Slashdot Mirror
White House Releases Trusted Internet ID Plan
angry tapir writes "From the Computerworld article: 'the U.S. government will coordinate private-sector efforts to create trusted identification systems for the Internet, with the goal of giving consumers and businesses multiple options for authenticating identity online, according to a plan released by President Barack Obama's administration.'"
No way, Barry...
Just like a SSN.
Requires Windows (tm) 7 (tm) Professional (tm) using an Intel (tm) chipset supporting a Trusted Platform Module (tm) with keys in escrow by the issuing authority.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
from character.assess.assassinate.censor.gooed.biz.gov
the same guys in the same house of credit cards who told us god would provide unlimited prosperity just a few short yeas ago. alas, now the much touted prosperity must be limited to chosen trusted touted chosen ones. the rest, deleted, as usual, nothing new under god's heaven can't wait. .disarm.leave.trustusonthiswon
thanks. satanic sunday could not be more self-exposing?
A few years back my email account got hacked, they got my yahoo contact list and bombarded people with spam. My solution to this problem was to install Enigmail, om to my Thundeerbird. reader. This program allows me to easily digitally sign all messages. Granted the world is full of people not smart enough to verify a PGP signature but at least they know if the signature block isn't there. It is not from me.
--- Always remember. 99.36% of all statistics are inaccurate.
Never going to work while the security of home PC's is Swiss cheese.
A 7-Eleven store is a small grocery store similar to the stores at gas stations, though I've never seen one with gasoline pumps in front of it.
If you do all your banking online, how do you deposit cash or checks that other individuals give you? Do you mail the checks, and buy money orders with the cash and mail those? And do you refuse to take any job that doesn't direct deposit your paycheck?
Lets give controls of the keys to the Homeland Security.
I'm sure we can trust them with our internet.
Items purchased with trusted ID: Washing machine, PS4, Glycerine, Shower tiles cleaner (flagged combo).
Taxes due on purchases $156.00. Forwarding purchase of glycerine and acid product to FBI for examination.
Here is a disaster waiting to happen! Any bets on how long before this system is compromised? :-(
The format of the Trusted ID will be a nine digit number, separated into three groups by dashes...
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
he is gonna release his birth certificate for anyone to be viewed using this platform, right?
This is just another step in the governments plan to control our online lives. John Locke states that the reason for this plan is that 8.1 million people were victims of identity theft in the US last year. What he fails to mention is that only 11% of that 8.1 million were internet or technology related while over 43% were due to theft of purse or wallet, another large chunk were the result of dumpster diving or other unsavory methods.
Remember how we were just talking about the nasty, gaping, holes in the practice of using CAs to verify SSL certs? How the CAs were largely rent-seeking incompetents with strong market incentives to do inadequate verification while simultaneously trumpeting their security? How there were just too many of them, and a compromise at any served to threaten the security of all SSLed connections?
Well, yeah, that kind of sucks because this plan looks very similar: Some kind of public/private key system, with multiple totally trustworthy(tm) private sector vendors, subject to the twin incentives of trying to establish themselves as one of the 'trusted' trusted identity trustees, so that they get the user fees and user data; but also likely to start getting sloppy on the verification side; because everybody hates a cost center...
Mathematically, most of the hard work has already been done, and the engineering required to put some sort of secure hardware widget, while not something to be left to the naive, isn't exactly terra incognita(smart card ICs, and/or the integrated USB+smartcard chip+optional definitely-not-keylogged-keypad are a well established product category some generations old at this point); but the organizational/economic incentives side of this is pretty much certain to be totally, utterly fucked.
you got it. all of our prayers answered at once. knowing who we can trust simply by accessing our #ed account at youcantrustus.gov to find out just who can, & cannot be trusted, on any given day, as that's subject to change, deepending on if queers are still queer, on any particular day, coinciding with a trusted.gov love to hate focus message, on any given (to us by our trusted (with our lives) rulers) day.
It's going to be "voluntary", but soon enough legislation will be passed that makes it so "questionable websites", such as those associated with porn, will be mandated to require an Internet ID for age verification. And simultaneously the government will know what kind of porn you like to look at and can blackmail you whenever they see fit.
Do you think banks and credit cards do not already report you unofficially to the feds? or when asked (and they are not allowed to say they were asked) do you think they will put up any sort of legal fight? Some librarians did, but mega corps who have working control of the aspects of government they want already - I doubt it; they may in fact volunteer or tell the gov to go after somebody... like Wikileaks for example (the state dept seems to work for the corp interests.)
Yes, the Internet has been a pretty big failure so far. :-) What more "full potential" he's talking about?
It must have been something you assimilated. . . .
