Thursday, February 16, 2012

Wrong on so very many levels...

So, CNN ran another piece about the Administration's proposal for a single internet identity for everybody, to circumvent all those pesky passwords and logins you have to remember right now.

This may be the stupidest idea to come out of Washington since the creation of the TSA.
Passwords are often shared among family, friends and spouses, and people typically use the same passwords for everything. Many experts say passwords are cybersecurity's weak link.
If some people are that dumb, why punish those of us who use a different alphanumeric, case-sensitive hash everywhere, just because Joe Blow and Suzy Schmoe use the same "12345" each place they log in?

Anyway, how is this idea made of fail? Let us count the ways...
  1. It's another barrier to entry for budding e-commerce entrepreneurs. Whatever solution gets cooked up between government regulators and giants like Google, Amazon, and Apple will be designed to stifle the next Jeff Bezos, not empower him.

  2. Now in order to impersonate you on the web, somebody only has to steal one password instead of a bunch of them!

  3. Say you wound up the target of some Hollywood-grade government conspiracy overnight. Tomorrow morning, they could suspend your driver's license, but that wouldn't stop you from driving to Canada. This plan, however, would theoretically allow them to suspend your internet license instantly, throwing you off the Information Superhighway by deploying the digital stop sticks at the touch of a button.

  4. For the eschatologically-inclined, there'll be no buying and selling on the internet without this number...
The more technically literate and suspicious among you could no doubt think of a dozen others, but there's a good start right there.

The internet has been a goose that has been laying economic golden eggs for an amazing amount of time, considering the continual ham-handed efforts of the government to try and serve itself up some foie gras. Let's hope it can shrug off this one.


JD Rush said...

Can't control the sheeple if they can say "bad" things behind your back and not immediately have a SWAT team sent to their house.

Andy said...

The market is already working on this. Note the identity options of your own posting form. Facebook is also a competitor in that.

Leatherwing said...

Wherever that password data was stored would become the Holy Grail for every hacker, Russian mobster, and the Chinese government. Imagine the ability to stop all internet commerce and communication. Anonymous is having wet dreams about this one.

Bubblehead Les. said...

Funny. This Administration wants everyone to have a Single Internet Identity, but are prosecuting States who are demanding that one uses Official Government Identity Cards to prove that they can legally vote, even though the Supreme Court ruled several years ago that each State has that right. Funny.

Larry said...

Ooooh, the Mark of the Beast!

12345??? That's the stupidest combination I ever heard in my life!

robl said...

Larry, you just hacked Syria's government.

Anonymous said...

I had a client that ran a security net for some big time customers.

Their password was password.


I am human!

BobG said...

“Good day, Number Six.”

taylor said...

"Correct Horse Battery Staple"

Don't know what it is? Google it. The premise here is flawed beyond the ability for words to explain.

That is all.

Boyd K said...

A friend once told me that most banks in Finland issue security tokens on request. These are the little keyfobs that show a number and you type that in with your password to access an account. Here, my bank doesn't know what that is (speaking to high level IT folks who really should at least be aware of RSA tokens) and the government wants me to have single sign on to control my life. If that happens, my life will quickly change dramatically to reduce use of those systems.

Tam said...


I am aware of that.

My passwords (which come from a string of tail numbers on transient aircraft that get combined and sometimes reversed depending on the type of site I'm using) aren't going to be that hard for Robby the Robot to guess, but I remember them okay.

The point is, if Robby does crack one, he's got access to one site.

Keith said...

Boyd K, that system is used by some online games to keep passwords secure and can be run on a smartphone as well. Kinda sad that WoW is more secure than B of A.

Ken said...

Well, whichever incumbent e-commerce organizations do us the great favor of telling us they support it will be the ones to shun henceforth.

Jake (formerly Riposte3) said...

Boyd K: There's an app for that!

It looks like there's an iPhone version, too. And a plugin for Wordpress.

Unfortunately, it only works with Google sites. I doubt there are any banks that would use it (or a similar app).

Stranger said...

Since I am fumblefingered, all my passwords are on a memory stick on my keyrings, along with a simple but unusual reader.

When I access a site, my keys go back in my pocket. So do my passwords. So I am not too worried about password security.

I last lost my keys in 1949 when a canoe turned over. And, as Tam says, if Robbie takes a password, it has access to just one site.

But I am certainly concerned about the level of nosiness of our ever more intrusive government. It's none of their business who I talk to as long as I am not plotting a crime.


Kristopher said...

Both stupid, and unenforceable.

People will just get email accounts from providers outside the US.

And attempting to build it into the OS will just increase Ubuntu installs.

And just because a local ISP is forced to tie email, DNS look ups and other crap to your cable or DSL modem, does not mean you have to use their email or DNS lookup resources.

Hell, there are anonymity providers outside the US that will set up a co-located box that you can log into and do your browsing, emailing, and buying from.

JFP said...

"12345???- Amazing, thats the same combination to my luggage!"

Keith, WoW needs authenticator fobs both because of constant hacker/phishing attempts and their "RealID" system to let people talk between games/servers. They had to switch from basic usernames to email based usernames. After years of telling people to not give out their login info, Blizzard told everyone to share their account's username (your email address tied to the game account) to talk to family/friends.

