US Gov't To Issue Secure Online IDs
Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services through a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."
The United States government has never had better timing! I'd sign up now, but I figure you guys have got it covered already, OK?
Because why go through all the trouble of forcing a bunch of companies to give you user data when you can centralize it from the start!
Mission creep.
Pretty soon this will be compulsory to do anything with the government.
Subjects says it all, but I will reiterate.
Fuck. That. Noise.
I was all about this until I got to the Canada part, and then...oh well.
And the really wonderful thing is that they have already used your facebook password and profile as well as your google info to prefill in all your forms..
They already have access to the back end servers. No log in needed.
But it won't make it harder for them either. Maybe they can bypass the FISA courts and those pesky opinions if they can just log into the accounts.
n/t
What could possibly go wrong!
How long until these become mandatory for all websites. Here's how I could see this going down:
...Tinfoil futures are a sure bet....we're losing the internet right in front of our faces.
- First, all major government websites require usage of this.
- As more and more brick-and-mortar government offices close, more and more people start using the id.
- VISA, MasterCard, et al begin requiring these for all online banking.
- Taxable web transactions somehow get tied by law to having to use these.
- Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
- All utilities, bills and such paid online start requiring it.
- Social networks require it for 'think of the children' safety.
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
What a terrible acronym! How are we supposed to say FCXX anyway?
So, I came up with a better one for them:
Federal User Credential Keyfob (for Your Online Utopia)
WTF are private organizations allowed to issue identities for? Government IDs may be a hassle, but they're the ones with the vested interest in keeping track of people. We don't permit Walmart to issue driver's licenses or passports. We already have a mess with the private CAs on the Internet. Do it once, do it right and keep a monopoly on it. IDs and currency are Government's job! If the Treasury had issued decent ecash, Bitcoin wouldn't have a market and Credit Card Companies wouldn't be adding their 2.9% inflation to every purchase. If the Gov't were to do this right, with closed-loop verification necessary for anybody to do anything with your Identity, and if it were secure it would be a great boon. No more having to notify 42 entities of your change-of-address. Change it once at the Identity agency, and it's changed everywhere. I really doubt they'll manage to get it right though. No, I don't work for the Government. I'm just a guy who hates constantly giving and updating contact info.
Isn't 'SecureKey' the one that got cracked not too many months ago?
Anything for the cancer called "our government" to spread a bit more. How long until it destroys the host and itself with the host?
I'm going to burn it, just like I burned my Obamacare card!
Let me go print one out...can I just relabel the printout I already used? I'm sure it'll work.
[Read as if you're Robert Preston in The Music Man addressing the town]
Now we're all familiar with hot farts here on Slashdot. That sharp exit of heated gas that warms your anus for a few seconds during its escape.
It's a unique sensation, and it's often uncomfortable! But my friends there is another way to fart. Yes, I said another way!
Why just last week I was sittin'. Sittin' in this very chair, browsin' this very site.
Yes I was sittin'. And while I was sittin' I felt that familiar pressure. The pressure we all know all too well. The pressure of a tight little bubble of gas winding its way through my bowels.
But this time it was different. As I felt that fart knocking on my door I took a look around. I say, I looked around for anyone who would see or smell or hear.
Friends, family, coworkers, even gosh darn strangers. But my friends the coast was clear. Yes I was free and clear to let'r rip!
But I decided to try something a little bit different. I passed on my usual lean and "foof". I opted against the raucous blast. I say I did something just a little bit different that made all the difference in the world.
Oh I leaned to the left. I leaned to the left and raised my right cheek off the chair. I raised it up and I put it back down. Right on the right edge of that chair.
Then I leaned to the right. This time to the right, raising my left cheek up and settin' it down.
Now over there on the left edge of the seat was one ass cheek. And way over there on the right edge was the other.
But right in the middle, free and clear and stretched nice and taut was my anus. And my friends what a glorious, clean pink anus it is. I took that anus and I opened the valve nice and slow. Like openin' a shaken up bottle of pop.
And just like that bottle of pop my anus let out a slow "hisssssssss". Yes a hiss! And as I savored the extended release of that one little fart, I felt a sensation. A sensation like none I'd ever felt before on this green Earth.
There was a coolness. A coolness from that escaping gas that refreshed my anus and rectum better than one of ol' Doc Miller's suppositories. It was a coolness that lasted. Stayed with me all day long! It put a skip in my step and a twinkle in my eye and that's why, my friends, I'm here today. Tellin' you about this new great way to fart.
The virtual "tattoo on the wrist" :-)
Let's hack the shit out of it.
Hey...I'm from Ohio!!!!!
That is all :)
Just remember folks, before Obama got into office he was raving about an internet ID and people that were voting for him were also saying that it was a great idea. Once he got into office he worked on this program for about half a year or a year and then nobody heard anything about it since. Now, it's coming back and what timing~ Still think this isn't a totalitarian government? I don't think we'll end up like 1984 but it's going to be fucking close.
Maybe it's just bad timing or bureaucratic paralysis or they're just trolling everyone but they have absolutely no credibility on this.
"Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email."
Possible start of WW3 in the middle east, biblical signs coming true..
Mark of the beast, anyone?
now the government can MORE EASILY track everything you do online!
This is how social security numbers started.
Prove anything by multiplying Huge Number times Tiny Number
Not to interrupt the "zOMG internet license" freak out, but isn't this just SSO with 2FA?
Sounds like a *good* thing to me (although it will probably end up costing us way too much.)
for virginity!
Securekey information passes through a cloud, which in effect means we do not know who could be looking at what services we use. The information could be used to find patterns. Canada had a much more secure method a few years ago, whereby no one knew the real identity of the person, except the individual departments or agencies, and that no amalgamation or correlation of the data was permitted by Law. It also allowed individuals to have multiple anonymous accounts to further protect themselves. This is just another way for Governments to monitor what we do, and for those crooked individuals inside, managing it, to possibly commit crimes. Oh Well, just shows you what kind of world we live in now. Big business just found a new way to ream us more.
Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.
It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.
With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.
Everybody's a comedian...
“He’s not deformed, he’s just drunk!”
And good morning to you when you wake up.
Papers please...
1. Will the scheme authenticate both directions (user to authenticator AND authenticator to user)?
2. Will the scheme authenticate all data of a transaction (at least the most relevant bits)?
3. Will the scheme work even where the endpoint device is infected with malware? (Or is there some strong assurance that such infection cannot occur in bulk?)
4. Do the credentials change with use so replay is impossible?
5. Is the act of authentication required to use positive action by the person authenticating so that it cannot be done autonomously behind the user's back?
There is too little on the securekey site to tell if any of these are present; there is mention only of some device plus a password. They speak of secure reading of cards, which in principle is rubbish for an infected device. There is nothing clear about variability there, and the "password" bit strongly suggests it is missing. It is also unclear that bidirectional auth exists (by which I do not mean what SSL claims; people ignore such due to cert expiration and so on).
If these features are missing (and btw they are simple to implement with a cheap token and a protocol for use), the system will be worse than useless. It will claim security, lull many into believing the claim, and allow large scale attacks.
If they are present, let's see some explanation of exactly how this works.
For proof, suppose you have a token that generates a display (bump a counter, encrypt with token-unique key, display perhaps 8-10 digits with each button press).
To auth do these steps: (auth A to B)
1. send token # to B
2. Press button, send 1st half of display to B
3. B synchs its idea of counter with this info, computes display, sends 2nd half of display to A
4. A is told to check this, and STOP if no match.
5. A presses button again, selects a pattern of display digits from the 8-10 displayed ones (with a pre-agreed-on unique pattern per user) and sends these digits in the agreed on pattern to B. (This may be only 3 or 4 digits, need not be long)
6. B computes what A should have sent. Match only if the token is right AND the pattern is right. B also makes sure counter value bumped only by 1.
7. (if signing needed; for buying candy might not be needed): B sends transaction info digest (maybe amount, few letters of payee) to A
8. A pushes button again, sends values in digit positions to B corresponding to transaction digest (this can be again short, and B can send coaching info to A).
9. B compares this to its idea of what should have been sent with counter bumped now by 2.
If all steps match you let the auth pass. Otherwise it blocks.
This either works or dies, changes every time, and malware can record what it likes. As long as token cannot be hacked (make it separate card maybe so there is a physical gap and user just keys results separately) malware can do as it likes. Party B does need to do the checks indicated and user A must pay attention at step 4. Users who do this will be safe. Transcribing the digits must be required to be manual so malware cannot fake it (because malware won't know what to send).
This can be approached on some cell phones but with difficulty and some limitations. (see www.gce.com papers) but greatest safety comes from (minor) hardware support (which also can cut the number of keystrokes a lot).
If the proposed solution cannot explain itself then it should be regarded with a grain of salt.
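The nine-step exchange proposed in the comment above, as an added Python sketch (not the commenter's or SecureKey's code). HMAC-SHA256 replaces "encrypt with token-unique key"; the 8-digit display, the resync window of 10, the pattern positions and the digest-to-position mapping are assumptions made for the example.

```python
import hashlib
import hmac

DIGITS, HALF = 8, 4   # display length (the comment suggests 8-10) and its half
WINDOW = 10           # how far ahead B searches when resyncing (assumed)

def display(key: bytes, counter: int) -> str:
    """Token display for one counter value. HMAC-SHA256 stands in for the
    comment's "encrypt with token-unique key" (a substitution made here)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)

def pick(shown: str, positions) -> str:
    return "".join(shown[p] for p in positions)

def tx_positions(tx: str):  # transaction digest -> four display positions
    return [b % DIGITS for b in hashlib.sha256(tx.encode()).digest()[:4]]

class Token:  # party A's separate device; key and counter never touch the PC
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> str:
        self.counter += 1
        return display(self.key, self.counter)

class Verifier:  # party B: per-token key, user pattern and last counter seen
    def __init__(self):
        self.tokens = {}

    def enroll(self, number, key, pattern):
        self.tokens[number] = {"key": key, "pattern": pattern, "counter": 0}

    def begin(self, number, first_half):
        """Steps 1-3: resync on the first half, answer with the second."""
        rec = self.tokens[number]
        for c in range(rec["counter"] + 1, rec["counter"] + 1 + WINDOW):
            shown = display(rec["key"], c)
            if hmac.compare_digest(shown[:HALF], first_half):
                rec["counter"] = c   # every display up to c is now spent
                return shown[HALF:]
        return None

    def check(self, number, digits, positions=None):
        """Steps 6 and 9: the counter advances by exactly one per check."""
        rec = self.tokens[number]
        rec["counter"] += 1
        shown = display(rec["key"], rec["counter"])
        return hmac.compare_digest(pick(shown, positions or rec["pattern"]), digits)

def login(token, number, pattern, verifier, tx=None, tx_at_b=None):
    """Steps 1-9. Returns (ok, log); log is what malware on the PC can record.
    tx_at_b models malware rewriting the transaction on its way to B."""
    shown = token.press()
    second = verifier.begin(number, shown[:HALF])
    if second != shown[HALF:]:            # step 4: user stops on mismatch
        return False, []
    sent = pick(token.press(), pattern)   # step 5
    log = [shown[:HALF], sent]
    ok = verifier.check(number, sent)     # step 6
    if ok and tx is not None:             # steps 7-9
        reply = pick(token.press(), tx_positions(tx))
        log.append(reply)
        ok = verifier.check(number, reply, tx_positions(tx_at_b or tx))
    return ok, log

def replay(verifier, number, log):  # malware re-sends a recorded session
    return (verifier.begin(number, log[0]) is not None
            and verifier.check(number, log[1]))
```

With replies this short, party B also has to limit failed attempts per token: a 3-digit pattern reply is guessable one time in a thousand.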
... any browser in BSD and Linux? Or will the government be forcing me to buy another computer since I want things to be secure?
now we need to go OSS in diesel cars
Why can't they just tell us what the IDs that NSA already assigns us are?
In the land of the blind, the one-eyed man is king.
I wouldn't be so sure.
The United States is considered one of the easiest places to purchase and sell real property, along with other jurisdictions sticking to the old Common Law rules. What distinguishes the Common Law system from the Civil Law system is that in Civil Law systems the central database is the definitive authority on ownership. In Common Law systems, ownership is a matter of fact to be determined by a court. There are quasi-centralized registries, but they merely act as optimizations... caches.
You would think a single centralized database would be most efficient, but it's not. Dealing with a change in real property ownership in Civil Law countries is often a nightmare, and it's a focus of study by economists in South America and Africa. The problem is that centralized databases don't cope with errors and anomalies very well, and are easier to game. Whereas decentralized systems handle errors much better, especially when you're allowed to present all the relevant information to a judge regarding title in land, not just what the bureaucrats attest to.
For a system like identification, dealing with the common case is trivial. Instead, you want to optimize for the errors and anomalies--basically cases that break the normal rules. That's a much harder problem, and centralization doesn't buy you very much, and in fact can be a bottleneck.
Oh, of course, it is surely more secure for everyone to have a different password for each site they visit.
now we need to go OSS in diesel cars
go f**k yourselves forever
It used to be called an "igovt" login, but now that has become part of the "RealMe" service (https://www.realme.govt.nz/). It's operated in partnership between the Department of Internal Affairs and New Zealand Post. It's the login you need to interact with the NZ Government online, and they make identity services available to businesses.
thanks for deleting my comment immediately, slashdot moderators.
And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.
NSA already has the credentials it needs.
As long as it remains voluntary at all levels. Any hint of compulsion and its true corporate control of all individuals accessing the internet is exposed.
I guess you missed all those required 3rd party Facebook logins scattering websites anymore. You know the ones, those websites that require you to 'verify your identity' or somesuch by logging into Facebook on their website. If you want to use all the features of many popular websites you must have a Facebook account.
It sounds like corporate control to me.
Trying to go beyond the surrounding paranoia: I understand this to be a federated identity network, probably based on SAML. Is that right?
What a wonderful idea.....
Given the very little privacy we have left supported by the pesky userid and passwords.... Let's just give total control of our access to everything to the government. Because it will make us safer....
Because we can trust them.....
I hope people are aware that the postal service's imaging systems are piped to the NSA as well.... They have had such access for decades.
I'm sure they can piggy back on the network connection to grant access to all the authentication credentials as well.
Because we can trust them....
http://www.gnu.org/philosophy/right-to-read.html
Once your extreme views become fact, you're no longer a crackpot.
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
The best types of objection to this trend include unified-marriage-identification practices and IRC. The worst aspect of this trend is it leads toward nationalized RFID, which is Biblical. Another biblical thing is coming true today: [gaza palestine's only agenda the abolition of israel.] An obvious concern citizens will have is [does the government have enough FLOPS to break its own RSA?]
WTF I thought April 1st was months ago....
All online federal services trusting a single cloud based service to figure out who the users are.
Every user's access to every federal system logged in a single cloud based service.
Every identity provider trusting a single cloud service with user PII.
I wonder what "FCCX Trusted Credentials" will sell for online. Less than credit card numbers I suspect.
A tracking device
If voter ID is considered racist, wouldn't this also be racist?
In other news, HuffPo plans to ban anonymous posting, and phase in a requirement for a secure government-issued ID for all posters...
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
So which major defense contractor has the multibillion dollar contract to implement this? I won't worry. It'll get over budget and behind schedule so fast (due to no actual work being done) that it will be axed before anywhere near completion.
The only thing worse than a Democrat is a Republican.
...how much I wanted the government to require me to use their identification online. Surely this was a great concern for every user of Federal systems, to have a single unified ID. We all demanded this so much that the government just had to respond and give us that which we truly wanted and needed!
Thank you Barack Obama for spending my tax money on this!
The reason for the U.S.A. push for this is to connect-the-dots of legal citizens of the U.S.A. in order for the Federal Government to commit acts of blackmail, extortion, grand theft and murder against the most hated enemy of the Federal Government to the U.S.A., the legal citizens of the U.S.A.
Obama must be jerking off in front of a poster of Richard M. Nixon while reading this news.
This is just the first part of the 2 factor authentication. Once it is in place and they have you hooked then they will say well ok it is not that secure so we are going to ask you to put your DNA on file and all computers will start shipping with sensors to confirm your DNA.
I can get Verisign to store my public key and people who get my public key and attested identity can ask Verisign if the person who has that key has the same identity.
That verifies my identity with a trusted third party.
Verisign do NOT get my private key nor any password to that private key.
If this scheme allows me to submit my public key THAT I GENERATE MYSELF and assert that this key is mine and me on the internet, then that's fine.
If this scheme is "We will give you an account here which we will use to attest you are who you say you are if you use the key we give you", then it is NOT ACCEPTABLE. Because I then have to trust this third party, rather than have others use that third party for verification they can trust me.
I could not help but think....
Three Master Keys for the Agencies under the Executive
Seven for the Security Council in the Congress Hall
Nine for the Justice supporting no warrants
One for the President on his Dark Throne
In the Land of States where Freedom dies
One Key to Rule them all, One Key to silence them
One Key to subject them all and in subjugation bind them
In the Land of States where Freedom dies
how is that racist? it is a government id for all citizens? if you are now going to tell me that some races are too poor to have internet, im going to tell you that you are a racist...everyone in the country has access to internet in some form or fashion by now. you can go to a coffee shop and get free internet for gods sake
#facepalm
There are urban neighborhoods without a Starbucks, without a Panera, heck even without a wifi-equipped McD's. And there are plenty of (poor) people who still live in rural areas where nobody provides those free services either.
What you said sounds like another over-privileged B who suggested the peasants who had no bread should eat cake instead for gods sake.
Number of the... Oh, nevermind.
Fantastic, just another way for the government to track our every move and leaves our personal information vulnerable for hackers to access. Sure it would be extremely convenient, but is that worth your privacy?