Don't worry, they point out that use of the system is completely voluntary. Just like owning a mobile phone or participating in interstate commerce.
All the pussies in this country have proven time and again that they will gladly trade privacy for a false sense of security. Idiots. You might as well get ready for this to pass.
Rather than hittin a journalist site, go direct to the source at
http://www.nist.gov/nstic/
You can trust this isn't a rickroll or a goatse because I'm usin' my trusted internet ID of VLM
The headline made me expect a detailed bit level cryptoanalysis of the new protocol complete with flowcharts, etc. Instead it seems to be the tech equivalent of a bunch of hippies high on weed sitting around a campfire and curing all the worlds ills by talking about them.
More like "whitehouse releases a plan to create a plan for a trusted internet ID plan"
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
It completely dispenses with the password. It is your responsibility to protect your username. If anyone from Nigeria to Nantucket know your identification code, it means they are authorized to do any financial transaction on your behalf. This breakthrough technology makes it possible for the people creating new and exciting contracts under 409 clause to not only draw money from your bank, but also from your brokerage account, and also change your network log in id and to rearrange your netflix queue and use ftp to open your garage doors Imagine! The New possibilities!
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
what i dont trust is the internets.
Politics is Treachery, Religion is Brainwashing
Sounds about right for liberals. You have to have an ID to use the Internet, but not to vote.
People complain about identity theft, people complain about efforts to verify ID.
I just RTFA... and the only question that comes to mind is.... HOW IS THIS ANY DIFFERENT THAN OPENID ?!
Another solution, where there is no problem. Except if you are the government and those pesky humans are doing something that needs to be taxed / regulated / or subsidized.
There are, at current best estimate, at least 200 million fully-compromised systems on the Internet. That number has been monotonically increasing for most of a decade, and there is no reason to expect that trend to change. (And many reasons to expect it to continue.) Not all of those are in the US, of course, but a lot of them are. This is turn means that any credentials present on those systems are now the property of their REAL owners, not the people who mistakenly believe they own them. Which means that even if such a universal ID system was properly designed (unlikely) properly built (unlikely) and properly deployed (extremely unlikely) that its first major effect will be handing over a large number of those IDs to The Bad Guys. The second major effect will be providing major incentives to The Bad Guys to compromise more systems, as the value of such increases with both their usefulness and the value of the data stored on them. The third major effect will be providing major incentives to The Bad Guys to go after any system where these IDs are stored or used, since they now have widespread usefulness, not just localized usefulness. They will be successful some of the time, of course, and we will once again get to hear the refrain of the professional liars who call themselves "spokespeople", as they solemnly intone "Nobody could have foreseen..." I think the biggest usefulness of this scheme will be filtering: anyone supporting it is clearly marking themselves as a security imbecile, should be fired on the spot, blacklisted for life, and never permitted to speak in public again on the topic of security. That won't happen of course. They'll get bonuses. That's how we reward sufficiently grandiose failure in this society.
if you get a cheque, you go to an ATM at the bank and deposit it
ATMs in my town won't take deposits for other banks, including online-only or otherwise out-of-town banks.
One Authentication to rule them all
One Authentication to find them
One Authentication to bring them all
and in darkness to bind them
or maybe
One government to rule them all
One government to find them
One government to bring them all
and in darkness to bind them
But you don't have to give it to anyone - of course they don't have to do business with you if you don't.
Trusted ID? Is that like Obama's much talked about trusted birth certificate?
as soon as you'll need to use it to pay taxes. Many of the taxes that are collected are collected not to keep revenue stream going but to ensure that the information records keep flowing. As soon as you can't pay your taxes online without one of these, it will be over. Since the burden of preparing taxes only keeps going up, most people will gravitate towards the electronic solutions which assist in tax-record preparation. Using this thing will be seen as just part of the cost of doing business.
Any guest worker system is indistinguishable from indentured servitude.
The new version more explicitly emphasizes that the private sector will drive forward the trusted ID market, with government playing a coordinating role, administration officials said.
In other words, it's a Mussolini-style Fascism model.
Consumer participation in trusted ID technologies will be voluntary, they added.
Because nobody is going to force you to use a bank, shop on-line, or send email that will actually make it to somebody else's inbox. Sorry about all those on-line government services that you won't be able to use. You can always hike to one of the brick-and-mortar offices and present your papers in person.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Having a way to authenticate a person as unique is a missing brick in many web applications, especially all the voting applications. I see it as a good thing and I have a hard time seeing how such a tech makes bad scenarios more likely.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Why not just brand everybody with a unique id, and stamp "666" or their foreheads?
I strongly doubt that the Obama administration would be willing to push a plan that eliminates the "business need" for RSA certificates so I guess I will oppose this plan.
