Slashdot: News for Nerds

US Gov't To Issue Secure Online IDs

Soulskill posted about a year ago | from the you-can-trust-us dept.

United States 205

Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services through a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."

205 comments

Super Timing (4, Funny)

mtrachtenberg (67780) | about a year ago | (#44636701)

The United States government has never had better timing! I'd sign up now, but I figure you guys have got it covered already, OK?

Re:Super Timing (5, Insightful)

Jeremiah Cornelius (137) | about a year ago | (#44636723)

Read as: "License to use the Internet".

Pretty fucking clever. Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email.

Re:Super Timing (0)

geekoid (135745) | about a year ago | (#44636789)

why would we read it as that? coming up for a single sign in is good efficiency, and cost savings.
It's for Government Programs, and it's free to the user.

Since the NSA grabs everything anyways, at least if it were a sign on we could end trolls and harassment online.

Re:Super Timing (5, Interesting)

drakaan (688386) | about a year ago | (#44636827)

Plus, it makes identity theft that much more convenient!~

Re:Super Timing (5, Insightful)

FuzzNugget (2840687) | about a year ago | (#44637083)

I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

Re:Super Timing (4, Insightful)

Beardo the Bearded (321478) | about a year ago | (#44637213)

I was just thinking... a single set of credentials for every online service, what could possibly go wrong?

... created by the government and sent to the lowest bidder on a system with no accountability for failure.

We'll be lucky if the oxygen tanks work properly.

Re:Super Timing (1)

The Cat (19816) | about a year ago | (#44636997)

Here's the cunt to explain everything is just fine while we climb into the railroad cars.

Re:Super Timing (3, Funny)

Anonymous Coward | about a year ago | (#44637041)

at least if it were a sign on we could end trolls

We'll all miss you.

Re:Super Timing (4, Insightful)

Anonymous Coward | about a year ago | (#44637433)

why would we read it as that?

Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?

coming up for a single sign in is good efficiency, and cost savings.

It might be good efficiency, but having a single log in for everything is the absolute worst security model you can have. It would only take one web site infected by malware to compromise your entire online presence. Even us old timers know that you don't put all your eggs in one basket.

Re:Super Timing (1)

profplump (309017) | about a year ago | (#44637653)

One of the purposes of a single-sign-on system is to avoid the need to trust individual services with your credentials; a compromise of any authenticated services should not allow attackers to impersonate you on other services.

Re:Super Timing (1)

denmarkw00t (892627) | about a year ago | (#44638511)

What? Attacker has access to your account on A and so B and C, which use the same credentials, are secure?

Re:Super Timing (2)

tlambert (566799) | about a year ago | (#44638083)

why would we read it as that?

Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?

FWIW, This is precisely how I read the idea that you'd have a single ID card that would be used with all online services.

Re:Super Timing (2)

alexgieg (948359) | about a year ago | (#44638631)

It's for Government Programs, and it's free to the user.

In that I (will) envy you. Here in Brazil a single sign-on smart card for government services valid for 3 years costs between $100 and $200...

Re:Super Timing (0)

Anonymous Coward | about a year ago | (#44636867)

Many European countries have had TV licenses for a while. Internet licenses are merely a natural progression. It's for your protection and that of the children.

Re:Super Timing (2)

Jeremiah Cornelius (137) | about a year ago | (#44637353)

As a partial Briton, TV licences are a bad analogy. They subsidise state-funded production and broadcasts.

This is more like a public-speaking licence, or a printing-press licence.

Re:Super Timing (1)

tlambert (566799) | about a year ago | (#44638027)

As a partial Briton, TV licences are a bad analogy. They subsidise state-funded production and broadcasts.

This is more like a public-speaking licence, or a printing-press licence.

Yes, but wouldn't an Internet license subsidize the state funded efforts of honest GCHQ employees attempting to protect you from terrorists? It sounds more like a TV license to me...

Re:Super Timing (0)

Anonymous Coward | about a year ago | (#44638645)

Yes, but wouldn't an Internet license subsidize the state funded efforts of honest GCHQ employees attempting to protect you from terrorists?

The USA already subsidizes that.

Re:Super Timing (0)

Anonymous Coward | about a year ago | (#44636887)

And "Federal DRM", and "complete loss of anonymity".

Expect it to be broken to allow "non-law-enforcement-registered" keys within a year of publication, at which point the feds will abandon it like they abandoned SkipJack and the Clipper Chip. And don't forget keeping the technology closed source only reviewed by incompetent people like Dorothy Denning, so they miss all the patent violations.

We've seen this kind of federal registration before, with the Clipper Chip and the fraudulently named "Trusted Computing" which should have been named "Trust Microsoft with Your Keys So They Can Lock You In Computing".

Re:Super Timing (-1)

Anonymous Coward | about a year ago | (#44637149)

Speaking as someone who has used this system in the past that's not what this is at all. All it means is that if you want to access a government service you have the option to log in with a different account which you already possess that has been previously verified. You still have the option to create a username and password combination if you wish, you just have to verify the account in some way (SIN usually). This is because government services are linked to an individual and the old system was even worse (they used to send a pass key by registered mail).

For example if I want to claim UI/EI I can log into the system and make a claim by using SecureKey and logging into my online bank account, once authorized on my banking site it sends a token to the government site that says I am who I say I am.
In the interest of protecting people from identity theft there is little reason to require this on any site except for government services, even then the system is entirely optional as a fairly large portion of the population still doesn't understand computers and the internet.

Re:Super Timing (5, Funny)

lightknight (213164) | about a year ago | (#44637555)

It's cool, they're going to beta it with a key with a chip in it, but by the time the public uses it, it'll just be a barcode that they stamp on your forehead or right hand.

Kind of looks like three sixes, but I'm sure that's just a coincidence.

Re:Super Timing (4, Insightful)

RelaxedTension (914174) | about a year ago | (#44636905)

The NSA wants to streamline its work with a single foreign key...

Re:Super Timing (0)

slick7 (1703596) | about a year ago | (#44636987)

The NSA wants to streamline its work with a single foreign key...

The real reason: It's better to issue the security keys than to steal them through PRISM.

Re:Super Timing (2, Funny)

Nrrqshrr (1879148) | about a year ago | (#44637025)

A single key for the Lord Obama, in the land of the NSA where the shadows lie. One Key to rule them all, one Key to find them. One Key to bring them all, and in the darkness bind them.

s/darkness/dnssec/ (0)

Anonymous Coward | about a year ago | (#44637039)

That is all :)

Re: Super Timing (1)

craigminah (1885846) | about a year ago | (#44637423)

This is horrible for many reasons: one login means easy access to all gov't sites to FUBAR someone's life, presents a juicy target for hackers, is "racist" (using Democrats' own language about voting ID cards and how they discriminate vs poor), and with NAA buffoonery who wants to trust the US government to not use this for some nefarious reasons. It will start off with gov't sites then be mandated for all other sites akin to Facebook login. Not a fan...

Re: Super Timing (1)

craigminah (1885846) | about a year ago | (#44637437)

NSA, not NAA.

Re: Super Timing (0)

Anonymous Coward | about a year ago | (#44637599)

That's the National Anonymous Agency, even more secret than the NSA.

Brilliant! (0)

Anonymous Coward | about a year ago | (#44636711)

Because why go through all the trouble of forcing a bunch of companies to give you user data when you can centralize it from the start!

Re:Brilliant! (5, Informative)

Anonymous Coward | about a year ago | (#44637359)

Posting AC because I worked on this proposal for one of the seven other candidates for this bid.

The oversight/selection committee for this consisted of people from GSA, NIST, and several other agencies. Speaking as a privacy/security nut myself, I can say their requirements were very privacy-friendly.

This system is intended to allow people to use third-party authentication mechanisms (provided by Equifax, etc.) to access government systems. The kicker is that neither side is allowed to know who the other side is. The FCCX is intended to be an anonymizer-like service to completely disassociate the public information from the federal systems.

Regardless of what some other agencies are doing (illegally, immorally, etc.), these guys were really striving - at least in the RFQ/RFP - to do it the right way.

Re:Brilliant! (1)

camperdave (969942) | about a year ago | (#44637969)

What about foreign nationals, and folks from outside the US who want to use US websites?

Re:Brilliant! (3, Informative)

Anonymous Coward | about a year ago | (#44638491)

Same AC.

Depends on the site and the level of authentication required. INS will have a different requirement than the IRS, for instance. Different identification services will use varying levels of identification for enrollment, and FCCX will pass on the level of assurance to the relying party. It's a complex system. I don't know how the bid winners will handle the back end, but there's a lot of new tech that needs to be developed. (How do you give data to two parties without telling each who the other is, when you're not supposed to know the content of the message? Not an easy problem.)

Two words (0)

Anonymous Coward | about a year ago | (#44636737)

Mission creep.

Pretty soon this will be compulsory to do anything with the government.

Re:Two words (1)

fustakrakich (1673220) | about a year ago | (#44637019)

It will be compulsory to do anything...

Re:Two words (1)

hedwards (940851) | about a year ago | (#44637477)

Then don't vote for politicians that are for securing the country at all cost. Honestly, if the GOP candidates wouldn't be so quick to take away our freedoms, it would be a lot easier to find somebody to vote for that would have more of a spine. But, ultimately, we ended up with Obama who was far less scary than either Romney or McCain in this area, but falls well short of what a reasonable politician should be doing with personal Liberties.

Re:Two words (1)

lightknight (213164) | about a year ago | (#44637627)

Yeah...see, I don't know...as a tech, if I survive any AI that emerges, I stand a fair chance of being employed / living well enough. On the other hand, from a systems standpoint, while integrating several systems together can be magical, it also almost guarantees at least one doomsday in your future (one hour of outage = so much pain, so many bureaucrats complaining, so many developers quitting). Like anything precious / useful, you want to stash several copies around, for safe keeping, and let them be relatively independent (so a failure at one site doesn't take everything down).

Yeah, I plan on being dead if this thing ever comes into being. I just don't "believe" our government has enough trust to do this right now. Gotta mend some fences first.

No (0)

Chuggzugg (997246) | about a year ago | (#44636741)

Subject says it all, but I will reiterate.

Fuck. That. Noise.

So close (1)

djupedal (584558) | about a year ago | (#44636749)

I was all about this until I got to the Canada part, and then...oh well.

Government Efficiency (2)

rijrunner (263757) | about a year ago | (#44636751)

And the really wonderful thing is that they have already used your facebook password and profile as well as your google info to prefill in all your forms..

Probably not for NSA (1)

TyFoN (12980) | about a year ago | (#44636763)

They already have access to the back end servers. No log in needed.

But it won't make it harder for them either. Maybe they can bypass the FISA courts and those pesky opinions if they can just log into the accounts.

Re:Probably not for NSA (2)

AHuxley (892839) | about a year ago | (#44637701)

Re: bypass the FISA courts.
That's the idea of the 'cloud' vision - every system on the same network with an understanding of how to get the data out in realtime.
Where the NSA seemed to have problems is the need for some legal domestic front cover e.g. FBI to be the name on their pipe.
With a system like this, so many groups get legal data, the NSA will never have to wait, be dependent on one stream again.
ie privacy will work both ways - nobody will really know who is getting the data 'out' just that the "credential management" worked. It seems to be a new vision of an older idea https://en.wikipedia.org/wiki/Prosecutor's_Management_Information_System [wikipedia.org]
More at http://www.wired.com/wired/archive/1.01/inslaw.html?topic=&topic_set= [wired.com]
http://consortiumnews.com/2013/07/11/prisms-controversial-forerunner/ [consortiumnews.com]
Welcome to a very legal https://en.wikipedia.org/wiki/Main_Core [wikipedia.org]

Ihre Papiere Bitte! (1)

Anonymous Coward | about a year ago | (#44636765)

n/t

What? (0)

Anonymous Coward | about a year ago | (#44636771)

What could possibly go wrong!

Re:What? (0)

Skapare (16644) | about a year ago | (#44638013)

It will be cracked 5 months after they start using it. We'll hear that they are sitting on that news about 3 months after that.

Security concerns (-1)

Anonymous Coward | about a year ago | (#44636777)

Knowing how many Americans use horrible horrible passwords, I'm sure having one password connected to a person's entire information and accounts is a GREAT idea.
Also, that one system could be attacked, and the attackers would be able to access millions of US citizens' IDs.

Re:Security concerns (1)

Skapare (16644) | about a year ago | (#44638069)

Oh, of course, it is surely more secure for everyone to have a different password for each site they visit.

Future Mandatory Requirement (5, Insightful)

cosm (1072588) | about a year ago | (#44636787)

How long until these become mandatory for all websites. Here's how I could see this going down:

- First, all major government websites require usage of this.
- As more and more brick-and-mortar government offices close, more and more people start using the id.
- VISA, MasterCard, et al begin requiring these for all online banking.
- Taxable web transactions somehow get tied by law to having to use these.
- Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
- All utilities, bills and such paid online start requiring it.
- Social networks require it for 'think of the children' safety.

...Tinfoil futures are a sure bet....we're losing the internet right in front of our faces.

Re:Future Mandatory Requirement (0)

Anonymous Coward | about a year ago | (#44636939)

So start your own internet. No one says you have to use TCP/IP or online banking.

Re:Future Mandatory Requirement (1)

lightknight (213164) | about a year ago | (#44637677)

Will do. Going to call mine the LightNet, and it's going to have hookers, blackjack, poker, a search engine that is both completely uncensored and returns relevant results, and a NNTP server that hosts all the alt.binaries.* groups. Peering agreements start at 1 Gbps.

Re:Future Mandatory Requirement (4, Interesting)

TheNarrator (200498) | about a year ago | (#44636945)

You just have to send your id in the bottom 64 bits of your ipv6 address to access the internet. Why make the address space so large unless you were going to stuff authentication credentials into every packet? Then they could easily just turn you off whenever necessary.

That does it! (0)

Anonymous Coward | about a year ago | (#44636977)

I'm going to burn it, just like I burned my Obamacare card!

Let me go print one out...can I just relabel the printout I already used? I'm sure it'll work.

Re:Future Mandatory Requirement (-1, Troll)

cold fjord (826450) | about a year ago | (#44637327)

Pretty sobering since most people on Slashdot cheer the same government taking control of their healthcare and medical records.

Re:Future Mandatory Requirement (1)

AHuxley (892839) | about a year ago | (#44637897)

Healthcare cost and detailed medical records are usually at a hospital and do get legally shared cold. With US tax payers paying for ever more the IRS will be used to track the very complex billing and vast new spending.
Most countries do hint that when you get payments and services from the gov, the gov will like to know who you are, if you're eligible and lots of other data.
Track costs and diseases, is the person a veteran, on disability, very poor, very rich, too old, the quality of care needed, time taken, meds needed, equipment used, all paid for by tax payers.
This new US vision of data control seems to allow the US gov and friends to bring in banks, other governments- ie way beyond just US socialized medicine.

Better Acronym (5, Funny)

PincushionMan (1312913) | about a year ago | (#44636791)

What a terrible acronym! How are we supposed to say FCXX anyway?

So, I came up with a better one for them:
Federal User Credential Keyfob (for Your Online Utopia)

Re:Better Acronym (3, Funny)

Em Adespoton (792954) | about a year ago | (#44636923)

What a terrible acronym! How are we supposed to say FCXX anyway?

So, I came up with a better one for them:

Federal User Credential Keyfob (for Your Online Utopia)

In Capitalist America, government FCXX you?

Re:Better Acronym (0)

Anonymous Coward | about a year ago | (#44638247)

FCXX is pronounced "fucks". If you want to use it in a sentence "Look at the amount of FCXX I give towards what we call our government"

I would say... (-1)

Anonymous Coward | about a year ago | (#44636801)

Take your IDs and go fuck yourself.

Why banks and healthcare providers? (2)

jdigriz (676802) | about a year ago | (#44636901)

WTF are private organizations allowed to issue identities for? Government IDs may be a hassle, but they're the ones with the vested interest in keeping track of people. We don't permit Walmart to issue driver's licenses or passports. We already have a mess with the private CAs on the Internet. Do it once, do it right and keep a monopoly on it. IDs and currency are Government's job! If the Treasury had issued decent ecash, Bitcoin wouldn't have a market and Credit Card Companies wouldn't be adding their 2.9% inflation to every purchase. If the Gov't were to do this right, with closed-loop verification necessary for anybody to do anything with your Identity, and if it were secure it would be a great boon. No more having to notify 42 entities of your change-of-address. Change it once at the Identity agency, and it's changed everywhere. I really doubt they'll manage to get it right though. No, I don't work for the Government. I'm just a guy who hates constantly giving and updating contact info.

Re:Why banks and healthcare providers? (0)

Anonymous Coward | about a year ago | (#44637031)

I suspect companies aren't really issuing new identities but just issuing digital verifications of government identities. Your bank will probably only issue you a cert in the same name as your birth certificate/passport, so the government is still the root. I agree that it would be better for the DMV to issue digital IDs directly rather than going through some third party, but it would probably take 20 years and $100B to set up that system. There is already the NSTIC project, but last I checked it wasn't going anywhere interesting.

Re:Why banks and healthcare providers? (0)

Anonymous Coward | about a year ago | (#44637043)

Because banks and Healthcare providers provide services that are highly regulated by the feds.

Re:Why banks and healthcare providers? (0)

Anonymous Coward | about a year ago | (#44637103)

...so they can verify the identities of people logging into their services... because there are legal requirements around them? You know... so only you can transfer money out of your bank account... and only you can see your health records... crazy, eh?

Re:Why banks and healthcare providers? (0)

Anonymous Coward | about a year ago | (#44637355)

You poor ignorant slut.

Re:Why banks and healthcare providers? (0)

AHuxley (892839) | about a year ago | (#44638151)

Track costs and diseases, is the person too old, the quality of care needed.
Say you're old, poor on a gov pension, will your gov healthcare provider even mention the option of costly ongoing, personalised cancer drugs?
The 'free' operation went fine, you can go home now with just the cheap pain drugs, see your local dr.
Large legal databases give cleared groups vast amounts of details on a person with no more oversight.
The other aspect is Canada, you don't want to go to war, no more simple 'return to the USA' law.
Tracking 'any' US citizen in Canada legally would be very easy from the USA for any reason without the bureaucracy in Canada knowing too much.
Rationed services locally, no more tempting US draft evasion, no moving between Canada and the USA without complex shared database questions.
Small banking transactions at a very low amount can be tracked well before after or during any tax audit (financial and/or political changes noted).

SecureKey (0)

Anonymous Coward | about a year ago | (#44636917)

Isn't 'SecureKey' the one that got cracked not too many months ago?

When Has Our Gov Done ANYTHING Right? (0)

ioconnor (2581137) | about a year ago | (#44636973)

Anything for the cancer called "our government" to spread a bit more. How long until it destroys the host and itself with the host?

Re:When Has Our Gov Done ANYTHING Right? (1)

Anonymous Coward | about a year ago | (#44637123)

Good luck doing without one. Have you ever tried living in a commune with "no government"?

Larry Niven did an interesting fictional account of this in "Cloak of Anarchy", http://www.larryniven.net/stories/cloak_of_anarchy.shtml.

Re:When Has Our Gov Done ANYTHING Right? (1)

Anonymous Coward | about a year ago | (#44637981)

Because that's how we can tell if something will work or not - by looking to a made up story about it.

Cool Farts (1, Insightful)

sexconker (1179573) | about a year ago | (#44636983)

[Read as if you're Robert Preston in The Music Man addressing the town]

Now we're all familiar with hot farts here on Slashdot. That sharp exit of heated gas that warms your anus for a few seconds during its escape.
It's a unique sensation, and it's often uncomfortable! But my friends there is another way to fart. Yes, I said another way!

Why just last week I was sittin'. Sittin' in this very chair, browsin' this very site.
Yes I was sittin'. And while I was sittin' I felt that familiar pressure. The pressure we all know all too well. The pressure of a tight little bubble of gas winding its way through my bowels.

But this time it was different. As I felt that fart knocking on my door I took a look around. I say, I looked around for anyone who would see or smell or hear.
Friends, family, coworkers, even gosh darn strangers. But my friends the coast was clear. Yes I was free and clear to let'r rip!

But I decided to try something a little bit different. I passed on my usual lean and "foof". I opted against the raucous blast. I say I did something just a little bit different that made all the difference in the world.

Oh I leaned to the left. I leaned to the left and raised my right cheek off the chair. I raised it up and I put it back down. Right on the right edge of that chair.
Then I leaned to the right. This time to the right, raising my left cheek up and settin' it down.

Now over there on the left edge of the seat was one ass cheek. And way over there on the right edge was the other.
But right in the middle, free and clear and stretched nice and taut was my anus. And my friends what a glorious, clean pink anus it is. I took that anus and I opened the valve nice and slow. Like openin' a shaken up bottle of pop.

And just like that bottle of pop my anus let out a slow "hisssssssss". Yes a hiss! And as I savored the extended release of that one little fart, I felt a sensation. A sensation like none I'd ever felt before on this green Earth.

There was a coolness. A coolness from that escaping gas that refreshed my anus and rectum better than one of ol' Doc Miller's suppositories. It was a coolness that lasted. Stayed with me all day long! It put a skip in my step and a twinkle in my eye and that's why, my friends, I'm here today. Tellin' you about this new great way to fart.

Re:Cool Farts (0)

Anonymous Coward | about a year ago | (#44638343)

Is that original? That's actually fairly clever for a bodily function troll.

at last! (1)

mexsudo (2905137) | about a year ago | (#44637009)

The virtual "tattoo on the wrist" :-)

lol (0)

Anonymous Coward | about a year ago | (#44637027)

Let's hack the shit out of it.

Hey...I'm from Ohio!!!!!

Obama wanted this before he got into office (0)

Anonymous Coward | about a year ago | (#44637071)

Just remember folks, before Obama got into office he was raving about an internet ID and people that were voting for him were also saying that it was a great idea. Once he got into office he worked on this program for about half a year or a year and then nobody heard anything about it since. Now, it's coming back and what timing~ Still think this isn't a totalitarian government? I don't think we'll end up like 1984 but it's going to be fucking close.

They have ZERO credibility on this point (1)

gelfling (6534) | about a year ago | (#44637091)

Maybe it's just bad timing or bureaucratic paralysis or they're just trolling everyone but they have absolutely no credibility on this.

Well shit. (0)

Anonymous Coward | about a year ago | (#44637153)

"Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email."

Possible start of WW3 in the middle east, biblical signs coming true..

Mark of the beast, anyone?

YES, THIS IS WHAT WE NEED (1)

Xicor (2738029) | about a year ago | (#44637157)

now the government can MORE EASILY track everything you do online!

Re:YES, THIS IS WHAT WE NEED (1)

Xicor (2738029) | about a year ago | (#44637163)

I won't care about secure government IDs until they start allowing online voting

Re:YES, THIS IS WHAT WE NEED (1)

Freddybear (1805256) | about a year ago | (#44637895)

ID may be required for everything except voting - for that it's racist.

Re:YES, THIS IS WHAT WE NEED (1)

Xicor (2738029) | about a year ago | (#44638121)

How is that racist? It is a government ID for all citizens? If you are now going to tell me that some races are too poor to have internet, I'm going to tell you that you are a racist...everyone in the country has access to internet in some form or fashion by now. You can go to a coffee shop and get free internet for God's sake

SSN, please (2)

Tokolosh (1256448) | about a year ago | (#44637241)

This is how social security numbers started.

SSO? (0)

Anonymous Coward | about a year ago | (#44637375)

Not to interrupt the "zOMG internet license" freak out, but isn't this just SSO with 2FA?

Sounds like a *good* thing to me (although it will probably end up costing us way too much.)

Fucking... (1)

Mister Liberty (769145) | about a year ago | (#44637399)

for virginity!

Not Secure, and definitely not private (1)

techno_dan (591398) | about a year ago | (#44637497)

Securekey information passes through a cloud, which in effect means we do not know who could be looking at what services we use. The information could be used to find patterns. Canada had a much more secure method a few years ago, whereby no one knew the real identity of the person, except the individual departments or agencies, and that no amalgamation or correlation of the data was permitted by Law. It also allowed individuals to have multiple anonymous accounts to further protect themselves. This is just another way for Governments to monitor what we do, and for those crooked individuals inside, managing it, to possibly commit crimes. Oh Well, just shows you what kind of world we live in now. Big business just found a new way to ream us more.

Yes. (4, Insightful)

goodmanj (234846) | about a year ago | (#44637527)

Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.

It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.

With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.

I suppose you had a dream? (0)

Mister Liberty (769145) | about a year ago | (#44637561)

And good morning to you when you wake up.

Re:Yes. (1)

lightknight (213164) | about a year ago | (#44637729)

Whoa, whoa, whoa. Identity validation within reason. Remember, the core of this government is already outlined by its Constitution. Anything beyond what is needed to implement, to a reasonable degree, the services laid out therein, is going overboard. I.e. it's experiencing either a mid-life crisis ("Tell me I'm still pretty!") or it's experiencing some OCD ("This pencil tip could be sharper...let me get out my pencil sharpening toolkit").

Re:Yes. (1)

rtb61 (674572) | about a year ago | (#44637961)

As long as it remains voluntary at all levels. Any hint of compulsion and its true corporate control of all individuals accessing the internet is exposed.

Already here (0)

Anonymous Coward | about a year ago | (#44638635)

As long as it remains voluntary at all levels. Any hint of compulsion and its true corporate control of all individuals accessing the internet is exposed.

I guess you missed all those required 3rd party Facebook logins scattering websites anymore. You know the ones, those websites that require you to 'verify your identity' or somesuch by logging into Facebook on their website. If you want to use all the features of many popular websites you must have a Facebook account.

It sounds like corporate control to me.

Property Systems (1)

Anonymous Coward | about a year ago | (#44638023)

I wouldn't be so sure.

The United States is considered one of the easiest places to purchase and sell real property, along with other jurisdictions sticking to the old Common Law rules. What distinguishes the Common Law system from the Civil Law system is that in Civil Law systems the central database is the definitive authority on ownership. In Common Law systems, ownership is a matter of fact to be determined by a court. There are quasi-centralized registries, but they merely act as optimizations... caches.

You would think a single centralized database would be most efficient, but it's not. Dealing with a change in real property ownership in Civil Law countries is often a nightmare, and it's a focus of study by economists in South America and Africa. The problem is that centralized databases don't cope with errors and anomalies very well, and are easier to game. Whereas decentralized systems handle errors much better, especially when you're allowed to present all the relevant information to a judge regarding title in land, not just what the bureaucrats attest to.

For a system like identification, dealing with the common case is trivial. Instead, you want to optimize for the errors and anomalies--basically cases that break the normal rules. That's a much harder problem, and centralization doesn't buy you very much, and in fact can be a bottleneck.

Re:Property Systems (1)

Anonymous Coward | about a year ago | (#44638075)

Just to follow up, the seemingly "messy" common law property rules are considered so superior that even China is adopting them. China is cherry-picking legal regimes from various countries, and when it comes to property and contracts they're choosing Anglo-American common law.

When it comes to regulatory regimes, though, China looks to Europe.

Re:Yes. (1)

Zontar The Mindless (9002) | about a year ago | (#44638419)

But corporations don't have the longevity, security, or nationwide reach to be able to do the job well...

I am mostly with you, but I think someone needs to point out that:

Corporations can and often do outlive humans.

Corporations are often better at securing their own data than governments are theirs.

Corporations not only have nationwide reach, many of them have an international reach.

Re:Yes. (1)

AHuxley (892839) | about a year ago | (#44638585)

Think back to Australia over the past 30 years.
http://en.wikipedia.org/wiki/Australian_Transaction_Reports_and_Analysis_Centre
Established in 1989 for realtime banking tracking. Every digital movement of cash (~A$10,000) was watched.
http://en.wikipedia.org/wiki/100_point_check again back to ~1988 for building layers of documentary proof of identity for banking, pensions, later Subscriber Identity Modules (SIMs)...
Reciprocal healthcare agreements between Australia and New Zealand.
The problem I see in the US, UK, Australia, Canada is a new layer of legal "Star Chamber" national security structure.
No fly, PTSD (Posttraumatic stress disorder) no buy lists, DEA, IRS, NSA... with no cheap/legal way of correcting false data that becomes very restricting.

Secure online (1)

fustakrakich (1673220) | about a year ago | (#44637549)

Everybody's a comedian...

Jackboot nostalgia (1)

hsmyers (142611) | about a year ago | (#44637583)

Papers please...

Does the scheme have these features: (0)

Anonymous Coward | about a year ago | (#44637633)

1. Will the scheme authenticate both directions (user to authenticator AND authenticator to user)?
2. Will the scheme authenticate all data of a transaction (at least the most relevant bits)?
3. Will the scheme work even where the endpoint device is infected with malware? (Or is there some strong assurance that such infection cannot occur in bulk?)
4. Do the credentials change with use so replay is impossible?
5. Is the act of authentication required to use positive action by the person authenticating so that it cannot be done autonomously behind the user's back?

There is too little on the securekey site to tell if any of these are present; there is mention only of some device plus a password. They speak of secure reading of cards, which in principle is rubbish for an infected device. There is nothing clear about variability there, and the "password" bit strongly suggests it is missing. It is also unclear that bidirectional auth exists (by which I do not mean what SSL claims; people ignore such due to cert expiration and so on).

If these features are missing (and btw they are simple to implement with a cheap token and a protocol for use), the system will be worse than useless. It will claim security, lull many into believing the claim, and allow large scale attacks.

If they are present, let's see some explanation of exactly how this works.

For proof, suppose you have a token that generates a display (bump a counter, encrypt with token-unique key, display perhaps 8-10 digits with each button press).

To auth do these steps: (auth A to B)
1. send token # to B
2. Press button, send 1st half of display to B
3. B synchs its idea of counter with this info, computes display, sends 2nd half of display to A
4. A is told to check this, and STOP if no match.
5. A presses button again, selects a pattern of display digits from the 8-10 displayed ones (with a pre-agreed-on unique pattern per user) and sends these digits in the agreed on pattern to B. (This may be only 3 or 4 digits, need not be long)
6. B computes what A should have sent. Match only if the token is right AND the pattern is right. B also makes sure counter value bumped only by 1.
7. (if signing needed; for buying candy might not be needed): B sends transaction info digest (maybe amount, few letters of payee) to A
8. A pushes button again, sends values in digit positions to B corresponding to transaction digest (this can be again short, and B can send coaching info to A).
9. B compares this to its idea of what should have been sent with counter bumped now by 2.

If all steps match you let the auth pass. Otherwise it blocks.

This either works or dies, changes every time, and malware can record what it likes. As long as token cannot be hacked (make it separate card maybe so there is a physical gap and user just keys results separately) malware can do as it likes. Party B does need to do the checks indicated and user A must pay attention at step 4. Users who do this will be safe. Transcribing the digits must be required to be manual so malware cannot fake it (because malware won't know what to send).

This can be approached on some cell phones but with difficulty and some limitations (see www.gce.com papers) but greatest safety comes from (minor) hardware support (which also can cut the number of keystrokes a lot).

If the proposed solution cannot explain itself then it should be regarded with a grain of salt.
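Steps 2 to 6 of the exchange sketched in the comment above, as an added Python example that is not the commenter's code or anything published by SecureKey. HMAC-SHA256 stands in for "encrypt with token-unique key"; the resync window and the names `Token`, `Verifier`, `display` and `authenticate` are assumptions. The token-number lookup (step 1) and transaction signing (steps 7 to 9) are left out.

```python
import hashlib
import hmac

DIGITS = 8    # display length; the comment suggests 8-10 digits
WINDOW = 20   # assumption: how many presses ahead B searches when resyncing

def display(key, counter):
    # HMAC-SHA256 stands in for "encrypt with token-unique key" (assumption).
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Token:
    """Party A's token: each button press bumps the counter."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self):
        self.counter += 1
        return display(self.key, self.counter)

class Verifier:
    """Party B: holds the token key, last seen counter and the user's pattern."""
    def __init__(self, key, pattern):
        self.key, self.pattern, self.counter, self.pending = key, pattern, 0, False
    def challenge(self, first_half):
        # Step 3: resync on A's first half, reply with the second half.
        for c in range(self.counter + 1, self.counter + 1 + WINDOW):
            shown = display(self.key, c)
            if hmac.compare_digest(shown[:DIGITS // 2], first_half):
                self.counter, self.pending = c, True   # value is now spent
                return shown[DIGITS // 2:]
        return None   # unknown or replayed: the counter never moves backwards
    def verify(self, picked):
        # Step 6: only the very next press counts; it is spent pass or fail.
        if not self.pending:
            return False
        self.pending, self.counter = False, self.counter + 1
        shown = display(self.key, self.counter)
        expected = "".join(shown[i] for i in self.pattern)
        return hmac.compare_digest(expected, picked)

def authenticate(token, verifier, pattern):
    """Steps 2-6 from A's side; returns True only if both directions match."""
    shown = token.press()
    reply = verifier.challenge(shown[:DIGITS // 2])
    if reply is None or reply != shown[DIGITS // 2:]:
        return False          # step 4: B did not prove itself, so A stops
    shown = token.press()
    return verifier.verify("".join(shown[i] for i in pattern))
```

Because every displayed value is spent as soon as B sees it, a recorded session cannot be replayed, and a verifier without the token key cannot produce the second half that A checks at step 4.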

Will this work on ... (1)

Skapare (16644) | about a year ago | (#44637941)

... any browser in BSD and Linux? Or will the government be forcing me to buy another computer since I want things to be secure?

Doesn't NSA do this already? (1)

rssrss (686344) | about a year ago | (#44638019)

Why can't they just tell us what the IDs that NSA already assigns us are?

my response to the us gov? (0)

Anonymous Coward | about a year ago | (#44638135)

go f**k yourselves forever

The New Zealand government also does this. (0)

Anonymous Coward | about a year ago | (#44638137)

It used to be called an "igovt" login, but now that has become part of the "RealMe" service (https://www.realme.govt.nz/). It's operated in partnership between the Department of Internal Affairs and New Zealand Post. It's the login you need to interact with the NZ Government online, and they make identity services available to businesses.

hey (0)

Anonymous Coward | about a year ago | (#44638205)

thanks for deleting my comment immediately, slashdot moderators.

Let him that hath understanding... (0)

Anonymous Coward | about a year ago | (#44638289)

And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.

Score:-1, Redundant (0)

Anonymous Coward | about a year ago | (#44638583)

NSA already has the credentials it needs.
