Despite years of strenuous effort, the idea of mass digital identity remains stuck somewhere between non-existent and a total mess.
Ask someone to prove their identity today, and almost without exception they will fall back on a paper passport, driving licence, or bank account statements, usually backed by a social security number (SSN). The online world struggles to accommodate these.
Digital identity systems such as the UK government’s Gov.UK Verify exist but barely any are used in anger. They float around in no man’s land, like clever experiments whose original objective their creators have lost track of.
Meanwhile, shadowing flesh and blood human identities are virtual ones built from oceans of online data. Much of this is handed over willingly to “surveillance capitalists” – Facebook, Google and advertisers, for instance – but much more sits in a parallel dimension that people are only dimly aware exists.
It’s also the world of identity middle-men such as Equifax, which collected so much valuable data it eventually burst at the seams, spilling millions of names, addresses, SSNs, birth dates and driving licence numbers to cybercriminals who could use it to fuel industrial identity theft for years to come.

Not everyone is giving up yet, however, including the Social Market Foundation (SMF), a UK think tank, which argues in a new report that governments should stop shilly-shallying around and press ahead with full-blown digital ID systems.
But aren’t government systems a damp squib? According to the SMF, the problem of systems such as Gov.UK Verify (which uses private-sector partners) is that they were conceived to serve access to government services such as tax and benefits when the real need is much wider.
Verify’s usefulness would improve dramatically if only companies could use it to identify people too:
Encouragingly, use of Verify in private sector contexts is being actively explored, and we believe there are significant benefits for consumers that could arise from this.

Advantages such as:
Passports could give way to app-based identity systems, possibly backed by biometrics
Expensive paper systems could be banished forever
Online verification could be transformed from today’s guesswork and assumption-based model.
Welfare and immigration fraud would be reduced
Because everyone would have an ID, social exclusion faced by people who lack documents could be reduced
Verification and digital identity could be about to become an industry in its own right so jobs could be at stake
And cybercriminals would no longer find it easy to carry out identity theft against a system that included real-time identity checks on individuals themselves.
Sceptics will see this as a reprise of the failed UK identity card scheme of a decade ago, eventually scrapped in 2010 after burning through £4.5bn ($6.3bn). Certainly, it’s hard to see how a new ID system wouldn’t initially need to rely on physical documents of the sort that sank the original system on cost grounds.
The other problem is government itself. Solving the digital identity conundrum once and for all can probably only be done at government level – but what if people don’t trust government?
The poster child for digital ID is Estonia, the first country in the world to conduct general elections across the Internet backed by a digital identity system years ahead of other developed countries.
Then there’s India’s Aadhaar, a biometric digital ID system with 1.2bn members that critics have described as “Orwellian”. The worry is that the Aadhaar model hands government the power to withhold as well as enable access to services as a form of social control.
Which of the two extremes should countries such as the UK and US look to? Probably both deserve scrutiny, but it’s interesting that some of the same civil liberties arguments levelled at Aadhaar also dogged the UK’s ID cards.
This suggests that the path to 21st century digital identity will not be smooth. The flaw in today’s identity model is that data is smeared just about everywhere and anywhere, and incentives to guard it have become warped by commercial self-interest.
But until someone comes up with a way to implement an alternative that doesn’t simply over-centralise power with governments, digital identity will remain a rocky road.
With identity theft at record levels, it is hard to believe that digital identity can be postponed indefinitely. But the old world of uncertain, weakly defended identity won’t go away quickly – expect Equifax-style breaches to be with us for a while yet.



A critical Apache Struts security flaw makes it ‘easy’ to hack Fortune 100 firms

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.
The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.
All versions of Struts since 2008 are affected, said the researchers.
Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo, a security researcher at LGTM, who led the effort that led to the bug’s discovery, said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems.
Mo said that all a hacker needs “is a web browser.”
“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.
“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.
The vulnerability is caused by how Struts deserializes untrusted data, Mo said. An attacker can exploit the flaw to run any command on an affected Struts server, even behind a company firewall. “If the server contains customer or user data it’s not hard at all to collect that data and transfer it to somewhere else,” van Schaik said. The attacker can also use the server as an entry point to other areas of the network, effectively bypassing the corporate firewall and gaining access to other shielded-off areas of the company, he said.
“An attacker can use the vulnerability to find the credentials, connect to the database server, and extract all data,” he said. Worse, he added, an attacker could delete data.
“A creative attacker will have a field day,” he said. “And even worse: The organization under attack may not even notice until it is well too late.”
An exploit has been developed by the security researchers but has not been released, to give companies time to patch their systems. Van Schaik said that he’s not aware of anyone exploiting the vulnerability but warned that he expects this to change “within a few hours” of the bug’s details being made public.
“Companies may indeed scramble to fix their infrastructure,” van Schaik said.
A source code fix was released some weeks prior, and Apache released a full patch on Tuesday to fix the vulnerability.
But many companies will be vulnerable to attack until their systems are patched.
Several government websites, including the IRS and California’s Department of Motor Vehicles, along with other major multinational companies, such as Virgin Atlantic and Vodafone, use the software and are potentially affected by the vulnerability — but van Schaik said that the list was “the tip of the iceberg.”
As many as 65 percent of the Fortune 500 are potentially affected by the vulnerability, said Fintan Ryan, an industry analyst at Redmonk, in an email.
Ryan said the figure was based on the known usage of Struts across the Fortune 100, such as developer metrics and hiring data. He said that Struts is used typically to sustain or augment existing applications, rather than newer web applications.
There’s no specific way for security researchers or attackers to externally test if a server is vulnerable without exploiting the vulnerability.
“It turns out that there is no other way than to announce the vulnerability publicly and stress how important it is that people upgrade their Struts components,” van Schaik said.
“There is simply no other way to reach the companies who are affected,” he said.
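Because the article notes that there is no reliable external test for an affected server without exploiting it, the practical defender's move is to inventory Struts from the inside: walk each deployed web application, find the Struts core and REST plugin jars named in the text, and compare their versions against the fixed releases in the Apache advisory. The script below is an added example and not code from ZDNet, Semmle/LGTM or the Apache Struts project. The jar listing is constructed, and the `PATCHED` thresholds are placeholders (assumptions) that must be replaced with the fixed versions from the vendor advisory, which this page does not state.

```python
"""Inventory Apache Struts jars in deployed webapps and flag builds below the patched release.

Added example (not from the article or the Struts project). Version thresholds are
PLACEHOLDERS: substitute the fixed versions published in the Apache Struts advisory.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Artifacts worth inventorying: the REST plugin named in the article and the
# Struts core it plugs into.
WATCHED = ("struts2-core", "struts2-rest-plugin")

# Minimum patched version per release branch. PLACEHOLDER values (assumption),
# deliberately not real release numbers; take the real ones from the advisory.
PATCHED: Dict[str, Version] = {"2.3": (2, 3, 99), "2.5": (2, 5, 99)}

# Maven-style jar names: <artifact>-<version>[-qualifier].jar
_JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z]\w*(?:-[A-Za-z]\w*)*)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$"
)


def parse_jar_name(name: str) -> Optional[Tuple[str, Version]]:
    """Split 'struts2-rest-plugin-2.5.12.jar' into ('struts2-rest-plugin', (2, 5, 12))."""
    m = _JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def is_outdated(version: Version, patched: Dict[str, Version] = PATCHED) -> Optional[bool]:
    """True if version is below the patched release of its branch, False if at/above,
    None if the branch is not in the advisory table and needs manual review."""
    if len(version) < 2:
        return None
    floor = patched.get(f"{version[0]}.{version[1]}")
    if floor is None:
        return None
    return version < floor  # tuple comparison handles 2.3 < 2.3.99 correctly


def scan_jar_names(names: Iterable[str], patched: Dict[str, Version] = PATCHED) -> List[dict]:
    """Return one finding per watched Struts jar, with its patch status."""
    findings = []
    for path in names:
        parsed = parse_jar_name(Path(path).name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact not in WATCHED:
            continue
        outdated = is_outdated(version, patched)
        if outdated is None:
            status = "unknown-branch"
        elif outdated:
            status = "outdated"
        else:
            status = "patched"
        findings.append({
            "jar": path,
            "artifact": artifact,
            "version": ".".join(str(p) for p in version),
            "status": status,
        })
    return findings


def scan_webapp(root: str, patched: Dict[str, Version] = PATCHED) -> List[dict]:
    """Walk a deployed webapp tree (e.g. Tomcat's webapps/) and inventory Struts jars."""
    return scan_jar_names((str(p) for p in Path(root).rglob("*.jar")), patched)


# Constructed WEB-INF/lib listing for a stand-alone run; not taken from a real server.
SAMPLE_LIB = [
    "WEB-INF/lib/struts2-core-2.5.12.jar",
    "WEB-INF/lib/struts2-rest-plugin-2.5.12.jar",
    "WEB-INF/lib/struts2-core-2.3.5.jar",
    "WEB-INF/lib/commons-lang3-3.6.jar",
    "WEB-INF/lib/commons-io-2.4.jar",
]

if __name__ == "__main__":
    for f in scan_jar_names(SAMPLE_LIB):
        print(f"{f['status']:14} {f['artifact']} {f['version']}  ({f['jar']})")
```

Run it as `scan_webapp("/path/to/tomcat/webapps")` on each application server; anything reported as `outdated` or `unknown-branch` goes on the upgrade list, and a host with no findings still needs its build pipeline checked, since Struts can also be shaded into a single fat jar where this filename-based check will not see it.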