New laws to be proposed to President Elect, inching us closer to DRM



smartboyathome
December 9th, 2008, 05:11 AM
SAN FRANCISCO — License plates may be coming to cyberspace.

A government and technology industry panel on cyber-security is recommending that the federal government end its reliance on passwords and enforce what the industry describes as “strong authentication.”

Such an approach would probably mean that all government computer users would have to hold a device to gain access to a network computer or online service. The commission is also encouraging all nongovernmental commercial services use such a device.

“We need to move away from passwords,” said Tom Kellermann, vice president for security awareness at Core Security Technologies and a member of the commission that created the report.

The report (http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf), which offers guidance to the Obama administration, is a strong indictment of government and private industry efforts to secure cyberspace to date. “The laissez-faire approach to cyber-security has failed,” Mr. Kellermann said.

Restricting Internet access is one of a series of recommendations that a group of more than 60 government and business computer security specialists will make in a public presentation, “Securing Cyberspace in the 44th Presidency,” on Monday.

The report has been prepared during the last 18 months under the auspices of the Center for Strategic and International Studies (http://topics.nytimes.com/top/reference/timestopics/organizations/c/center_for_strategic_and_international_studies/index.html?inline=nyt-org), a Washington policy group, after a number of break-ins into government computer systems.

“The damage from cyber attack is real,” the report states. “Last year, the Departments of Defense, State, Homeland Security, and Commerce, NASA (http://topics.nytimes.com/top/reference/timestopics/organizations/n/national_aeronautics_and_space_administration/index.html?inline=nyt-org) and the National Defense University all suffered major intrusions by unknown foreign entities.”

The report describes a laundry list of serious break-ins ranging from the hacking of the secretary of Defense’s unclassified e-mail to the loss of “terabytes” of data at the State Department.

The group recommends the creation of a White House cyber-security czar reporting to the president and the consolidation of the powers that have largely been held by the Homeland Security Department (http://topics.nytimes.com/top/reference/timestopics/organizations/h/homeland_security_department/index.html?inline=nyt-org) under the Bush administration. The report argues that cyber-security is one of the most significant national security threats and that it can no longer be relegated to information technology offices and chief information officers.

The commission included the top Democrat and Republican members of the House Homeland Security subcommittee that oversees cyber-security. The chairmen of the commission included Jim Langevin, a Democratic congressman from Rhode Island; and Michael McCaul, a Republican congressman from Texas.

Scott Charney, corporate vice president for trustworthy computing at Microsoft (http://topics.nytimes.com/top/news/business/companies/microsoft_corporation/index.html?inline=nyt-org); and Harry D. Raduege Jr., a retired Air Force lieutenant general who is chairman of the Center for Network Innovation at Deloitte & Touche, were also on the commission.

The report calls for new laws and regulations governing cyberspace.

“We believe that cyberspace cannot be secured without regulation,” the report said. The proposed regulations included new standards for critical infrastructure providers like the finance and energy industries, as well as new federal product acquisition rules to force more secure products.

The report does not entirely reject the work of the Bush administration. It cites the creation of the Comprehensive National Cybersecurity Initiative, adopted by the government as part of a presidential memorandum issued last January as a good starting point for remaking the nation’s cyber-security strategy.

That effort has led to a commitment by the federal government to spend more than $30 billion in the next seven years to enhance computing security.

Looks like Richard Stallman's story, The Right to Read, may actually become reality. :(

MikeTheC
December 9th, 2008, 05:25 AM
smartboyathome:

It's hard to read the article and not come away with the conclusion you have drawn. However, there are two points I would raise:

1. The same "Something Orwellian this way comes" has been discussed for years. Hasn't happened yet.

2. The problem with unilateral regulation of the Internet is that the U.S. cannot control (and has no jurisdiction over) the Internet beyond its borders. Any attempts to do so would be no different than the U.S. trying to control phone lines in a foreign country.

Besides this, it's a certainty that the F/OSS community will neither agree to nor abide by these guidelines. (What do you think one of the reasons I'm desperately trying to switch to Linux is?)

I don't mean to suggest that such things cannot ever possibly happen. If anything, the old saw "eternal vigilance is the price of freedom" is in operation here. However, this is nothing more than an attempt to get us all riled up so we start making mistakes. Take a deep breath, relax, and focus on what's real. It's the only way we'll get through this.

cardinals_fan
December 9th, 2008, 05:28 AM
Such an approach would probably mean that all government computer users would have to hold a device to gain access to a network computer or online service. The commission is also encouraging all nongovernmental commercial services use such a device.

This only restricts users of government and corporate machines, both of which should be regulated by their owners.

MikeTheC
December 9th, 2008, 05:55 AM
This only restricts users of government and corporate machines, both of which should be regulated by their owners.

And given that their "owners", as such, are ultimately "us", the American tax-paying public, that could be interesting.

