By Jake Edge
January 12, 2011
The US government has recently been pushing a scheme to create some kind of "trusted" identity for people to use on the internet. At a meeting at Stanford University on January 7th, US Commerce Secretary Gary Locke outlined the problems that he perceives with trust on the internet and how the creation of "trusted digital identities" might alleviate those problems.

There is likely some truth in what he says, and trusted identities could well fix some of the problems. Unfortunately, when looked at from a privacy perspective, that kind of scheme is likely to cause more problems than it solves.

The threats that Locke describes are fairly well-known: "data breaches, malware, ID theft and spam". It's not exactly clear how a trusted identity would fix any of the problems he lists, but that's not really his role. He is trying to build a groundswell of support for these identities, but he is also being rather disingenuous when he says things like:

Let's be clear. We are not talking about a national ID card. We are not talking about a government-controlled system. What we are talking about is enhancing online security and privacy and reducing and perhaps even eliminating the need to memorize a dozen passwords, through creation and use of more trusted digital identities.

PRIVACY Forum moderator (and long-time privacy advocate) Lauren Weinstein has been following this plan (which originates in the US Department of Homeland Security) since at least last June. As he points out, the entire trusted identity scheme rests on those identities being linked to government-issued IDs like driver's licenses or social security numbers. While Locke might be technically correct about national IDs, he is playing rather fast and loose with the reality, as Weinstein notes:

This entire scheme rests on the ability to link Internet presence/roles with real-world identities. So even if no physical card ever exists, the system as currently understood would very much equate to a national ID card for accessing the Internet.

There are the obvious problems with linking internet activity back to a particular "meatspace" identity, not least that it removes the ability to do some things anonymously. Those records will be an attractive target for fishing expeditions by law enforcement of various sorts. One need not look any further than the current attempts to track down Wikileaks members and supporters via Twitter records as an example of how this kind of data might be misused.

At the meeting, White House Cybersecurity Coordinator Howard Schmidt said that there is no chance "a centralized database will emerge". Even if that's true, it won't be terribly hard to reconstruct an internet trail from distributed databases if the ID is tied to government-issued credentials.

Trusted IDs would also be a juicy target for identity thieves. In short, these IDs suffer from privacy and control issues that have been identified for decades by people like Weinstein and organizations like the Electronic Frontier Foundation. While Locke may be giving lip service to some of those longstanding concerns, it is pretty clear that, at least so far, there is no real intent to address them.

There is also a question of how free software fits into this puzzle. Is presenting a trusted identity going to require running proprietary code? Is it going to require running a Trusted Platform Module attested operating system as well? The latter is clearly something that Microsoft and Apple would be happy to see, but it would run completely counter to the ideas of free and open source software.

Ars Technica digs into some of the technical details of the most recent draft [PDF] of the proposal. That analysis certainly doesn't alleviate any of the issues that Weinstein raises, and in fact raises a few others, such as:

In stage number six, the project will address the "liability concerns of service providers and individuals." It looks as though the project will create rules for the system that allow for the fixing of security breaches without everyone suing each other's brains out, perhaps something like the Digital Millennium Copyright Act's safe harbor provisions. The last three stages involve promoting and improving the Ecosystem, including offering loans, tax breaks, and insurance grants for early adopters.

Another draft is due in the next few months, and Weinstein is not very optimistic:

Revised details of the Internet "Trusted ID" NSTIC plan will reportedly be released within a matter of months. Perhaps there will be wondrous revelations that will transform my current very dark view of the proposal into a ringing endorsement.

Unfortunately, I very much doubt that this will be the case. I wish I did not have to be so cynical and concerned about this project. Contrary to some observers, I don't feel that the proponents of this plan are evil or stupid, nor that their motives aren't in large measure essentially laudable.

But a lack of evil and stupidity does not eliminate short-sightedness, foolishness, and priorities run dangerously amok.

Schmidt is also pushing the idea that acquiring a trusted identity would be voluntary, but if the system gets put in place it's a little hard to believe it will be. The internet is playing a bigger and bigger role in our lives. If the US government succeeds in this plan, it's not hard to imagine that it will be difficult to do anything of consequence on the 'net without having such an ID.

This is an issue that bears watching. One might be forgiven for cynically noting that our best defense against this plan may be the government bureaucracy itself, as it will undoubtedly take some time—perhaps on the order of years—for a proposal like this to actually get implemented. In the meantime, though, privacy advocates and free software users should be making an effort to clearly show the problems inherent in this trusted identity scheme.