I trust VISA and my bank more than I trust my government. I will keep voting my conscience and hopefully one day that will work out.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Arguably, "Identity" is the wrong target(or, if you think that it is the right target, I consider your motives suspect) for many applications:
"Identity" is a polite euphemism for a lot of personal information. For most purposes, it is utter overkill to achieve legitimate ends. Say that I'm buying some booze online. You don't actually need to know my name, age, appearance, etc, etc. You simply need to know that my age > legal age and that my payment is valid. To log into an email account, you don't need to know who I am, you just need to know that I have the key for the account.
There are, in fact, relatively few situations where the entire bundle of information that falls under "Identity" is relevant. Unfortunately, there are virtually no situations where the person you are transacting with wouldn't be happy to have the entire thing, if only for marketing purposes(or worse).
This scheme had better include some interesting zero-knowledge proof related stuff, or it is little more than a privacy giveaway to a number of private sector actors(and, no doubt, the members of the 'intelligence community' with whom they are oh so cooperative).
this shouldn't be possible and regulation is a good way of addressing this, for example by forbidding businesses from using SSNs as record identifiers
Governments are very two-faced on this one, on the one hand they get their panties in a bunch about it yet on the other hand they require it in so many places. Here in Norway I have a unique id assigned to me by the government. Employers report income to the authorities for income tax, so all HR positions have to have it. I can't open a bank account without one. I can't trade stocks or funds without one. Car registry, property registry, pretty much every registry that requires a unique id uses it. There's a central registry that I have to report in when I move, so I get all the local voting rights, pay the right local taxes and so on. Even the card that gives me 3% off at the grocery store and pays out when it reaches a certain amount has to have that ID, because even those 20$ are reported to the government as my asset. Along with audit requirements that means many, many people past and present have to know it. That it's also written on my drivers license in my wallet is the least of my worries. Of course the explanations are all the usual ones, tax fraud, money laundering, mistaken identities and so on. Fair enough but you can't both have your cake and eat it too, if so many people know it then it's not a very well kept secret.
It's not a secret, well kept or otherwise, anymore than your date of birth is. But I am pretty sure that someone cannot create a bank account or get a credit card in your name just because he has found out that non-secret number. The problem they have in the US is that with no national id and with many people not having a passport, companies resort to all sorts of bizarre things to identify people (including the social security number, which was never meant for that purpose, or absurdities like your mother's maiden name, or an electricity bill delivered to your address).
We just transfer money between accounts securely, conveniently and relatively speedily.
You didn't say cheaply. How much do the source bank and destination bank charge for each such transfer?
It is not wise to mail cash. Or did you mean go to the post office and buy a money order? Or did you mean spend all the cash people give you on grocery store gift cards?
People who "go to 7-11 to pay bills" are actually getting money orders to pay for things.
Because they don't want or can't have a bank account.
There are various reasons for each category of such people and the reasons may or may not be valid, but the primary one is because if certain folks have a bank account, it can be attached for past taxes, legal judgments or back child support.
I think I have a Facebook account that will do all that and more.
I have a hard time trusting a proposal like this that comes from an administration that includes a lot of former RIAA and MPAA associates.
The real Sig captains the Northwestern. This one captains
Gets your "trusted" credentials, that would be more damaging, right? Kind of like now -- someone pairing your ss# to your full name is much more dangerous because of the trust factor placed in that. Whereas if they get your Yahoo Mail login they spam all your friends until you close the account or get control of it. I think I would like this to be optional for sure. Let's see how well it works or what a disaster it is before everyone is required to use it to do business with say PayPal -- Google -- etc.
Obama administration wants to remove the anonymity from the internet so they can track everyone for whatever reason.
They have already attempted to make law that you cannot "fake" post on the web.
If the Internets managed to get some sort of unified, 'secure" (rofl) ID of mine, here's what'd happen:
- Slashdot people would sign me up for crap because I use Windows and can't stand the blathering of Linux fanboys.
- 4chan would sign me up for transsexual-based porn, for the lulz, you see.
- Nigerians would ensure that I give my bank account details to several 'princes'.
I trust fully that this would happen; and I trust fully that these side effects are minor compared to what the bumbling government would do.
(Enforcement of use taxes; the death of basic anonymity; tracking of mundane (eg, 'interesting') purchases; et cetera.)
I just want to point out that private industry created the credit reporting service, and now I have to spend money to protect my interest against the shoddy practices of this industry. I don't think it is that fact that people will commit fraud that worries me, but the poor practices that the industry follows that provides no protection against fraud.
The creation of a government credit ID that has anti-fraud measures might be the first step in battling this issue. The second step would be making the credit reporting companies responsible for bearing the cost of cleaning up the effects of identity theft.
