ISSUE 18.31.F • 2021-08-16

In this issue

PUBLIC DEFENDER: Where’s our ‘National Strategy for Cyberspace’?

Additional articles in the PLUS issue

LANGALIST: No Chrome? Easily add full-function Gmail to Edge!

MICROSOFT 365: So many Outlooks — think you know them all?

WINDOWS 11: Say hello to these new Windows 11 features

PATCH WATCH: Is it safe to print again?



PUBLIC DEFENDER

Where’s our ‘National Strategy for Cyberspace’?


By Brian Livingston

Crime on the Internet has gotten ridiculous.

In 2020, the Federal Trade Commission received 4.8 million complaints of identity theft (and many others go unreported). At least 37% of businesses around the globe experienced a ransomware attack last year, according to security firm Sophos. And for six days in May, hackers were even able to shut down a pipeline that supplies 45% of the US East Coast’s fuel.

President Joe Biden issued an executive order on July 28, instructing the Secretary of Homeland Security to issue “critical infrastructure cybersecurity performance goals within 1 year.” But the problem is way out of hand. Law enforcement will never be able to prioritize nonviolent computer crimes over high-profile cases that involve dead bodies.

The root cause of cyber fraud is that we can never really be sure who — specifically — is behind a website we’re viewing, an email we’re reading, or a phone call we’re receiving. Any of these things might be legitimate, or they could be scams that look and sound exactly as though they came from a respected organization. Criminals can conceal their identities all too easily.

The answer is right in front of us, but we haven’t demanded it

Various attempts to rein in the madness have emerged over the years. Unfortunately, they’ve been watered down or ignored rather than giving us all some much-needed safety.

In 2010, US Cybersecurity Coordinator Howard Schmidt (Wikimedia photo, left) issued a report called National Strategy for Trusted Identities in Cyberspace. Supported by numerous federal agencies, the report called for an “identity ecosystem,” including the development of small devices — such as a thumb drive or a smartphone app — that could help users positively identify themselves to others on the Web without requiring multiple devices or hard-to-remember passwords.

Full disclosure: In 2001, I met several times with Schmidt in his home and at various cafés in the Redmond, Washington, area. He had moved there after Microsoft hired him in 1997 as its chief information security officer.

At the time of those discussions, I had written the Window Manager column in InfoWorld magazine for a decade, giving me contacts in the tech industry. Schmidt and I thought computer publications could simultaneously announce a plan that would allow individuals to securely identify themselves and others on the Web. We sketched out the following thought experiment:

  • People could purchase or receive for free a small device containing an LED screen. Various form factors could work, such as a watch, a thumb drive, a pocket-size plastic card with a battery and a screen, or an app in a smartphone.
  • Where would people get these things? Post offices around the world have been losing revenue for years due to email displacing first-class mail. That means postmasters would welcome a new revenue source. Every country, no matter how small or underdeveloped, has to have a post office to move letters and packages, so coverage could be global.
  • Individuals would visit a post office and show some proof of identity, such as a driver’s license or utility bill. The post office would send a confirmation letter to that address. If that was the individual’s usual mailing address, he or she would return the letter to the post office and receive a working device.
  • The post office would create a webpage for each person, containing the “public key” for the device they had received. Anyone could copy that public key to communicate with the applicant. The individual’s device would contain the “private key.” That key couldn’t be discovered — even if someone cracked the device’s shell open and reverse-engineered the insides. (Tampering would destroy the device’s fragile circuitry.)
  • The device would display a different six-digit code every 60 seconds or some other interval. The individual would enter this code to verify a connection with a third party. No one other than the authorized individual could know that particular code at that moment, since knowing someone’s public key in no way enables anyone to guess the private key. Best of all, “spear phishing” and other hacker tricks could never induce the user to reveal the private key. Its string of bytes would always remain invisible within the device.
  • If a device were lost or stolen, the user could cancel it and go to a post office to get a new one. The post office would revise the user’s webpage to contain the new public key.
  • Political dissidents on the run could use the address of an Amnesty International office or similar organization. But most people’s mailing addresses are widely known. (If you think you aren’t in hundreds of databases, query your name and address in a search engine — you might be surprised.)
  • Some level of fraud will always exist. In any identity system, there will be crooked officials, encryption flaws that need upgrading, and so forth. In a similar way, bank robbers today can steal and swap license plates to disguise their getaway cars. But ask any police officer whether license plates should be eliminated. No widely used identification system will ever be 100% hack-proof, but anything that could reduce cybercrime by 99% is enough to be a very worthy goal.
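The time-varying six-digit code and the lost-device cancellation in the sketch above, as an added example that is not from the column, from Schmidt, or from RSA: it models the code with RFC 6238 TOTP, the mechanism that hardware fobs and authenticator apps actually use, in which the verifier holds a registered copy of the device secret rather than only a public key (a truncated six-digit code cannot be checked against a public key alone, so that part of the sketch is swapped for the shared-secret form). The user names are constructed and the secret is the RFC 4226 test key.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # the column's "different code every 60 seconds"
DIGITS = 6

# Constructed demo secret (the RFC 4226 test key). In a real deployment the
# secret is generated inside the device and a copy is registered with the
# verifier at enrollment; afterwards it never leaves either side.
DEMO_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Relying party: keeps one registered secret per user and honours revocation."""

    def __init__(self) -> None:
        self.secrets = {}  # user -> secret bytes, or None once the device is cancelled

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def revoke(self, user: str) -> None:
        # Lost or stolen device: the old secret is cancelled until re-enrollment.
        self.secrets[user] = None

    def verify(self, user: str, code: str, unix_time: int, skew_steps: int = 1) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        # Accept the current step plus `skew_steps` on either side for clock drift;
        # the constant-time comparison avoids leaking how many digits matched.
        for k in range(-skew_steps, skew_steps + 1):
            expected = totp_code(secret, unix_time + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False
```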

The authentication system would be completely voluntary. (An RSA Security key fob and a smartphone app are pictured at left.) Anyone who wanted to make up a fanciful username for an online forum, a video-game tournament, or a virtual art exhibition would be free to do so. But transactions involving banking, communications, server sign-ins, and other important relationships would increasingly require positive identity verification.

Best of all, users would no longer need to carry around multiple ATM cards, keep numerous ID badges, or remember complex passwords. Ideally, a single secure device could positively identify you to a greater and greater number of businesses and organizations as the system caught on.

This wouldn’t be a mythical arrangement that “everyone would have to use” for it to work. If even just two people adopted it, the pair could securely communicate, each receiving positive identity verification of the other.

Thanks to standardization, we all can send an email, place a phone call, or send a letter to any country in the world. The next great standard we need is a universal way to identify ourselves and prevent crooks from posing as us or pretending to be someone we know.

Build a better mousetrap, and people won’t beat a path to your door

When Schmidt and I were meeting, he was remarkably modest. I had no idea he had headed the Computer Exploitation Team of the National Drug Intelligence Center, nor that he had helped form the Defense Computer Forensic Laboratory for the US Air Force.

All that didn’t ensure success, however. We contacted a few tech journalists, but they weren’t overly interested in the idea. They probably assumed that it would be a hard sell to get the computer industry to agree on anything related to the boring topic of security.

I lost touch with Schmidt, but he kept himself busy. In December 2001, President George W. Bush appointed him as special adviser for cyberspace security. He served the Republican administration until May 2003. In December 2009, Schmidt was named national cybersecurity coordinator by President Barack Obama. Working in the Executive Office of the President, Schmidt conferred with 140 different agencies to come up with the Trusted Identities report in June 2010.

The report contained several improvements to the old, coffee shop–inspired model. For example, in addition to merely verifying one’s identity, a digital device would be required to confirm to a website that the user was over 21 — for a user to order wine online, say — without revealing the user’s actual date of birth, which can lead to identity theft.

Other aspects were familiar. The US Postal Service was delegated in November 2012 to create a Federal Cloud Credential Exchange. This resulted in a website called Connect.gov, which launched in December 2014. The first two vendors to generate digital credentials compatible with Connect.gov were Verizon and ID.me, according to a Federal News Network blog post.

Perhaps inevitably, turf battles arose. The General Services Administration terminated Connect.gov in August 2016, promising to replace it with an all-new service called Login.gov, according to a SecureIDNews article. The new website went live in April 2017, but its primary function was “the public’s one account for government,” allowing people to access different US agencies with a single username and password. That’s nice, but it’s a far cry from an identity verification system that people around the world would use.

Schmidt resigned as the White House’s cybersecurity coordinator in May 2012. I tried to contact him for this column, but he had tragically succumbed to brain cancer in 2017.

His role was filled from 2012 to 2017 by Michael Daniel, formerly head of the intelligence branch of the Office of Management and Budget. He was followed by Rob Joyce, previously with the National Security Agency. Joyce decided to return in May 2018 to Fort Meade, home of the NSA. The White House promptly abolished the cybersecurity position at the urging of John Bolton, security adviser to President Donald J. Trump, according to a Politico analysis.

On April 12, 2021, President Biden nominated former NSA Deputy Director Chris Inglis to the new post of national cyber director. The office had been created in a defense bill that Congress enacted in 2020 over a veto by Trump. The position has Congressional oversight and requires Senate approval. That confirmation occurred in a rare unanimous vote on June 17, so Inglis has officially started work, Politico says.

It’s a rocky road to a secure identity, but it’s worth the effort

In a recent Zoom interview, the senior systems engineer of RSA’s SecurID, Steve Schmalz, expressed optimism, telling me: “There could be a consortium between government and private industry to make sure you are who you say you are.”

Schmalz is confident that a unified security approach can slash crime on the Net. “If you use strong two-factor authentication, you would reduce the incidence of hacking.”

RSA is seeing people move toward smartphones as their favorite identity device. No, physical security fobs won’t disappear. “You wouldn’t want to take a smartphone onto a battlefield,” as Schmalz describes it. “But outside of government, a smartphone will be the preferred form factor of authentication.”

To satisfy this preference, RSA announced on June 21 a new SecurID app for Android and iOS devices. The firm is also excited about Solid, a new, decentralized network designed by Tim Berners-Lee, who is widely acknowledged to be the inventor of the World Wide Web. Solid uses a concept known as verifiable credentials, as described in a July 15 article.

Secure digital identities are often called an Internet driver’s license. But I feel that’s the wrong metaphor. No one needs a driver’s license to use the Web — it’s one click away on any smartphone.

An Internet passport is a better concept. It helps prove that you are who you say you are, and makes it hard for anyone else to impersonate you.

It’s widely understood that you need a national passport to travel across borders. Internet passports could let you safely surf all the way around the World Wide Web.

In a follow-up to this column, I’ll report on the latest efforts to create an Internet passport or something like it.

For more information, see Schmidt’s original Trusted Identities paper, which is available as a White House archives PDF. Also, Wikipedia contains Schmidt’s life story and a history of Trusted Identities implementation — or the lack thereof.

Do you know something that we all should know? Tell me about it! I’ll keep your identity totally confidential or give you credit, as you prefer. Send your story via the Public Defender tips page.

Join the conversation! Your questions, comments, and feedback about this topic are always welcome in the AskWoody Lounge!

The PUBLIC DEFENDER column is Brian Livingston’s campaign to give you consumer protection from tech. If it’s irritating you, and it has an “on” switch, he’ll take the case! Brian is a successful dot-com entrepreneur, author or co-author of 11 Windows Secrets books, and author of the new book Muscular Portfolios. Get his free monthly newsletter.



Stories in this week’s PAID AskWoody Plus Newsletter

LANGALIST


No Chrome? Easily add full-function Gmail to Edge!

By Fred Langa

Setup takes all of about 60 seconds, and there’s absolutely zero old-school POP or IMAP mail-server arcana to figure out.

Plus: Why some restarts during an update are OK, but others are destructive; and we note a milestone as the IBM PC turns 40!

MICROSOFT 365


So many Outlooks — think you know them all?

By Peter Deegan

If you think Outlook is one thing, you’re wrong. It’s Microsoft’s fault – the Outlook brand is beyond confusing. The company doesn’t help by referring to “Outlook” without being specific about which software or service it is talking about.

WINDOWS 11


Say hello to these new Windows 11 features

By Lance Whitney

The next flavor of Windows kicks in several new features, some interesting and hopefully helpful, and others not so much.

Which ones might actually be worth the upgrade?

PATCH WATCH


Is it safe to print again?

By Susan Bradley

Is Print Nightmare finally fixed?

The August updates are out and finally include a fix for the fix for the earlier fix for Print Spooler issues that allow attackers to take control of your system via rights elevation. While the good news is that we finally have a fix for the current Print Spooler issue, I’m seeing in various tweets that an issue still exists. If you want SYSTEM (beyond admin) rights on any supported version of Windows, there is a way to use a remote/cloud malicious print driver to get them.


Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com).

Copyright © 2021 AskWoody Tech LLC. All rights reserved.