Slashdot Mirror


Identity As the Great Enabler

New submitter steve_torquay writes: Last week, President Obama signed a new Executive Order calling for "all agencies making personal data accessible to citizens through digital applications" to "require the use of multiple factors of authentication and an effective identity proofing process." This does not necessarily imply that the government will issue online credentials to all U.S. residents.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) is working towards a distributed identity ecosystem that facilitates authentication and authorization without compromising privacy. NSTIC points out that this is a great opportunity to leverage the technology to enable a wide array of new citizen-facing digital services while reducing costs and hassles for individuals and government agencies alike.

58 comments

  1. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    Wow, someone got really worked up about Bennett's opinion pieces. Are you going to post a comment like that to every article?

  2. Done right it's a great idea... by NicBenjamin · · Score: 2, Interesting

    It would be great if you could more easily and securely access more of your tax records, or your Social Security benefits statement. This would also greatly improve things like government contracting.

    OTOH, if the system is hackable then you could easily lose all your data to some guy on another continent.

    Which would be a bad thing.

    1. Re:Done right it's a great idea... by Weirsbaski · · Score: 2

      OTOH, if the system is hackable then you could easily lose all your data to some guy on another continent.

      I resent that- they're perfectly capable of losing our data to some guy on this continent, too.

      --

      I am not a sig.
    2. Re:Done right it's a great idea... by Anonymous Coward · · Score: 0

      NOPE SORRY.
      Identity is not an enabler, in the hands of governments and corporations, it's purely a means of suppression and control and knowledge... OF YOU.

      If YOU want to be in control, YOU will DEMAND to be the first and final authority, custodian, source, broker and owner of your personal data and identity.
      FURTHERMORE, YOU will demand gov/corp each create separate 'identities', aka: nyms, for you in whichever various transactions you see fit.

    3. Re:Done right it's a great idea... by Jane+Q.+Public · · Score: 1

      Done right it's a great idea...

      NO, it is not. It is a terrible idea. There are many reasons why:

      First off, it's based on a premise that is known to be broken: a "web of trust". We already have a very good example of that type of system failing, and failing big time: SSL Certificates.

      SSL Certificates are a web authentication scheme that depends on Certificate Authorities (CAs) to certify that a particular site is legitimate and unique. So far so good. BUT... then a number of problems arose that should be harsh lessons.

      [1] Some CAs sold multiple certificates to the same domain name... a definite no-no.

      [2] Some CAs (even some of the same CAs as above) sold multiple identical certificates to different parties. This is not just a no-no but it completely breaks the whole scheme.

      [3] In a web audit done a couple of years ago, security firms found that as many as 80% of existing SSL Certificates were installed improperly. For example, being installed on a subdomain when it should be installed on the main domain name.

      The upshot is: the CA system is largely (but not completely) a failure. AND this is the important thing: it hasn't failed because it was badly designed, these failures are all human error. (Including, as in point 2, intentional or fraudulent "error".) So what it boils down to is: the people you are supposed to trust in this "web of trust" have proven to be untrustworthy.

      NSTIC is trying to build an authentication system based on this same basic model: a "web of trust". You are supposed to trust the "authority" responsible for verifying that authentication. We have seen with SSLs how that kind of system can badly fall down. And in this case it's even worse, because the "authority" you are supposed to trust is the government itself.

      When was the last time you knew the people in your government to be worthy of that kind of trust? You've got Eric Holder, the EPA, FCC, FAA all making intrusive and even blatantly illegal regulations. And despite what NSTIC claims, this basically amounts to a kind of "national ID".

      I would never cooperate with such a system, either in the sites I build, or as an individual surfing the web.

      Also, you say it might be a good system "if done right". When was the last time you knew of government doing something like this right?

      Sure: an ObamaCare website that cost nearly $400 Million and is still down a lot. (I am aware the govt. claims that money was not spent on the website, but in fact if you trace the contracts, almost all of it was.)

