Archive for June, 2007
How to Clean up Windows Spyware Infestation

Jeff Atwood at Coding Horror put together a detailed how-to on getting rid of a spyware infestation using something called “Sysinternals”.

Validated Product – IBM Red Hat Enterprise Linux Version 5

I’m always happy to see Linux get on the Common Criteria validated products list. Red Hat is a good product and it’s good to see the industry picking up on it.

    Red Hat Enterprise Linux is a general purpose, multi-user, multi-tasking Linux based operating system. It provides a platform for a variety of applications in the governmental and commercial environment. Red Hat Enterprise Linux is available on a broad range of computer systems, ranging from departmental servers to multi-processor enterprise servers and small server type computer systems.

It was given an Evaluation Assurance Level 4 (EAL 4).

Good Article about it at Computer World

Open Grid Service Architecture for DMV Driver’s License Data Bases

Disclaimer: The following is pure speculation on my part. I am simply a private citizen doing my own independent research. I do NOT have access to any confidential information regarding any kind of national ID system. According to the Department of Homeland Security there is no national ID system anyway.

Total Information Awareness - Scientia est Potentia

The U.S. Government has put the REAL ID act of 2005 into motion (it rode in on the back of a troop support bill). It specifies the need to consolidate all state ID and driver’s license systems and a standardization of basic features of each card (features such as types of data to data).

This sounds like the first step in making U.S. driver’s licenses/ID cards into a national ID card, something most Americans oppose. Merging all the driver’s license databases together could allow for an Open Grid Service Architecture (OGSA).

What is Open Grid Service Architecture?
According to Open Grid Service Architecture ver 1.0:
Key to the realization of this Grid vision is standardization, so that the diverse components that make up a modern computing environment can be discovered, accessed, allocated, monitored, accounted for, billed for, etc., and in general managed as a single virtual system—even when provided by different vendors and/or operated by different organizations. Standardization is critical if we are to create interoperable, portable, and reusable components and systems; it can also contribute to the development of secure, robust, and scalable Grid systems by facilitating the use of good practices.

The REAL ID system could be a part of the Total Information Awareness system that DARPA’s Information Awareness system originally released to the public.

Troubles with video

I’ve had trouble with getting video on my blog until now. If you’re having problems check out Jack Humphrey’s video about the subject.

What is Information Assurance – The Video

Information Assurance is not just information security. Information Assurance is managing the risk associated with the confidentiality, integrity and availability of information.

DISA IA Boot Camp (June 2007)

About two weeks ago I attended the DISA IA Boot Camp. The training was run by two guys who had removed all of their childhood memories and replaced them with DODD 8500.01E and DODI 8500.2. They knew information assurance like nobody’s business.

I would recommend this class to ALL Information Assurance Officers (IAO) and Information Assurance Managers (IAM). The level of the material stays right in the middle – it’s not really technical and backs off of some of the intricate details of a specific organization’s implementation of something like the DIACAP. Which brings me to the most controversial and frustrating part of the training.

These guys were saying that the DIACAP was rejected (as of mid-2006/beginning 2007 time frame) by a few key organizations (namely the Inspector General’s office) because the method in which it was approved did not comply with regs. The irony is like a knife stabbing itself.

Anyway, they emphasized the importance of maintaining with the IA Controls indicated in both the DIACAP and DITSCAP. Beyond the mountain of documentation and mind-numbing bureaucracy, it is MOST important to secure the systems.
What guys out in the field are doing is implementing the DITSCAP’s SSAA package as a supplement (artifact.. whatever you want to call it) in the DIACAP package in order to cover all tracks.

US National ID Card: Security or Citizen Tracker

Most American citizens violently oppose a National ID card.  The federal government can get around this in two ways: 

    1. Don’t call it a national ID card 
    2. Don’t put the federally controlled database in a federal building

The U.S. government is doing both of these things (as of 2007; should be complete by 2009).

According to the Department of Homeland Security’s FAQ on REAL ID, it is NOT a national ID card & the feds will not create a national database:

“Is this a National ID card?

No. The proposed regulations establish common standards for States to issue licenses. The Federal Government is not issuing the licenses, is not collecting information about license holders, and is not requiring States to transmit license holder information to the Federal Government that the Government does not already have (such as a Social Security Number). Most States already routinely collect the information required by the Act and the proposed regulations.”