Oh, the things I could say though if only this weren't a "decent" board... <evil laugh>

cardinals_fan
December 9th, 2008, 06:13 AM
And given that their "owners", as such, are ultimately "us", the American tax-paying public, that could be interesting.

Oh, the things I could say though if only this weren't a "decent" board... <evil laugh>

I'd prefer if my "civil servants" aren't watching porn and playing Nethack on their "work" computers ;)

zmjjmz
December 9th, 2008, 07:38 AM
I only see an issue when this starts to be applied to the private sector.

dannytatom
December 9th, 2008, 07:51 AM
I'd prefer if my "civil servants" aren't watching porn and playing Nethack on their "work" computers ;)

I have a hard time imagining anyone in the gov'ment playing nethack.

dmn_clown
December 9th, 2008, 09:36 AM
Such an approach would probably mean that all government computer users would have to hold a device to gain access to a network computer or online service. The commission is also encouraging all nongovernmental commercial services use such a device.

“We need to move away from passwords,” said Tom Kellermann, vice president for security awareness at Core Security Technologies and a member of the commission that created the report.

Considering how many government laptops have been stolen/misplaced, I fail to see how a dongle (just as easily "misplaced") will help make government data more safe.

smoker
December 9th, 2008, 09:49 AM
Doesn't matter how many measures you take to make a system secure, people will still write passwords under their keyboard, or leave the dongle, or whatever, plugged in, or in the top drawer of the desk where it will be handy!

igknighted
December 9th, 2008, 10:36 AM
I fail to see the problem here... most people who handle very sensitive data are incredibly poor at cyber-security. This is a very prudent security measure.

saulgoode
December 9th, 2008, 11:34 AM
My guess is that Core Security Technologies has recently dumped their MS holdings and are now investing in the dongle manufacturing industry.

handy
December 9th, 2008, 02:24 PM
Fingerprint scans will probably become the norm until all children are chipped at birth.

The joys of internet2 & all it stands for.

speedwell68
December 9th, 2008, 02:26 PM
Doesn't matter how many measures you take to make a system secure, people will still write passwords under their keyboard, or leave the dongle, or whatever, plugged in, or in the top drawer of the desk where it will be handy!

QFT^^^. I was explaining this at work today. The duty manager is a moron: she received a text message on her mobile phone asking for the password to one of our real time information systems, and she only bloody sent it back in a reply. She also keeps a little black book full of the different passwords that she uses on different systems. My PC is connected to our corporate LAN, so Net use is monitored and filtered. She has a PC that is connected via WiFi router directly to the internet, with no filtering. I went in with my AA1 netbook the other day, found the router admin password in her little black book and now I have free unfiltered Wifi for when I am working alone on night shifts.

I-75
December 9th, 2008, 02:30 PM
Fingerprint scans will probably become the norm until all children are chipped at birth.

The joys of internet2 & all it stands for.

Seriously, if it comes to that, I'd sell all my computers and dump the internet. I got along OK for almost 40 years without the computer and the internet, I can do without it again.

Alexis Phoenix
December 9th, 2008, 04:46 PM
Going from password in your head, to keycode on a stick. I only trust people not to steal my head, so carrying one of those would just make me paranoid....

If the stick needs a password to make it work, chances are it's no stronger than one that would have been used on its own anyway. I don't think this will stop a determined (and well equipped and organised) data thief.

Just another layer of things to go wrong IMHO. Of course, there is already a significant layer of things to go wrong - it's called "human beings" - has anyone heard of this technology?

MikeTheC
December 9th, 2008, 05:12 PM
My guess is that Core Security Technologies has recently dumped their MS holdings and are now investing in the dongle manufacturing industry.

+1

smartboyathome
December 9th, 2008, 06:39 PM
Fingerprint scans will probably become the norm until all children are chipped at birth.

The joys of internet2 & all it stands for.

Why not Retina scanners? Much safer (IMO) than fingerprints, which can be lifted off your computer.

MarblePanther
December 9th, 2008, 06:48 PM
Or better yet, vein-patterns:

http://www.sourcesecurity.com/new-products/listing/1/product-profile/access-control/readers-and-controllers/readers/fujitsu-palm-vein-reader.html

sydbat
December 9th, 2008, 06:57 PM
QFT^^^. I was explaining this at work today. The duty manager is a moron: she received a text message on her mobile phone asking for the password to one of our real time information systems, and she only bloody sent it back in a reply. She also keeps a little black book full of the different passwords that she uses on different systems. My PC is connected to our corporate LAN, so Net use is monitored and filtered. She has a PC that is connected via WiFi router directly to the internet, with no filtering. I went in with my AA1 netbook the other day, found the router admin password in her little black book and now I have free unfiltered Wifi for when I am working alone on night shifts.

