
Tackling The Future Of Digital Trust -- While It Still Exists (ieee.org) 40

Tekla Perry writes: Last week at Berkeley's Center for Long-Term Cybersecurity, cybersecurity mavens from the industry, academia, government, and media considered a futuristic scenario in which traditional forms of identification and databases that use them -- driver's licenses, voting records, social security numbers, medical records, and bank accounts -- had been compromised. The challenge was to use the scenario to figure out how to establish a new means of verifying one's identity and to rebuild trust in the electronic records system in the case of such an imaginary crisis. Furthermore, they were then challenged to take the conclusions and develop policies that could prevent such a massive breach of digital trust from ever happening in the first place.
  • by Anonymous Coward on Sunday February 28, 2016 @05:34AM (#51602477)

    Everything digital is both horribly underdeveloped and infiltrated at all levels, from the standards, through hardware, operating systems and libraries, up to the applications. There is nothing trustworthy about it. It can be useful, yes, but don't trust it.

    • by Max_W ( 812974 )
      In the physical world there is also a weak point, dumpster diving https://en.wikipedia.org/wiki/... [wikipedia.org]; cheap large capacity hard disks and cheap labor make it possible to create carpet databases on the whole population.

      Dumpster diving allows one to mine not only ID and bank data, but also fingerprints, DNA, handwriting, etc. It is already happening on an international scale.
    • by MrL0G1C ( 867445 )

      Good!

      That's the way I like it because it means my OS is mine and not just a locked down part of a larger system which tells every advertiser who I am and it allows me to read and write anonymously like people have been able to since the beginning of print. These big digital trust systems, I don't trust them because the people running corporations and governments are highly untrustworthy.

  • by jfdavis668 ( 1414919 ) on Sunday February 28, 2016 @05:48AM (#51602501)
    If you build a system, you almost entirely make the right choices and design it well. You have done a million things right. But, if you miss a few places and miss a couple of potential problems, it leaves an access for someone to exploit. Systems are getting to the point where they are too large to test for every possible potential problem. It isn't helping that people rush them into service.
    • by quintessencesluglord ( 652360 ) on Sunday February 28, 2016 @06:12AM (#51602533)

      Kinda.

      Frank Abagnale laid out some very basic aspects of fraud and verifying identity that still aren't implemented if for no other reasons than the people who maintain those databases risk nothing if they are compromised.

      I mean really, the notion of identity theft, and that you are somehow responsible because an institution failed to correctly identify you is absurd. But then again, they have very little to risk in comparison, so what does it matter to them?

      One of the points he emphasized was that large databases are unnecessary, and in fact several point to point identifiers, where once your identity is established nothing is kept on record except for the unique verification issued by that one institution limits exposure and decreases gains from fraud.

      That was nearly 30 years ago. I think at this point we can claim criminal negligence.

      • by Rockoon ( 1252108 ) on Sunday February 28, 2016 @06:44AM (#51602565)
        Obligatory reflection on identity theft. [youtube.com]
      • I think at this point we can claim criminal negligence.

        The University of California Health System mandated that all physicians use a computer-interface to record everything about the provider-patient interaction. This turns MD's into data-entry monkeys. I've talked to many MD's in the system, and they all agree that it detracts from the time that they can spend actually interacting with the patient. They all hate it.

        Oh, and get this, this system originally ran on Win XP (2-3 years ago). When was that EOL'ed? Of course, it was breached within a year. I mov

    • Striving for perfection will be the ruin of this sort of initiative. In the real world, there is tolerance for failure. Just look at the pre-internet system, there was plenty of fraud and identity theft. But we still managed to keep going, failures and all. Sure, the information age changed that dynamic quite a bit. But it's important to note that perfection isn't necessary or even possible. It just has to be tolerable. If we try to make a 100% foolproof system we will be arguing the details until the sun e
      • by Bengie ( 1121981 )
        Failure can be acceptable as long as you can recover from it in a timely fashion. Nothing is perfect, but you do need to make sure all of your bases are covered.
  • by Gallefray ( 2534514 ) <gallefray@NOSPAm.inventati.org> on Sunday February 28, 2016 @06:14AM (#51602539)

    It's not an /imaginary crisis/, it's a /hypothetical crisis/.

