Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org)
Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- drivers licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.
Everything digital is both horribly underdeveloped and infiltrated at all levels, from the standards, through hardware, operating systems and libraries, up to the applications. There is nothing trustworthy about it. It can be useful, yes, but don't trust it.
I take it that you don't fly, don't drive a car newer than say 2000, don't have a bank account, etc etc
We have put our trust and our lives in the hands of 'Digital' technology for decades now.
We do trust it. We have to, but since everything seems to be connected to the internet these days (or the makers would want it to be...) the level of trust in our devices has fallen and in some areas dramatically.
Then along comes the various governments around the world and want their part of the action. They want to know what we are doing 24/7/52 just in case we have 'bad thoughts'. 1984 is here and alive.
If you are ok with that then good luck with that sleep walk into ???? Free speech will be a thing of the past. Free will ? Unless you are a good citizen and buy your quota of 'stuff' that is designed to fall apart in 1-2 years then it will be time for you to be re-educated.
etc etc etc.
If you go 'off grid' then the TLA's of this world think you are definitely up to no good.
So be a good citizen (prole) and toe the line, sing the party song and don't say a word out of line. The 21st Century Gulags are ready and waiting for you.
If you build a system, you almost entirely make the right choices and design it well. You have done a million things right. But, if you miss a few places and miss a couple of potential problems, it leaves an access for someone to exploit. Systems are getting to the point where they are too large to test for every possible potential problem. It isn't helping that people rush them into service.
In physical world there is also a week point, - the dumpster diving https://en.wikipedia.org/wiki/... , cheap large capacity hard disks, and cheap labor make it possible to create the carpet databases on the whole population.
Dumpster diving allows one to mine not only ID and bank data, but also fingerprints, DNA, handwriting, etc. It is happening already on the international scale.
Kinda.
Frank Abagnale laid out some very basic aspects of fraud and verifying identity that still aren't implemented if for no other reasons than the people who maintain those databases risk nothing if they are compromised.
I mean really, the notion of identity theft, and that you are somehow responsible because an institution failed to correctly identify you is absurd. But then again, they have very little to risk in comparison, so what does it matter to them?
One of the points he emphasized was that large databases are unnecessary, and in fact several point to point identifiers, where once your identity is established nothing is kept on record except for the unique verification issued by that one institution limits exposure and decreases gains from fraud.
That was nearly 30 years ago. I think at this point we can claim criminal negligence.
It's not an /imaginary crisis/, it's a /hypothetical crisis/.
A hypothetical is something that *could* happen but under certain circumstances.
Imaginary is simply 'not real' -- existing only in your imagination.
The latter is /technically/ correct, but not really correct, and changes the meaning.
It's effectively the difference between "Oh this can't happen" and "This could really happen".
in 'business' then... like berlin in the bad old days? madison.ave.war is our 'media' now?
Obligatory reflection on identity theft.
"His name was James Damore."
This really isn't a concern for the average Joe.
In the early 1900s, most people didn't even have birth certificates. At least not in rural Canada, and that was where a majority of people lived. Compare that to ID requirements now.
Yet, the only REAL purpose of all of this ID is control. Mostly, control of debt. And trust of debt.
For example, electricity. Or cable. Or internet access. There is little need to link this to names, they all go to a specific place, yes? A simple deposit is all that is required, or pre-pay to eliminate the need of ID checks, credit checks, and more.
When I buy gas for my car, I don't put gas in and pay for it after I've used it! Nor do I do the same for food.
Well, that is, unless someone is living on credit cards.
Again, 99.9999% of usage cases for ID and identification is simply to enable credit.
How does that bother Joe?
Imagine if credit never existed. If it had been made illegal 100 years ago.
I assure you our modern world would still exist, and that people would still have jobs. It would merely be a different capitalistic system. One where people were paid in cash, likely.
So?
Well, I guess that prevents free transfer of money. And the CIA and NSA from tracking everywhere you spend money, and where you purchase things, and even the things you buy (air mile cards, hooks into large-retailer data, etc).
ID is all about control. It is of little benefit to the citizen that is essentially forced to have ID to negotiate our current society.
>"traditional forms of identification and databases that use them -- drivers licenses, voting records, social security numbers, medical records, and bank accounts --"
The one thing missing there is a government issued national ID. The System most European countries had up until about the start of the Millennium was pretty good in my opinion. Basically Name/Date/Place of birth/Photo on a "forgery-proof" piece of plastic or paper that you could show where your identity needed to be established beyond doubt.