    4. Re:Done right it's a great idea... by NicBenjamin · · Score: 1

      If you were actually rational about this issue at all you wouldn't have included the ObamaCare bit. The site was a few months late, but has since been a key part of providing health insurance to millions of Americans. Anyone who has actually worked in the private sector for more than a week can list at least three IT roll-outs that were more bungled than that.

      Most of your reasoning falls apart with one simple change: if the Federal government is the only entity issuing certificates, then objections 1 and 2 simply do not exist. Objection 3 still could, but OTOH a massive security breach at the Social Security Administration or IRS would turn almost any hacker into a billionaire, and yet it just doesn't happen.

  3. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    It appears you are speaking to multiple AC personae for this particular style now :)

    NICE ONE GP. Long live Bennett Haselton, frequent contributor.

  4. It's been a long day by killkillkill · · Score: 1

    NSTIC points out that this is a great opportunity to leverage the technology to enable a wide array of new citizen-facing...

    And this week I've probably watched too many movies about our dystopian future. My brain was really expecting that to end with the name of some type of weapon.
    After reading everything again I am still left with a feeling that, while much smaller, it is still a step in that direction.

    1. Re:It's been a long day by Noah+Haders · · Score: 1

      no worries this can still get dystopian on this. probably the best way for NSTIC to secure people's records is through national id cards. for extra security we better register people's biometrics too. better yet, link all gov interactions (traffic stop, flights, etc) to a national DB. also, for the kids. jumping the shark would be to implant RFID tags, so I won't go there.

    2. Re:It's been a long day by NicBenjamin · · Score: 1

      You're definitely over-reacting. They're not talking about collecting new data, turning data over to law enforcement, or anything like that. This is actually the opposite of that. It's an attempt to make it easier for you to see what the government has on you.

      Right now you can access your tax records (it's called a tax transcript) online for free, but it's a multi-step process and it's a huge pain in the ass when they start asking trick questions about whether you lived at 3205 Green Rd, or 3105 Green Rd for six months back in '95. Obviously they absolutely have to do that, because the IRS has to know it's sending the records to the right guy.

      What the Feds're trying to do with the Executive order is figure out a) whether there's a way for other government departments to put more records online, and b) if there's a less painful way to identify people before sending them the right data. It's not likely they'll actually succeed, because identity thieves are clever mother-fuckers, but it's nice to see them try.

  5. Another step backwards? by Anonymous Coward · · Score: 0

    Papers please.

  6. Re:Fabulous! by Tablizer · · Score: 1

    Paper and land-line calls subject to fraud also. It's how Steve Jobs got started.

  7. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    *Distributed social network. Of course what network is not distributed? What in the fuck? Bennett Haselton, frequent contributor.

  8. Keep it to yourselves by Anonymous Coward · · Score: 0

    All the other democratic countries don't want anything to do with anything based in the U.S.A.

  9. Let me guess, it will be based on your SSN by schwit1 · · Score: 3, Insightful

    Any solution that comes from bureaucrats should be immediately discounted.

    I suspect it will be too easy to compromise, inflexible and require antiquated, proprietary technology.

    1. Re:Let me guess, it will be based on your SSN by Anonymous Coward · · Score: 0

      Any solution that comes from bureaucrats should be immediately discounted.

      I suspect that it will be privatized, overpriced and require antiquated, proprietary technology.

      FTFY.

    2. Re:Let me guess, it will be based on your SSN by Anonymous Coward · · Score: 0

      Any solution that comes from bureaucrats should be immediately discounted.

      RTFA. Neither the executive order nor the National Strategy for Trusted Identities talks about a solution coming from the Government. On the contrary, NSTIC states categorically, that the solution must come from the private sector - and has helped kick-start a 501(c)3 private-sector led not-for-profit to do exactly that: https://www.idecosystem.org/

  10. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    "I have sucked 30 cocks in 30 minutes. THIRTY. COCKS." -Bennett

  11. first four words by raymorris · · Score: 3, Insightful

    Done right,

    Didn't read the first four words of the summary, eh?

    My career has been in internet security. I now work for a government agency where we teach cyber security to other government workers. I can assure you, it won't be done right.