Brief items

So there you have it. The names are secure: they're identifiable by a key of arbitrary length and cannot be stolen. They're human-meaningful: the name can be whatever string you like. And they're decentralized: no centralized authority determines who gets what name and yet they're available to everyone in the network.

-- Aaron Swartz on a proposed way to "square" Zooko's triangle (by way of BoingBoing).

New vulnerabilities

apparmor: tasks may become unexpectedly unconfined

| Package(s): | apparmor |
| CVE #(s): | |
| Created: | January 7, 2011 |
| Updated: | March 31, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that if AppArmor was misconfigured, under certain circumstances the parser could generate policy using an unconfined fallback execute transition when one was not specified. |

bip: denial of service

| Package(s): | bip |
| CVE #(s): | CVE-2010-3071 |
| Created: | January 12, 2011 |
| Updated: | January 12, 2011 |
| Description: | A remote attacker can force a null pointer dereference in the bip IRC proxy, leading to a denial of service vulnerability. |

cups: may start prematurely

| Package(s): | cups |
| CVE #(s): | |
| Created: | January 7, 2011 |
| Updated: | January 12, 2011 |
| Description: | From the Ubuntu advisory: Under certain circumstances, CUPS could start before its AppArmor profile was loaded and therefore run unconfined. This update ensures the AppArmor profile is loaded before CUPS starts. |

django: multiple vulnerabilities

| Package(s): | python-django |
| CVE #(s): | CVE-2010-4534, CVE-2010-4535 |
| Created: | January 7, 2011 |
| Updated: | February 15, 2011 |
| Description: | From the Ubuntu advisory: Adam Baldwin discovered that Django did not properly validate query string lookups. This could be exploited to provide an information leak to an attacker with admin privileges. (CVE-2010-4534) Paul McMillan discovered that Django did not validate the length of the token used when generating a password reset. An attacker could exploit this to cause a denial of service via resource exhaustion. (CVE-2010-4535) |

dpkg: directory traversal

| Package(s): | dpkg |
| CVE #(s): | CVE-2010-1679 |
| Created: | January 6, 2011 |
| Updated: | January 24, 2011 |
| Description: | From the Debian advisory: Jakub Wilk discovered that the dpkg-source component of dpkg, the Debian package management system, doesn't correctly handle paths in patches of source packages, which could make it traverse directories. Raphaël Hertzog additionally discovered that symbolic links in the .pc directory are followed, which could make it traverse directories too. |

ifupdown: dhcp may start prematurely

| Package(s): | ifupdown |
| CVE #(s): | |
| Created: | January 7, 2011 |
| Updated: | January 12, 2011 |
| Description: | From the Ubuntu advisory: Under certain circumstances, the DHCP client could start before its AppArmor profile was loaded and therefore run unconfined. This update ensures the AppArmor profile is loaded before the DHCP client starts. |

kernel: denial of service

| Package(s): | kernel |
| CVE #(s): | CVE-2010-4263 |
| Created: | January 12, 2011 |
| Updated: | July 14, 2011 |
| Description: | The igb driver contains a null pointer dereference vulnerability exploitable by a remote user in certain, limited conditions. |

kernel: privilege escalation

| Package(s): | kernel |
| CVE #(s): | CVE-2010-4160 |
| Created: | January 12, 2011 |
| Updated: | March 11, 2011 |
| Description: | The PPP-over-L2TP socket implementation lacks some important boundary checks, enabling a local privilege escalation attack. |

kernel: denial of service

| Package(s): | kernel |
| CVE #(s): | CVE-2010-4249 |
| Created: | January 12, 2011 |
| Updated: | August 9, 2011 |
| Description: | The kernel's AF_UNIX garbage collection code has a flaw allowing a local user to oops the kernel. |

kernel: information leak

| Package(s): | kernel |
| CVE #(s): | CVE-2010-4525 |
| Created: | January 12, 2011 |
| Updated: | April 28, 2011 |
| Description: | A missed initialization in KVM could leak information to a privileged local user. |

kernel: denial of service

| Package(s): | kernel |
| CVE #(s): | CVE-2010-4668 |
| Created: | January 12, 2011 |
| Updated: | August 9, 2011 |
| Description: | The kernel block layer lacks some boundary checks, enabling a local user to force a kernel oops. |