Where my wife works, they force people to change their passwords every 45 days. My wife does so diligently and keeps it locked inside her head. However, her coworkers write it down and keep it in obvious places (sometimes telling others too)...so she often "hacks" into their workstations and changes minor settings (like cranking the sound or changing wallpaper, etc), then they always wonder how it happened.

So any security changes still have to be used by humans. And that is always the weak link in any system.

hrod beraht
December 9th, 2008, 07:07 PM
I used to work for the federal government and this type of login to government computers has actually been going on for a few years.

It's not really that different. Instead of logging in using your name and a password, now you have a key-card with a chip that substitutes for your name. You then have to type in a pin number.

Basically, before, anyone could find out your name and your password and log in. Now, they need not only a password/pin, but a physical card.

No real 'big brother' scenario, just a different login paradigm.

fiona-conn
December 9th, 2008, 07:11 PM
I used to work for the federal government and this type of login to government computers has actually been going on for a few years.

It's not really that different. Instead of logging in using your name and a password, now you have a key-card with a chip that substitutes for your name. You then have to type in a pin number.

Basically, before, anyone could find out your name and your password and log in. Now, they need not only a password/pin, but a physical card.

No real 'big brother' scenario, just a different login paradigm.

I've seen this done; my dad used to have a laptop that required username/password, and pin to login. In his case, he had a little electronic card that he had to keep with him at all times in order to login, because the pin changed every few seconds.

nicol_bolas
December 9th, 2008, 10:09 PM
This would be the same as requiring a set of keys (public and private) to access your Linux computer from a remote host, with a few differences.

You would have to have the key, password, username for any access including when you are sitting at your computer.

This means that an intruder would have to either break the key and password or steal your key and password before you report it missing and an admin disables the stolen key.

This sounds like a good idea to me. (Well everything but the cost.)

sdowney717
December 9th, 2008, 11:05 PM
With eBay you can get a time dongle that syncs with your computer. If you want to bid, you simply type in the number from the time dongle and somehow it matches you with your system as an authentication.

I wonder if that device only works with Windows.

p_quarles
December 9th, 2008, 11:11 PM
With eBay you can get a time dongle that syncs with your computer. If you want to bid, you simply type in the number from the time dongle and somehow it matches you with your system as an authentication.

I wonder if that device only works with Windows.

No, there are one-time password devices that are OS-independent, using stuff like OpenID for backend authentication. They're pretty cool, I think, and while I don't think they're unbeatable, they are certainly more secure than the traditional password / hash model that is the default at this point.

handy
December 9th, 2008, 11:24 PM
Why not Retina scanners? Much safer (IMO) than fingerprints, which can be lifted off your computer.


Or better yet, vein-patterns:

http://www.sourcesecurity.com/new-products/listing/1/product-profile/access-control/readers-and-controllers/readers/fujitsu-palm-vein-reader.html

Yep, you got my point.

p_quarles
December 9th, 2008, 11:37 PM
While I understand the impulse to object to initiatives like this on the grounds that it's a "slippery slope" toward invasive restrictions on private computer use, I also think that response is incorrectly dismissive of the real concerns being addressed here.

This is not DRM. This is about requiring strong authentication for people whose job requires them to access databases containing personal information about you and me. It's about making sure that the person who logs into a database of criminal records is actually the person authorized to do that.

Identity theft is a huge and growing problem, and this is meant to combat that and other computer-based crime. Upgrading the security in and around sensitive systems is not the moral equivalent of a global ID card, and it's not the moral equivalent of selling licenses to read books.

I agree that this technology could potentially enable things that I don't want. It also does useful things. The point is to have a voice in defining how such things are used -- not simply calling for their wholesale ban.

handy
December 9th, 2008, 11:40 PM
In 1990 I worked for Kodak, as an associate imaging technologist, which was their fancy way of saying a photocopier fixer.

Anyway, one of the customers whose machines I had to service was IBM, at Cherrybrook, in Oz. This is (or at least was) the IBM headquarters for the Asia Pacific region.

When I went to this facility to work, my senior would have contacted them so they knew I was coming. Everyone entering the facility was stopped by security personnel at the guarded entry, where they had to identify themselves; in my case, I was given a security card which would open all of the doors that I needed to go through to access the photocopying machine(s) & no more.

That is the only place I have ever been in with that kind of security.

We don't want our secrets stolen do we?

It could cost us dearly if other humans benefit from our work without paying us for it. We can't lose our advantage over the others.

The others are our enemy.

p_quarles
December 9th, 2008, 11:48 PM
<snip>

That is the only place I have ever been in with that kind of security.

We don't want our secrets stolen do we?

It could cost us dearly if other humans benefit from our work without paying us for it. We can't lose our advantage over the others.

The others are our enemy.

Some others are our enemies, yes, and for various reasons. As long as that is true, we will need ways of protecting our advantages over them.