    1. Re:first four words by sumdumass · · Score: 2

      Is that because you are the instructor? I jest.. seriously I was joking because it was wide open with the wording you used.

      However, you are probably 100% correct. I did the networking and IT for a local county government for a number of years in the past. It was unbelievable that you could give instructions and before the day was out, have them completely ignored by people who thought they knew better.

      For instance, we had a server in another location connected to the main building by T1. The T1 line was scheduled to go down due to something in the nightly backups causing it to disconnect. It didn't actually disconnect but something threw a switch on one of the line cards that caused it to go into a monitor mode which halted communications. Taking it offline was to monitor what was actually being sent when it happened and check the commands the backup process was using to see exactly what and where it was happening with Ethereal (yes before it became Wireshark). From the telecom point of view, when they tapped in to monitor the status of the link, it started working. Turns out, a flaky line card started interpreting traffic as commands after it was in constant use for a certain amount of time and it went into this monitor mode sort of by default after it was issued invalid commands enough to fill the buffer.

      Well, long story short, both offices used servers in each other office so we told them they would not be accessible, what drives they couldn't save to instead, and so on. One office got their entire internet through the T1 from the other office. Not more than 30 minutes after the meeting and informing everyone and 10 minutes after taking the T1 off line, I started getting calls that things were blowing up all over both offices. Stopping what I was doing to check it out, it was all shit that they couldn't access on the other servers that we just told them they couldn't access. One of the more persistent calls was about not having internet access after just being told they would lose internet access for about an hour. We had to run our tests twice because someone in the other building decided to unplug and "reset" the Adtran DSU/CSU unit because it works when their internet at home goes out (someone thought it was a cable modem or something).

      Granted these were county employees. But I do not expect it to be much different with any other government entity. Nice people, but their day was pretty much drone work and they couldn't seem to deviate even after being told they would have to. It would have been nice if the county would have approved the overtime to do this after hours but for some reason it was cheaper to pay an entire workforce to do nothing for a few hours than a few telecom employees and one IT contract employee overtime.

    2. Re:first four words by Anonymous Coward · · Score: 0

      If that's the worst you've got, then government offices sound like they're better run than any company I've seen that has more than a handful of people.

    3. Re:first four words by Christopher_T. · · Score: 1

      "done right" I wish I could mod this "sad but true". There's really not a lot of incentive to keep other people's data private.

  12. Executive Orders by Anonymous Coward · · Score: 0

    What are all these 'Executive Orders'?

    Is the USA a dictatorship run by the President, or a democracy run by Congress, or a schizophrenic mixup?

    1. Re:Executive Orders by Anonymous Coward · · Score: 0

      No one knows anymore

    2. Re:Executive Orders by CaptQuark · · Score: 3, Informative

      The USA is a representative democracy, run by politicians who were voted into office by people who slept through civics class. {/sarcasm}

      What are all these 'Executive Orders'?

      That question could have been answered faster with a Google search than it took you to type it.

      Is the USA a dictatorship run by the President, or a democracy run by Congress, or a schizophrenic mixup?

      That is a much more open-ended question and you will find all sorts of theories on the inter-tubes that will attempt to sway you to their particular world view. Good luck making sense of the cacophony of opinions you will find.


      The short answer: This Executive Order is instructions to the executive branch (people that work for him) to ask for more secure forms of ID before giving them money or personal information.

  13. NZ is ahead of US here.. by Anonymous Coward · · Score: 0

    Something like "Real Me" that the New Zealand government operates would be useful.

  14. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    what network is not distributed?

    Loopback.

  15. "distributed identity ecosystem" by Anonymous Coward · · Score: 0

    This article is thick with newspeak.

    For fucks sakes just call it a distributed identity system and that's enough.

  16. Re:Where's Bennett's take? by Anonymous Coward · · Score: 0

    > working towards a distributed identity ecosystem that facilitates authentication and authorization without compromising privacy.

    Sounds like he is out there in the field lobbying for all of us!