“Will a national database be created that stores information about every applicant?

No. The REAL ID Act and these regulations do not establish a national database of driver information. States will continue to collect and store information about applicants as they do today. The NPRM does not propose to change this practice and would not give the Federal government any greater access to this information”  

Well piss on my back and tell me it’s raining! The government is NOT creating a national ID card. The only problem with the above statements issued by the DHS is that they are bullshit.

Imagine.  ME, a security guy of all people, opposed to a National ID Card?  But I’m not the only one.

First off, what is this National ID Card REAL ID Card?

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. – EFF

As stated above, the National ID Card for the U.S. would be based on existing State I.D. Cards and driver’s license programs.  The main issue is linking all state databases together so that the federal government can track citizens.  

Now you may be wondering: Does this sound like something an illegal immigrant and/or criminal would not be able to falsify?  (and even if they are caught current laws for illegal immigrants are not enforced)  If illegal immigrants are not going to abide by the law, does this law really enhance the nation’s security?  

Oppose the Real ID Act of 2005 

My main reason for opposing a US national ID card is that I don’t trust the federal government with a consolidated view and control of all of our information. I think all the information they gather will eventually fall into the wrong hands (on purpose or by negligence). I was in the military, so the feds already have my data and the feds have lost MY {privacy act protected} information more than once. A branch of the U.S. government lost 25.6 million accounts including the Social Security Numbers for Veterans more than once. They kept this information secret from the victims for 19 days. 19 days is ample time for someone to steal an identity once they have the information they need. In one case the data was supposedly recovered and deemed by the FBI forensics as un-tampered with. Supposedly they are not creating a separate national database… but the linked state system WILL be the national database from which the feds will feed. It’s a play on words and I wish people would wake up screaming about this.

There seems to be a disregard for protecting the privacy and security of citizens. The resources that would normally be used to protect us are being wasted and sent to serve other purposes. In my opinion security is still NOT being done because illegal immigrant laws are not being enforced despite the fact there is a “war on terrorism”. Now if you don’t think something is seriously wrong about the protection of our borders at a time when there is a “war on terrorism” read the story of Border Patrol Agent Ignacio Ramos being jailed for shooting a drug dealer trying to enter the country. The DHS officials lied to Congress about these agents (and got caught). Drug smuggler Osbaldo Aldrete-Davila is a free man. Meanwhile, other border patrol agents are being deployed to Iraq. I believe there is a reason that the law is not enforced but I leave that speculation up to you.

Privacy Clearing House has a chronological list of data breaches starting from 2005. The more databases of large organizations (schools, federal/state, credit cards) our personal information is in, the greater the risk of ID theft and financial fraud we face. ID theft is currently the fastest growing crime in the US and UK. And it’s been the fastest growing for a long time. I attribute this to organizations putting security last when it should be implemented from the very beginning and maintained aggressively.

So, a national card REAL ID registry databases at the federal level may only add to on-going issues of personal security of US citizens which the US government does not seem to be worried about too much.

To the credit of the U.S. federal government, the Department of Homeland Security’s Chief Privacy Officer, Hugo Teufel III, issued a Privacy Impact Assessment (PIA).  According to the document the National ID card would be difficult to falsify. 

Other issues addressed in the PIA:

The PIA addresses the key privacy issues posed by the Act: (1) Does the REAL ID Act create a national identity card or database; (2) How will personal information required by the REAL ID Act be protected in the state databases; (3) How will the personal information stored on the machine readable technology on the driver’s licenses and identification cards be protected from unauthorized collection and use; and (4) Do the requirements for a photograph and address on the credential and the DMV employee background check erode privacy.

The REAL ID method will extend the life and legitimacy of the Social Security Number as a national ID number.

The DHS PIA document is exactly right when it states:

Some of the public concern about the REAL ID stems from the history surrounding the expansive use of the SSN beyond its original purpose of recording the information necessary to provide a public pension benefit.

