Tuesday, April 19, 2011

Why the Fed.Gov's Internet ID is a persistently bad idea

The Fed.Gov's Internet ID plan is back:

As we reported, on Friday the United States Department of Commerce and a host of privacy and security experts met at Stanford University to discuss the mapping out of an "Identity Ecosystem" for cyberspace.

That would be a place, Commerce Secretary Gary Locke explained at the event, "where individuals and organizations can complete online transactions with greater confidence... putting greater trust in the online identities of each other... and greater trust in the infrastructure that the transactions run across."

We know what you're thinking. Locke knows it too.

"Let's be clear," he quickly added. "We are not talking about a national ID card."
And the original Income Tax was going to be capped at 3% ...

But that's not why this is a bad idea.  It's not even the very weak tea used to justify the plan (click through to read the extremely unpersuasive example scenarios that this "solves").

The problem is that a central, authoritative database of user identities is a huge target for the Bad Guys.

Imagine that the Fed.Gov establishes this program.  Imagine that it actually is useful - as useful as they plan.  You can get all sorts of validated access to sensitive data, based on their database vouching for you.

What Bad Guy wouldn't want to get access to that?

Furthermore, the security of the database system itself will be pathetic, its guardians incompetent, and so the data in it will be subject not just to disclosure, but to tampering.  How do we know this?

Because the Fed.Gov can't keep malware out of even its classified networks.  You know, the ones protected by large staffs of well-trained security gurus using all the latest security technology (no, I'm not being sarcastic here).  And it's not just them.  RSA, one of the world's premier security vendors, was hacked recently.  The Bad Guys were after information on how to break RSA's two-factor authentication tokens (basically, a password replacement device).  These devices are used by every security-conscious organization on the planet.

Even with all their skill and technology, even with the motivation to keep this from happening, RSA got hacked:
The number of enterprises hit by APTs grows by the month; and the range of APT [Advanced Persistent Threats, industry jargon for custom trojan horse malware - Borepatch] targets includes just about every industry. Unofficial tallies number dozens of mega corporations attacked; examples are in the press regularly, and some examples are here, and here.

These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?

The first thing actors like those behind the APT do is seek publicly available information about specific employees – social media sites are always a favorite.  With that in hand they then send that user a Spear Phishing email. Often the email uses target-relevant content; for instance, if you’re in the finance department, it may talk about some advice on regulatory controls.

The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached excel file. It was a spreadsheet titled “2011 Recruitment plan.xls.

The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609). As a side note, by now Adobe has released a patch for the zero-day, so it can no longer be used to inject malware onto patched machines.
And the Fed.Gov thinks they can prevent this from happening to their uber-identity database?  Good luck with that.

So the problem with this proposal is not that it's an idiotic crock full of FAIL, the problem is that it might just succeed well enough to become the Mother Lode target.  That's why it's a bad idea.  So why is it a persistently bad idea?

Law Enforcement has a strong, almost visceral dislike of Internet anonymity.   This is an institutional dislike, meaning that there's very little difference between the two political parties.  Other countries have an even deeper dislike for Internet anonymity, and would like to eliminate it as a means to better control their populations.

At the bottom, governments are hierarchical structures comfortable with top-down control.  The idea of a self-organizing population is a divide-by-zero error.  And so we see repeated attempts by the government to impose some sort of top-down control onto the Internet.  It's a bad idea, because control always means restricting access to part of the information on the 'Net, which means that the population has less access to information, which means that the 'Net is less useful.  The governments always tell themselves that the reduced productivity that comes from their plans will be small - tiny, really, almost undetectable.

Oooooooh kaaaaaaay.

I'd be more impressed with their ability to forecast the future if they weren't steering the FAIL Boat full speed towards the shoals that RSA just pitched up upon.

So the proposal is a bad idea, it's always been a bad idea, it will remain a bad idea, and it - sadly - will keep coming back.


Dave H said...

Two things I've learned about computer security in the past couple of years:

1) People are always a weak link. Not always the weakest link - I've seen some pretty lame attempts at access control - but no matter how good the technology is, there's a person who can negate it by doing something dumb. The problem with this Internet ID plan is it'd be run by the federal government, which is full of people.

2) Screw Adobe. From out here in luser land, it looks like they're where Microsoft was ten years ago - a major distributor of bigger, flashier, buggier, easily exploited bloatware.

(These are my own opinions and don't necessarily reflect those of Borepatch.)

notDilbert said...

Hmmmm... A single DB than connects all internet transactions and uniquely and positively indentifies all buyers and sellers.

What possible motive could the Goverment that's been trying to find a way to increase tax revenues have in promoting the need for a system that does that????????

What could possibly go wrong???

The Czar of Muscovy said...

Well, it sure wouldn't be a national ID.

Because, for example, a legal-minded ICE official could subpoena the list to find out which people in a community were not legal American citizens.

And isolate and prosecute or evict them from the country.

Can't have that. I guess.

Stan said...

off topic comment: I thought you would be interested in this news, that the global warming pundits are pulling out the big guns now in their save the planet crusade.

Charles Manson speaks out on Global Warming http://t.co/8jxsf0f

B said...

And you SSn was never intended to be an ID#.....But it is now.

There is absolutely Zero upside to this scheme. There is no way it will not be an issue.

Guffaw in AZ said...

...and your check is in the mail, and I won't.....(you know the rest)

Gee, why not let THE FREE MARKET handle it?

Chris said...

"So the proposal is a bad idea, it's always been a bad idea, it will remain a bad idea, and it - sadly - will keep coming back."

Sorta like socialism.

wolfwalker said...

These companies deploy any imaginable combination of state-of-the-art perimeter and end-point security controls, and use all imaginable combinations of security operations and security controls. Yet still the determined attackers find their way in. What does that tell you?


Some things never, ever change.

kx59 said...

It's really very simple. The federal government (ack, these days that phrase gives me acid reflux) has never enacted a policy or law that has turned out the way they said it would. Ever. And, further more..Ever.