I would only support the idea of an Internet ID if I wasn't responsible for undoing the message associated with fraud committed against my ID.
Did anyone else read the title like this at first glace?
It will be the greatest system ever devised!
Provided it doesn't cost too much, or impact jobs.
Only the dead have seen the end of War. - Plato
If he's accepting payment by such archaic methods then by definition he isn't doing all his banking online.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Only 30 seconds after a 50 MegaTonne nuke from a Russian ICBM slams DC, White House ground zero, and atomizes Barak Hussian Obama, aka Barak-O-Vision, aka Obama-Nation, aka Barry the former symbol for bi-racial couplings.
our website: http://www.happyshopping100.com/ watches price 75$ Air jordan(1-24)shoes $30 Nike shox(R4,NZ,OZ,TL1,TL2,TL3) $35 Hndbags(Coach lv fendi d&g) $35 Tshirts (Polo ,ed hardy,lacoste) $16
Jean(True Religion,ed hardy,coogi) $30
Sunglasses(Oakey,coach,gucci,Armaini) $15
New era cap $10
Bikini (Ed hardy,polo) $25
FREE SHIPPING,accept paypal
free shipping
accept paypal credit card
lower price fast shippment with higher quality
BEST QUALITY GUARANTEE!!
SAFTY & HONESTY GUARANTEE!!
FAST & PROMPT DELIVERY GUARANTEE!!
**** http://www.happyshopping100.com/ ***
What I like about the current mess of different usernames and passwords for different sites, entrust card, RSA tokens etc is that any identity theft is likely to be rather limited. With a Internet ID plan it makes it possible for someone to take an entire identity in one hit, along with all your money and likely better lock you out of getting it back.
This is going become prime target for identity theft, I can tell by the lack of language even acknoledging security issues let alone addressing how it may be kept safe.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
fucking socialist gay nigger
The problem with federated trust used in this way is that it does not give the end user any confidence they are communicating with the party they think they are.
Yea great so you can use the same credentials to login everywhere... Except what happens when a malicious site masquerading as your favorite online store starts accepting open id credentials?
All of the current federated systems as deployed right now rely on SSL CAs to establish trust.. They don't actually solve any security problems in their own right or address any of the core trust issues surrounding CAs.
I mean, this isn't; Al Gore's White House. Did Obama sweat out this scheme? Was it planned in the White House? Reading on a few paragraphs one sees "Commerce Secretary Gary Locke said at an NSTIC release event hosted by the U.S. Chamber of Commerce". So it was actually the Dept of Commerce. Sure, they announced it at the White House, but so what? That's hardly the most important thing, why put it in the headline?
This tendency of Americans to characterise every act of the Federal Government as "Barack Obama" is quite weird, almost medieval. And misleading, I think. It's pretty likely most policies are created and executed by career bureaucrats, the Commence Secretary who announced it and the President (who is probably barely aware of it) have basically nothing to do with it.
Defeating this will be as simple as starting a "grass roots" (astroturfing) campaign declaring this an Orwellian Obama conspiracy against freedom. It would be dirt simple to get the ultra-right charged up about this, especially if a Muslim conspiracy could be worked in or at a minimum declare the program anti-Christian (think mark of the beast). This should get most of the know-nothing Teabag simpletons onboard. It's time these morons were actually put to _good_ use, rather than just destroying the US. It would be worth the PR some young-Earther, keep-America-white-and-pure dipshit would get leading this movement to defeat this idea resoundingly.
does anyone actually even trust the white house / us government
This is not a problem the government should be solving. I think businesses should be responsible for keeping their customers' information secure through robust implementations. For instance, use a site-supplied on-screen keyboard that rearranges itself with every mouse click for a password that sends the information encrypted. Whenever any action is taken on the account, the password needs to be supplied through that interface. It's a PITA for the user, but it prevents most common attempts at hacking an account because in order for them to change account information or perform any action with the account would require them to know the password. Keyloggers (or things that record mouse positioning and clicks) won't work, and they'd have to intercept the encrypted password and unencrypt it in order to really do any damage. Even stealing session credentials wouldn't get a hacker very far because they'd still need to know the password to do anything.
I guess it might be possible to steal the traffic and inject different information while keeping the password intact, but I'm pretty sure that can be avoided based on clever encryption key generation (the encryption key could be generated differently based on which type of action you're performing, and the content of information being sent, like using a hashing algorithm on the contents or something).
I'm no computer security expert, but this seems way more secure than what the government is proposing.
In what country do even children get their allowance through direct deposit, and lemonade stands take plastic or other electronic payment? And what's its immigration policy like?