  17. Re:Oh'Bummer by Anonymous Coward · · Score: 0

    Maybe a little worse than Carter, true. But a hell of a lot better than Bush (Jr. or Sr.), Reagan, or Nixon.

  18. Someone stole my identity by Anonymous Coward · · Score: 0

    I am Mr. Anonymous Coward, and I believe someone on your website has been posting in my name!

  19. Re:Oh'Bummer by sumdumass · · Score: 2

    You obviously weren't around for Carter or capable of reading about history.

    Nixon was better than Carter- even on liberal policies implemented ffs. And I think we can all agree that both shrubs and the actor were better than Nixon.

  20. Re: Where's Bennett's take? by Anonymous Coward · · Score: 0

    I don't think that's a direct quote. You really do underestimate him. I believe he said 50 in 30 minutes.

  21. It's not about Access, it's about state control by Anonymous Coward · · Score: 0

    Just another brick in the wall for the Police state. This has Zip to do with accessibility and security, unless you're a part of TPTB.

  22. It isn't being done right for starters by Anonymous Coward · · Score: 0

    It's actually a uniformly bad thing with a bit of shiny of newfangled intarwebbertubes polish on it. To show this, let me start with an illustration.

    "hackable" is a stupid thing to say. What is "hacking" exactly? The lawmakers sure don't know but have criminalised it regardless, to the point that calling yourself a "hacker" cost you your fourth amendment rights -- even if you meant the hatless original kind of hacker, as opposed to the hatted s'kiddies playing cowboys and injuns with global and national digital security. And that's not the end of it: Since "hacking" is not defined by law, the prosecution is free to fill it in with any whichever story they like. This empowers law enforcement to enforce as they see fit, on a whim even, and makes it harder or even impossible to defend yourself from some government official looking to fill his quota.

    This is bad law.

    It isn't the only such bad law, either.

    The NSTIC effort is equally poorly done. No clear idea of identity except that since it's meant to be easy to clerks and bureaucrats (also "user friendly", maybe) and so it just borrows the idea that you have exactly one identity. This isn't true for anyone, and clinging to the notion can actually hurt you quite a lot, something we're starting to learn now that it is harder to keep separate our various "faces" we use for different circles of acquaintances. Think getting fired for social posts, and worse, much worse.

    So yes, if the system allows your identity to be used by someone else, that would be bad indeed, moreso the worse for being a (forcibly) trusted, government-provided, all-singing-and-dancing computer-y digital and therefore untouchable system. But that is actually but one of its lesser problems, as bad as it is.

    Remember that the government is deliberately hobbled for a reason. The reasons remain valid even though technology is making the status quo harder to maintain. If you want to fix government, this thing is not the place to start. Instead, just get rid of at least half the agencies and then halve the remaining headcount again. That should force a rethink on just what the government is doing and should be doing.

    This thing is not the place to start to improve government.

  23. Re:Oh'Bummer by rcharbon · · Score: 1

    No, we can't.

  24. And how do you get your online ID by Anonymous Coward · · Score: 0

    Oh great make ALL your info accessible to anyone who can hack this - no longer restrict access and count on their new ID system to prevent the info being stolen.

    Will this work as well as the Obamacare web system ??

    And to get your ID for this system, what hoops will you have to jump through to get it (assuming its not weak and worthless)

    Setting up for online voting which will make stealing elections even easier for the leftists

    "It doesn't matter how many people you let vote, it is WHO does the counting" -- Joseph Stalin

  25. What a joke. by Anonymous Coward · · Score: 0

    This, coming from the party that fights tooth and nail against voter ID requirements???? ROFLPMP!

  26. nobody was in charge by raymorris · · Score: 1

    In my opinion, healthcare.gov failed so miserably primarily because nobody at HHS was in charge of the project, while several people at HHS felt that they had the authority to mandate adding new features. Apparently nobody was responsible for keeping it on schedule, and therefore saying "no" to various requests, or alternatively telling the president "if we do this, it will take another year to complete".

