Which security concern keeps you up at night?

Submitted by prokopas on Fri, 2012-05-18 23:19

Assuming each one of us can be seen under different roles such as citizen, patient, employee, employer and so on, for each one of these roles which security aspect do you consider most valuable? More importantly, how could the European Union appease those concerns?

UK government staff caught snooping on citizen data: https://www.zdnet.com/blog/london/uk-government-staff-caught-snooping-on...

Interesting!
3 users have voted.

Comments

Submitted by Engberg on Sat, 2012-05-19 12:11

That government is enforcing and allowing dis-empowerment of citizens both through the actions (bad regulation creating bad technology and an ever more ineffective public sector) and non-actions (failure to prevent concentration of power in infrastructure and allowing cartel standards preventing innovation and growth).

EU and Governments are pursuing an outdated security understanding focusing on central surveillance and control, failing to understand that this is the problem creating further problems for both economics and security.

Data retention makes everyone MORE insecure because it dictates stripping of security from citizens and transferring control to entities that cannot even theoretically manage this control, and in reality these powers are getting seriously abused to profit from negative externalities CREATED by government regulation.

Interesting!
0 users have voted.

Submitted by Engberg on Sat, 2012-05-19 12:15

"More importantly how could European Union appease those concerns?"

Stop "appeasing" and start solving the problems by moving upstream.

It is stupid to enforce dis-empowerment through e.g. bad payment regulation (e.g. not ensuring a legal tender and right to pay using e.g. Digital Cash) and then trying in vain to "appease" this problem through "Data regulation".

No matter the good intent of "Data Regulation", it cannot eliminate or undo the dis-empowerment of bad payment structures. The consequence is two pieces of bad regulation damaging society and leaving the wolves in infrastructure in control of markets through preventing security in digital infrastructure that is controlling ALL society processes.

Interesting!
0 users have voted.

Submitted by conder on Mon, 2012-05-21 20:58

The digital economy act (#deact) in the UK nearly stopped me sleeping. It was the most ridiculous piece of legislation, that none of the politicians actually understood. It was rushed through parliament in 'washup' and became adopted. It is the thin end of the wedge, and opens the door to even more snooping, and I feel it is not the role of government to do this. I don't intend commenting here a lot because I am not an expert, but I look forward to reading all the discussions, and to my mind this is the way we can influence the European Union to make sure they have a complete understanding of security before they make rules... bring on the experts.

Interesting!
0 users have voted.

Submitted by Engberg on Mon, 2012-05-28 10:56

We all have thousands - one for each transaction we ever participated or ever will participate in.

The second you reuse identifiers, you dis-empower citizens to control linkage.

And Federated Identity is designed to own you - not to liberate or secure you.

Interesting!
0 users have voted.

Submitted by Engberg on Mon, 2012-05-28 11:44

When you look through this video, you should realise one thing. It is based on a perimeter approach with a set of federation gatekeepers - but you have no protection against the IdPs as the protocol is inherently linkable.

If you wanted an empowering approach so all the funding poured into the research community could be reused outside the research community, you would not trust central entities with anything but what they are supposed to control - doing so would add risk to both them and all participants.

Rule # 1 - Citizens control identity creation. I.e. the citizen will herself be in control of the mechanisms creating purpose-specific identity (such as a project identity) from some root identity.

Even if someone knows WHO is the real person behind the project identity, the systems should NOT know.

Rule # 2 - Don't create linking where it can be avoided.
So - if the IdP does NOT know the real identity of the citizen (because this is protected from IdP failure), the Identity will inherently always be purpose-specific even if federated across multiple systems. Purpose can be at many layers e.g. a Discussion Group within a larger project, a Project Id, an employee id etc.

How do you avoid creating linkage between the layers? Simple in principle, a bit less so technically as there are many aspects.

You move up or down by proving Blinded Group Attributes according to the specific needs of the purpose. I.e. if you are to create a Project Discussion Group Id, you may have to prove Project membership authorisation (proof of membership of project without revealing Project Membership) as part of establishing the Group Membership Id but nothing more.

Why? Well because the Discussion Group might explicitly NOT want Accountability nor any other affiliation in order to ensure the discussion is focussing on the validity of argument and not WHO is stating it. The research Community do this all the time - e.g. when evaluating papers or project proposals submitted for evaluation and review.

Interesting!
0 users have voted.
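
An added example, not part of the thread or any poster's own code: one way to derive purpose-specific identifiers from a root secret held only by the citizen, and to check whether two services can join their records on the identifier. The HMAC-SHA256 derivation, the purpose labels and all sample values are assumptions made for illustration; the blinded group attribute proofs mentioned in the comment above need anonymous credentials and are not shown.

```python
import hashlib
import hmac


def derive_key(parent_key: bytes, purpose: str) -> bytes:
    """Derive a purpose-specific secret from a parent secret (assumed scheme: HMAC-SHA256)."""
    return hmac.new(parent_key, purpose.encode("utf-8"), hashlib.sha256).digest()


def public_id(key: bytes) -> str:
    """Identifier shown to a service: a hash of the purpose key, never the key itself."""
    return hashlib.sha256(b"id:" + key).hexdigest()[:16]


def linkable(db_a: dict, db_b: dict) -> set:
    """Identifiers present in both services, i.e. records an observer can join."""
    return set(db_a) & set(db_b)


def demo():
    # Constructed root secret; in practice it never leaves the citizen's device.
    root = hashlib.sha256(b"constructed root secret").digest()

    # Layered purposes: a project identity, then a discussion group beneath it.
    project_key = derive_key(root, "project:example-research")
    group_key = derive_key(project_key, "group:discussion")
    project_id, group_id = public_id(project_key), public_id(group_key)

    # One identifier reused across both services: the records join trivially.
    reused = "citizen-0001"  # constructed value
    reused_join = linkable({reused: "project record"}, {reused: "discussion post"})

    # Purpose-specific identifiers: nothing to join on without the citizen's secret.
    scoped_join = linkable({project_id: "project record"}, {group_id: "discussion post"})
    return reused_join, scoped_join, project_id, group_id


if __name__ == "__main__":
    print(demo())
```

Only the holder of the root secret can recompute both identifiers and show that they belong to the same person.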
