Internet IDs: Yea or Nay?

Internet IDs are a hot topic recently, particularly in light of LulzSec’s aggressive (but abbreviated) campaign against, like, everyone ever. Proponents argue that a system of “trusted credentials”–as they’re ambiguously called now because the technology is still mostly in development–would allow for safer, more secure online transactions. The opposition says that these efforts are misguided and naive–they ignore the failure of similar plans in the past and that to truly make the Internet a safer place, anonymity is the very thing that needs to be eliminated.

PopSci’s Point/Counterpoint features on the subject are both well written and argued. It’s hard to see if there’s a one-solution-for-all that will actually be effective.

From We Need a System of Internet IDs:

Internet security is broken, and we need to roll up our cyber-sleeves and fix it. That’s why the U.S. Chamber of Commerce announced this new proposal on April 15, designed to fight the steady increase in online crime. Entitled the National Strategy for Trusted Identities in Cyberspace, or NSTIC, it outlines the beginnings of an “identity ecosystem” to be created jointly by the private and public sector to spur more innovative and effective online authentication methods. Even if you’re not as immediately and easily swayed by snazzy, futuristic phrases like “identity ecosystem” as I am (and oh, how I am) there are still lots of other reasons to support increased Internet security.

From Internet IDs Are a Terrible Idea:

They go by many names—trusted identities, ID ecosystems, Internet driver’s licenses—but the basic idea is always the same: Create a single online credential system that somehow increases accountability, combats fraud and identity theft, and helps deter cybercrime. Over the years we’ve seen many of these schemes trotted out in the private sector only to fail time and again. And for good reason. These plans are not only impractical, they also ignore history, confuse the primary threats we face online, and, worst of all, have the potential to do infinitely more harm than good.

I’m interested to hear what you Geeks think about this. If you’re here reading then you’re likely an upstanding Internet Citizen with an opinion on the matter. Will a new plan for unique user IDs help reduce fraud and protect our sensitive information, or is a move like that riskier than it’s worth?

[PopSci]

42 Responses to Internet IDs: Yea or Nay?

  1. First of all I think placing all of one's virtual eggs in one basket is a bad idea. A single system only creates a single wall for hackers to get over. Instead we need multiple systems, and a myriad of them. The more variation there is to overcome hacking from one site to the next the more adaptive a hacker will have to be. The more varied they are the less likely they will be to crack every single system out there.

    Right now the big reason why a lot of this is happening is because of tight security. The bigger the challenge the more likely someone is to take it on. The reason these big crime waves exist is because of the very security that was designed to deter them. So to me MORE anonymity is required. The more you have the less of a target you are.

    • Ummm… "tight security"?
      Internet security as it stands now, is a joke compared to what it could be – even ignoring an ID system.

  3. I think the problem here is not unique IDs, it's that we all think we must put everything online. You're trying to correct the symptom of our own laziness with regulation. That's the last thing we need.

    Secondly, people are too gullible and uninformed to make good decisions when using the internet. Let's face it, viruses and malicious software are spread because people are too stupid to know not to click on an attachment in an email, or to click on some link on a website. Having an internet ID stolen would no doubt be more damaging than simply having a credit card or bank account compromised online.

    Lastly, I don't want to go down the conspiracy, 1984'ish road, but seriously, one of the greatest things about the internet is anonymity. Google already gives information to the US Gov't 94% of all requests. The last thing we need is to make it easier for Governments and organizations to track the honest people that would actually register for something like this. The Gov't is already tracking a ridiculously excessive amount of information about normal people's online activity. Something like this, although well intended, would no doubt be used in ways that would further violate rights as well as uncountable unforeseen reasons.

    This is one of those "road to hell was paved with good intentions" ideas. The people pushing it are probably tired of the futile effort it takes to combat online fraud. This wouldn't be a fix, it would likely cause many more problems than we already have.

  4. A universal, unique ID system would so obviously fail that it is hard not to impugn the motives of advocates. I am open to correction, but the only motives I can fathom are a quick buck or political hay.

    Simply, it will NOT achieve the stated goal; it WILL give miscreants another tool for ID theft.

    Even worse case, it will give the establishment another tool to persecute dissent.

    (CB Miller has a better "plan."  MORE anonymity + LESS centralization = Better Security)

  6. So basically, kinda like if someone gets hold of your social security number, they can pretty much find everything they want about you and completely steal your identity.  So with an Internet ID, if someone finds that code out about you, they can track anything you have online… definitely a bad idea.

  7. There are only two effective solutions. Simplify the systems online so that they're easier to make bug free… and really ask yourself if creating an account somewhere is worth it. Whether it be forums, chat rooms, blog sites, banking sites, your apartment complex…

    Also, don't put anything out there you wouldn't be completely comfortable telling someone you only just met in a crowded coffee shop with the next table occupant right against your back.

  8. And then Internet IDs will be stolen and innocent people will lose everything.

    I'd much rather remain anonymous when I want to be. Also, since this threatens 4chan, I highly doubt Anonymous will stay quiet about this.

  11. I think it will fail, it's a bad idea with this level of technology, at the same time I think that websites should issue personal security systems. Look at the Blizzard Authenticator for a good example. These should be purchasable security usable for any site linked in to the same user groups.

    • Blizzard recently removed the requirement of entering your Authenticator every time you log in to your account or WoW. A Windows Registry Key is used to mark your machine as "safe".

  13. Bad idea that will never work in the wild…. As far as security, that's really up to the users. I've had computers online for the best part of 30 years now and have only had 1 virus. And no, I've never used a Mac. I'm a game player and there really never was a lot out there for Macs :)

    Practice smart computing :)

  15. All that is going to happen if that comes into play is people (hackers) are going to figure out how to clone people's identities and it will actually increase fraud and identity theft. There is already too much of that going on, but no system is going to be perfect and there are always going to be some kind of security holes, etc.

  16. Honestly, I just don't think it's a good idea either. It seems that every time there's a new security compromise or new virus, the public has a knack for overreacting. It started with Michelangelo, Melissa, Red Alert, Slammer, ILOVEYOU and now it has evolved into Stuxnet (side note: also over-hyped but I digress). Now our panics have also evolved into network security. The trouble is that panic has escalated to such a point that they're trading anonymity for security (as mentioned in earlier comments). We don't need new security (especially one that puts all our collective information into one basket), we need better education and more emphasis on the fundamentals (a lapse on these fundamentals is what is causing half these problems anyway). There's no point in having a super secure basket when people are still dropping the ball on the basics.

    Here's a few basic things I've seen people screw up that cause this problem:

    1) Not configuring and securing their systems before connecting to the internet (not everything is ready to go out of the box).

    2) Connecting test systems to the internet using default accounts/passwords (Why not just hand them the keys to your network while you're at it?)

    3) Failure to update. Though this can vary depending on what kind of network is set up as you'll usually want to observe the bitch forums (or use a test environment if one is available) to see if an update causes any problems (and looking for fixes), exploits don't take long to be seized upon. This is not something to procrastinate or forget about and you would be surprised how often people don't do this.

    4) Not authenticating vendor calls. Of all the ways to get into a network, this is STILL the easiest. Pretend to be a vendor, supply marginal information and then extract a list of usernames and passwords without the other side being any wiser for it. I've consulted and gotten many an admin account just by asking for it.

    5) Failure to maintain and test backups. This is another culprit, sometimes it's laziness, other times, bad scheduling (curious: what happens if you do a backup during a defrag?). This is in addition to keeping backups in nonsecure locations such as on desks or left in the boss's safe. Offsite is ideal, but failing that, at least keep the tapes somewhere besides next to your family photos (not naming names here)

    6) No disaster recovery plan or one that isn't tested. If your network has been compromised, what do you do? If you discover a vulnerability, who are you supposed to talk to? Can the network be restored in the event of a disaster? What's the procedure and the schedule for your backups? Did you update your security software prior to backing up? These things don't just occur in the moment, people plan and gather information before they hit your network, no one just says, "I'm going to magically break into X company's network" and then skips right to execution. Having a proper plan laid out will help people recognize when there's a problem, report it and handle the situation; instead of running around screaming at the last minute to undo the damage that has already been done, then shutting everything down for a week while PR shills attempt to do publicity damage control.

    7) Failure to update or even implement antivirus/antispyware. Another common mistake (also a core fundamental), why have a scanner that doesn't know what to look for? I know IT budgets are tight and usually the first on any business's chopping block with budget cuts, but how much value are you placing on the information in the long run? A firewall isn't going to block an e-mail with a malicious attachment on it.

    8) No solid usage policy and/or failing to educate your users. This is the most overlooked item. Not everyone knows a lot about computers. My grandparents had to be dragged into the 21st century kicking and screaming (and all I was doing was introducing them to e-mail, so it's more like the 20th century); I've spent hours just removing rogue antispyware from my step-dad's computer. So despite the advances in technology, we still have people who think of computers as complex unicorns that shit math and complicated applications. Things that you would consider common sense aren't so easy for them since they can barely navigate their inbox (oh that poor Nigerian fellow, this $200 check should make him feel better). In addition, this is how virus hoaxes end up being spread like wildfire (like the Olympic torch virus hoax that pops up every 2 years or so). This means not only having a policy that clearly defines what a user can and cannot do, but also having a policy where they can address concerns and items to think about before they compromise the network you're working your ass off to keep stable.

    9) Doing it all by yourself. I understand that times are tight and budgets are tighter, but there's a reason why large companies have entire departments dedicated to this practice. A consultant might be pricey, but if you don't have another brain to bounce ideas off of, you're going to end up missing something or not doing something right. You would be surprised how many mistakes I find just because 1 admin became a lone wolf and couldn't be bothered to ask for help.

    10) Insider threats: Still one of the biggest screw ups I've seen today surround either excessive trust or not even bothering to define user permissions more accurately. Extracting information is big business; for example, corporate espionage or just paying inside employees for giving information they think is harmless. Disgruntled employees can also ruin your day and you would be surprised how not using the principle of lowest privilege can allow them to ruin your day. In tandem to this, is social engineering. There's key card cracks available to get into secure locations, but in some cases I don't need them; grab a few dozen boxes and see how many people will open the door for you (hey how about that doorman service!). Additionally, we also have portable devices which administrators are either not monitoring (in terms of traffic and network use) or no solid policy is in place regarding the use of iPods and other USB devices (see the point #8). All I have to do is write a program into a USB device, drop it and wait for someone curious to pick it up and plug it in to see what's on it (I didn't even have to enter the building that time, the employees do the work for me).

    11) Lax information security standards. No policies regarding how private or proprietary secret information is handled. Examples include: folders left on desks, no locks on "secure" filing cabinets, information deemed as "trivial" just discarded into trash bins without being shredded, sensitive information being discussed over the water cooler (just ignore the Fed Ex guy, he won't know what you're talking about) and so on. Sometimes I don't even have to talk to people to garner a list of password possibilities since I could just listen in on conversation about such and such a user or an account that was recently settled. Some companies have a clause that you have to sign in which you can be penalized (usually fired, but in cases of government information you could be arrested, such as disclosing DOD UCNI), but you'd be surprised how few people either forget about this clause, don't think the information they disclose fall under this clause or don't even have this clause in their employee contracts.

    12) No encryption standards whatsoever. Really, this is just embarrassing. The biggest example is lulzsec's infamous break-in on the PS network. Not only could they do it thanks to users who use the same username and password on everything, but Sony has been hacked no less than 5 times because of this and so many of the aforementioned screw ups. Additionally, the media went apeshit when they found private information disclosed on a public medium. Granted, they over-hyped what kind of information that got leaked (tip: Identity thieves need more than just a Social Security number to open a credit card in your name, but I digress), most of it was just names, addresses, and phone numbers. It's still bad and quite damaging as anyone from stalkers to prank callers and telemarketers can harass you, but it does illustrate a problem; this problem being that there's no encryption on the inside of the network. No one can guarantee 100% that this information won't be compromised in some fashion, but what's retarded is how they put the blame on the customers and internet security firms when they were the ones dumb enough to leave all that information unencrypted in the first place. How else would they be able to broadcast that private information to begin with?

    In essence, if you want to end the hysteria, try promoting end-user education and practice the fundamentals. We don't need advanced security, we just need better informed people.

  18. Adding another protocol (internet ID) to others (HTTP, FTP, DNS, etc) may improve accountability for those who work within protocols, but the whole point of hacking/cracking is that you work outside established use cases and specifications to make a piece of software do something the designers didn't intend. That is, a hacker will either not use internet ID, or will use it incorrectly. And so internet ID will only add another vulnerability point for hackers, while at the same time increasing complexity and frustration to normal users.

  19. The only system I can see that is even remotely feasible, while maintaining the compartmentalization that exists today, is to have a system that keeps track of Online IDs for each person. You create whatever ID you wish for whatever service, then that service registers that ID with your account in the ID system. All this ID system does is keep all of your Aliases in a single "folder" – no personal data of significant value is stored there.
    So, even if one of your Aliases is compromised, the rest of your Aliases are still safe – and the breach is reported to the ID system.
    It's essentially the same system we have now, but with a layer of fraud protection; if one alias is compromised, this system knows to send advisory notifications to all your other aliases to change passwords, along with notifications to the individual services that a breach is possible for specific aliases.
    This way, you get to maintain your anonymity if you are just a regular web user, and hackers are forced to hide themselves better, since their aliases can all be linked together, while still having all the individual walls to jump.
    That said, those individual walls need to be reinforced sooner rather than later – as in now.

    As for *how* you link together the aliases, without using private data, that is something that will need some creative thought; but this is just the abstract.

    • It's not a bad thought on paper. You can maintain a sort of disconnect for making users anonymous. My biggest problem is that this does not address the problem at large. Many times it's the people who drop the ball by failing to exercise the most basic fundamentals that creates this problem in the first place. It reminds me of when I was stationed at Nellis in America's largest above ground nuke storage facility; we used to have a saying, "We cannot guarantee that people cannot get in, but we will guarantee that they will not get out." It's the same principle, people think that just having a firewall and antivirus software is enough to keep intruders out and on a few levels, it is. The trouble is there's no sound security policy regarding organization information or discussions thereof. You would be surprised how many people would surrender usernames and passwords in exchange for chocolate (yes, you read that right, I offered chocolate and sometimes the information was useless, but sometimes it was correct). An outsider does not always need to crack a firewall or write a new virus to get into the networks to get access to sensitive information, so why not encrypt the information too? We already use PHP, SSL and so many others to encrypt it in transit to protect consumer information and it works perfectly fine, why not do the same thing on the inside? This is half the problem when you have bean counters who understand nothing about information security forcing the IT department to cut down on overhead by cutting corners. No amount of user verification and walling up is going to stop a determined outsider (and in most cases insiders too) from getting access to that information, it's about making that information useless if it gets compromised so that if an attack is successful, no amount of brute forcing or reverse engineering is going to yield what they are looking for. That's the main problem.
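
The alias "folder" proposed in comment 19, sketched as an added example that is not part of the original post or comments. The class names and the choice of HMAC-SHA256 handles for linking aliases without storing them are assumptions made for illustration; the sample aliases are constructed.

```python
import hashlib
import hmac
import secrets


class Service:
    """A site that owns its users' aliases; only opaque handles leave it."""

    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)  # stays with the service
        self._alias_by_handle = {}
        self.must_reset = set()  # aliases advised to change their password

    def handle_for(self, alias):
        # Assumption: a keyed hash, so the registry never sees the alias.
        h = hmac.new(self._key, alias.encode(), hashlib.sha256).hexdigest()
        self._alias_by_handle[h] = alias
        return h

    def on_advisory(self, handle):
        # Only the service can map a handle back to one of its own aliases.
        alias = self._alias_by_handle.get(handle)
        if alias is not None:
            self.must_reset.add(alias)


class AliasRegistry:
    """The 'folder' system: opaque folder ids mapped to opaque handles."""

    def __init__(self):
        self._services = {}
        self._folder_of = {}  # (service name, handle) -> folder id
        self._members = {}    # folder id -> {(service name, handle)}

    def add_service(self, service):
        self._services[service.name] = service

    def new_folder(self):
        folder = secrets.token_hex(16)  # random id, carries no personal data
        self._members[folder] = set()
        return folder

    def register(self, folder, service_name, handle):
        if folder not in self._members:
            raise KeyError("unknown folder")
        if service_name not in self._services:
            raise KeyError("unknown service")
        entry = (service_name, handle)
        if self._folder_of.setdefault(entry, folder) != folder:
            raise ValueError("alias is already linked to another folder")
        self._members[folder].add(entry)

    def report_breach(self, service_name, handle):
        """Advise every other alias in the same folder; return who was told."""
        entry = (service_name, handle)
        folder = self._folder_of.get(entry)
        if folder is None:
            return []  # alias was never linked, so there is nobody to advise
        notified = sorted(self._members[folder] - {entry})
        for other_service, other_handle in notified:
            self._services[other_service].on_advisory(other_handle)
        return notified

    def dump(self):
        """Everything the registry stores, as an attacker would see it."""
        return sorted((f, s, h) for (s, h), f in self._folder_of.items())


def demo():
    registry = AliasRegistry()
    forum, bank, shop = Service("forum"), Service("bank"), Service("shop")
    for service in (forum, bank, shop):
        registry.add_service(service)
    mine, theirs = registry.new_folder(), registry.new_folder()
    registry.register(mine, "forum", forum.handle_for("night_owl"))
    registry.register(mine, "bank", bank.handle_for("jdoe-4471"))
    registry.register(theirs, "shop", shop.handle_for("someone_else"))
    # The forum discovers that "night_owl" was compromised and reports it.
    registry.report_breach("forum", forum.handle_for("night_owl"))
    return bank.must_reset, shop.must_reset, registry.dump()


if __name__ == "__main__":
    print(demo())
```

A leak of the registry in this sketch still reveals which handles share a folder, which is the linkage the proposal relies on; it does not reveal the alias names or anything about the person behind them.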

  21. This is a stupid idea. The first people who need to be educated are the U.S. Chamber of Commerce. They are trying to make decisions on things they obviously do not understand. Most identity fraud, security problems and so on happen because people do not understand the problems. Not just in the cyber world but in the real world as well. I have seen people get into physical places that they shouldn't because the guy who opened the locked door with their security pass holds it open for the guy behind him. I have seen people, not aware of their surroundings, think they were safe because of a tiny, black and white security camera that took lousy pictures, shocked to be attacked. These people didn't understand their screw-ups because they never analysed it before. If this internet ID thing happens, people will think they're safe. They won't do what it takes to stay safe because they will have faith that a magic system will save them.

    Not to mention, if this ID thing did get out, we would get a crappy explanation of how it is supposed to work. Plus they will make it impossible for you to track what goes on in your own account (at least without a fee if used more than once a year). The tools that would be needed to keep you as safe as possible (and it's not possible to be safe 100% no matter how cautious you are) would be convoluted, cryptic, and expensive. To be as safe as possible you need an active hand, and different systems. And no one should assume just because someone uses a magic ID that it's really that person's ID. All ID fraud stems from someone assuming knowing a particular ID or address makes it that person.

    The hardest part of this is the regular problem of ID theft. People will say, "well as long as you don't give out that number and keep it safe you will be fine." This is BS. As I try to explain to people, "Yes, while people will dig through your trash for info, a lot more times they will get your information from someone else." Your credit card number, well that got compromised from that last purchase you made at the store. They put that number on record, virtual and/or physical, then someone you never met before held the door open for someone they never met while giving their password to a person on the phone claiming they are from that company's IT department testing or resetting passwords.

    Heck, maybe if we took some time to fix more of the physical world's mistakes, educated people better, and made the tools to keep us safer easy and convenient we will be in a better position to attempt to improve internet security.

    • They say "knowledge is power" and above all else, you are right on the money (I forgot to touch up on this earlier). That's always a problem when you have people who don't know anything about the systems they regulate; they shrug and expect a magical solution to surface so that they don't have to learn anything and then absolve themselves of responsibility when it inevitably falls apart (willful failure to know in my books).

  22. I think it is a terrible idea. The first thing any hacker doing anything that will get traced does is to borrow someone else's ID. It's not like a driver's licence where it is attached to a real person (and these still get faked from time to time). I see a great chance of abuse and very little increased security. The only people it would catch are stupid people. Generally hackers are quite the opposite.

  23. This is just a ploy. A unique ID system will do absolutely nothing. I mean, originally, IP addresses were unique, but with proxies, botnets, backdoors, etc. the point of catching these hackers with an IP address was rendered moot. The same thing is going to happen with these unique IDs.

    They're just going to find a way around them, and the government and law enforcement know it. When you tell a criminal that he can no longer have a firearm, the most you can do is make it slightly harder to obtain.

    Criminals don't follow laws; the government and law enforcement know this for a fact.  It's just one more collar going on our necks.

  25. Sure, that's exactly what I want, a system for the government to hang one more noose around my neck. An ID just to get online? No thank you. What makes anyone think that this would stop a determined hacker anyway?! Stuxnet used legitimate secured signed certificates to infiltrate systems; what makes anyone think that this "new" system would be any less vulnerable? Here's an idea: use a dash of caution and an ounce of intelligence. Use strong security methods for passwords and don't reuse the same one. Seriously people, why is it that every time the general public is presented with a problem, rather than rolling up our own personal sleeves, we turn to government to "do it for us"? Every time we let the government "do it for us" we give away a little piece of our own freedoms.
