank accounts have been hacked in this way?

Re:No central authority is needed. (0)

Anonymous Coward | more than 4 years ago | (#32702556)

The bank is the central authority,

Since all the ATM card says is "The holder of this card and this pin is authorized to transact with this account (or these accounts)"

Re:A solution looking for a problem (1)

khallow (566160) | more than 4 years ago | (#32702168)

Not that it can't be done, but that a central authority that everybody trusts to verify your ACTUAL identity is needed.

There is no central authority that everybody trusts. For example, if I deal drugs or launder money, I'm not going to trust the US government to authenticate my transactions.

Re:A solution looking for a problem (4, Insightful)

selven (1556643) | more than 4 years ago | (#32702526)

You are assuming that one of my identities is the "actual" me and that all the others are pseudonyms. I reject this view, and believe that 'selven' is an identity on equal footing with the one on my passport. People call me (insert my so-called 'real name' here) therefore I am that person. People call me 'selven' therefore I am also selven. There is nothing inherently more real about one name than the other. So if I set up a public key and start signing all of my posts, anyone who knows my public key can prove that any of my posts was in fact made by me (or with my permission). People who have an established relationship with and trust 'selven' do not need to know my other identity in order to deal with me.

We need hardware authentication. (1)

elucido (870205) | more than 4 years ago | (#32702072)

Anybody can log in as you and nobody knows any better.

Re:A solution looking for a problem (1)

IntlHarvester (11985) | more than 4 years ago | (#32702268)

If you can't think of any useful applications of internet identity beyond posting on Slashdot, you probably should stop posting and take a long walk outdoors. Seriously, nobody cares who you are here.

Re:A solution looking for a problem (1)

Kirijini (214824) | more than 4 years ago | (#32702756)

...given that the opinions I post here have already earned me 3 'foes'...

You know, in the slashdot friends/foes system, you choose your foes [slashdot.org] . So if you have three of them, it's because you disliked their opinions.

Perhaps you mean you've earned three "freaks"?

/nitpick

Got a link? (5, Funny)

paiute (550198) | more than 4 years ago | (#32701908)

I need to download a German accented voice so when my computer says, "Your papers, please." it will sound authentic.

Re:Got a link? (1)

ducomputergeek (595742) | more than 4 years ago | (#32702126)

Ausweis Bitte!

Not to be paranoid but... (2, Insightful)

Anonymous Coward | more than 4 years ago | (#32701912)

Why not just tattoo a barcode on the back of my neck and inject and RFID tag into my left wrist and be done with it.

Re:Not to be paranoid but... (0)

Anonymous Coward | more than 4 years ago | (#32702458)

"One ID to rule them all, and into darkness bind them" - If you have but one ID, it can easily be revoked...

Finally the missing element in "trust" (0)

Anonymous Coward | more than 4 years ago | (#32701920)

The Department of Homeland Security (DHS), a key partner in the development of the strategy

Who says i trust the white house? (0, Insightful)

Anonymous Coward | more than 4 years ago | (#32701930)

Really now... Of all the orgs i'd let have anything to do with 'trust'. The whitehouse isnt in the top thousand.

Unless it's more along the lines of ''I trust them to fuckup completely and blame someone else''.

Seems an appropriate time. (1)

Spazntwich (208070) | more than 4 years ago | (#32701974)

They can trust the identity of deez nuts.

Go easy on me, moderators.

Trust? (2, Insightful)

markdavis (642305) | more than 4 years ago | (#32701978)

>where individuals and organizations can complete online transactions with confidence,
>trusting the identities of each other and the identities of the infrastructure that the transaction runs on

I see, so we just hand over the keys to our online identities and trust the Federal Government instead. Right. And what if we would rather not trust them? Some of us might not want the Fed having access to everything we do. And if such a plan gains traction, you can bet that sites will jump on it and consumers won't have any choice but to use such a system or be denied access to more and more online stuff.

Re:Trust? (0)

Anonymous Coward | more than 4 years ago | (#32702026)

Microsoft passport (and many others) are basically the same thing. I don't want a Microsoft passport, even if it is required for helpful things like reporting bugs in there software, and I thrust the US government a whole lot less then Microsoft.

a digital certificate on their cell phone... (1)

Banichi (1255242) | more than 4 years ago | (#32701986)

Sounds like some companies are lobbying for the burden of verification to be put on the consumer, not the provider. Like Verisign (et al) in reverse.

I like things the way they are now, because I don't have to provide an explicit identification to anyone I don't need to.

Re:a digital certificate on their cell phone... (0)

Anonymous Coward | more than 4 years ago | (#32702100)

Adding to your point, the reason people are victims of identity theft is because they give out too much information to the web. And the government's solution is to give more? I'm sorry, but I like not having to give my social and birth date every time I buy a book on Amazon...

