Well at least those cyber spies and thieves can breathe a little easier.
The U.S government is going to start testing its new and well-thought-out identity consolidation program. It's the NSTIC (National Strategy for Trusted Identities in Cyberspace), and it basically works like an online Uncle Sam-approved driver's license. What a great idea! Absolutely nothing could possibly go wrong. At all.
It's not as though our trusted Uncle Sam has a near-omnipotent arm of data-hungry spy weenies with a track record for abusing their powers that's so long and awful it makes me sprint to the liquor cabinet whenever I think about it. Or that government sites, networks, and databases like the U.S. Navy's or the Department of Energy's (to name only a very, very few) are about as safe as a dinner party at Kim Jong-un's house. Or that the same people who are supposed to protect our most valuable data -- like, say, the IRS -- couldn't be bothered to upgrade their insecure desktop OS (Windows XP, which now stands for eXtra Porous) before the support deadline ran out.
Nope, none of that's a problem. So why not implement an identity consolidation program that we're probably going to be forced to use with any government site and eventually a growing population of miserly app builders who'd rather hawk an NSTIC logo than shell out for more expensive and undoubtedly more secure identity management platforms?
At least our beleaguered black hatters can get back to the easy lifestyle they deserve. They were crying after Heartbleed was exposed, since now it would take them more than 10 minutes to crack any OpenSSL site. I really felt for them. What a blow! But here comes Uncle Sam to the rescue with a program that will consolidate our security for multiple sites into a single glorious database that'll probably take some middle schooler less than a week to crack. Whew. Back to using our identities like ATMs so they can concentrate on the really important things like loafing, video games, and porn.
But wait! It gets better. While a government organization, namely NIST (the National Institute of Standards and Technology), is managing the program, it can't be bothered to actually manage the credentials. It's looking for third parties to do that, and reportedly it's considering really secure and data-neutral folks, including banks, phone companies, and "technology companies."
So it's possible that AT&T, Google, or my best friend Zuckerberg could bid to hold onto all our most valuable creds with an attached profile of who we are down to the molecular level and where all our most precious information is stored while promising up and down that they'll make sure the data is 100 percent secure and will never be used for anything nefarious at all. Ever. If they believe that, the guys at NIST are sitting around smoking legalized weed and wondering what the world would be like if farts had colors.
The argument from most folks, including the EFF, is that if this really gets traction, it'll be mandated. You won't have a choice but to use this technology to access most government sites and online services. That's bad, but I don't see it as the biggest problem. You're forced to use whatever harebrained and previously penetrated scheme each government site is using now. The only difference here is that the bad guys will get more information if they snag your creds.
What bugs me more is that there's no way our friends in DC won't offer this to the private sector. For one, they'll make revenue on that, which is never a bad idea. And it'll make life easier for other government arms, especially our various secret police organizations. Sure, NIST finally pulled the NSA-compromised Dual_EC_DRBG random number generator (the one RSA shipped as the default in its BSAFE toolkit) from its standards, but it took several months, and what are the odds that was the NSA's only way in? Or that it won't bully NIST into using another crack?
Once it gets popular, the same identity tech you use to access the vulnerability-riddled IRS website will get used by your bank, your stock broker, your mortgage company, and wherever your daughter thinks she's hiding her sexting photos. All those locked gates will spring open with much of the data attached to your profile in addition to your keys. A physical driver's license is used as acceptable ID all over meatspace, so we can expect the same with this concept online. NIST is piloting this mistake in Michigan and Pennsylvania, and I wish them all the bad luck in the world.
In the words of someone whose name I can't remember, "May the fleas of a thousand camels nestle in your armpits."
This article, "Uncle Sam's brilliant new idea: An online driver's license," was originally published at InfoWorld.com.