mhonarc: multiple vulnerabilities

| Package(s): | MHonArc |
| CVE #(s): | CVE-2010-4524, CVE-2010-1677 |
| Created: | January 10, 2011 |
| Updated: | March 24, 2011 |
| Description: | From the Mandriva advisory: MHonArc 2.6.16 allows remote attackers to cause a denial of service (CPU consumption) via start tags that are placed within other start tags, as demonstrated by a <bo<bo<bo<bo<body>dy>dy>dy>dy> sequence, a different vulnerability than CVE-2010-4524 (CVE-2010-1677). Cross-site scripting (XSS) vulnerability in lib/mhtxthtml.pl in MHonArc 2.6.16 allows remote attackers to inject arbitrary web script or HTML via a malformed start tag and end tag for a SCRIPT element, as demonstrated by <scr<body>ipt> and </scr<body>ipt> sequences (CVE-2010-4524). |

php: denial of service

| Package(s): | php |
| CVE #(s): | CVE-2010-4645 |
| Created: | January 11, 2011 |
| Updated: | April 15, 2011 |
| Description: | From the CVE entry: strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers. |

php: cross-site scripting

| Package(s): | php5 |
| CVE #(s): | CVE-2009-5016 |
| Created: | January 12, 2011 |
| Updated: | February 4, 2011 |
| Description: | The PHP5 XML UTF8 decoder has an integer overflow vulnerability which allows an attacker to bypass cross-site scripting protections. |

pidgin: denial of service

| Package(s): | pidgin |
| CVE #(s): | CVE-2010-4528 |
| Created: | January 10, 2011 |
| Updated: | February 25, 2011 |
| Description: | From the CVE entry: directconn.c in the MSN protocol plugin in libpurple 2.7.6 through 2.7.8 in Pidgin before 2.7.9 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a short p2pv2 packet in a DirectConnect (aka direct connection) session. |

pidgin: denial of service

| Package(s): | pidgin |
| CVE #(s): | |
| Created: | January 10, 2011 |
| Updated: | January 12, 2011 |
| Description: | From the Red Hat bugzilla: A NULL pointer dereference flaw was found in the Pidgin MSN DirectConnect protocol implementation, by processing certain P2P messages. A remote, authenticated user could use this flaw to cause denial of service (Pidgin crash). |

pyfribidi: buffer overflow

| Package(s): | pyfribidi |
| CVE #(s): | CVE-2010-3444 |
| Created: | January 10, 2011 |
| Updated: | January 12, 2011 |
| Description: | From the Red Hat advisory: It was reported that pyfribidi contains a buffer overflow in the log2vis_utf8() function due to the assumption that the string returned by fribidi_unicode_to_utf8() will be the same length as the original UTF-8 string. Due to changes in fribidi 0.19.1, for the Arabic language this is not the case, as the joining added in fribidi causes some of the original 2-byte UTF-8 sequences to become 3 bytes long. |

webkit: lots of vulnerabilities

webkitgtk: multiple vulnerabilities

| Package(s): | webkitgtk |
| CVE #(s): | CVE-2010-4198, CVE-2010-4197, CVE-2010-4204, CVE-2010-4206, CVE-2010-1791, CVE-2010-3812, CVE-2010-3813, CVE-2010-4577 |
| Created: | January 10, 2011 |
| Updated: | August 23, 2011 |
| Description: | From the CVE entries: Google Chrome before 7.0.517.44 does not properly handle large text areas, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted HTML document. (CVE-2010-4198) Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving text editing. (CVE-2010-4197) Google Chrome before 7.0.517.44 accesses a frame object after this object has been destroyed, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2010-4204) Google Chrome before 7.0.517.44 accesses memory at an out-of-bounds array index during processing of an SVG document, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2010-4206) Integer signedness error in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving a JavaScript array index. (CVE-2010-1791) Integer overflow in the wholeText method in WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving Text objects. (CVE-2010-3812) WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, allows remote attackers to bypass the DNS prefetching setting via an HTML LINK element, as demonstrated by an HTML e-mail message that uses a LINK element for X-Confirm-Reading-To functionality. (CVE-2010-3813) Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 do not properly parse Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. (CVE-2010-4577) |

wireshark: denial of service

| Package(s): | wireshark |
| CVE #(s): | CVE-2010-4301 |
| Created: | January 12, 2011 |
| Updated: | April 19, 2011 |
| Description: | A bug in the Wireshark ZigBee ZCL dissector allows an attacker to throw the program into an infinite loop. |

wireshark: arbitrary code execution

| Package(s): | wireshark |
| CVE #(s): | CVE-2010-4538 |
| Created: | January 10, 2011 |
| Updated: | April 19, 2011 |
| Description: | From the Mandriva advisory: Buffer overflow in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression. |

wordpress: unauthorized access

| Package(s): | wordpress-mu |
| CVE #(s): | CVE-2010-0682 |
| Created: | January 10, 2011 |
| Updated: | January 12, 2011 |
| Description: | From the CVE entry: WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. |