Good idea (1)

taucross (1330311) | more than 4 years ago | (#32701990)

Sounds like a great idea. There's room on the internet for any such initiative - so much room, in fact, that it's likely that this will affect no-one except those who choose it.

Re:Good idea (0)

Anonymous Coward | more than 4 years ago | (#32702518)

Uh, you are a dork

No one will be allowed to choose. Ultimately the govt will conzrol all access to the internet. This will lead to having to register you website with a govt weenie. Couple this control over websites and all transactions with the 'kill switch' bill in congress and you have the internet version of the 3rd Reich

Don't like (2, Interesting)

Dogun (7502) | more than 4 years ago | (#32702000)

I think a 'strong identity' transactional system likely requires a secret known to a user, paired with a hardware device that can be remotely disabled, and is difficult to tamper with and lift the user's keypair from, even with the user's password. I think that can be built, but the 'remote kill' potential is alarming in the context of a national (or more than national) strong-identity system. In order to be reliable, parties will have to check transactions against some sort of central database, which is a serious privacy concern.

My suspicion is that any system you attempt to use for this purpose is immensely more useful when you ditch the 'strong identity' requirement, as a strong transactional system is good at preventing fraud, and with no (or limited) identity tied to a transaction, there is no substantial risk to privacy, data disclosure, etc, which are the stated goals of the plan.

Sounds great! (2, Funny)

Zedrick (764028) | more than 4 years ago | (#32702002)

I wish my government would do something similar, like calling for the creation of flying ponies for everyone. No, wait - flying invisible ponies for everyone! I'm sure there would be no problem getting reality to comply with government wishes.

Re:Sounds great! (1)

Dogun (7502) | more than 4 years ago | (#32702048)

There's nothing infeasible about the desire for a system of this sort. Obviously, limitations are bound to exist, but this is not pipe-dream territory.

Re:Sounds great! (0)

Anonymous Coward | more than 4 years ago | (#32702272)

Your government already created invisible flying ponies for everybody, and the program has been a great success. What's that? You can't see any ponies? Well, duh.

Re:Sounds great! (0)

Anonymous Coward | more than 4 years ago | (#32702740)

This reminds me of a Dilbert cartoon, where the marketing droids ask Dilbert when he can finish the cloak of invisibility, and then the marketing droids announce with pride that they were art history majors in college. Most politicians and bureaucrats remind me of the marketing droids in that cartoon. Their perception of reality rarely aligns with actual reality, and they have little or no clue what is possible or how to implement it.

I don't think I'd really trust *anyone* to do this (1)

symbolic (11752) | more than 4 years ago | (#32702018)

Certainly not the government. Our "trust" has recently netted us one economic disaster, and one industrial catastrophe. I realize that the current method isn't optimal, but he who has the information, has the control. That having been said, I'd like to retain as much control as possible, especially when it comes to information that can be easily stored, profiled, shared, etc. One of *anything*, I'd argue, is a bad choice. Something about eggs, baskets, human nature, greed, power, etc.

Its very simple (1)

mpickut (721322) | more than 4 years ago | (#32702022)

What the government creates the government controls.

Re:Its very simple (1)

SwashbucklingCowboy (727629) | more than 4 years ago | (#32702250)

Yeah, just look at the Internet. Oh

Oh wait...

Reinventing the wheel, much? (1)

Grey Loki (1427603) | more than 4 years ago | (#32702038)

Sounds like they're just trying to create a proprietary government-owned, -controlled and -legislated OpenID/PGP network. This is still a stupid idea - The reason my account isn't my real name is that I want a disconnect between my activities online and my activities in meatspace.

Re:Reinventing the wheel, much? (1)

AHuxley (892839) | more than 4 years ago | (#32702248)

The good old days when every phone ended in a street address to traced, tapped and further actions taken over time.

Itsatrap (3, Insightful)

davegravy (1019182) | more than 4 years ago | (#32702044)

At fist such a system would be opt-in. Then it would gradually become mandatory in the name of fighting pedophilia (think of the children!) Then you can kiss online anonymity goodbye.

Re:Itsatrap (1)

elucido (870205) | more than 4 years ago | (#32702084)

who is "they"? And how would they force you to log into 4chan?

Quite a few problems (4, Insightful)

king neckbeard (1801738) | more than 4 years ago | (#32702124)

1. I don't trust the government to be competent with this
2. I don't trust the government to not abuse this power
The government is perhaps the single most important entity to protect yourself from. If cashflows and internet security are under the government's thumb, then contaband and actions to protect yourself from the government are going to be much harder to come by. I don't want a government ID credit card, I want a closer equivalent to cash, so i can make online purchases with LESS of a paper trail.

side benefits (1)

bl8n8r (649187) | more than 4 years ago | (#32702204)

having a government run operation where I can safely store my name, address, soc. # and ip address sounds awesome. It will bring states an easier way to collect sales tax for my online purchases too which will save me some time filing out my taxes every year. Since it's run by the us gov, I'm sure they'll have a reputable source overseeing the security of the system also. You know, like Diebold or maybe Blackwater.