    A hypothetical is something that *could* happen but under certain circumstances.
    Imaginary is simply 'not real' -- existing only in your imagination.

    The latter is /technically/ correct, but not really correct, and changes the meaning.

    It's effectively the difference between "Oh this can't happen" and "This could really happen".

    • by Ol Olsoc ( 1175323 ) on Sunday February 28, 2016 @09:49AM (#51602861)

      It's not an /imaginary crisis/, it's a /hypothetical crisis/.

      A hypothetical is something that *could* happen but under certain circumstances. Imaginary is simply 'not real' -- existing only in your imagination.

      The latter is /technically/ correct, but not really correct, and changes the meaning.

      It's effectively the difference between "Oh this can't happen" and "This could really happen".

      All very nice, but you missed the part about it going on as we speak. For all the stories that we do hear, like Hollywood Hospital's paying ransom to hackers, Target and Home Depot's data being hacked, and now some of those compromised Social Security and other stolen data being used to file fraudulent tax returns - there are the daily data thefts we don't hear about. There is nothing hypothetical about it. The only thing that didn't sound like "didn't this already happen?" from TFA was the business of a girl being killed because her health records were altered.

      The only thing protecting us is that at the present moment, the bad guys have a vested interest in keeping their fraud at a level that does not topple the institutions they are parasitizing.

      • by tsotha ( 720379 )
        Yeah. It's not imaginary or hypothetical. It's already happening. Millions of people in the US alone have had their information compromised, and once it's out, it's out.
        • Yeah. It's not imaginary or hypothetical. It's already happening. Millions of people in the US alone have had their information compromised, and once it's out, it's out.

          And yet the craziest thing is, here in Slashdot, here where people are supposed to be paying attention, where the bad guys are starting to flex their muscles and file fraudulent returns, because they now have so much data they can impersonate real people, since I don't blame it on the IRS, I'm called a troll.

          The IRS wasn't hacked that we know about, it's a whole lot of other places, and they have our Social security, our credit card numbers, our drivers license numbers, our employee records, and all tha

          • Yep, nobody likes a Cassandra.

            Not when she warns of impending risk...

            And CERTAINLY not when she points out her prior (unheeded) warnings.

            And so it goes.

            • Yep, nobody likes a Cassandra.

              Not when she warns of impending risk...

              And CERTAINLY not when she points out her prior (unheeded) warnings.

              And so it goes.

              So, might as well just grab the popcorn, sit back, and enjoy the show - except for the ending.

              • Yep, nobody likes a Cassandra.

                Not when she warns of impending risk...

                And CERTAINLY not when she points out her prior (unheeded) warnings.

                And so it goes.

                So, might as well just grab the popcorn, sit back, and enjoy the show - except for the ending.

                Good advice. It eases the mind.

                Going out to pick up some popcorn right now...

    • Imaginary numbers are real. Well, as real as real but they're not themselves real. They make things complex.

    • It has already happened.

  • >"traditional forms of identification and databases that use them -- drivers licenses, voting records, social security numbers, medical records, and bank accounts --"

    The one thing missing there is a government-issued national ID. The system most European countries had up until about the start of the millennium was pretty good in my opinion. Basically Name/Date/Place of birth/Photo on a "forgery-proof" piece of plastic or paper that you could show where your identity needed to be established beyond doubt.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      That idea is indeed in widespread use but it isn't a panacea. There are many things wrong with it and in fact having a really good system easily kills people. As it did in the Netherlands, during WWII. Go look it up, and do note that it wasn't the Germans that designed that card, which was very hard to forge for the day. It was the Dutch themselves that had a very high quality administration that included things like... religion so they could provide you the right flavour of burial should you die without re

