Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org)

Posted by BeauHD on from the real-world-scenarios dept.

Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- drivers licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.

11 of 40 comments (clear)

  1. If you trust digital, you belong in the looney bin by Anonymous Coward · · Score: 4, Insightful

    Everything digital is both horribly underdeveloped and infiltrated at all levels, from the standards, through hardware, operating systems and libraries, up to the applications. There is nothing trustworthy about it. It can be useful, yes, but don't trust it.

  2. Do a million things right and three things wrong by jfdavis668 · · Score: 3, Insightful

    If you build a system, you almost entirely make the right choices and design it well. You have done a million things right. But, if you miss a few places and miss a couple of potential problems, it leaves an access for someone to exploit. Systems are getting to the point where they are to large to test for every possible potential problem. It isn't helping that people rush them into service.

  3. Re:If you trust digital, you belong in the looney by Max_W · · Score: 2

    In physical world there is also a week point, - the dumpster diving https://en.wikipedia.org/wiki/... , cheap large capacity hard disks, and cheap labor make it possible to create the carpet databases on the whole population.

    The dumpster diving allows to mine not only an ID and bank data, but also fingerprints, a DNA, a handwriting, etc. It is happening already on the international scale.

  4. Re:Do a million things right and three things wron by quintessencesluglord · · Score: 4, Insightful

    Kinda.

    Frank Abagnale laid out some very basic aspects of fraud and verifying identity that still aren't implemented if for no other reasons than the people who maintain those databases risk nothing if they are compromised.

    I mean really, the notion of identity theft, and that you are somehow responsible because an institution failed to correctly identify you is absurd. But then again, they have very little to risk in comparison, so what does it matter to them?

    One of the points he emphasized was that large databases are unnecessary, and in fact several point to point identifiers, where once your identity is established nothing is kept on record except for the unique verification issued by that one institution limits exposure and decreases gains from fraud.

    That was nearly 30 years ago. I think at this point we can claim criminal negligence.

  5. An imaginary crisis? by Gallefray · · Score: 4, Insightful

    It's not an /imaginary crisis/, it's a /hypothetical crisis/.

    A hypothetical is something that *could* happen but under certain circumstances.
    Imaginary is simply 'not real' -- existing only in your imagination.

    The latter is /technically/ correct, but not really correct, and changes the meaning.

    It's effectively the difference between "Oh this can't happen" and "This could really happen".

    1. Re:An imaginary crisis? by Ol+Olsoc · · Score: 3, Insightful

      It's not an /imaginary crisis/, it's a /hypothetical crisis/.

      A hypothetical is something that *could* happen but under certain circumstances. Imaginary is simply 'not real' -- existing only in your imagination.

      The latter is /technically/ correct, but not really correct, and changes the meaning.

      It's effectively the difference between "Oh this can't happen" and "This could really happen".

      All very nice, but you missed the part about it going on as we speak. for all the stories that we do hear, like Hollywood Hospital's paying ransom to hackers, Target and Home Depot's data being hacked, and now some of those compromised Social security and other stolen data being used to file fraudulent tax returns - there are the daily data thefts we don't hear about. There is nothing hypothetical about it. The only thing that didn't sound like "didn't this already happen?" from TFA was the business of a girl being killed because her health records were altered.

      The only thing protecting us is that at the present moment, the bad guys have a vested interest in keeping their fraud at a level that does not topple the institutions they are parasitizing.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:An imaginary crisis? by penguinoid · · Score: 2

      Imaginary numbers are real. Well, as real as real but they're not themselves real. They make things complex.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    3. Re:An imaginary crisis? by Sir+Holo · · Score: 2

      Yep, nobody likes a Cassandra.

      Not when she warns of impending risk...

      And CERTAINLY not when she points out her prior (unheeded) warnings.

      And so it goes.

  6. Re:Do a million things right and three things wron by Rockoon · · Score: 4, Funny

    Obligatory reflection on identity theft.

    --
    "His name was James Damore."
  7. Re:The missing "traditional forms of identificatio by Anonymous Coward · · Score: 2, Insightful

    That idea is indeed in widespread use but it isn't a panacea. There are many things wrong with it and in fact having a really good system easily kills people. As it did in the Netherlands, during WWII. Go look it up, and do note that it wasn't the Germans that designed that card, which was very hard to forge for the day. It was the Dutch themselves that had a very high quality administration that included things like... religion so they could provide you the right flavour of burial should you die without relatives. So yeah.

