Slashdot: News for Nerds

229 comments

Thanks, but no thanks... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#35849052)

No way, Barry...

Re:Thanks, but no thanks... (1)

Compaqt (1758360) | more than 3 years ago | (#35849530)

Remember the days when only dictatorships required "Internet drivers licenses" to access the Internet?

From TFA: "entirely voluntary" (4, Insightful)

Anonymous Coward | more than 3 years ago | (#35849066)

Just like a SSN.

Re:From TFA: "entirely voluntary" (1)

bitbucketeer (892710) | more than 3 years ago | (#35849282)

Probably more like EDIPI: .

Re:From TFA: "entirely voluntary" (4, Insightful)

tripleevenfall (1990004) | more than 3 years ago | (#35849336)

My guess is this will go from "great, safe option" to "suggested" to "merged with your SSN and required" to "Used to search for and track 'potential domestic terrorists'".

Probably won't take too long either.

Re:From TFA: "entirely voluntary" (-1)

Anonymous Coward | more than 3 years ago | (#35849644)

Your guess. And you're such an expert. Anything else you've predicted?

SSN is not voluntary (1)

frnic (98517) | more than 3 years ago | (#35849540)

But you don't have to give it to anyone - of course they don't have to do business with you if you don't.

Re:From TFA: "entirely voluntary" (1)

cinderblock (1102693) | more than 3 years ago | (#35849568)

Exactly. Except secure.

Instead of farming the job out to private corporations, a government agency should be in charge of it. One with a large web presence. They maintain your public key and force you to update keys regularly. (Opt-in of course, if you want the benefits of the secure online identity). There would also be physical locations, maybe just extend the DMV's job (I know, shoot me) or some other agency that is already in the business of authenticating people that would serve as the human fallback that the masses need to fix any security issues.

Private corporations could try to step into the personal key managing business. We just can't trust private industry to keep the people's interests at heart. That is what the government is (supposed to be) for. And regulation of the private industry that would handle this would just be a slow and wasteful alternative.

Re:From TFA: "entirely voluntary" (1)

Anne Thwacks (531696) | more than 3 years ago | (#35849650)

Cos no one can hack into US government computers, not even Gary McKinnon!

Let me guess (2, Insightful)

calmofthestorm (1344385) | more than 3 years ago | (#35849086)

Requires Windows (tm) 7 (tm) Professional (tm) using an Intel (tm) chipset supporting a Trusted Platform Module (tm) with keys in escrow by the issuing authority.

Re:Let me guess (2)

vuke69 (450194) | more than 3 years ago | (#35849108)

Too many (tm)s, I'll pass.

Re:Let me guess (-1, Troll)

Anonymous Coward | more than 3 years ago | (#35849122)

BS...

In some European countries it already exists. Like in Holland we've a "DigID", which is used for on-line services incl. sending in your tax form.

US is way behind online services. If I'm not mistaken you guys still have to go to 711 to pay your electricity bill.

Hello... online banking ?

Re:Let me guess (1)

calmofthestorm (1344385) | more than 3 years ago | (#35849134)

All these services are available in the US, though they're not really secure at all. I've never been to a 711 in my life (it's a gas station right?) and do all my banking online.

Doing all your banking online (1)

tepples (727027) | more than 3 years ago | (#35849174)

A 7-Eleven store is a small grocery store similar to the stores at gas stations, though I've never seen one with gasoline pumps in front of it.

If you do all your banking online, how do you deposit cash or checks that other individuals give you? Do you mail the checks, and buy money orders with the cash and mail those? And do you refuse to take any job that doesn't direct deposit your paycheck?

Re:Doing all your banking online (1)

calmofthestorm (1344385) | more than 3 years ago | (#35849212)

I've never been offered a job that didn't direct deposit my paycheck and I've been working since high school. BoA has a smartphone app for depositing checks by taking a picture, and usually I just hand off cash or keep track of debts on whiteboards/Google Docs with my friends and take turns paying. Never heard of a money order except on those cheesy TV infomercials. I got my first checking account earlier this year. Move money around from various accounts via HSBC online. They even have an option to pay someone, they'll either direct deposit or mail them a check -- you just put in name, address, and amount. It's how I paid my rent last year.

Part of it is I basically refuse to deal with dead-tree paperwork, but I've never really had to compromise this principle. If you shop around you can find all the services you need. One reason I'm pissed about this plan is I expect to see required Windows-only crapware installed just to do tasks I've become accustomed to.

Re:Doing all your banking online (1)

zippthorne (748122) | more than 3 years ago | (#35849268)

I believe there are apps out there for a few banks that let you take a picture of a check with your smartphone, and it registers it and deposits it. I'm not sure if it works for personal checks, though, but who uses those any more?

Re:Doing all your banking online (2)

tepples (727027) | more than 3 years ago | (#35849534)

I'm not sure if it works for personal checks, though, but who uses those any more?

People who have been paying utility bills for decades by mailing a paper check. I've got a couple in my family.

And how else does one person pay another person through the mail, such as money included with a birthday card? Most individuals don't take credit cards. Or have gifts included with birthday cards moved to Walmart gift cards? Or have people stopped celebrating birthdays [spotlightm...ies.org.uk] where you live?

Re:Doing all your banking online (1)

nschubach (922175) | more than 3 years ago | (#35849704)

I'm not a Jehovah's Witness, but our family has pretty much never celebrated birthdays and other holidays (except Christmas). My parents (who are on again/off again Christian religious) visit me on mine and we go eat, but my brothers and I do not do anything besides Christmas... and that's good enough for me.

Re:Doing all your banking online (1)

isopropanol (1936936) | more than 3 years ago | (#35849730)

People who pay rent.

Re:Doing all your banking online (1)

Gerzel (240421) | more than 3 years ago | (#35849284)

Depending on the field you wouldn't be refusing much.

Direct deposit is a fairly standard option and is even available to many small businesses.

Re:Doing all your banking online (1)

SpiralSpirit (874918) | more than 3 years ago | (#35849288)

if you get a cheque, you go to an ATM at the bank and deposit it, or to the teller and do the same thing. I'm not really sure where you're getting this 7-11 thing. I live in Canada and the only reason to go to 7-11 is slurpees.

Deposits for banks with no ATM in town (1)

tepples (727027) | more than 3 years ago | (#35849488)

if you get a cheque, you go to an ATM at the bank and deposit it

ATMs in my town won't take deposits for other banks, including online-only or otherwise out-of-town banks.

Re:Deposits for banks with no ATM in town (1)

QuoteMstr (55051) | more than 3 years ago | (#35849634)

Most banks let you make deposits by mail [citibank.com] .

Re:Doing all your banking online (2)

calmofthestorm (1344385) | more than 3 years ago | (#35849496)

You backward canucks still get your slurpees in stores? In America we order and enjoy them online! No need to leave the sofa and no mess.

Re:Doing all your banking online (1)

ZankerH (1401751) | more than 3 years ago | (#35849430)

People still use checks? I haven't seen one since the mid-90s, and I've had the displeasure of holding jobs that involved handling other people's money for most of that time.

Re:Doing all your banking online (2)

Sporkinum (655143) | more than 3 years ago | (#35849580)

Any time a business or utility charges a fee for electronic payment, you can bet they are going to get a check from me. .44 cents beats the $5 or so they charge for electronic payments. Same thing with efiling state taxes. If the state wants me to efile, make it cheaper than .44 cents. Right now, it's between $10 and $20 to efile depending on who does it.

Re:Doing all your banking online (1)

e9th (652576) | more than 3 years ago | (#35849654)

I pay my housekeeper and gardener by check. Neither of them accept credit cards, and it cuts down on the amount of cash I need to keep around.

Re:Doing all your banking online (1)

Pax681 (1002592) | more than 3 years ago | (#35849734)

A 7-Eleven store is a small grocery store similar to the stores at gas stations, though I've never seen one with gasoline pumps in front of it.

I was in Denver last October/November and there were 711's aplenty with pumps in front bud.

maybe it just depends on your locale

Re:Doing all your banking online (1)

metrix007 (200091) | more than 3 years ago | (#35849844)

The rest of the world moved past checks about 10 years ago. We just transfer money between accounts securely, conveniently and relatively speedily.

What money transfer fee? (1)

tepples (727027) | more than 3 years ago | (#35849894)

We just transfer money between accounts securely, conveniently and relatively speedily.

You didn't say cheaply. How much do the source bank and destination bank charge for each such transfer?

Re:Let me guess (1)

tripleevenfall (1990004) | more than 3 years ago | (#35849344)

I think one point of this "service" is that it will lay the groundwork for the government to tax the internet without having to go through the legislative process. At least not until they are just one step away.

Re:Let me guess (0)

Anonymous Coward | more than 3 years ago | (#35849160)

> Hello... online banking ?

Huh? I'm in the US and have been using online banking since sometime in the 90's.

Re:Let me guess (0)

Anonymous Coward | more than 3 years ago | (#35849226)

BS...

In some European countries it already exists. Like in Holland we've a "DigID", which is used for on-line services incl. sending in your tax form.

US is way behind online services. If I'm not mistaken you guys still have to go to 711 to pay your electricity bill.

Hello... online banking ?

Holland is way behind online services. If I'm not mistaken you guys have no idea what you're talking about and make inferences based on your tarot cards on what is going on in the US.

Hello... online news?

Re:Let me guess (0)

Anonymous Coward | more than 3 years ago | (#35849412)

Your DigID is called an electronic signature here. It requires your SSN and a pin number that you choose.

Re:Let me guess (5, Insightful)

iluvcapra (782887) | more than 3 years ago | (#35849214)

After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data:

Limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements;
Limit the use of the individual’s data that is collected and transmitted to specified purposes;
Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and
Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

Surely this is the thin end of the wedge of tyranny.

Re:Let me guess (3, Insightful)

jd (1658) | more than 3 years ago | (#35849362)

Since all tyrannies require those tyrannized to still be breathing, oxygen is the thin end of the wedge to tyranny. (In other words, almost anything can be dual-purposed for "good" and "evil", so almost anything can be considered the thin end of some wedge or other. It renders that entire line of reasoning pointless.)

Re:Let me guess (1)

iluvcapra (782887) | more than 3 years ago | (#35849392)

* <------- sarcasm

Depiction of "you" elided for brevity.

Re:Let me guess (1)

icebike (68054) | more than 3 years ago | (#35849708)

After reading the document, there really aren't any system requirements, specific technology or any kind of actual implementation, all it really does is set out some goals and establish a certain vocabulary. It's utterly anodyne and will probably die before being considered because it sets out concrete goals for private companies that handle identifying data

Actually the more you read on it the less evil it sounds.

It requires on-device credentials (files, private keys, or some such).
It transmits no passwords, instead using one-time keys calculated and negotiated for a single use.
It uses third party authentication.
It requires user control of exactly which data elements are to be shared.
Passwords would presumably be required to decrypt/access your own on-device credential cache.

So, basically you have something like Kerberos [wikipedia.org] where any number of different private/commercial entities offer authentication services (for a fee) which can be used on any number of websites to verify authenticity and identity for purchases, banking, money transfers (NFC [wikipedia.org] ), etc. Your bank may enter into this business, or maybe Google, or PayPal, or your Credit Card company.

The feds are involved to establish the rules, enforce privacy, and [tinfoil] assure government backdoors [/tinfoil].

There are already private companies in the identity space (Thawte, Verisign, et al) although they concentrate their efforts on the server side. These companies, and your bank, could easily move into this space.

It would be best if it could be mandated that the methods be fully public domain, visible, and open. Anything that will not withstand public scrutiny of every bit of authentication transaction code will not survive in the real world. Put 100,000 pairs of eyes on the code and it has a chance of being bullet proof.

Down side: When someone steals your smartphone and somehow obtains your password to unlock your credentials, you will be hard pressed to prove it was not YOU who emptied your bank account. But such an attack requires access to your device AND your password, as opposed to the current situation where simple knowledge of your credit card number is often enough to siphon off your funds, with some merchant eating the bulk of the loss.

This won't die, because businesses need it.

Fraud and identity theft are becoming rampant. NFC is the next big thing for phones (smartphones AND feature phones) and credit cards are notoriously insecure.

Having the government involved is a tactical mistake due to the mistrust of government agencies due to repeated abuses. It would be better to just form an open commission of banks, security experts, and user groups and credit card clearing companies and let them work it out in the OPEN.

Re:Let me guess (1)

dasdrewid (653176) | more than 3 years ago | (#35849874)

Be accountable for how information is actually used and provide mechanisms for compliance, audit, and verification; and Provide effective redress mechanisms for, and advocacy on behalf of, individuals who believe their data may have been misused

Considering we still haven't managed to do this for our electronic voting systems, I foresee a long future of this not happening if they actually put this in as one of the requirements...

Re:Let me guess (1)

tqk (413719) | more than 3 years ago | (#35849266)

Requires Windows (tm) 7 (tm) Professional (tm) using an Intel (tm) chipset supporting a Trusted Platform Module (tm) with keys in escrow by the issuing authority.

I thought we'd decided not to reinvent wheels: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x48EE77B1AC94E4B7 [mit.edu]

Re:Let me guess (1)

calmofthestorm (1344385) | more than 3 years ago | (#35849302)

Thing is the GNU foundation doesn't make large contributions to various political campaigns, so its products aren't MSXZYJLAMP certified.

Re:Let me guess (1)

tqk (413719) | more than 3 years ago | (#35849432)

Thing is the GNU foundation doesn't make large contributions to various political campaigns ...

Why is it that this is common knowledge on /., yet this seems never to end up on the nightly news shows?

Oh, I forgot, I don't watch those (very often).

Is the US really broken and bought by and in the pockets of special interests, or is that just /.'s perception? From this Canuck's point of view, ever since I heard of Senator Byrd, I'm inclined to believe this. I never imagined this could happen when I was a kid.

more like a trustdead list of suspects (-1)

Anonymous Coward | more than 3 years ago | (#35849114)

from character.assess.assassinate.censor.gooed.biz.gov

the same guys in the same house of credit cards who told us god would provide unlimited prosperity just a few short years ago. alas, now the much touted prosperity must be limited to chosen trusted touted chosen ones. the rest, deleted, as usual, nothing new under god's heaven can't wait. .disarm.leave.trustusonthiswon

thanks. satanic sunday could not be more self-exposing?

Re:more like a trustdead list of suspects (0)

Anonymous Coward | more than 3 years ago | (#35849152)

You missed your snowclone [faqs.org] a bit.

Trusted ID (1)

umask077 (122989) | more than 3 years ago | (#35849124)

A few years back my email account got hacked, they got my Yahoo contact list and bombarded people with spam. My solution to this problem was to install Enigmail on to my Thunderbird reader. This program allows me to easily digitally sign all messages. Granted the world is full of people not smart enough to verify a PGP signature but at least they know if the signature block isn't there. It is not from me.

Re:Trusted ID (0)

Anonymous Coward | more than 3 years ago | (#35849190)

And sadly, this solution won't prevent that from happening in the first place. More tax dollars to waste.

Re:Trusted ID (3, Informative)

icebike (68054) | more than 3 years ago | (#35849762)

And sadly, this solution won't prevent that from happening in the first place. More tax dollars to waste.

Except there are very little tax dollars involved. The effort is to be largely private.

And if you needed secure credentials to get into your yahoo account, it would certainly go a long way toward preventing it from happening in the first place. Previously all they had to do was guess your (weak) password. With this, they would need certificates/keys stored on your computer AND your password to unlock these.

Even now you can set a switch in Gmail that insists all access to it be via ssl so that your password never travels over the net in cleartext. This might be even better than that option, as one-time keys can be negotiated of any length which would be unique for each session.

However, login is not the focus of this effort. Banking and on-line purchases are.

Re:Trusted ID (1)

sakdoctor (1087155) | more than 3 years ago | (#35849338)

but at least they know if the signature block isn't there. It is not from me.

Yeah, I do something similar.

^_^

Never going to work. (1)

Anonymous Coward | more than 3 years ago | (#35849132)

Never going to work while the security of home PC's is Swiss cheese.

Re:Never going to work. (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35849308)

Never going to work while the security of home PC's is Swiss cheese.

Not to worry. Palladium, er, I mean the 'Next Generation Secure Computing Base', er... umm... the 'Trusted Computing Group' will save us from that (and the evils of piracy and software that isn't signed by Verisign!)

Re:Never going to work. (1)

JeanInMontana (2020420) | more than 3 years ago | (#35849592)

Agree, security starts at home. If it stops companies like Comodo with a history of bad business practices from being allowed to issue SSL certificates it's worth it.

Oooh I know! (5, Funny)

Haedrian (1676506) | more than 3 years ago | (#35849176)

Let's give controls of the keys to the Homeland Security.

I'm sure we can trust them with our internet.

Taxes, spying, control. (5, Insightful)

assemblerex (1275164) | more than 3 years ago | (#35849180)

Items purchased with trusted ID: Washing machine, PS4, Glycerine, Shower tiles cleaner (flagged combo).
Taxes due on purchases $156.00. Forwarding purchase of glycerine and acid product to FBI for examination.

Nothing new, fool (0)

Anonymous Coward | more than 3 years ago | (#35849332)

Do you think banks and credit cards do not already report you unofficially to the feds? or when asked (and they are not allowed to say they were asked) do you think they will put up any sort of legal fight? Some librarians did, but mega corps who have working control of the aspects of government they want already - I doubt it; they may in fact volunteer or tell the gov to go after somebody... like Wikileaks for example (the state dept seems to work for the corp interests.)

Re:Taxes, spying, control. (2)

enormouspenis (741718) | more than 3 years ago | (#35849542)

...Trusted ID suspended pending completion of examination of email content and all online activities using government issued ID. Legal hearing required to restore online privileges.

And now... (0)

Anonymous Coward | more than 3 years ago | (#35849196)

Here is a disaster waiting to happen! Any bets on how long before this system is compromised? :-(

Re:And now... (1)

icebike (68054) | more than 3 years ago | (#35849796)

SSH, and Kerberos have been compromised multiple times, and rapidly fixed each time.

If it's open source, even if your Ebay account is compromised, all they get is your Public Key and an encrypted file full of gibberish.

The format (5, Funny)

TheSpoom (715771) | more than 3 years ago | (#35849204)

The format of the Trusted ID will be a nine digit number, separated into three groups by dashes...

so now that they "trust" it (-1, Troll)

Anonymous Coward | more than 3 years ago | (#35849208)

he is gonna release his birth certificate for anyone to be viewed using this platform, right?

Re:so now that they "trust" it (1)

psithurism (1642461) | more than 3 years ago | (#35849476)

If people can't see this: http://msgboard.snopes.com/politics/graphics/birth.jpg [snopes.com] , realize that birth announcements were made in the local papers, and notice that multiple agencies have put investigating its legitimacy and found it real, then no amount of convincing that trustedID is trustable is going to convince them.

If I have to bring at least two newspaper articles, several sworn officials, several in depth investigations and court rulings in support of my identity to prove myself for an amazon purchase and it is still not enough, I don't think I am going to adopt that system.

They need to use the right statistics (3, Informative)

chimerafun (1364591) | more than 3 years ago | (#35849250)

This is just another step in the government's plan to control our online lives. John Locke states that the reason for this plan is that 8.1 million people were victims of identity theft in the US last year. What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.

Re:They need to use the right statistics (3, Informative)

iluvcapra (782887) | more than 3 years ago | (#35849354)

What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.

It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

Re:They need to use the right statistics (1)

Kjella (173770) | more than 3 years ago | (#35849666)

this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a central registry that I have to report in when I move, so I get all the local voting rights, pay the right local taxes and so on. Even the card that gives me 3% off at the grocery store and pays out when it reaches a certain amount has to have that ID, because even those 20$ are reported to the government as my asset. Along with audit requirements that means many, many people past and present have to know it. That it's also written on my drivers license in my wallet is the least of my worries. Of course the explanations are all the usual ones, tax fraud, money laundering, mistaken identities and so on. Fair enough but you can't both have your cake and eat it too, if so many people know it then it's not a very well kept secret.

Re:They need to use the right statistics (0)

Anonymous Coward | more than 3 years ago | (#35849768)

This is why identification and authentication must not be conflated.

It's not a secret, don't use it to authenticate (1)

js_sebastian (946118) | more than 3 years ago | (#35849878)

this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers

Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a central registry that I have to report in when I move, so I get all the local voting rights, pay the right local taxes and so on. Even the card that gives me 3% off at the grocery store and pays out when it reaches a certain amount has to have that ID, because even those 20$ are reported to the government as my asset. Along with audit requirements that means many, many people past and present have to know it. That it's also written on my drivers license in my wallet is the least of my worries. Of course the explanations are all the usual ones, tax fraud, money laundering, mistaken identities and so on. Fair enough but you can't both have your cake and eat it too, if so many people know it then it's not a very well kept secret.

It's not a secret, well kept or otherwise, any more than your date of birth is. But I am pretty sure that someone cannot create a bank account or get a credit card in your name just because he has found out that non-secret number. The problem they have in the US is that with no national id and with many people not having a passport, companies resort to all sorts of bizarre things to identify people (including the social security number, which was never meant for that purpose, or absurdities like your mother's maiden name, or an electricity bill delivered to your address).

Re:They need to use the right statistics (2)

icebike (68054) | more than 3 years ago | (#35849866)

>It works both ways though: you can create an online account or forge the identity of someone else with nothing more than what is in a wallet. People dumpster dive or steal wallets, and then use the Internet to create false accounts with the information in a wallet or discarded credit application. The problems with validating identity allow a thief to turn a stolen wallet into a stolen identity, this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers, or requiring three-factor auth for credit transactions.

The document in the TFA proposes no central repository or government database, and proposes a private system that's only regulated by the government to prevent fraud and set minimum standards. Your characterization of the proposal is a strawman.

Exactly right. At least Somebody here gets it.

Furthermore even if a stolen wallet is used to create an identity, they couldn't use it to access your bank account, because your bank already knows that this account is locked by a different authenticated identity. You can easily prove you didn't order those 15 60-inch TVs because it's not your Secure ID.

So many people here rush to judgment. Or worse, they decry this effort while propping up PGP, not realizing that it is essentially the same thing, with a more reliable web of trust. It's like having your Bank sign your PGP credentials used to purchase on-line.

Fantastic. (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35849296)

Remember how we were just talking about the nasty, gaping, holes in the practice of using CAs to verify SSL certs? How the CAs were largely rent-seeking incompetents with strong market incentives to do inadequate verification while simultaneously trumpeting their security? How there were just too many of them, and a compromise at any served to threaten the security of all SSLed connections?

Well, yeah, that kind of sucks because this plan looks very similar: Some kind of public/private key system, with multiple totally trustworthy(tm) private sector vendors, subject to the twin incentives of trying to establish themselves as one of the 'trusted' trusted identity trustees, so that they get the user fees and user data; but also likely to start getting sloppy on the verification side; because everybody hates a cost center...

Mathematically, most of the hard work has already been done, and the engineering required to put some sort of secure hardware widget, while not something to be left to the naive, isn't exactly terra incognita (smart card ICs, and/or the integrated USB+smartcard chip+optional definitely-not-keylogged-keypad are a well established product category some generations old at this point); but the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked.

Re:Fantastic. (1)

jd (1658) | more than 3 years ago | (#35849420)

It depends on the details, none of which exist yet. The theoretical benefit of a quango is that because they can get some/all income via taxes, they should be able to do a better job. Market forces dictate that a private company can NEVER do a better job than the market will bear and it is clear from the multitude of SSL disasters over time (I'm including Verisign's handing out of Microsoft's private keys in the early days) that the market won't tolerate quality work at all. A quango has no such limitation. However, for precisely the same reason, the market can't dictate a minimum level of quality either, but someone has to and it has to be exceedingly high. The quangos that are a disaster are the ones with no oversight to ensure that quality control.

Re:Fantastic. (1)

iluvcapra (782887) | more than 3 years ago | (#35849602)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked"

The two ways you can approach incentives are (1) make the penalties for data breaches much more severe, to the extent that private companies that keep personal data must safeguard it, and (2) make a bunch of rules that govern how personal data can be collected and used, how much information you need in order to consider a transaction bona fide. Both have their limits -- make (1) too strong and you'll scare companies off the Internet, because data breaches are unavoidable. Get too crafty with (2) and you might make compliance so complicated you'll also scare companies out of offering services.

A real question is, do people actually need secure online identities that map to real humans? It's pretty clear that you absolutely need secure ways to map information to checking account numbers, credit cards, facebook profiles, host logins, all that good stuff, but do you need something that ultimately points to a person? If you do then there's a huge potential for rent-seeking, since the identity and your sole right to use it is a kind of patent, a created and indefeasible proprietary interest, something you can't do without, and is only useful insofar as protected by state power. Whenever you're forced to use something that must be maintained and cannot be disposed of or sold, you're in rent territory.

The best way to avoid these is with localism and webs of trust. It'd be great if our credit card companies all staged keysigning parties and only corresponded with us in signed emails, but most people don't understand the technology, and most people don't really understand how *trust* works. They just want something simple and for someone else to make it safe for them, thus the government has gotten involved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)

iEYEARECAAYFAk2rPe0ACgkQdILWxH wGqZeM4wCeOurkI4ysnyO3Avvab6vpoLkN
soIAn0ax1r4xkl5Xov2if7imOPlcA0o4
=fsi9
-----END PGP SIGNATURE-----

(spaces added to signature to appease slashdot's filter)

finally the genuine 'mark.of.the.beast.gov'? (-1)

Anonymous Coward | more than 3 years ago | (#35849306)

you got it. all of our prayers answered at once. knowing who we can trust simply by accessing our #ed account at youcantrustus.gov to find out just who can, & cannot be trusted, on any given day, as that's subject to change, depending on if queers are still queer, on any particular day, coinciding with a trusted.gov love to hate focus message, on any given (to us by our trusted (with our lives) rulers) day.

Voluntary? LOL (2)

Glarimore (1795666) | more than 3 years ago | (#35849326)

It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.

Re:Voluntary? LOL (2)

vlm (69642) | more than 3 years ago | (#35849490)

It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.

You would think the nice heroically ethical guys at the ISPs and/or CC companies and/or tracking and marketing companies would have thought of this money making business model a long time ago... The lack of (known) implementations of this business model, indicates something about its likelihood of success.

Unrealized potential? (2)

fahrbot-bot (874524) | more than 3 years ago | (#35849342)

From TFA:

Because of online fraud, many people don't trust the Internet, Locke added. "It will not reach its full potential -- commercial or otherwise -- until users and consumers feel more secure than they do today when they go online,"

Yes, the Internet has been a pretty big failure so far. :-) What more "full potential" is he talking about?

it's optional (1)

hugg (22953) | more than 3 years ago | (#35849356)

Don't worry, they point out that use of the system is completely voluntary. Just like owning a mobile phone or participating in interstate commerce.

Re:it's optional (1)

TheGratefulNet (143330) | more than 3 years ago | (#35849772)

I don't own a mobile phone.

really. no kidding.

I'm online almost all the time when home. what is it with you kids (...) that you have to be 100.0% online?

I have no phone; especially not a 'smart' phone. look how much time and aggravation I've saved, not to mention I own a lot more of my private life. the less it leaves traces here and there, the more privacy I keep. I like that.

you enjoy your little phone, there. I'll enjoy my peace of mind and the extra $1k a year I am saving.

This pisses me off (0)

Anonymous Coward | more than 3 years ago | (#35849360)

All the pussies in this country have proven time and again that they will gladly trade privacy for a false sense of security. Idiots. You might as well get ready for this to pass.

Direct link (5, Informative)

vlm (69642) | more than 3 years ago | (#35849378)

Rather than hittin a journalist site, go direct to the source at

http://www.nist.gov/nstic/ [nist.gov]

You can trust this isn't a rickroll or a goatse because I'm usin' my trusted internet ID of VLM

The headline made me expect a detailed bit level cryptanalysis of the new protocol complete with flowcharts, etc. Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the world's ills by talking about them.

More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"

Uses advanced protection technology. (4, Funny)

140Mandak262Jamuna (970587) | more than 3 years ago | (#35849382)

Most people are familiar with the outdated ancient technology used by most computer users. The username + password system. Basically anyone can know your username. But only you know the password. That is the basic idea of protection in this system. Cyber security experts are nearly unanimous in saying this does not provide for adequate security. So the new system has been founded on a fantastic new paradigm.

It completely dispenses with the password. It is your responsibility to protect your username. If anyone from Nigeria to Nantucket knows your identification code, it means they are authorized to do any financial transaction on your behalf. This breakthrough technology makes it possible for the people creating new and exciting contracts under 409 clause to not only draw money from your bank, but also from your brokerage account, and also change your network log in id and to rearrange your netflix queue and use ftp to open your garage doors. Imagine! The New possibilities!

i trust myself... (1)

FudRucker (866063) | more than 3 years ago | (#35849398)

what i dont trust is the internets.

Typical (2, Insightful)

Anonymous Coward | more than 3 years ago | (#35849400)

Sounds about right for liberals. You have to have an ID to use the Internet, but not to vote.

Catch-22 (1)

NiceGeek (126629) | more than 3 years ago | (#35849406)

People complain about identity theft, people complain about efforts to verify ID.

Re:Catch-22 (1)

Noughmad (1044096) | more than 3 years ago | (#35849638)

To summarize the summary of the summary:

People complain.

Re:Catch-22 (2)

nschubach (922175) | more than 3 years ago | (#35849750)

The only people I've seen complain about identity theft were on TV in a commercial for the company selling identity theft protection.

OpenID ? (1)

gmiernicki (1621899) | more than 3 years ago | (#35849414)

I just RTFA... and the only question that comes to mind is.... HOW IS THIS ANY DIFFERENT THAN OPENID ?!

Re:OpenID ? (2)

vlm (69642) | more than 3 years ago | (#35849454)

I just RTFA... and the only question that comes to mind is.... HOW IS THIS ANY DIFFERENT THAN OPENID ?!

Let me give you a little analogy here, you know how your average high tech redneck installs drupal with a little apt-get install (more or less) but a govt install of a drupal site costs the govt $50M in consultative fees?

Well, yer average high tech redneck would implement openid with a little "apt-get install libopenid-ruby" and, admittedly, some hours spent running vim, but this here is gonna cost the govt about $50M in consultative fees.

Another solution, where there is no problem. (0)

Anonymous Coward | more than 3 years ago | (#35849438)

Another solution, where there is no problem. Except if you are the government and those pesky humans are doing something that needs to be taxed / regulated / or subsidized.

It's not that it will fail; it's already failed (3, Insightful)

Arrogant-Bastard (141720) | more than 3 years ago | (#35849462)

There are, at current best estimate, at least 200 million fully-compromised systems on the Internet. That number has been monotonically increasing for most of a decade, and there is no reason to expect that trend to change. (And many reasons to expect it to continue.) Not all of those are in the US, of course, but a lot of them are. This in turn means that any credentials present on those systems are now the property of their REAL owners, not the people who mistakenly believe they own them. Which means that even if such a universal ID system was properly designed (unlikely) properly built (unlikely) and properly deployed (extremely unlikely) that its first major effect will be handing over a large number of those IDs to The Bad Guys. The second major effect will be providing major incentives to The Bad Guys to compromise more systems, as the value of such increases with both their usefulness and the value of the data stored on them. The third major effect will be providing major incentives to The Bad Guys to go after any system where these IDs are stored or used, since they now have widespread usefulness, not just localized usefulness. They will be successful some of the time, of course, and we will once again get to hear the refrain of the professional liars who call themselves "spokespeople", as they solemnly intone "Nobody could have foreseen..." I think the biggest usefulness of this scheme will be filtering: anyone supporting it is clearly marking themselves as a security imbecile, should be fired on the spot, blacklisted for life, and never permitted to speak in public again on the topic of security. That won't happen of course. They'll get bonuses. That's how we reward sufficiently grandiose failure in this society.

Re:It's not that it will fail; it's already failed (1)

Aldenissin (976329) | more than 3 years ago | (#35849566)

Please use paragraphs, it makes it easier to read/parse, thanks!

Exactly, if they want to plan to do something, how about educate about sound security period. I don't care if Microsoft employs 88,000 people. What is the opportunity cost in feeding their monopoly to society and business? Competition is a good thing. We need the government to push open things like Linux, and in time even better will come along if everything is not so regulated to death, allowing for other monopolies to rise up.

one rule to rule them all (0)

Anonymous Coward | more than 3 years ago | (#35849508)

One Authentication to rule them all
One Authentication to find them
One Authentication to bring them all
and in darkness to bind them

or maybe

One government to rule them all
One government to find them
One government to bring them all
and in darkness to bind them

Trusted what? (0, Funny)

Anonymous Coward | more than 3 years ago | (#35849584)

Trusted ID? Is that like Obama's much talked about trusted birth certificate?

all the talk about it being voluntary will stop (1)

superwiz (655733) | more than 3 years ago | (#35849606)

as soon as you'll need to use it to pay taxes. Many of the taxes that are collected are collected not to keep revenue stream going but to ensure that the information records keep flowing. As soon as you can't pay your taxes online without one of these, it will be over. Since the burden of preparing taxes only keeps going up, most people will gravitate towards the electronic solutions which assist in tax-record preparation. Using this thing will be seen as just part of the cost of doing business.

Public-private partnerships (1)

Curunir_wolf (588405) | more than 3 years ago | (#35849610)

The new version more explicitly emphasizes that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.

In other words, it's a Mussolini-style Fascism model.

Consumer participation in trusted ID technologies will be voluntary, they added.

Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

Re:Public-private partnerships (1)

iluvcapra (782887) | more than 3 years ago | (#35849774)

Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.

Freedom isn't free. If you really want to live a life unfettered by a verifiable identity, that choice has real consequences for the sort of lifestyle you can enjoy, the sort of trust others will be willing to grant you, and the sort of financial transactions people will be willing to make with you.

Why not ? (2)

Yvanhoe (564877) | more than 3 years ago | (#35849636)

Having a way to authenticate a person as unique is a missing brick in many web applications, especially all the voting applications. I see it as a good thing and I have a hard time seeing how such a tech makes bad scenarios more likely.

Re:Why not ? (1)

vlm (69642) | more than 3 years ago | (#35849758)

I have a hard time seeing how such a tech makes bad scenarios more likely.

Think about a MITM attack implemented serverside on a weak server, proxying thru to a 3rd party strong server. The most secure system that uses a global auth system can only be as secure as the least secure system in the universe because the least secure system can get owned, have a MITM proxy stuck on it that talks to the most secure system.

In even more detail, spelling it all out ... the "small town journal" newspaper installs global auth so letters to the editor cannot get forged in someone else's name, people can not vote multiple times in online polls, subscription renewal, etc. Since they're a small town journal newspaper, as the name implies, they don't care too much about security ... so ... some hacker could break in and falsely make someone unwittingly vote to select the official town pie flavor to be "sh!t sandwich" for the county fair, who really cares, no one would ever do that, so security on our server doesn't really matter, says the PHB, right? Until the newspaper server gets owned. Whoops. Now every time Aunt Mildred tries to click on a poll to select "apple pie", she logs in ... to something, but it's not the newspaper, but the server side proxies a connection to connect to, for example, TBTF-Bank.com. If Aunt Mildred has an account at TBTF-Bank.com, then the proxy server at the smalltown newspaper is now authenticated as if it were her. So all her balances are wired to some bank account in the Caymans. Ooops. When she calls to complain, there's even Federal Standard Proof that it was her who logged in and authenticated, at least until they notice the reverse DNS of her request came from... and even that can be worked around if you have a cooperative bot net where at least one bot exists in "cablemodem space"

Because you can't assume there exists no server admin with an intellectual capacity of a sea slug or below, and there is no way theoretically possible to work around the MITM problem, you cannot use the system to auth anything at or above sea slug level. As a general class, this technology will never be used for much other than maybe some .gov sites, or reality show america's choice online contestant voting, etc.

Is this what it pretends to be, or something else? (1)

whizbang77045 (1342005) | more than 3 years ago | (#35849714)

Why not just brand everybody with a unique id, and stamp "666" on their foreheads?

RSA Out of Business? (1)

laing (303349) | more than 3 years ago | (#35849748)

If you extend this policy to all businesses and persons then everyone will have a trusted identity and there will no longer be a need for costly server certificates on web servers. If this is true then I will support the adoption of this "Trusted Internet ID" plan. Alternatively, if this is just another "bolted on" form of security that still requires the legacy RSA certificates, I will not support this plan.

I strongly doubt that the Obama administration would be willing to push a plan that eliminates the "business need" for RSA certificates so I guess I will oppose this plan.

Sadly, I trust Verified by Visa more (2)

Shivetya (243324) | more than 3 years ago | (#35849786)

I trust VISA and my bank more than I trust my government. I will keep voting my conscience and hopefully one day that will work out.

Hmm... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#35849794)

Arguably, "Identity" is the wrong target(or, if you think that it is the right target, I consider your motives suspect) for many applications:

"Identity" is a polite euphemism for a lot of personal information. For most purposes, it is utter overkill to achieve legitimate ends. Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid. To log into an email account, you don't need to know who I am, you just need to know that I have the key for the account.

There are, in fact, relatively few situations where the entire bundle of information that falls under "Identity" is relevant. Unfortunately, there are virtually no situations where the person you are transacting with wouldn't be happy to have the entire thing, if only for marketing purposes(or worse).

This scheme had better include some interesting zero-knowledge proof related stuff, or it is little more than a privacy giveaway to a number of private sector actors(and, no doubt, the members of the 'intelligence community' with whom they are oh so cooperative).
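The "age > legal age, nothing else" idea in the comment above, as an added example that is not part of the original post or of any published NSTIC design. It uses salted-hash selective disclosure, which is simpler than a zero-knowledge proof; the issuer/holder/verifier roles, the claim names and the HMAC key (a stand-in for an issuer's public-key signature) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Assumption: a real issuer would sign with a private
# key and verifiers would hold only the public key; HMAC stands in for that.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample identity record held by the issuer.
SAMPLE_CLAIMS = {
    "name": "Constructed Person",
    "birth_date": "1980-01-01",
    "over_legal_age": True,
}


def _digest(salt, name, value):
    """Hash one salted claim; the salt stops guessing of low-entropy values."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(),
                    hashlib.sha256).hexdigest()


def issue(claims):
    """Issuer: sign only the digests of the salted claims, never the values."""
    salted = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    digests = sorted(_digest(s, n, v) for n, (s, v) in salted.items())
    credential = {"digests": digests, "sig": _sign(digests)}
    return credential, salted  # the salted values stay with the holder


def present(credential, salted, reveal):
    """Holder: hand over the credential plus only the claims named in reveal."""
    disclosed = [[salted[n][0], n, salted[n][1]] for n in reveal]
    return {"credential": credential, "disclosed": disclosed}


def verify(presentation):
    """Verifier: return the proven claims, or None if anything fails to check."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["digests"]), cred["sig"]):
        return None
    proven = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # value altered, or never signed by the issuer
        proven[name] = value
    return proven


if __name__ == "__main__":
    cred, salted = issue(SAMPLE_CLAIMS)
    shown = present(cred, salted, ["over_legal_age"])
    print(verify(shown))  # the merchant learns this one claim only
```

The digest list and signature are identical in every presentation, so two verifiers that compare notes can still link them to the same holder; unlinkability is the part that needs the zero-knowledge machinery the comment asks for.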

Re:Hmm... (1)

vlm (69642) | more than 3 years ago | (#35849892)

Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid.

You also need to verify the shipping address is linked to your id, and not some teenager's address. Security; it's always harder than it appears.

There are about eighty zillion other "straw buyer" attack scenarios using valid auth credentials. There are also many orders of magnitude more "straw buyer" attacks that are possible with faked / stolen / impersonated / coerced auth credentials. At least some of those attacks can not be prevented, but can be tracked down afterwards, given "lots of info".

There is some legal liability unless you gather all the info you can get... Unless you do that, someone could set up "MailBoozeToFifteenYearOlds.com" and intentionally "forget" to store all the information.