All that made me do was create separate accounts for every game and not use RealID. With all the Facebook connections I'm surprised there haven't been more hacked accounts, likely due to many having authenticators.

John A said...

"We're from the Government, and we're here to help."

No law or regulation - AS LONG AS whatever scheme[s] private companies come up with are acceptable to us. Which will probably be decided by the FTC.

Borepatch said...

Step 1: Provide helpful, voluntary .GOV ID.

Step 2: Since not enough Comrades are opting into Step 1, issue one to everyone. The Organs of the State are here to help, Tovarich!

Step 3: After lobbying from the Usual Suspects, .GOV decrees that use of .GOV ID is a legally acceptable signature.

Step 4: The .GOV ID database gets mysteriously downloaded to Estonia. Hilarity ensues.

Step 5: After much chin-tugging by .GOV security experts, we find out that a huge budget increase for additional security measures is the order of the day.

Borepatch said...

@JFP: Actually, Anonymous "hacked" Assad's email account. His password was "12345". (no joke)

Obviously, he should watch more movies.

And OBTW, this whole scheme likely traces back to Oracle's Larry Ellison, trying to sell a 300,000,000 user database license.

Robin said...

Where do they find people this stupid to work in this administration?

Canthros said...

Robin: mostly the Ivy League, it seems.

docjim505 said...

AoSHQ has a good post that, I think, ties into this issue.

I was blown away at the idea that a private citizen could, in this country, previous to changes in this law at least, simply create a bonfire on the beach and enjoy it. Just because he wanted to.

Then I started to think like this: What kind of a mind-screw did they do on me when I should be surprised that people would be allowed to do this?

What kind of mindscrew have we done to ourselves that our elected officials think that they can mandate ANYTHING about something as personal as our internet identities? How is it that this idea - and others like it that put Uncle Sugar in charge of ever-increasing parts of our lives - wasn't immediately and completely buried under a heap of outrage and ridicule?

And, to really push your blood pressure up:

The mother, who doesn’t wish to be identified at this time, says she made her daughter a lunch that contained a turkey and cheese sandwich, a banana, apple juice and potato chips. A state inspector assessing the pre-K program at the school said the girl also needed a vegetable, so the inspector ordered a full school lunch tray for her. While the four-year-old was still allowed to eat her home lunch, the girl was forced to take a helping of chicken nuggets, milk, a fruit and a vegetable to supplement her sack lunch.

And to think that we've worried at various times through the years about some chap with a powdered wig telling us "I'm your king and you must obey!" or some little paperhanger with a funny moustache or some goon with a hammer and sickle on his lapel...

AMB said...

Now now, I don't know. One government ID number for everything, that you need to register with critical life tasks, that sounds like a mighty fine idea.

In fact, let's just use the existing one-size fits all .gov number: our SSN.

After all, NO ONE steals social security numbers. I mean, that would imply some kind of "identity theft" and who's ever heard of such a silly notion?

Matt G said...

Look for it to be accompanied by laws forbidding alternate Internet identities, and then forbidding certain types of Internet behavior.

Start with: That number belongs to little Susie. She's 5, and that number shouldn't look at porn.

Then move to: That number is Joe Swizzlestick. He's an alcoholic with three DWI's to his name. He doesn't need to be visiting the Bass, Guinness, or Bud Light sites, ever again.

Then you'll see: That's Ms. Grundy. She's a school teacher. I sure wouldn't want her accessing sites X, Y, or Z between 8:00am and 3:00pm on a school day!

Finally you get to: You know, the proletariat should not be accessing verboten sites while they are on the clock and should be productive, for the Fatherland! Each worker will provide his schedule and associated necessary sites for registration to the Office Of Homeland Internet Security, immediately!

Anonymous said...

"One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them
In the Land of Mordor (on the Potomac) where the Shadows lie."

DirtCrashr said...

It's all about money. After Larry Ellison's license-fee, they can make it a tax-I.D. synonym and capture all the sales tax on the Internetz.

Anonymous said...

A number of us are switching to a "dark net"; these are internets connecting systems via private VPNs (Virtual Private Networks). Combined with using TOR for anonymous internet access (you don't have to use it to steal music) there is a way to surf the net in almost untraceable ways. If push comes to shove (TSHTF), all of us ham radio operators can even move the communications off of the phone lines and into the air.

Arizona Rifleman said...

Jake: Thanks for the heads up about the Google Authenticator plug-in for WordPress. I already use the Authenticator application for securing other services (email, in particular) and getting it set up on my blog was the work of a minute or so.

Using the Authenticator is certainly a bit less of a hassle than the one-time passwords I presently use, and is great when accessing my blog over insecure connections. (My hosting company is amazing, but they don't offer SSL.)

Back on topic: having some sort of official, electronic ID for accessing government services would be excellent and enormously convenient. If it could be extended to use by other entities without giving access to those services by the government (much like how using the Google Authenticator does not give Google access to all your stuff), that'd be useful as (presumably) most people would have such a device.