Great (0)

Anonymous Coward | more than 4 years ago | (#32702214)

Great! Now we can vote online directly on all issues most frequently. Since most of us are more educated, and capable of casting intelligent votes. We no longer have to rely on one or two potentially crazy representatives. Goodbye bribery! Lol! Ya right!

Seriously though. I picture an online system where we can subscribe to categories of interest (eg. Technology) and get a list of issues to vote on at the federal, state, and local. I won't be happy until the founding fathers idea of giving the people as much direct representation as possible is restored. We no longer ride horses and can't read, we should be representing ourselves.

Does not sound very confident (1)

l2b (40934) | more than 4 years ago | (#32702228)

More spew from some NoBama pseudogeek.

From the Executive Summary:

"The Identity Ecosystem reduces the risk of exploitation of information by unauthorized access through more robust access control techniques." (pgs 4-5)

If the author is this tentative in the Executive Summary, I don't have much confidence that the result will be anything solid.

Besides, the EFF and such should oppose the imposition of any government identity 'mandates'. I know this draft says that "participation in the Identity Ecosystem is voluntary for both organizations and individuals", but we all know how these things grow up into requirements.

Missing tag (0)

Anonymous Coward | more than 4 years ago | (#32702232)

And where's the what_could_possibly_go_wrong tag? :)

ID theft (0)

Anonymous Coward | more than 4 years ago | (#32702242)

Given how wonderful gov. regs are at dealing with plain old identity theft, imagine just how well this is going to work out.

Hmmm (1)

Grimmreaper74 (1014291) | more than 4 years ago | (#32702286)

Getting closer to the mark of the beast...

Your plan advocates a (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32702312)

Your plan advocates a

(x) technical (x) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
(x) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
(x) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

And just what happens.... (1)

mark-t (151149) | more than 4 years ago | (#32702380)

.... when it is compromised?

Can you say single point of failure?

Internet Citizenship (0)

Anonymous Coward | more than 4 years ago | (#32702396)

I believe this is being approached the wrong way. The internet is its own virtual country and doesn't translate to physical boundaries. And as such will only be able to define itself by itself, and not by some outside agency. The internet is more like the old west, with complete anons and outlaws and will always be the out west. But just like the days of old, groups of people got together and formed territories, and those join to form larger states, and self governance and all its other issues where created. So basically what i in-vision is an internet government with internet citizenship, and where those identities can be judged and tried with penalties of not being able to use said country.

Hmmm... (1)

mace9984 (1406805) | more than 4 years ago | (#32702446)

And we'll take this ID, and implant it under your hand, or, if you're really "cool", we'll put it under your forehead. We'll expand it to track your finances, so you only use that when you shop anywhere too! (It's the end of the world as we know it....)

The end of anonymity (2)

nurb432 (527695) | more than 4 years ago | (#32702468)

This is what we are witnessing. And its going out with applause and support. :(

Great... (1, Insightful)

Anonymous Coward | more than 4 years ago | (#32702504)

Hack once, access all

Fighting the Anonymous Cowards (5, Insightful)

roman_mir (125474) | more than 4 years ago | (#32702528)

Read this proposal for what it is: a different way to name an attempt of removing anonymity from the web.

The NSTIC, which is in response to one of the near term action items in the President's Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. ...

- I am sure this is going to be made a requirement for a site to operate at some point, add this to the 'Internet kill switch', add the Patriot Act to it, multiply by Home Land Security and don't forget to factor in the rendition, you are going to have an interesting situation.

The President will be able to shut down portions of the Internet, he will be able to identify who was saying what and when, this entire thing reeks of totalitarianism - complete control by the government over the dissemination of information and total knowledge of who was saying what on which topic plus ability to take action - shut down the dissenting portions of the web and then 'taking the necessary care' of those, who dare to oppose the government in any way, be it direct opposition to specific policies or be it simply providing information to the people that government wants to keep quiet and providing a forum to discuss this information.

I feel like I've seen this somewhere... (1)

cybrodroid (1842676) | more than 4 years ago | (#32702538)

I agree that we need to make a few changes to prevent the decline of the country, but I'm not sure if that should include becoming Korea.

Voluntary eh? (3, Insightful)

fluffy99 (870997) | more than 4 years ago | (#32702558)

Except you'll probably be required by the states (who are held hostage by federal funding) to have one to get a drivers license or benefits. This is yet another back-door attempt to institute a national ID card, except this would also happen to let the govt decrypt all your transactions.