  • As long as there's benefit to having other people's personal information this will continue to be a problem. But hey, that chair could go a little to the left

  • by TheRealHocusLocus ( 2319802 ) on Sunday February 28, 2016 @11:55AM (#51603395)

    TA [ieee.org] "This is like climate change,"

    Is anyone else noticing that these little zingers are starting to pop up everywhere? It's as if some mechanism that is supposed to keep us from mixing or over-stretching metaphors (unless we're deliberately trying to be funny) has been broken. Like the old social catch-phrase, "How 'bout dem [sports team]?" in which someone is attempting to jump-start a stalled conversation or uncomfortable silence with hilarious off-topic clumsiness.

    How 'bout dat Climate Change? (sorry! off topic when I say it, but not when they do)

    TA [ieee.org] "My team focused on considering how people can identify themselves when the most common form of identification --- the driver's license --- is no longer trusted." [going on to propose something even more complicated]

    Other groups suggested... [some things so complicated, effort to implement completely boggles the mind]

    So the must-possess-ID to prove your own existence bandwagon we've all jumped onto seems to be experiencing ... technical difficulties. Time and again we applied the naive assumption that the current state of things, such as when local thugs might physically alter and pass documents, is simply intolerable and could not be worse. What we need is the un-crackable trust system. So we embrace increasingly centralized systems that turn out to be centrally exploitable. Now we have globally exploitable systems, what progress! Those thugs in your neighborhood don't stand a chance. Unfortunately neither do police detectives or even FBI agents, even as their forensic methods have improved. How often has the trail of say, some gas-card fraud scheme, dead-ended at some kid whose whole degree of technical prowess consists of writing numbers received in email to mag strips. Numbers acquired by intricate, even fantastic means in bulk by persons who may be anywhere on Earth?

    SIMPLIFY. Sounds like there were some clever people there because it ended on an idea 'stack overflow'.

    one team expressed what seemed to be a common sentiment --- that the best thing one could do is already impossible. "We should go back to 1995 and get this right. [something about climate] We are too far along to stop bad things from happening in the future; we can just try not to make it worse."

    They're right, 1995 was a good year. Allow me to reminisce.

    There was this thing 'cash' which most of us used for everyday purchases. We were not using cash because we had something to hide... honest! We paid our taxes regularly, sometimes even with cash... honest! Even terrorists paid for things in cash, and their money was as good as anyone's. That's the wonderful thing about cash, once you have it, it's yours and you don't need to worry that the Federal government will seize it from your account because that fellow who bought that living room set was an Iranian. Some reading this never knew a time when it took a lot longer to process a credit card than count money and make change. Then again, in 1995 people didn't hold up the line as they bought and scratched instant-win lottery tickets. That was considered rude then.

    Your bank was your friend. It couldn't play the stock market and expose its shiny ass in derivatives, or corroborate with the Federal government in real time to scrutinize your transactions. Few banks were joined at the hip with credit card companies and junk mortgage giants. They offered actual ATM cards which worked in local ATMs that did not immediately broadcast your transaction and geo-position in global data streams to a loose consortium of corporate and government special interests. They

    • TL;BUT I DID READ.

      You are spot-on. Scarily so.

      I sort-of felt it coming, but am probably 10 years younger than you, and lacked the perspective, at that tender age, to shout, "WTF are you guys doing?!? This will not end well." Ah, but it has, and there is no mechanism of abatement in sight.

      MOD the parent up!!!

  • Digital Trust already does not exist.

    The FIVE biggest breaches — Anthem Health care, U-CA Health System, US-OPM (security clearance applications), the IRS, and again the US-OPM (fingerprints this time), have ALL affected me. There is nothing else to be breached.

    Oh, wait, aren't the Credit-score Reporting Agencies well-known for happily reporting false data in people's Credit Reports? (HINT: Yes.)

    The game is already over.

    The proposed solution, as suggested by the study, is for us to release even mo
