Hard Light Productions Forums

Off-Topic Discussion => General Discussion => Topic started by: Kosh on January 09, 2011, 12:30:21 am

Title: Internet ID for Americans
Post by: Kosh on January 09, 2011, 12:30:21 am
lol wut?  (http://yro.slashdot.org/story/11/01/08/1227229/Obama-Eyeing-Internet-ID-For-Americans)

Quote
"CBS News reports that the Obama administration is currently drafting the National Strategy for Trusted Identities in Cyberspace, which will be released by the president in the next few months. 'We are not talking about a national ID card,' says Commerce Secretary Gary Locke, whose department will be in charge of the program. 'We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.' Although details have not been finalized, the 'trusted identity' may take the form of a smart card or digital certificate that would prove online users are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions. White House Cybersecurity Coordinator Howard Schmidt says that anonymity and pseudonymity will remain possible on the Internet. 'I don't have to get a credential if I don't want to,' says Schmidt. There's no chance that 'a centralized database will emerge,' and 'we need the private sector to lead the implementation of this.'"


Question, how can a system like this NOT be a huge target for abuse of power, ID theft, etc?
Title: Re: Internet ID for Americans
Post by: Scotty on January 09, 2011, 12:34:00 am
ID theft I can see, but power?

Actually, as long as we can still use handles on forums and other places where anonymity is desired or preferred, I don't see a problem.  From the looks of that article, it's geared more toward internet vendors and stuff that could really USE accountability.
Title: Re: Internet ID for Americans
Post by: Flipside on January 09, 2011, 12:34:31 am
Don't these people ever learn? If it's digital, it's hackable.
Title: Re: Internet ID for Americans
Post by: Polpolion on January 09, 2011, 12:39:16 am
From what I skimmed of the article it seems totally absurd. Why anyone would willingly centralize their internet security into a single entity I can't imagine...
Title: Re: Internet ID for Americans
Post by: Kosh on January 09, 2011, 12:43:58 am
Quote
From what I skimmed of the article it seems totally absurd. Why anyone would willingly centralize their internet security into a single entity I can't imagine...

It seems to me that it is an extension of the Real ID, which was a failed attempt at forcing a national ID card (with an accompanying centralized database) under the Bush administration. Real ID failed because the states refused to go along, but this system would bypass them entirely.
Title: Re: Internet ID for Americans
Post by: Flipside on January 09, 2011, 12:48:03 am
What annoys me is that the whole point of adding organic elements to digital IDs is because there is no such thing as 'random' with a computer. That's why you need to remember your pin number or your password, because it adds a truly random element to the identification process. Remove that random, organic element and you are left with a predictable system, and given enough time, that system can be decoded.
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 12:52:11 am
Human 'randomness' is actually tremendously predictable as well; a computer can almost certainly do a much better job.
Title: Re: Internet ID for Americans
Post by: Flipside on January 09, 2011, 01:10:57 am
Possibly so, but if nothing else, it puts some level of responsibility to the user themselves to protect their information. If you only need one password to access all your internet resources, all you are doing is putting all your eggs in one basket. No-one with a moderate sense of security uses less than 3 different passwords for their various accounts (3 is a good number because you usually get 3 attempts to enter the password), making one single access point, means that you have a single point of vulnerability, and if that is compromised, your data is blown wide open.
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 01:13:15 am
Concurred.
Title: Re: Internet ID for Americans
Post by: Kosh on January 09, 2011, 01:17:23 am
Quote
Human 'randomness' is actually tremendously predictable as well; a computer can almost certainly do a much better job.


Since a computer uses an actual algorithm any math major should be able to reverse engineer it, whereas a human at least has the option of changing their pattern once they realize it.
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 01:19:08 am
Quote
Human 'randomness' is actually tremendously predictable as well; a computer can almost certainly do a much better job.

Since a computer uses an actual algorithm any math major should be able to reverse engineer it, whereas a human at least has the option of changing their pattern once they realize it.

This is not a bad point, but the usual solution is to use an external chaotic source as a random seed; it's pretty trivial to generate a near-truly-random one from a natural phenomenon like radioactive decay or whatever.

There are also enormous tables of truly random digits you can simply feed in to use as said seed.
Title: Re: Internet ID for Americans
Post by: NGTM-1R on January 09, 2011, 01:21:07 am
Then you end up with the same problem as a Book Cipher: other people can locate your source.
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 01:21:34 am
Quote
Then you end up with the same problem as a Book Cipher: other people can locate your source.

Right, but a source like radioactive decay does not produce randomness in a historically contingent pattern.
Title: Re: Internet ID for Americans
Post by: Goober5000 on January 09, 2011, 02:08:19 am
Quote
"We are not talking about a national ID card" ... "We are not talking about a government-controlled system" ... "There's no chance that 'a centralized database will emerge,'"
And how exactly should we trust this guy given the government's track record on other things?  I predict that if this gets implemented, it will eventually become all three of these things, in practice if not in name.
Title: Re: Internet ID for Americans
Post by: Grizzly on January 09, 2011, 04:46:26 am
Quote
Human 'randomness' is actually tremendously predictable as well; a computer can almost certainly do a much better job.

If human randomness is tremendously predictable, many of the world's problems would have been solved already, without any side effects. Now, if we solve a problem (such as a food crisis), we cause another problem (economic crisis in same area, which is then followed by another food crisis). If human randomness was so predictable, then all those complicated financial programs people used before the credit crunch would have worked or never have existed.
Title: Re: Internet ID for Americans
Post by: Qent on January 09, 2011, 07:29:10 am
:wtf:

Fine, base your computer's security on the world's economy then. I'll stick with random and computer-generated pseudorandom numbers.

And passwords, but I won't claim they're random.
Title: Re: Internet ID for Americans
Post by: Kosh on January 09, 2011, 07:59:48 am
Quote
And passwords, but I won't claim they're random.

Because I just can't help it (http://www.youtube.com/watch?v=a6iW-8xPw3k)
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 09:56:43 am
Quote
And passwords, but I won't claim they're random.

Because I just can't help it (http://www.youtube.com/watch?v=a6iW-8xPw3k)

You will probably appreciate this - http://blogs.wsj.com/digits/2010/12/13/the-top-50-gawker-media-passwords/
Title: Re: Internet ID for Americans
Post by: Kosh on January 09, 2011, 10:01:46 am
Awesome  :yes:
Title: Re: Internet ID for Americans
Post by: General Battuta on January 09, 2011, 10:07:17 am
The infographic is a bit deceptive, in that only 3% of the total passwords were 'password', '123456', and '12345678'. But it's still a laugh.
Title: Re: Internet ID for Americans
Post by: Kolgena on January 09, 2011, 11:07:11 am
Eh. Some of those will be fake aliases as well. I personally have half a dozen fake emails/random accounts on forums with passwords like asdf1234 or some variant of that. I'm guessing I'm not the only one out there that does this.

(I only have 1 account on HLP though, don't shoot me)

OT: This proposal seems dumb to me. It also seems like something that's going to happen naturally if augmented reality systems start really taking off.
Title: Re: Internet ID for Americans
Post by: Goober5000 on January 09, 2011, 06:30:24 pm
Quote
If human randomness is tremendously predictable, many of the world's problems would have been solved already, without any side effects. [...]  If human randomness was so predictable, then all those complicated financial programs people used before the credit crunch would have worked or never have existed.
Off-topic...

Human randomness (i.e. human behavior) is eminently predictable.  The problem is that people ignore, or refuse to learn, the lessons of history.  Or they sacrifice long-term stability for short-term gains.  Congress tried to do something about FNMA and FDMC at least two years before they collapsed.  One of the Federal Reserve governors warned that loose mortgage policies would lead to a housing crash way back in 2000.  And the national debt has been a topic of discussion ever since this country was founded.
Title: Re: Internet ID for Americans
Post by: Beskargam on January 09, 2011, 08:36:10 pm
would work better in theory than in practice?
Title: Re: Internet ID for Americans
Post by: Kosh on January 09, 2011, 10:17:49 pm
Quote
would work better in theory than in practice?


Even if it were to work better in theory than in practice, what exactly is the point of it? To track everything we do? I'm not seeing what good can possibly come out of it even theoretically.
Title: Re: Internet ID for Americans
Post by: MachManX on January 19, 2011, 08:02:10 pm
I think the govt. is just trying to create something to show the Americans that they are doing something to better secure the people...it's not really about the effectiveness.  As long as they show the people that they are doing something, the people (aka avg. joes) will be content.  Like the saying goes, "It's the thought that counts...", er something along those lines.
Title: Re: Internet ID for Americans
Post by: Thaeris on January 19, 2011, 09:29:42 pm
If that is the case, I really wish they'd use their brains to work on more important matters...
Title: Re: Internet ID for Americans
Post by: Shade on January 20, 2011, 01:13:41 am
This sort of thing doesn't have to be a cornucopia of ID theft, power abuse etc.

Around here, we've actually had an ID scheme for online banking and the like for a while now, and it is implemented in such a way that I don't see any real potential for abuse: There are no ID cards. There are no chips. What you get is a card with some 300 or so unique codes on it, which are used as a one time pad (along with a personal login name and password, which are really only used to identify which set of codes your bank or whatever will be comparing against) when logging on to any banking, tax-related or whatever website. Once a key is used, it is discarded for good, meaning that you can actually do online banking from any public computer and still have no fear of unsavoury elements nicking your password. Because said password no longer works. And whenever your code-card gets down to 10 or so codes remaining, a new one is automatically mailed to you in an anonymous envelope, so you never run the risk of running out. And the entire card can be blocked with a single phone call, should you lose it.

Since there's no personal information involved, there's no ID to steal. And yet, it will uniquely identify you to any website where you need secure and reliable authentication. Admittedly, it is a bit more cumbersome than your regular website logins, but I'll take the security.
Title: Re: Internet ID for Americans
Post by: Mikes on January 20, 2011, 05:35:19 am
Germany already has something similar rolling out. (When you get a new ID card you can choose if you want it to have cyberspace functionality or not...  you get to pay 20 bucks either way tho lol).

Chaos Computer Club took 30 mins to hack a sample card (showcased it on TV even) and open a bank account with the ID...  all that needs to be said really. The US version won't be any different.


In related news, corporations still have a massive interest in tracking real IDs on the net to be able to microcharge you for everything and anything and effectively end the era of a "free web" forever.
This definitely is a first step in that direction. Once the system would be in widespread use it's not that far-fetched to see it changed to be "mandatory" at some point.
(And if you like conspiracy theories, you probably are already wondering when the big cyberspace based fear mongering will start on the news to make us all welcome a mandatory "secure" (lol) ID.)
Title: Re: Internet ID for Americans
Post by: BloodEagle on January 20, 2011, 06:37:26 am
Quote
This sort of thing doesn't have to be a cornucopia of ID theft, power abuse etc.

Around here, we've actually had an ID scheme for online banking and the like for a while now, and it is implemented in such a way that I don't see any real potential for abuse: There are no ID cards. There are no chips. What you get is a card with some 300 or so unique codes on it, which are used as a one time pad (along with a personal login name and password, which are really only used to identify which set of codes your bank or whatever will be comparing against) when logging on to any banking, tax-related or whatever website. Once a key is used, it is discarded for good, meaning that you can actually do online banking from any public computer and still have no fear of unsavoury elements nicking your password. Because said password no longer works. And whenever your code-card gets down to 10 or so codes remaining, a new one is automatically mailed to you in an anonymous envelope, so you never run the risk of running out. And the entire card can be blocked with a single phone call, should you lose it.

Since there's no personal information involved, there's no ID to steal. And yet, it will uniquely identify you to any website where you need secure and reliable authentication. Admittedly, it is a bit more cumbersome than your regular website logins, but I'll take the security.

Huh.  Mailmen are going to rule the world.

....

I didn't see it coming. :P
Title: Re: Internet ID for Americans
Post by: Shade on January 20, 2011, 06:58:34 am
Except the mailman would also need to somehow get your personal login to go with the one-time pad. Oh, and there's an activation code for each pad which is mailed separately too, so he'd need that as well. It really is quite a secure system. Granted, nothing's going to be 100% when not dealing with things in person (and not even then for that matter), but I think it's about as close as you can get.

So for example, assuming the mailman really did want access to your online banking account, he'd need to:

A) Intercept the key card, which is not credit card sized nor made of plastic (though it is thinly laminated) and so isn't readily identifiable in an envelope.
B) Intercept the activation code, which is in a different envelope sent at a different time, and is simply a scrap of paper with some alphanumerical characters on it.
C) Get a keylogger onto a computer you use to access your online banking, tax returns or whatever, and grab your personal login.
D) Pull all this off before you start wondering where your new key card is and call to have it blocked.

Alternatively replace A and B with stealing an already activated key card, in which case he'd have to be very fast indeed in grabbing the money since it only takes a phone call to block it. And he'd still need to do C. And of course he'd need to know which bank you use, but being the mailman I think we can assume this to be true.

And as for ID theft, the key cards being one time pads basically rules it out. Yes, if you went through the steps above you'd get access to some personal information, but the moment the key card is blocked you lose access, and there's nothing you could do to prevent the correct owner from regaining control. He simply gets a new key card, and he's back on top - And you can't use the key card to change the address new cards are sent to.

[Edit: Added example]
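
The code-card scheme described in the post above, sketched as an added example that is not part of the original thread or any real bank's code: a server-side record for one card, showing why a code captured by a keylogger is useless once it has been used. The names `issue_card` and `CardRecord`, the six-digit code format, and the site asking for a specific code number are assumptions; the username/password step is left out.

```python
import hashlib
import hmac
import secrets

CARD_SIZE, REISSUE_AT = 300, 10         # figures taken from the post
SERVER_KEY = secrets.token_bytes(32)    # assumed to be held outside the code table

def _tag(value: str) -> bytes:
    # Keyed hash, so a leaked table alone does not reveal unused codes.
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()

class CardRecord:
    """What the server keeps for one printed card (hypothetical class)."""
    def __init__(self, printed: dict, activation: str):
        self._unused = {i: _tag(f"{i}:{c}") for i, c in printed.items()}
        self._activation = _tag(activation)
        self.active = False
        self.blocked = False

    def activate(self, activation: str) -> bool:
        ok = not self.blocked and hmac.compare_digest(self._activation, _tag(activation))
        self.active = self.active or ok
        return ok

    def block(self) -> None:             # the "single phone call"
        self.blocked = True

    def challenge(self) -> int:
        """Pick which unused code number the site asks the user for."""
        return secrets.choice(sorted(self._unused))

    def verify(self, index: int, code: str) -> bool:
        if self.blocked or not self.active:
            return False
        expected = self._unused.get(index)
        if expected is None:             # unknown or already used: replay rejected
            return False
        if not hmac.compare_digest(expected, _tag(f"{index}:{code}")):
            return False
        del self._unused[index]          # discarded for good after one use
        return True

    @property
    def needs_reissue(self) -> bool:     # time to mail the next card
        return len(self._unused) <= REISSUE_AT

def issue_card(size: int = CARD_SIZE):
    """Return (record, printed_codes, activation_code); the last two are
    mailed in separate envelopes and not stored in clear on the server."""
    printed = {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, size + 1)}
    activation = secrets.token_hex(4)
    return CardRecord(printed, activation), printed, activation

if __name__ == "__main__":
    record, card, act = issue_card()
    record.activate(act)
    n = record.challenge()
    print(record.verify(n, card[n]), record.verify(n, card[n]))  # second try is a replay
```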
Title: Re: Internet ID for Americans
Post by: MachManX on January 21, 2011, 02:40:20 am
Quote
If that is the case, I really wish they'd use their brains to work on more important matters...

Sometimes when the govt. does use its brains properly, the dumb ones fight against it stating all sorts of reasons.  Hence why nothing ever gets done on time...if at all :(
Title: Re: Internet ID for Americans
Post by: karajorma on January 22, 2011, 03:32:28 am
Quote
Germany already has something similar rolling out. (When you get a new ID card you can choose if you want it to have cyberspace functionality or not...  you get to pay 20 bucks either way tho lol).

Chaos Computer Club took 30 mins to hack a sample card (showcased it on TV even) and open a bank account with the ID...  all that needs to be said really. The US version won't be any different.

It doesn't have to be that crappy though. No doubt the Germans did the exact same thing the British do with all their big government computer projects. Hand it out to the lowest bidder, accept massive cost overruns, and end up with a shoddy product that's not fit for purpose.