    Of course, that's an extreme and wars don't happen to you anyway, so let's forget about that possibility, eh? Well, even without war it's easy to fall between the cracks, and the harder such an identity system, the harder it is to get back in once you fall out, maybe on a stupid little technicality or a computer glitch or whatever the excuse of the day is.

    On top of that we have that the government now completely owns your identity. It doesn't just provide some convenient administrative services, you're becoming completely dependent on its machinery for more and more things, down to daily chores. You're no longer your own person. This has implications in and of itself also. And then there are the centralisation and biometrics angles you mention. So to me this simply isn't the way forward.

    Let me illustrate what this way can mean in practice: We had a tv report recently, where some people had to call (various offices of) the government every month for fifteen months to get the same change applied again because some automated system had set it back again. And that's the social security office relying on those decentralised local town registries and something between the two went awry. Officially some 10k people are affected, on a total population of 17M, though the total number of benefits receivers would be lower of course. I've heard of a minister having had to apologise in person to the same person three times in a row for a similar problem. The harder you make this traditional "identity" thing the more you're going to get this sort of very hard to fix or outright unfixable problem. We're talking about government and IT here, so yeah.

    Notice that due to "digital" and "cyber", any such system will eventually entrench itself more and more, spread its tentacles everywhere, unless the design makes this somehow impossible. That means that any traditional approach is automatically obsolete. And I see nothing but traditional approaches coming from these "experts". Can't we fire that bunch already?

  8. Sure, it's just like climate change by TheRealHocusLocus · · Score: 4, Insightful

    TA "This is like climate change,"

    Is anyone else noticing that these little zingers are starting to pop up everywhere? It's as if some mechanism that is supposed to keep us from mixing or over-stretching metaphors (unless we're deliberately trying to be funny) has been broken. Like the old social catch-phrase, "How 'bout dem [sports team]?" in which someone is attempting to jump-start a stalled conversation or uncomfortable silence with hilarious off-topic clumsiness.

    How 'bout dat Climate Change? (sorry! off topic when I say it, but not when they do)

    TA "My team focused on considering how people can identify themselves when the most common form of identification --- the driver's license --- is no longer trusted." [going on to propose something even more complicated]

    Other groups suggested... [some things so complicated, effort to implement completely boggles the mind]

    So the must-possess-ID to prove your own existence bandwagon we've all jumped onto seems to be experiencing ... technical difficulties. Time and again we applied the naive assumption that the current state of things, such as when local thugs might physically alter and pass documents, is simply intolerable and could not be worse. What we need is the un-crackable trust system. So we embrace increasingly centralized systems that turn out to be centrally exploitable. Now we have globally exploitable systems, what progress! Those thugs in your neighborhood don't stand a chance. Unfortunately neither do police detectives or even FBI agents, even as their forensic methods have improved. How often has the trail of say, some gas-card fraud scheme, dead-ended at some kid whose whole degree of technical prowess consists of writing numbers received in email to mag strips. Numbers acquired by intricate, even fantastic means in bulk by persons who may be anywhere on Earth?

    SIMPLIFY. Sounds like there were some clever people there because it ended on an idea 'stack overflow'.

    one team expressed what seemed to be a common sentiment --- that the best thing one could do is already impossible. "We should go back to 1995 and get this right. [something about climate] We are too far along to stop bad things from happening in the future; we can just try not to make it worse."

    They're right, 1995 was a good year. Allow me to reminisce.

    There was this thing 'cash' which most of us used for every day purchases. We were not using cash because we had something to hide... honest! We payed our taxes regularly, sometimes even with cash... honest! Even terrorists paid for things in cash, and their money was as good as anyone's. That's the wonderful thing about cash, once you have it, it's yours and you don't need to worry that the Federal government will seize it from your account because that fellow who bought that living room set was an Iranian. Some reading this never knew a time when it took a lot longer to process a credit card than count money and make change. Then again, in 1995 people didn't hold up the line as they bought and scratched instant-win lottery tickets. That was considered rude then.

    Your bank was your friend. it couldn't play the stock market and expose its shiny ass in derivatives, or corroborate with the Federal government in real time to scrutinize your transactions. Few banks were joined at the hip with credit card companies and junk mortgage giants. They offered actual ATM cards which worked in local ATMs that did not immediately broadcast your transaction and geo-position in global data streams to a loose consortium of corporate and government special interests. They

    --
    <blink>down the rabbit hole</blink>