Slashdot Mirror


Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org)

Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- driver's licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.

7 of 40 comments

  1. If you trust digital, you belong in the looney bin by Anonymous Coward · · Score: 4, Insightful

    Everything digital is both horribly underdeveloped and infiltrated at all levels, from the standards, through hardware, operating systems and libraries, up to the applications. There is nothing trustworthy about it. It can be useful, yes, but don't trust it.

  2. Do a million things right and three things wrong by jfdavis668 · · Score: 3, Insightful

    If you build a system, you almost entirely make the right choices and design it well. You have done a million things right. But, if you miss a few places and miss a couple of potential problems, it leaves an access for someone to exploit. Systems are getting to the point where they are too large to test for every possible potential problem. It isn't helping that people rush them into service.

  3. Re:Do a million things right and three things wron by quintessencesluglord · · Score: 4, Insightful

    Kinda.

    Frank Abagnale laid out some very basic aspects of fraud and verifying identity that still aren't implemented if for no other reasons than the people who maintain those databases risk nothing if they are compromised.

    I mean really, the notion of identity theft, and that you are somehow responsible because an institution failed to correctly identify you is absurd. But then again, they have very little to risk in comparison, so what does it matter to them?

    One of the points he emphasized was that large databases are unnecessary, and in fact several point to point identifiers, where once your identity is established nothing is kept on record except for the unique verification issued by that one institution limits exposure and decreases gains from fraud.

    That was nearly 30 years ago. I think at this point we can claim criminal negligence.

  4. An imaginary crisis? by Gallefray · · Score: 4, Insightful

    It's not an /imaginary crisis/, it's a /hypothetical crisis/.

    A hypothetical is something that *could* happen but under certain circumstances.
    Imaginary is simply 'not real' -- existing only in your imagination.

    The latter is /technically/ correct, but not really correct, and changes the meaning.

    It's effectively the difference between "Oh this can't happen" and "This could really happen".

    1. Re:An imaginary crisis? by Ol+Olsoc · · Score: 3, Insightful

      It's not an /imaginary crisis/, it's a /hypothetical crisis/.

      A hypothetical is something that *could* happen but under certain circumstances. Imaginary is simply 'not real' -- existing only in your imagination.

      The latter is /technically/ correct, but not really correct, and changes the meaning.

      It's effectively the difference between "Oh this can't happen" and "This could really happen".

      All very nice, but you missed the part about it going on as we speak. For all the stories that we do hear, like Hollywood Hospital's paying ransom to hackers, Target and Home Depot's data being hacked, and now some of those compromised Social Security and other stolen data being used to file fraudulent tax returns - there are the daily data thefts we don't hear about. There is nothing hypothetical about it. The only thing that didn't sound like "didn't this already happen?" from TFA was the business of a girl being killed because her health records were altered.

      The only thing protecting us is that at the present moment, the bad guys have a vested interest in keeping their fraud at a level that does not topple the institutions they are parasitizing.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Re:Do a million things right and three things wron by Rockoon · · Score: 4, Funny

    Obligatory reflection on identity theft.

    --
    "His name was James Damore."
  6. Sure, it's just like climate change by TheRealHocusLocus · · Score: 4, Insightful

    TA "This is like climate change,"

    Is anyone else noticing that these little zingers are starting to pop up everywhere? It's as if some mechanism that is supposed to keep us from mixing or over-stretching metaphors (unless we're deliberately trying to be funny) has been broken. Like the old social catch-phrase, "How 'bout dem [sports team]?" in which someone is attempting to jump-start a stalled conversation or uncomfortable silence with hilarious off-topic clumsiness.

    How 'bout dat Climate Change? (sorry! off topic when I say it, but not when they do)

    TA "My team focused on considering how people can identify themselves when the most common form of identification --- the driver's license --- is no longer trusted." [going on to propose something even more complicated]

    Other groups suggested... [some things so complicated, effort to implement completely boggles the mind]

    So the must-possess-ID to prove your own existence bandwagon we've all jumped onto seems to be experiencing ... technical difficulties. Time and again we applied the naive assumption that the current state of things, such as when local thugs might physically alter and pass documents, is simply intolerable and could not be worse. What we need is the un-crackable trust system. So we embrace increasingly centralized systems that turn out to be centrally exploitable. Now we have globally exploitable systems, what progress! Those thugs in your neighborhood don't stand a chance. Unfortunately neither do police detectives or even FBI agents, even as their forensic methods have improved. How often has the trail of say, some gas-card fraud scheme, dead-ended at some kid whose whole degree of technical prowess consists of writing numbers received in email to mag strips. Numbers acquired by intricate, even fantastic means in bulk by persons who may be anywhere on Earth?

    SIMPLIFY. Sounds like there were some clever people there because it ended on an idea 'stack overflow'.

    one team expressed what seemed to be a common sentiment --- that the best thing one could do is already impossible. "We should go back to 1995 and get this right. [something about climate] We are too far along to stop bad things from happening in the future; we can just try not to make it worse."

    They're right, 1995 was a good year. Allow me to reminisce.

    There was this thing 'cash' which most of us used for everyday purchases. We were not using cash because we had something to hide... honest! We paid our taxes regularly, sometimes even with cash... honest! Even terrorists paid for things in cash, and their money was as good as anyone's. That's the wonderful thing about cash, once you have it, it's yours and you don't need to worry that the Federal government will seize it from your account because that fellow who bought that living room set was an Iranian. Some reading this never knew a time when it took a lot longer to process a credit card than count money and make change. Then again, in 1995 people didn't hold up the line as they bought and scratched instant-win lottery tickets. That was considered rude then.

    Your bank was your friend. It couldn't play the stock market and expose its shiny ass in derivatives, or corroborate with the Federal government in real time to scrutinize your transactions. Few banks were joined at the hip with credit card companies and junk mortgage giants. They offered actual ATM cards which worked in local ATMs that did not immediately broadcast your transaction and geo-position in global data streams to a loose consortium of corporate and government special interests. They

    --
    <blink>down the rabbit hole</blink>