Re:Voluntary eh? (1)

Bruha (412869) | more than 4 years ago | (#32702678)

What on earth do you call your Social Security # then? It's used for virtually any transaction now days. Credit, Health, Government. The only thing that does not require it is buying groceries.

I want this (0)

NonSequor (230139) | more than 4 years ago | (#32702588)

Let me disclose up front: I work with personal information.

Our current identity infrastructure blows goats. If you know someone's name, social security number, date of birth, and mother's maiden name, then for all practical purposes, you are that person.

Never mind that those identifiers are easy to obtain and never mind that the problem of verifying that a person is who they say they are can easily be solved using a web of trust model based on their relationships with durable entities (e.g. I have a record in my phone provider's database with my name and address, I have a record in my bank's database with my name and address, I pay rent each month under my name with that same address).

I shouldn't have to worry about some assclown who doesn't answer my phone or receive my mail getting a credit card linked to my credit score. This isn't a hard problem it just requires some infrastructure. And if you think solving this problem is a threat to anonymity on the internet, you're clueless.

Re:I want this (0)

Anonymous Coward | more than 4 years ago | (#32702664)

Solving THAT particular problem that you mention may not necessarily be a threat to anonymity on the internet - but the US (and other western) governments, and their plans for the internet (including this) certainly are, and if you can't see that, you're clueless.

Re:I want this (1)

NonSequor (230139) | more than 4 years ago | (#32702782)

Solving THAT particular problem that you mention may not necessarily be a threat to anonymity on the internet - but the US (and other western) governments, and their plans for the internet (including this) certainly are, and if you can't see that, you're clueless.

Establishing an infrastructure for allowing people to identify themselves in their dealings with commercial entities is a different thing from requiring people to identify themselves in online forums. Confusing the two is silly.

NOBODY WANTS THIS... (4, Interesting)

Panaflex (13191) | more than 4 years ago | (#32702684)

I should know, we spent 3 years building the most secure commercial internet authentication system, with a 5 site redundant cloud of authentication services. 3 of 5 sites were necessary to pass an authentication, so we could handle two complete site thefts, or two complete site disasters and still authenticate safely (auth material was split utilizing a secret sharing algorithm). Each of our data sites were military-grade EMI/Faraday cages, under separate corporate ownerships.

In other words we spend millions on building the easiest & safest way to authenticate a user on the 'net, with most of that on auditing, code reviews, facility buildout etc...

And nobody wanted it!! Not for any price... not even for 50 cents/user a year!! Banks said users would NEVER type in two passwords,... HA!

This is part one of the plan.. (2, Insightful)

bagofbeans (567926) | more than 4 years ago | (#32702688)

..where the common ID is voluntary, reasonable, useful.
Part two is the law forcing all ecommerce to use the ID for taxation.
Part three is the law forcing all political discourse comment (blogs etc) to use the ID to protect the children and prevent terrorism.

Never used a real name on the internet. (1)

leuk_he (194174) | more than 4 years ago | (#32702718)

Most of you never use a real name on the internet. I use this alias "leuk_he" for over 10 years.

Why? because what you put on the internet can never be deleted. And because you cannot be sure how some internet forum will use your privacy. Privalcy never was very important on the internet. And this was worked arround all this time by using handles/aliases. THere is a new generation now that freely uses their real name on facebook. But those same induviduals will bump their head in 5 year because a new boss will be able to find their view on vampires a little bit disturirbing.

A real-ID on internet will only make this privacy thing more urgent.

--leuk_he

Huh (1)

Hognoxious (631665) | more than 4 years ago | (#32702772)

For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords

I don't mind having to remember an ever expanding list of usernames and passwords. And I don't see how that's more insecure than something with a single point of failure.

Individualized Internet kill switches (1)

impeach (1760162) | more than 4 years ago | (#32702794)

Mark Klein, the retired AT&T communications technician, whistleblew the existence of secret NSA spy rooms with data-mining equipment called a Narus STA 6400, "known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets". Senator Lieberman promises the "Internet kill switch" is not really a kill switch and won't be abused like that. The same specious promises were made about not abusing the PATRIOT Act. Lieberman's Enemy Belligerent Act allows for disappearing even American's, without due peocess, into a black hole. If people can be physically disappeared, why not virtually, too? Add to those, the massive NSA data centers, now under construction. You have a recipe for disappearing dissidents and upstarts and most especially, whistleblowers. Think Wikileaks, etc.

One Step Closer (2, Interesting)

Russianspi (1129469) | more than 4 years ago | (#32702806)

I almost checked the "Post Anonymously" button on principle, but the difference is that I can choose what part of my identity to share with Slashdot. I just finished reading How to Access the Internet, A Guide from 2015 [blogoscoped.com] when I flipped to Slashdot and saw this article. Here's the first step. Creepy.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...