Mr. Schmidt argued that the National Strategy for Trusted Identities in Cyberspace (or NSTIC) is meant to serve as a catalyst for the private sector to adopt however it sees fit, and will “balance privacy, anonymity and security.”

In a nutshell, NSTIC would be a way for individuals to sign onto Websites that adopt the voluntary federal program. Initially, the thinking goes, the program would be used by federal agencies to allow individuals to check things like electronic medical records held in government databases, but once proven and accepted, would be adopted by private organizations like banks and other commerce sites to ensure greater security for normal transactions.

Bruce Schneier, the head of cybersecurity for British Telecom, was generally supportive of the program, but also had a word of warning for Mr. Schmidt: “I really think this is something the government can’t control, and if it starts controlling it, everyone would freak.”

Read the rest of this post on the original site

I think of Clear as a $100 service that tells terrorists if the FBI is on to them or not. Why in the world would we provide terrorists with this ability?”

– Security technologist Bruce Schneier

Verified Identity Pass’s Clear registered traveler program requires members to submit to in-depth background checks, provide the company with their drivers’ licenses and passport numbers and get hand and/or retina scans. Those who do are given speedier passage through airport security lines.

Given such robust security precautions, it’s ironic, isn’t it, that a laptop containing the personal information of 33,000 Clear customers went missing for a week? How is it that it simply disappeared?

How is it that the information it contained was unencrypted? And, beyond that, what the hell was that information doing on a laptop in the first place? Surely it’s not Verified Identity Pass’s practice to dump entire customer databases on machines without access logging.

Is it?

No, of course not. And, to be fair, the laptop was protected by two levels of passwords. Two! Plus, according to Allison Beer, senior vice president for corporate development of Clear, the data on the laptop weren’t even all that good. “Yes, it was sensitive privacy information, but not the stuff that was most sensitive,” she told The San Francisco Chronicle.

Sensitive, but not that sensitive. Yeah, no big deal, just addresses, birth dates and driver license, passport or green card information. Just the sort of information that might be, you know, used to verify people’s identity when they travel around the country.

As Bruce Schneier presciently noted in his review of Clear in January, 2007, “If you think having a criminal impersonating you to your bank is bad, wait until they start impersonating you to the Transportation Security Administration.”

Yeah, lot of good that did, too. Here we are a few weeks later, and the newest AACS key, version 3, has been cracked–well in advance of its official release. What will it take for the entertainment industry to realize that its quest to lock down content with digital rights management is a lost cause, that digital media is fundamentally redistributable and you can no more make it uncopyable than you can make water unwet. “All entertainment media on the Internet (like everything else on the Internet) is just bits: ones and zeros,” says computer security specialist Bruce Schneier. “Bits are inherently copyable, easily and repeatedly. If you have a digital file–text, music, video or whatever–you can make as many copies of that file as you want, do whatever you want with the copies. This is a natural law of the digital world, and makes copying on the Internet different from copying Rolex watches or Louis Vuitton luggage. What the entertainment industry is trying to do is to use technology to contradict that natural law. They want a practical way to make copying hard enough to save their existing business. But they are doomed to fail.”