    Nobody at the lead contractor seemed to have that role either. Everybody knew that it had scope-creeped far beyond what could be done in the allotted time (given the chosen organization*), but nobody was clearly responsible for reducing the scope or extending the schedule.

    * It _might_ have been possible to get it done in time with all essential features working had the lead contractor built only a skeleton, a framework, with carefully and fully defined interfaces, then had small teams author each component to the interface.

    1. Re:nobody was in charge by Dragon+Bait · · Score: 1

      In my opinion, healthcare.gov failed so miserably primarily because nobody at HHS was in charge of the project, ....

      How many lines of legalese was the Affordable Care Act? Just translating the ACA into requirements would take longer than the time allotted to getting the web site up and working --- and then you need at least one individual who completely understands the sometimes conflicting requirements.

      No. The web site was doomed before it even began.

  27. more government information online by mstrcat · · Score: 1

    I think I would rather they concentrate on putting more government information online, making government more open rather than implementing systems to make citizens prove who they are.

  28. Our last, best hope is inertia and apathy by Anonymous Coward · · Score: 0

    So we're down to the inertia and apathy of career government employees to save us from this nightmare? Surely a lame-duck President's order will be ignored and put off as long as possible by career bureaucrats who know a new President in a few years won't even know this order was ever given, and nothing will come of this.

    Otherwise, a single point of failure like this is downright scary. And we all know how well the government does SecurID, healthcare.gov, and so on.

  29. Great by NotInHere · · Score: 1

    is NSA now my backup service? Does this also apply for EU citizens?

  30. Got Bandwidth? by Anonymous Coward · · Score: 0

    This newfangled government information system better work with dialup ... cos that's all we got around here.

  31. We all have more than one identity, and need more by davecb · · Score: 1

    I'm David in general, DCB at work (there are lots of Daves), Orv as a nickname, Uncle Dave to my nephew when he was little, Mr Collier to all sorts of illiterate clerks. I have a pen-name, and a bunch of versions of my name required by email providers. My name also changed when I got married, as did my wife's.

    When dealing with vendors I don't necessarily trust, I'm just "sir" and pay with cash. Considering the internet makes it possible for vendors to be anywhere and anyone, I expect that we'll all to do more that way. My credit-card vendor, who already issues me single-use card-numbers for particularly suspicious vendors: I also expect to see single-use numbers with no name, just a single guaranteed amount.

    Oh, and by the way, while I have to identify myself to get into the booth, my vote has no name attached.

    --dave

    --
    davecb@spamcop.net
  32. Now everybody's info can get "honed" by knorthern+knight · · Score: 1

    "Honed" is a term I've coined in honour of Mat Honan and how his info got owned/wiped... http://apple.slashdot.org/stor...

    It's one thing for trusting/ignorant people to put their data in the cloud, and get it stolen. What's the reaction going to be when everybody's data is forcibly put in the cloud?

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  33. Read the precursor by Anonymous Coward · · Score: 0

    ... will issue online credentials

    This law seems to be demanding a certain level of security. So in order to access one's digital records, credentials will be required. The trap in the floorboards being that a government department doesn't have to provide access in the first place. Next problem: Like Microsoft passport, using one password to access a number of sites is poor security. It's worse security when one authentication factor is a public number like the American SSN.

  34. Razor by Anonymous Coward · · Score: 0

    ...authentication and authorization without compromising privacy...

    You can't have both in a system.

  35. 1,000 pages, true. Still the page could load by raymorris · · Score: 1

    Certainly you couldn't implement checks and cross checks for every detail of the law as part of the web site within any reasonable time frame. However, one could easily build a site that just sends enrollee information to the insurance company and to HHS, and accomplish that within days or weeks. With a couple of years and a billion dollars, one could build a site that does 90% of what was desired, and actually works. It is the job of the chief project manager to not allow the scope to expand beyond what can be done - and tell Congress in the open hearing that it can't be done if they insist on feature X.

  36. Why? by Anonymous Coward · · Score: 0

    Why do I have to establish my identity online when I don't have to establish it when I vote?