In Germany that data was basically only "On file" in your local town hall, so no big central database to break/hack into either.
Of course after ~2000 the whole thing tilted into the central database / biometric data wanted / etc... angle that made the thing less and less desirable.
Striving for perfection will be the ruin of this sort of initiative. In the real world, there is tolerance for failure. Just look at the pre-internet system, there was plenty of fraud and identity theft. But we still managed to keep going, failures and all. Sure, the information age changed that dynamic quite a bit. But it's important to note that perfection isn't necessary or even possible. It just has to be tolerable. If we try to make a 100% foolproof system we will be arguing the details until the sun explodes.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Good!
That's the way I like it because it means my OS is mine and not just a locked down part of a larger system which tells every advertiser who I am and it allows me to read and write anonymously like people have been able to since the beginning of print. These big digital trust systems, I don't trust them because the people running corporations and governments are highly untrustworthy.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Mod parent up, video is spot on and funny.
In physical world there is also a week point...
Yeah, our ability to spell.
As long as there's benefit to having other people's personal information this will continue to be a problem. But hey, that chair could go a little to the left
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The exercise neatly shows that you can't really trust "cybersecurity experts" with any of this. They have entirely the wrong background, come from the wrong initial assumptions, fail to see the obvious. So the best you get is a neat little parade of naked emperors shouting they're the king of cyberhacking. It may be cute, but certainly oh so wrong. Makes them a good living, though, so there's no real reason why they'd clean up their act.
catch our breath, keep our heads.. the best has yet to come?
That idea is indeed in widespread use but it isn't a panacea. There are many things wrong with it and in fact having a really good system easily kills people. As it did in the Netherlands, during WWII. Go look it up, and do note that it wasn't the Germans that designed that card, which was very hard to forge for the day. It was the Dutch themselves that had a very high quality administration that included things like... religion so they could provide you the right flavour of burial should you die without relatives. So yeah.
Of course, that's an extreme and wars don't happen to you anyway, so let's forget about that possibility, eh? Well, even without war it's easy to fall between the cracks, and the harder such an identity system, the harder it is to get back in once you fall out, maybe on a stupid little technicality or a computer glitch or whatever the excuse of the day is.
On top of that we have that the government now completely owns your identity. It doesn't just provide some convenient administrative services, you're becoming completely dependent on its machinery for more and more things, down to daily chores. You're no longer your own person. This has implications in and of itself also. And then there are the centralisation and biometrics angles you mention. So to me this simply isn't the way forward.
Let me illustrate what this way can mean in practice: We had a tv report recently, where some people had to call (various offices of) the government every month for fifteen months to get the same change applied again because some automated system had set it back again. And that's the social security office relying on those decentralised local town registries and something between the two went awry. Officially some 10k people are affected, on a total population of 17M, though the total number of benefits receivers would be lower of course. I've heard of a minister having had to apologise in person to the same person three times in a row for a similar problem. The harder you make this traditional "identity" thing the more you're going to get this sort of very hard to fix or outright unfixable problem. We're talking about government and IT here, so yeah.
Notice that due to "digital" and "cyber", any such system will eventually entrench itself more and more, spread its tentacles everywhere, unless the design makes this somehow impossible. That means that any traditional approach is automatically obsolete. And I see nothing but traditional approaches coming from these "experts". Can't we fire that bunch already?
Can't they find anybody who can write a summary without sophomoric mistakes in grammar and composition? This is really pitiful. Hire somebody who speaks English as a first language, graduated from high school and actually gives a shit to give these things a once-over.
Unlike everything in the "digital world", most of the aircraft is still analog, and every single line of code in digital avionics systems is traceable to a line in the requirements, audited, validated and tested against both acceptable and unacceptable inputs. What security people call "fuzzing" and think of as a relatively new tool is actually very old and has been used since the first digital devices were used in aviation. Additionally, the aerospace manufacturers are liable for a thousand lawyers' salaries and your life, whereas the "tech industry" is responsible for finding their next jobs. The level of quality of internet connected things has nothing, at all, in any way, in common with the aerospace industry. Your entire comparison is bullshit.
IRS reports now indicate that 700,000 tax returns were stolen, social security numbers and all. That's just one NOT imaginary incident out of dozens/hundreds.
Failure can be acceptable as long as you can recover from it in a timely fashion. Nothing is perfect, but you do need to make sure all of your bases are covered.
