And the original Income Tax was going to be capped at 3% ...
As we reported, on Friday the United States Department of Commerce and a host of privacy and security experts met at Stanford University to discuss the mapping out of an "Identity Ecosystem" for cyberspace.
That would be a place, Commerce Secretary Gary Locke explained at the event, "where individuals and organizations can complete online transactions with greater confidence... putting greater trust in the online identities of each other... and greater trust in the infrastructure that the transactions run across."
We know what you're thinking. Locke knows it too.
"Let's be clear," he quickly added. "We are not talking about a national ID card."
But that's not why this is a bad idea. It's not even the very weak tea used to justify the plan (click through to read the extremely unpersuasive example scenarios that this "solves").
The problem is that a central, authoritative database of user identities is a huge target for the Bad Guys.
Imagine that the Fed.Gov establishes this program. Imagine that it actually is useful - as useful as they plan. You can get all sorts of validated access to sensitive data, based on their database vouching for you.
What Bad Guy wouldn't want to get access to that?
Furthermore, the security of the database system itself will be pathetic, its guardians incompetent, and so the data in it will be subject not just to disclosure, but to tampering. How do we know this?
Because the Fed.Gov can't keep malware out of even its classified networks. You know, the ones protected by large staffs of well-trained security gurus using all the latest security technology (no, I'm not being sarcastic here). And it's not just them. RSA, one of the world's premier security vendors, was hacked recently. The Bad Guys were after information related to RSA's SecurID two-factor authentication tokens (the keyfobs that generate a one-time code you type in alongside your password, so that a stolen password by itself isn't enough). These devices are used by security-conscious organizations all over the planet.
Even with all their skill and technology, even with the motivation to keep this from happening, RSA got hacked:
The number of enterprises hit by APTs grows by the month; and the range of APT [Advanced Persistent Threats, industry jargon for a well-funded, patient attacker, usually one that gets in with custom trojan horse malware and then stays - Borepatch] targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.
And the Fed.Gov thinks they can prevent this from happening to their uber-identity database? Good luck with that.
These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?
The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite. With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.
The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”
The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.
The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
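The attack chain RSA describes above (a lure spreadsheet carrying an embedded Flash object that fires a Flash zero-day) is exactly the kind of thing a mail gateway or incident responder can triage for, whether or not the particular bug has been patched. What follows is an added example, not code from the original post or from RSA: a heuristic scanner that flags an OLE2 Office attachment (.xls/.doc/.ppt) containing an embedded SWF header. The sample file bytes are constructed inline (a fake OLE2 header plus a fake compressed-SWF header, not a real spreadsheet), and the function names, thresholds and verdict strings are my own assumptions.

```python
"""Heuristic triage of Office attachments for embedded Flash (SWF) objects.

Added example (not from the original post or RSA). The thresholds and the
sample bytes below are assumptions made for illustration.
"""
import os
import re
import struct
from dataclasses import dataclass
from typing import List

# Magic bytes of an OLE2 compound file (the container used by .xls/.doc/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# SWF files start with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
SWF_SIG = re.compile(rb"[FCZ]WS")
OFFICE_EXTS = {".xls", ".doc", ".ppt"}


@dataclass
class SwfHit:
    offset: int
    signature: str
    version: int
    declared_length: int  # uncompressed SWF length taken from the header


def is_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def find_embedded_swf(data: bytes, max_version: int = 60) -> List[SwfHit]:
    """Scan raw bytes for plausible SWF headers.

    The SWF header is: 3-byte signature, 1-byte version, 4-byte little-endian
    uncompressed length. Three letters alone would give false positives, so
    the version and length fields are checked for plausibility, and a CWS hit
    additionally has to be followed by the zlib magic byte 0x78.
    """
    hits = []
    for m in SWF_SIG.finditer(data):
        off = m.start()
        if off + 9 > len(data):  # need the 8-byte header plus one byte after it
            break
        version = data[off + 3]
        (length,) = struct.unpack_from("<I", data, off + 4)
        sig = m.group().decode("ascii")
        if not (1 <= version <= max_version and 8 <= length <= 64 * 1024 * 1024):
            continue
        if sig == "CWS" and data[off + 8] != 0x78:
            continue
        hits.append(SwfHit(off, sig, version, length))
    return hits


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable reasons to hold the attachment (empty list = nothing found)."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    ole = is_ole2(data)
    if ext in OFFICE_EXTS and not ole:
        reasons.append(f"{ext} extension but no OLE2 compound-file header")
    for hit in find_embedded_swf(data):
        reasons.append(
            f"embedded Flash object {hit.signature} v{hit.version} "
            f"({hit.declared_length} bytes declared) at offset {hit.offset}"
        )
    return reasons


def build_sample(embed_swf: bool) -> bytes:
    """Constructed test bytes: a fake OLE2 header, filler, and optionally a fake CWS header."""
    blob = bytearray(OLE2_MAGIC) + b"\x00" * 504  # pad to a 512-byte header (not a valid directory)
    blob += b"Workbook stream placeholder " * 4
    if embed_swf:
        # 'CWS', version 10, declared uncompressed length 4096, then zlib magic 0x78 0x9c
        blob += b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
    blob += b"\x00" * 64
    return bytes(blob)


if __name__ == "__main__":
    for name, data in [("2011 Recruitment plan.xls", build_sample(True)),
                       ("quarterly-numbers.xls", build_sample(False))]:
        verdict = triage_attachment(name, data)
        print(name, "->", verdict or "nothing suspicious found")
```

A raw byte scan is deliberately crude: it catches the common case where the embedded object's stream is stored contiguously, but a large stream in a real OLE2 file can be split across sectors, so production triage should walk the compound-file directory (for example with the `olefile` library) and scan each stream, in particular the embedded-object streams, individually. The point stands either way: the lure in this story was an ordinary-looking spreadsheet, and the defence that does not depend on the vendor having shipped a patch yet is refusing to let Flash content ride inside an Office document at all.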
So the problem with this proposal is not that it's an idiotic crock full of FAIL; the problem is that it might just succeed well enough to become the Mother Lode target. That's why it's a bad idea. So why is it a persistently bad idea?
Law Enforcement has a strong, almost visceral dislike of Internet anonymity. This is an institutional dislike, meaning that there's very little difference between the two political parties. Other countries have an even deeper dislike for Internet anonymity, and would like to eliminate it as a means to better control their populations.
At the bottom, governments are hierarchical structures comfortable with top-down control. The idea of a self-organizing population is a divide-by-zero error. And so we see repeated attempts by the government to impose some sort of top-down control onto the Internet. It's a bad idea, because control always means restricting access to part of the information on the 'Net, which means that the population has less access to information, which means that the 'Net is less useful. The governments always tell themselves that the reduced productivity that comes from their plans will be small - tiny, really, almost undetectable.
I'd be more impressed with their ability to forecast the future if they weren't steering the FAIL Boat full speed towards the shoals that RSA just pitched up upon.
So the proposal is a bad idea, it's always been a bad idea, it will remain a bad idea, and it - sadly - will keep coming back.