This isn't a philosophical issue, it's just a practical reality, and I don't see you volunteering to post your bank account numbers here, and for good reason.

Why not? Because the gesture would not bring an end to the strife that you feel these secrets symbolize. It would be both futile and self-destructive. For the same reason, ignoring computer security on the grounds that humans all ought to be friends is both futile and self-destructive.

handy
December 10th, 2008, 12:00 AM
@pquarles: This is why I think that Google will become an increasingly political issue in the near future.

Google say whatever, but they have collected the largest database of information on humanity at large that has ever existed. No matter what they say to the little people, parts of that information would already have been sold to various governments & other high level organisations.

Their database is their most valuable asset.

People who think that we may start sliding down the slippery slope towards a big brother scenario, haven't been looking past the spin & don't see where we are yet.

The wonders of the communication age, & the internet that we know & love is a double edged sword when powerful organisations that are interested in gaining more power & control are taken into consideration.

The world of commerce is changing really fast; there are old ways struggling to maintain their existence against this change (media corporations for example), and big players see that they need to own the internet to maintain their wealth & control.

The U.S. has started to weaken its control on the telcos, who were limited to only being carriers. These companies know that if they can influence the U.S. government to give them more ownership of the internet, they will become the most powerful corps on the planet.

Most all of the internet backbone is in the U.S.

You have to control the internet, if you want to control how people think.

handy
December 10th, 2008, 12:03 AM
For the same reason, ignoring computer security on the grounds that humans all ought to be friends is both futile and self-destructive.

The issues are very complex, & no black & white answers exist.

sdowney717
December 10th, 2008, 12:55 AM
News organizations already control what news is considered newsworthy with viewpoints determined by how the articles are written and presented to readers which are the consumers of news.
Yes, it is a high stakes game which can be manipulated to present views which those organizations wish to promote. This has gone on for ages already, even during the revolutionary war in the US with Thomas Paine's inflammatory pamphlets, etc...

http://en.wikipedia.org/wiki/Thomas_Paine

Control of the media is central to control of the hearts and minds of the people. Control of education is also a means of promoting the tenets of humanism in American school children through the efforts of Dewey.

http://en.wikipedia.org/wiki/John_Dewey

MarblePanther
December 10th, 2008, 01:21 AM
Yep, you got my point.


Hmmm, I love the smell of sarcasm in the morning

;)

WinterMadness
December 10th, 2008, 01:24 AM
Just because the US has no jurisdiction outside its borders does not mean it won't work deals with other major countries.

This is bad, especially considering Obama thinks the government is here to run people's lives.

cardinals_fan
December 10th, 2008, 01:39 AM
I have a hard time imagining anyone in the gov'ment playing nethack.

I don't think so ;)

handy
December 10th, 2008, 01:49 AM
Hmmm, I love the smell of sarcasm in the morning

;)

There was no sarcasm intended.

MarblePanther
December 10th, 2008, 02:29 AM
:confused:

Old_Grey_Wolf
December 10th, 2008, 02:45 AM
I don't understand how this is related to DRM. ???

handy
December 10th, 2008, 06:41 AM
I don't understand how this is related to DRM. ???

What does DRM ultimately protect?

MikeTheC
December 10th, 2008, 07:37 AM
This thread is a perfect example of why F/OSS as a general concept and Linux as a specific execution thereof is a good thing for the U.S., particularly as a counter to anything the Federal Gov't. might try to do.

C'mon Project Gimp and Project Scribus! ;)

dmn_clown
December 10th, 2008, 09:16 AM
QFT^^^. I was explaining this at work today. The duty manager is a moron: she received a text message on her mobile phone asking for the password to one of our real time information systems, and she only bloody sent it back in a reply. She also keeps a little black book full of the different passwords that she uses on different systems. My PC is connected to our corporate LAN, so Net use is monitored and filtered. She has a PC that is connected via WiFi router directly to the internet, with no filtering. I went in with my AA1 netbook the other day, found the router admin password in her little black book and now I have free unfiltered Wifi for when I am working alone on night shifts.

Just a tip, when you are doing something that will get you fired (like stealing someone's password for unfettered net access at work) it is not a very good idea to brag about it even pseudonymously in an internet forum.

Something like that is best kept to yourself and enjoyed. ;)

mips
December 10th, 2008, 09:51 AM
I've seen this done; my dad used to have a laptop that required username/password, and pin to login. In his case, he had a little electronic card that he had to keep with him at all times in order to login, because the pin changed every few seconds.


Something like the RSA SecurID
http://www.rsa.com/images_new/SID900_signing_token_smlr.jpg
http://www.rsasecurity.com/company/news/kit/logos/photos/images/SID700_120w.jpg
http://www.rsa.com/products/securid/images/SID1100-environment.jpg