TA "This is like climate change,"
Is anyone else noticing that these little zingers are starting to pop up everywhere? It's as if some mechanism that is supposed to keep us from mixing or over-stretching metaphors (unless we're deliberately trying to be funny) has been broken. Like the old social catch-phrase, "How 'bout dem [sports team]?" in which someone is attempting to jump-start a stalled conversation or uncomfortable silence with hilarious off-topic clumsiness.
How 'bout dat Climate Change? (sorry! off topic when I say it, but not when they do)
TA "My team focused on considering how people can identify themselves when the most common form of identification --- the driver's license --- is no longer trusted." [going on to propose something even more complicated]
Other groups suggested... [some things so complicated, effort to implement completely boggles the mind]
So the must-possess-ID to prove your own existence bandwagon we've all jumped onto seems to be experiencing ... technical difficulties. Time and again we applied the naive assumption that the current state of things, such as when local thugs might physically alter and pass documents, is simply intolerable and could not be worse. What we need is the un-crackable trust system. So we embrace increasingly centralized systems that turn out to be centrally exploitable. Now we have globally exploitable systems, what progress! Those thugs in your neighborhood don't stand a chance. Unfortunately neither do police detectives or even FBI agents, even as their forensic methods have improved. How often has the trail of say, some gas-card fraud scheme, dead-ended at some kid whose whole degree of technical prowess consists of writing numbers received in email to mag strips. Numbers acquired by intricate, even fantastic means in bulk by persons who may be anywhere on Earth?
SIMPLIFY. Sounds like there were some clever people there because it ended on an idea 'stack overflow'.
one team expressed what seemed to be a common sentiment --- that the best thing one could do is already impossible. "We should go back to 1995 and get this right. [something about climate] We are too far along to stop bad things from happening in the future; we can just try not to make it worse."
They're right, 1995 was a good year. Allow me to reminisce.
There was this thing 'cash' which most of us used for everyday purchases. We were not using cash because we had something to hide... honest! We paid our taxes regularly, sometimes even with cash... honest! Even terrorists paid for things in cash, and their money was as good as anyone's. That's the wonderful thing about cash, once you have it, it's yours and you don't need to worry that the Federal government will seize it from your account because that fellow who bought that living room set was an Iranian. Some reading this never knew a time when it took a lot longer to process a credit card than count money and make change. Then again, in 1995 people didn't hold up the line as they bought and scratched instant-win lottery tickets. That was considered rude then.
Your bank was your friend. It couldn't play the stock market and expose its shiny ass in derivatives, or corroborate with the Federal government in real time to scrutinize your transactions. Few banks were joined at the hip with credit card companies and junk mortgage giants. They offered actual ATM cards which worked in local ATMs that did not immediately broadcast your transaction and geo-position in global data streams to a loose consortium of corporate and government special interests. They
<blink>down the rabbit hole</blink>
Digital Trust already does not exist.
The FIVE biggest breaches — Anthem Health care, U-CA Health System, US-OPM (security clearance applications), the IRS, and again the US-OPM (fingerprints this time), have ALL affected me. There is nothing else to be breached.
Oh, wait, aren't the Credit-score Reporting Agencies well-known for happily reporting false data in peoples' Credit Reports? (HINT: Yes.)
The game is already over.
The proposed solution, as suggested by the study, is for us to release even more personal information, relying on the one thing that we can never-ever change – our DNA. Are you gonna prick my finger and run a PCR on my identity every time I withdraw cash from an ATM? Oh, oops, my DNA will be left in finger-oil residues on those anonymous cash bills when I spend them.
Uhm, GATTACA – no thank you.
I think at this point we can claim criminal negligence.
The University of California Health System mandated that all physicians use a computer-interface to record everything about the provider-patient interaction. This turns MD's into data-entry monkeys. I've talked to many MD's in the system, and they all agree that it detracts from the time that they can spend actually interacting with the patient. They all hate it.
Oh, and get this, this system originally ran on Win XP (2-3 years ago). When was that EOL'ed? Of course, it was breached within a year. I moved to a GP who keeps everything on paper. Yes, huge manila folders full of prior notes, results, and diagnoses. No computer files, aside from the bare minimum mandated by state law (for Rx, etc.).
I know that my own medical records are my own property, and periodically demand photocopies of every intervening period be made, and physically mailed to me. That is my right, YOUR RIGHT, and everyone else's (in the US).
Try to hack that! Unless you break into my home (I'm not that important), then such files remain private.
Relational databases are wonderful things. Just don't connect them to the internet!!!