Anonymous identity

Another part of it is that all of those IoT things have firmware that can update. The moment that someone gets a key to update this, you can hack the grid by making rapid changes on power usage which actually destroys the .... do the standards make things less secure? It should be illegal to design broken cryptosystems. Engineers should go to jail. It's too dangerous. Do you think there should be smart grids at all?

Well if the designs are based on digital security, then no. If you design these things well, no matter what the devices do, they will end up acting up in a way that fails gracefully. They will be able to suggest, but not control. Baking all of this digital stuff into the devices is just dangerous. Analog command-and-control stuff, it's easy to understand the liabilities of. The devices are simple. We had a rule where anything safety related, had to be done with an analog system becaus you could understand how it works, and you can't do that for digital.

I agree with that a model to a large degree. The security has to be susceptible to analysis. I do work on smart grid systems. It's sort of like, well, how do you... people were asking me to build stuff that I'm sure people are incapable of evaluating. I don't know as a community how do we get people to, vendors, to not do this? How do you get contract developers to not write buggy contractors? False flags maybe.

100 years ago, bridges fell down all the time. Well, then we figured out how to engineer bridges. And now the thing is that we know when they are going to fall down, we just don't fix them. Graceful failure is important. You have to design bridges s otha twhen they are about to fall down, you get a warning. Suspension bridges should have stop lights to prevent cars from going on the bridge when a suspension wire fails. They should have sensors for each of the suspension wires.

Well, if the cost is so prohibitive, then perhaps that's a good pitch for joining blackhat organizations. For power distribution, centralization is broken. If that things go out, that thing loses power.

Please have 3-4 points to give a 5 minute presentation. An overview of what you have been talking about. Okay? Thank you. You're encouraged to talk more, you don't have to finalize your discussion or anything. You have 90 minutes still.

Everything is broken. We have to create systems as a governance model where we allow people to have weak identities. I have two vectors. You have weak and strong, and good and bad. When you turn 16 and start using the network, you have a weak identity. When you get older, you have a stronger identity. What you're talking about is the ablity to maintain a weak identity. Don't have identities, make them up out of thin air. Non-traceable.

Identity inherently has a cost to it. You end up impacting privacy. The default should be, in any system, try to design it without identity. Only use identity as a last resort. When is identity actually necessary? One of my favorite examples is AML/KYC literally led to ISIS as they were going across the territory they were taking over. One of the main ways they were getting funding, was to go to the local banks, get the records, then go off and get money from those people.

Their security model for AML/KYC did not take into account the need for security. ISIS was able to walk in there and take the data. When these things fail, there aren't systems to hold people responsible. Agents were literally killed in foregin countries due to an NSA backdoor in the Officers Management hack... So who is going to be responsible? They think it was the juniper routers that were hacked.

Maybe you only need identity when you need to be able to punish people. So identity is for punishment? Politicians need to be transparent. They need to have money at stake that we can take away from them.

I think the goal is to create good standards, evangelize those standards. Apache software foundation has a bank-in-a-box software project. Perhaps they should be using it instead of random stuff that banks create on their own.

Do we need identity? The sets of systems where really what we need is purely anonymous identity, where we don't care about tracking you, but still the participants-- but there is still an identity variable in the software stack, it's ust ephemeral and not persistent. Versus systems where there is no concept of identity. Should the electricity system have wires and electron?

Ephemeral identity, persistent identity. What bits of data are you leaking to the other side of the connection? You have to make it cost to the user do something. This is how you prevent sybil attacks. Proof-of-work is a very epheremal identity.

The reason why identity plays differently in each application domain is that there's a different threat model, there's a different use model and there's a different economic model. In application models, it's expensive to create identity, which has cascading implications ofr what the threat model is. Sometimes you don't need a specific identity, you need set inclusion. Multisig threshold signatures, or where you know some number of the group signed but not all of them.

Identity-related information has a very high cost. It's dangerous to have it around. It's a liability. So since it's a liability, here's a hierarchy of solutions you could use for least risky and most risky. You could do one-shot batch web shopping, or you could a session cookie, or you could login and register your credit card and have a profile. There's a hierarchy of, the less ephemeral identity willing to put into the system, the more kinds of applications you have, but the more risky it is.

Arguably, some of the stronger identity case like wanting to register your credit card, is obsoleted by new payment tech where you don't have to register all that info. You just give them a QR code or something. How do we find those boundaries? What are the space of threat models? What use cases are obsoleted by technology? Shopping should go from here, to there. A lot of set inclusion things, where I'm ordering a burrito online and a drone is going to deliver it, and I don't know where it's coming from, it's anonymous burrito delivery and it's FDA approved by proof. Or maybe Motion Machines should have their machine stamp their hamburgers and burritos with a unique hash to show that it has an audit trail. Your receipts should have an audit trail for your food and for health maintenance reasons.

Ideal scenario is that you show that you are a member of a group, you use a group signature, and then you can show you are a part of the set.

You can have an audit trail on every receipt for every food purchase, whether groceries or restaurants, so that you can see the entire trail where the food has been and how it has been processed, and then figure out elements in common that might be causing food-borne illness.

Who are these people and why do they want my identity? Data is pollution, it never goes away. If you trust the government with your data, do you trust the next politicians to manage the data? Data is a liability. EFF should tell companies to not be storing data. In fact, you should audit your company and then calculate data as a liability.

Data loss insurance. So would an insurer insure a company against data loss? The goal is to minimize the amount of data that a company is storing. If the repercussions are to osmall, then there's no way that people are going to go after them anyway. Without this liability, they might not worry as much.

You can't assign liability after something goes wrong. You have to just get rid of the data upfront. A first step would be, you're responsible for losses. If you get hacked and your customer data gets out there, and they suffer millions of dollars of damage because of it, then that's on you.

Wow, these two people just did a trade for cookies without using a blockchain.

For something to be standardized, people should be looking for academic involvement to decide whether something is secure. Academic consensus is one form of consensus that might be required here, more so than the typical IETF crypto discussions.

I am trying to start a new phrase: "Welcome to my threat model."

We want to get your summaries on the identity stuff. We want to start in 10 after the hour. We want to get back on track. We want to hear summaries and get going. Neha, if you are here, can you find me, because I can't see you.