US Gov't To Issue Secure Online IDs
Hugh Pickens DOT Com writes "Tom Groenfeldt reports in Forbes that the U.S. Postal Service has awarded a contract to SecureKey to implement the Federal Cloud Credential Exchange (FCXX) designed to enable individuals to securely access online services at multiple federal agencies — such as health benefits, student loan information, and retirement benefit information — without the need to use a different password or other digital identification for each service. SecureKey already operates a trusted identity service in Canada using identification keys provided by one of five participating Canadian banks. It allows Canadians to connect with 120 government programs online with no additional user names or passwords for everything from benefits queries to fishing licenses. The SecureKey program is designed to connect identity providers — such as banks, governments, healthcare organizations, and others — with consumers' favorite online services through a cloud-based broker service. The platform allows identity providers and online services to integrate once, reducing the integration and business complexity otherwise incurred in establishing many-to-many relationships."
Super Timing (Score:5, Funny)
The United States government has never had better timing! I'd sign up now, but I figure you guys have got it covered already, OK?
Re:Super Timing (Score:5, Insightful)
Read as: "License to use the Internet".
Pretty fucking clever. Soon, you won't be able to get a stock-quote or the latest XKCD without this thing - much less, send an email.
Re:Super Timing (Score:5, Funny)
It's cool, they're going to beta it with a key with a chip in it, but by the time the public uses it, it'll just be a barcode that they stamp on your forehead or right hand.
Kind of looks like three sixes, but I'm sure that's just a coincidence.
Re: (Score:3)
We'll stamp a 1638 to your forehead if it comforts you in any way.
Hey, we're flexible with our bases!
Re:Super Timing (Score:5, Insightful)
I was just thinking... a single set of credentials for every online service, what could possibly go wrong?
... created by the government and sent to the lowest bidder on a system with no accountability for failure.
We'll be lucky if the oxygen tanks work properly.
Re: (Score:3, Funny)
at least if it were a sign on we could end trolls
We'll all miss you.
Re:Super Timing (Score:4, Insightful)
why would we read it as that?
Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?
coming up for a single sign in is good efficiency, and cost savings.
It might be good efficiency, but having a single log in for everything is the absolute worst security model you can have. It would only take one web site infected by malware to compromise your entire online presence. Even us old timers know that you don't put all your eggs in one basket.
Re: (Score:2)
One of the purposes of a single-sign-on system is to avoid the need to trust individual services with your credentials; a compromise of any authenticated services should not allow attackers to impersonate you on other services.
Re: (Score:2)
What? Attacker has access to your account on A and so B and C, which use the same credentials, are secure?
Re: (Score:3)
Dude, you can't expect the NSA to grab every different set of creds you use somewhere, they have other things to do, too, ya know?
Re: (Score:3)
why would we read it as that?
Because of past history, the government has been trying to force a national ID on everyone since at least the early 2000's. Remember the Real ID Act?
FWIW, This is precisely how I read the idea that you'd have a single ID card that would be used with all online services.
Re: (Score:3)
It's for Government Programs, and it's free to the user.
In that I (will) envy you. Here in Brazil a single sign-on smart card for government services valid for 3 years costs between $100 and $200...
Re: (Score:3)
...and it's free to the user.
Nothing is ever "free". Don't ever forget that.
Since the NSA grabs everything anyways, at least if it were a sign on we could end trolls and harassment online.
So does active moderation. In this case, it will be government doing the moderation. You trust your government, don't you? Don't call it "censorship" - it's "moderation".
Re: (Score:2)
I'd prefer some moderation in my government, personally I think a bit of moderation in their zeal would really be nice.
Re: (Score:3)
As a partial Briton, TV licences are a bad analogy. They subsidise state-funded production and broadcasts.
This is more like a public-speaking licence, or a printing-press licence.
Re: (Score:2)
As a partial Briton, TV licences are a bad analogy. They subsidise state-funded production and broadcasts.
This is more like a public-speaking licence, or a printing-press licence.
Yes, but wouldn't an Internet license subsidize the state funded efforts of honest GCHQ employees attempting to protect you from terrorists? It sounds more like a TV license to me...
Re: (Score:2)
And just like in public TV you can't even opt out if you don't want to be part of the program because you don't give a shit about it and could do well without it.
Re: (Score:2)
Yes, that's how it is supposed to be used. It is trivial, though, to pass legislation that enforces the use of such IDs on every local provider. No ID, no internet.
15 years ago I'd have said they wouldn't dare to. Today, I'm far from convinced that such a law is impossible.
Re: (Score:2)
Silly poster. Don't you know that everything the government does is an evil plan to enslave you? It's true I read so on the internet. That it's a large entity composed of many parts, some good some not so good, is just a silly notion THEY put out there to confuse you.
Re: (Score:2)
You should really make this using some kind of variable - Obama is not the first, nor the last, to want to wield this power. The Eye knows no mortal coil, but lusts for an eternity of reading your GMail and knowing what you Like.
Re: (Score:2)
Last time I checked, nothing twice is still not really much...
So close (Score:2)
Government Efficiency (Score:3)
And the really wonderful thing is that they have already used your facebook password and profile as well as your google info to prefill in all your forms..
Probably not for NSA (Score:2)
They already have access to the back end servers. No log in needed.
But it won't make it harder for them either. Maybe they can bypass the FISA courts and those pesky opinions if they can just log into the accounts.
Re: (Score:3)
That's the idea of the 'cloud' vision - every system on the same network with an understanding of how to get the data out in realtime.
Where the NSA seemed to have problems is the need for some legal domestic front cover e.g. FBI to be the name on their pipe.
With a system like this, so many groups get legal data, the NSA will never have to wait, be dependent on one stream again.
ie privacy will work both ways - nobody will really know who is getting the data 'out' just that the
Future Mandatory Requirement (Score:5, Insightful)
- First, all major government websites require usage of this.
- As more and more brick-and-mortar government offices close, more and more people start using the id.
- VISA, MasterCard, et al begin requiring these for all online banking.
- Taxable web transactions somehow get tied by law to having to use these.
- Soon, ISPs require you to log in with it periodically, (remember AOL internet 'sessions'?)
- All utilities, bills and such paid online start requiring it.
- Social networks require it for 'think of the children' safety.
Re:Future Mandatory Requirement (Score:5, Interesting)
You just have to send your id in the bottom 64 bits of your ipv6 address to access the internet. Why make the address space so large unless you were going to stuff authentication credentials into every packet? Then they could easily just turn you off whenever necessary.
Re: (Score:2)
Will do. Going to call mine the LightNet, and it's going to have hookers, blackjack, poker, a search engine that is both completely uncensored and returns relevant results, and a NNTP server that hosts all the alt.binaries.* groups. Peering agreements start at 1 Gbps.
Re: (Score:2)
Most countries do hint that when you get payments and services from the gov, the gov will like to know who you are, if you're eligible and lots of other data.
Track costs and diseases, is the person a veteran, on disability, very poor, very rich, too old, the quality of care needed, time ta
Re: (Score:2)
Experimental proof that the Slashmind thinks we can slam the government for privacy problems in multiple areas, but not in some very specific ones. The future does not bode well for privacy since there are some areas which SHALL NOT BE QUESTIONED.
Re: (Score:2)
Experimental proof that the Slashmind thinks we can slam the government for privacy problems in multiple areas, but not in some very specific ones. The future does not bode well for privacy since there are some areas which SHALL NOT BE QUESTIONED.
He says. On Slashdot.
There is no such thing as "the Slashmind." This is a big site with a large number of users who have diverse opinions on practically every political issue, and even more diverse combinations of opinions on combinations of issues. Slashdotters, as a group, aren't liberal or conservative or any other ready-made label; individuals may be, to be sure, but the group is just made up of too many different people to hold a coherent opinion on anything. Which is as it should be.
In general, I'
Better Acronym (Score:5, Funny)
So, I came up with a better one for them:
Federal User Credential Keyfob (for Your Online Utopia)
Re: (Score:3, Funny)
What a terrible acronym! How are we supposed to say FCXX anyway?
So, I came up with a better one for them:
Federal User Credential Keyfob (for Your Online Utopia)
In Capitalist America, government FCXX you?
Why banks and healthcare providers? (Score:2)
They have ZERO credibility on this point (Score:2)
Maybe it's just bad timing or bureaucratic paralysis or they're just trolling everyone but they have absolutely no credibility on this.
YES, THIS IS WHAT WE NEED (Score:2)
Re: (Score:2)
ID may be required for everything except voting - for that it's racist.
Re: (Score:2)
But those are exactly the arguments why voter id is racist. Just ask the Justice Department.
Re: (Score:2)
if you are now going to tell me that some races are too poor to have internet, im going to tell you that you are a racist
Let's ask the Democrats. [democrats.org] "Those without photo ID are disproportionately low-income, disabled, minority, young, and older voters."
Would not the same argument exist for the internet, or is the internet a magical service that doesn't have disproportionate enrollment vs low-income, disabled, minority, young, and the elderly?
Re: (Score:2)
well, they DO have access to internet, they just dont want to move out of certain areas to get it. there are libraries in pretty much every major city in the country
Ah, everyone has access to the internet.. as long as they are willing to move to a major city. Got it.
That uncomfortable feeling that you get when you continue to update this thread can be avoided right now by simply stopping. Future situations that will lead to this same uncomfortable feeling can be avoided by putting actual effort into saying accurate things.
Re: (Score:2)
I'm all for online voting!
I always wanted to have a say in US politics!
SSN, please (Score:3)
This is how social security numbers started.
Fucking... (Score:2)
for virginity!
Yes. (Score:5, Insightful)
Identity verification should be a core function of a national government. This can be done right: by creating an agency that does not aggregate data, and serves no other function than to confirm that you are who you say you are when you ask it to. With proper use of two-factor keys and public cryptography, this agency can make data aggregation very difficult: your bank would know you by a different ID# than your cell phone provider, and neither would need to know your name or social security number.
It's true that a corrupt government can do identity verification very badly, turning it into a panopticon. But corporations don't have the longevity, security, or nationwide reach to be able to do the job well, and a corrupt government can simply force corporations to hand over identity data. So in the worst case scenario, identity verification by corporation is no better than by government. And having no centralized authority at all doesn't work either: the fragmentary system we use now is easy to aggregate, and its resistance to identity theft is only as strong as its weakest link -- which is typically very, very weak.
With identity verification managed by government, we can at least use electoral pressure to hold the identity agency responsible for its actions, and fight corruption within it. If it's managed by anyone else, we have no control over it at all.
Re: (Score:2)
Whoa, whoa, whoa. Identity validation within reason. Remember, the core of this government is already outlined by its Constitution. Anything beyond what is needed to implement, to a reasonable degree, the services laid out therein, is going overboard. I.e. it's experiencing either a mid-life crisis ("Tell me I'm still pretty!") or it's experiencing some OCD ("This pencil tip could be sharper...let me get out my pencil sharpening toolkit").
Re: (Score:2)
I think ID verification is justified with the first line of the Constitution: "We, the people of the United States of America". Okay, so who exactly is "we"?
Re: (Score:2)
As long as it remains voluntary at all levels. Any hint of compulsion and its true corporate control of all individuals accessing the internet is exposed.
Re: (Score:2)
But corporations don't have the longevity, security, or nationwide reach to be able to do the job well...
I am mostly with you, but I think someone needs to point out that:
Corporations can and often do outlive humans.
Corporations are often better at securing their own data than governments are theirs.
Corporations not only have nationwide reach, many of them have an international reach.
Re: (Score:2)
True, but we'd like to maintain an identity from cradle to grave, so the longer living the better. The US Government, at least, is older than almost every corporation on the planet.
It's difficult to compare, because governments often have more valuable secrets. In cases where both government and corporations hold the same secrets (plans for military aircraft, for instance), sec
Re: (Score:2)
http://en.wikipedia.org/wiki/Australian_Transaction_Reports_and_Analysis_Centre [wikipedia.org]
Established in 1989 for realtime banking tracking. Every digital movement of cash (~A$10,000) was watched.
http://en.wikipedia.org/wiki/100_point_check [wikipedia.org] again back to ~1988 for building layers of documentary proof of identity for banking, pensions, later Subscriber Identity Modules (SIMS)...
Reciprocal healthcare agreements between Australia and New Zealand.
The problem I see in
Re: (Score:3)
The best you can ever really do with a piece of ID is verify that the person carrying it is the person you gave it to. That's not the same thing at all as confirmation that "you are who you say you are".
People go on these kicks over ID thinking "if only we know who everyone is, nothing bad can happen, and we can trace it if it does". There will always be ways around the system where people can end up with multiple IDs, or where people's ID can be corrupted. Then you end up with good people with bad paper
Re: (Score:2)
This is getting a little existential, but I don't see the difference. The bank needs to verify that the person standing before them is the same as the person who deposited $500 yesterday, Visa needs to verify that the person buying these new shoes is the same as the person who's faithfully paid their bill e
Re: (Score:3)
This is getting a little existential, but I don't see the difference. The bank needs to verify that the person standing before them is the same as the person who deposited $500 yesterday, Visa needs to verify that the person buying these new shoes is the same as the person who's faithfully paid their bill every month. And when it comes down to it, that's *all* they need to know.
Which is fine when it's just your bank trying to validate that you're the person that gave them the $500. They give you an ID, you show them the ID when you give them the money, then when you show them the ID again you get the money back. I prefer to have my bank supply the ID there.
But the federal government has already been trying to go way beyond that with ID. HSPD-12 was a directive signed by Bush II to issue a common secure ID to all gov't employees and contractors. If you read it that's all it say
Re: (Score:2)
Identity verification should be a core function of a national government
No it shouldn't. Ideally, the government shouldn't even know who I am, although historically we've accepted that military-age men are on a register. If we decide that *anybody* is providing us a service, then I want those services to have their own ID systems. Why? Because if my Slashdot ID is compromised I look like an idiot on Slashdot. If the bank where I keep a small account for local bills is compromised, I have a hassle
Re: (Score:3)
That's not what happens, though. More likely, the attackers clean out that account, then use the SS#, birthdate, mother's maiden name and address info the bank was storing to compromise your Gmail, your credit card, your mutual fund account, and worst of all your Slashdot ID. Then you spend $10,000 proving to each of these organizations that you're really you. And the problems
Re: (Score:3)
then use the SS#, birthdate, mother's maiden name and address info the bank was storing to compromise your
The federal government already lost control of that information, and more, for me and tens of thousands of others when a laptop (that should have never had that information on it) was stolen from a car in DC. I don't expect them to do a whole lot better with authentication keys.
And what's included in that annoyingly thorough identity test at the post office? SSN, birthdate, mother's maiden name, last 3 addresses, etc. All the information that gets stolen already anyway-- so the TFA is a convenience, but i
Re:Yes. (Score:5, Interesting)
Agreed. I would love it if my driver's license was a smart card. Provided that it's initialized properly so the private key never leaves the card. The corporation could then act as a gpg keyserver. If everyone had easy to use public key cryptography, I'd call that a win.
For people who keep talking about all businesses requiring it, have you looked at how the US does SSN? For non US readers, every American citizen is assigned a number at birth, or trying to work, etc.... Congress practically shouted that this number was not to be used for anything else. Take a guess how well that worked out. Identity theft in the US basically boils down to knowing someone's name and SSN. The problem is EVERYONE NEEDS YOUR SSN. Hell, a Social Security card can be used in conjunction with a driver's license to prove US citizenship. I kid you not, since most people in the US don't have passports that's what they use. The card just has a name and a number on it. It never expires. Hell, because it's normally issued at birth there isn't even a photo.
Now, back on topic. There are quite a few ways for this electronic ID to go bad. The most obvious is if the government or corporation has copies of the private keys. If so, then the system is useless. Another is if the government logged every authentication request. That's pretty easy for them to do.
Re: (Score:2)
I agree with your list of ways this could go bad. The big challenge is keeping private keys and authentication logs out of the hands of the key agency, while still allowing the agency to revoke and replace your keys if you get mugged or forget your PIN. I think this is possible, but I'm no crypto expert.
One thing I will say is that well-designed government agencies can have surprisingly effective legal firewalls. It's a lot easier for the cops to get your credit card statement than it is for them to get
Re: (Score:2)
Electronic ID for use with government and only with government can reasonably be issued by government. For everything else, I'd rather generate my own key.
Re: (Score:3)
Identity theft in the US basically boils down to knowing someone's name and SSN. The problem is EVERYONE NEEDS YOUR SSN. Hell, a Social Security card can be used in conjunction with a driver's license to prove US citizenship. I kid you not, since most people in the US don't have passports that's what they use.
And fortunately everyone has pretty much accepted that the SSN as ID is compromised and acts more or less accordingly. You need to at least go down to MacArthur Park and get a fake driver's license or green card in addition.
I still laugh at people when they ask for the SS card-- when I got mine decades ago it was a cheap piece of heavy paper, not difficult to forge even then, with a number and a place for my signature. It said explicitly on it something like "this is not identification". As you poi
Re: (Score:2)
That puts your identity data in the hands of a bunch of security amateurs who have an incentive to sell it for profit, and who are weak enough that the government can just take it from them when they want. Is that actually better?
Re: (Score:2)
That puts your identity data in the hands of a bunch of security amateurs who have an incentive to sell it for profit, and who are weak enough that the government can just take it from them when they want. Is that actually better?
It is better-- they have something to lose (money, their company, their future ability to work) if they screw up. If they do it right then it's very difficult for the government to take without it at least being very obvious. The government is like the phone company- they don't care because they don't have to. And there are a whole lot of people in government (and especially the security side) who get into it because they want control over what other people can do.
Will this work on ... (Score:2)
... any browser in BSD and Linux? Or will the government be forcing me to buy another computer since I want things to be secure?
Doesn't NSA do this already? (Score:2)
Why can't they just tell us what the IDs that NSA already assigns us are?
Federated identity (Score:2)
Looks like RMS was right... (Score:5, Interesting)
http://www.gnu.org/philosophy/right-to-read.html [gnu.org]
Once your extreme views become fact, you're no longer a crackpot.
HuffPo too (Score:2)
Pork (Score:3)
So which major defense contractor has the multibillion dollar contract to implement this? I won't worry. It'll get over budget and behind schedule so fast (due to no actual work being done) that it will be axed before anywhere near completion.
I have a bad feeling about this... (Score:2)
I could not help but think....
Three Master Keys for the Agencies under the Executive
Seven for the Security Council in the Congress Hall
Nine for the Justice supporting no warrants
One for the President on his Dark Throne
In the Land of States where Freedom dies
One Key to Rule them all, One Key to silence them
One Key to subject them all and in subjugation bind them
In the Land of States where Freedom dies
Re:Brilliant! (Score:5, Informative)
Posting AC because I worked on this proposal for one of the seven other candidates for this bid.
The oversight/selection committee for this consisted of people from GSA, NIST, and several other agencies. Speaking as a privacy/security nut myself, I can say their requirements were very privacy-friendly.
This system is intended to allow people to use third-party authentication mechanisms (provided by Equifax, etc.) to access government systems. The kicker is that neither side is allowed to know who the other side is. The FCCX is intended to be an anonymizer-like service to completely disassociate the public information from the federal systems.
Regardless of what some other agencies are doing (illegally, immorally, etc.), these guys were really striving - at least in the RFQ/RFP - to do it the right way.
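The arrangement described in the thread (a different ID# per service in the "Yes." comment, and a broker that keeps each side from learning who the other is in the comment above), sketched as an added example that is not part of any post and is not FCCX's or SecureKey's design. It assumes a broker that derives a per-relying-party pseudonym with HMAC-SHA256; every class, function and site name is hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Every name here (Broker, the message types, "bank-a", "benefits.example") is
# hypothetical and constructed for this example; nothing is taken from FCCX.

@dataclass(frozen=True)
class IdpRequest:      # broker -> identity provider: carries no relying-party name
    nonce: str

@dataclass(frozen=True)
class IdpResult:       # identity provider -> broker
    nonce: str
    idp_id: str
    idp_subject: str   # the IdP's own stable identifier for the user
    assurance_level: int

@dataclass(frozen=True)
class RpAssertion:     # broker -> relying party: carries no IdP name or IdP subject
    rp_id: str
    pseudonym: str
    assurance_level: int


class Broker:
    def __init__(self, key: bytes):
        self._key = key        # secret known only to the broker
        self._pending = {}     # nonce -> rp_id, one entry per login in flight

    def start(self, rp_id: str) -> IdpRequest:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = rp_id
        return IdpRequest(nonce)

    def pseudonym(self, idp_id: str, idp_subject: str, rp_id: str) -> str:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(
            len(f.encode()).to_bytes(2, "big") + f.encode()
            for f in (idp_id, idp_subject, rp_id)
        )
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def finish(self, result: IdpResult) -> RpAssertion:
        # pop() makes each nonce single-use, so a captured result cannot be replayed
        rp_id = self._pending.pop(result.nonce, None)
        if rp_id is None:
            raise ValueError("unknown or replayed nonce")
        pid = self.pseudonym(result.idp_id, result.idp_subject, rp_id)
        return RpAssertion(rp_id, pid, result.assurance_level)


def idp_login(req: IdpRequest, idp_id: str, subject: str, level: int) -> IdpResult:
    """Stand-in for the identity provider authenticating its own customer."""
    return IdpResult(req.nonce, idp_id, subject, level)


def login(broker: Broker, rp_id: str, idp_id="bank-a", subject="cust-1001", level=2):
    return broker.finish(idp_login(broker.start(rp_id), idp_id, subject, level))


def demo() -> dict:
    broker = Broker(key=b"constructed-demo-key-not-for-production")
    benefits = login(broker, "benefits.example")
    benefits_again = login(broker, "benefits.example")
    loans = login(broker, "loans.example")
    stale = idp_login(broker.start("loans.example"), "bank-a", "cust-1001", 2)
    broker.finish(stale)
    try:
        broker.finish(stale)           # second use of the same IdP result
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "stable_per_rp": benefits.pseudonym == benefits_again.pseudonym,
        "unlinkable_across_rps": benefits.pseudonym != loans.pseudonym,
        "rp_sees": sorted(vars(benefits)),
        "idp_sees": sorted(vars(broker.start("loans.example"))),
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this sketch the two relying parties cannot join their records on the pseudonym without the broker's key, but the broker itself still sees both sides of every login, so what it logs and retains decides how private the scheme is.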
Re: (Score:3, Informative)
Same AC.
Depends on the site and the level of authentication required. INS will have a different requirement than the IRS, for instance. Different identification services will use varying levels of identification for enrollment, and FCCX will pass on the level of assurance to the relying party. It's a complex system. I don't know how the bid winners will handle the back end, but there's a lot of new tech that needs to be developed. (How do you give data to two parties without telling each who the other
Re: (Score:2)
I do not question your intentions nor your information.
I question the intentions of those that ordered this system. It's fairly easy to pervert such a system into one of surveillance, and given the recent developments in the US it will be kinda hard to give me reason to believe it won't be.
Re: (Score:2)
The kicker is that neither side is allowed to know who the other side is. The FCCX is intended to be an anonymizer-like service to completely disassociate the public information from the federal systems.
At least that's what they say in the non-classified meetings...
Re: (Score:2)
Then don't vote for politicians that are for securing the country at all cost. Honestly, if the GOP candidates wouldn't be so quick to take away our freedoms, it would be a lot easier to find somebody to vote for that would have more of a spine. But, ultimately, we ended up with Obama who was far less scary than either Romney or McCain in this area, but falls well short of what a reasonable politician should be doing with personal Liberties.
Re: (Score:2)
So Kodos next time around? I thought we did that already last time around.
Re: (Score:3, Insightful)
You missed his point. He's saying people did vote for Democrats and now we are totally fucked, because there are never any serious Republican candidates. If only someone would run against the Democrats, things could (maybe possibly if we're both really lucky and really try hard) get better. But since the Republicans have abandoned the country, the kind of people who limit themselves to voting R-or-D (users of the "lesser of two evils" strategy) have no choice but to vote Democrat. (Now, we might not resp
Re: (Score:2)
Yeah...see, I don't know...as a tech, if I survive any AI that emerges, I stand a fair chance of being employed / living well enough. On the other hand, from a system's standpoint, while integrating several systems together can be magical, it also almost guarantees at least one doomsday in your future (one hour of outage = so much pain, so many bureaucrats complaining, so many developers quitting). Like anything precious / useful, you want to stash several copies around, for safe keeping, and let them be r
Re: (Score:2)
We are the priest class of the new feudalism.
Pie Iesu domine, dona eis requiem...
Re: (Score:2)
Government-issue id already is compulsory for lots of things. The time to rebel against this kind of thing, was about a century ago. For whatever reason, we didn't.
Re: (Score:2)
Oh, of course, it is surely more secure for everyone to have a different password for each site they visit.
Re: (Score:2)
ANYTHING as high profile as this will get cracked.
Be realistic. That's going to be for ID theft what Windows was for botnets. THE system to crack if you want to be professional about it.
Re: (Score:2)
Last time I know was when they started writing something beginning with "We, the people".
It was downhill from there.
Re: (Score:2)
We'll just be 30 years late. Well, DUH, when was it ever the case that the government was on time with its projects? Sure, this time it took them QUITE a bit longer, but it ain't something trivial like fixing the road next to your house.
Re: (Score:2)
Obama must be jerking off in front of a poster of Richard M. Nixon while reading this news.
You think so? I find it more probable that Obama is jerking off in front of a poster of Erich Mielke [wikipedia.org].