The original purpose of the Social Security Number was to track taxation and payments for social programs under Roosevelt’s New Deal created in the 1930s following the Great Depression. These days the Social Security number is a de facto national ID number issued to all citizens and you really can’t do anything significant without it (i.e. get a job… unless you are an illegal immigrant.. I guess people in the US have privacy after all). BTW – Collecting Social Security after age 65 is a joke… it is a program that will not support the “baby boomer” (but that is a different issue altogether).

The DHS Privacy Impact Assessment goes through most general concerns the REAL ID act poses to the privacy of U.S. citizens thoroughly…. except for one. Put on your tin-foil hats for this one. The government works so closely with private companies (namely lobbyists pushing and paying for certain policies, bid and no-bid contracts, laws and regulations) that I believe that they would give out our con$olidated information for the right price. Realistically, a national database in some form or another already exists (social security). But the REAL ID database would make it possible to have a REAL-time view of all transactions.

DHS PIA pg. 6: “financial institutions, retailers, hotels, health-care providers, and others may consider the REAL ID credential”. 

It sounds like the ultimate consolidation of all personal data. It will merge your social, driver’s license, and possibly financial and medical info.

You see, the REAL ID system would not just be used in the police but with PRIVATE agencies. On military installations you can’t do much of anything without a certain government ID card. The data on this REAL ID will be the cream of the crop. Particularly if it collects data on where you’ve been. But conspiracy theories on new American corporate fascism aside, people need to know that this is happening. A wake up is long overdue for Americans. I just hope this cancerous apathy doesn’t kill the principles of the country I love.

Check out the last line of the DHS Privacy Impact Assessment:

The public is encouraged to comment on the NPRM and on the privacy issues associated with implementation of the Act in order to ensure that the final rule reflects robust public input on these important issues.

Links:

Facial Recognition to deter ID Theft

DHS Privacy Impact Assessment REAL ID Act – Chief Privacy Officer, DHS

Four States Oppose RealID (New Hampshire, Oklahoma, joined Montana, Washington – as of 10 Jun 2007)

Ron Paul opinion on Amnesty for illegal immigrants and the National ID

New World Ord… I mean other things that didn’t make it into the REAL ID ACT:

Original legislation contained one of the most controversial elements which did not make it into the final legislation that was signed into law. It would have required states to sign a new compact known as the Driver License Agreement (DLA) as written by the Joint Driver’s License Compact/ Non-Resident Violators Compact Executive Board with the support of AAMVA which would have required states to give reciprocity to those provinces and territories in Canada and those states in Mexico that joined the DLA and complied with its provisions. As a part of the DLA, states would be required to network their databases with these provinces, territories and Mexican states. The databases that are accessible would include sensitive information such as Social Security numbers, home addresses and other information. The foreign states and provinces are not required to abide with the Drivers Privacy Protection Act (DPPA) and are free to access and use the sensitive information as they see fit.  – REAL ID wiki

The UK is fighting the same battle of liberties. 

If I trusted the government, I suppose this would not be that big a deal.

Bonus: Total “Terrorism” Information Awareness – TIA 

Multiple standardized computing environments can be monitored and controlled using Open Grid Service Architecture (OGSA). If the federal government is not using this technology to gather data from the DMV systems I would be very surprised.

How I got into Security

Martin McKeay over at the Network Security Blog asks “How did you get into Security?” That is a good question. It’s something that I’ve been asked and what I like to ask others in the business.

Up until recently, I’ve done security my entire adult life very reluctantly. I started off in the military as a Security Policeman (now called security forces). I was a security specialist and was groomed into law enforcement. The description sounded like special forces. And even though security forces do some pretty cool stuff it’s NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy SEALs and Delta Force do. Instead it’s like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security.  I later “cross trained” into communications expecting to do some hardcore technical stuff.  And I did, but while I wanted Routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC) a little of everything.  My experience in the military made it easier for me to pass the CISSP which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 

Symantec acquired IMlogic the anti-spim

Symantec has acquired IMlogic to get into IM and email security:

LAS VEGAS, NV–(Marketwire – June 13, 2007) – Symantec Vision 2007 — Symantec Corp. (NASDAQ: SYMC) today announced the newest version of Symantec Information Foundation, an integrated Information Risk Management (IRM) product suite that builds on the company’s Security 2.0 strategy. Symantec Information Foundation delivers advanced controls to safeguard companies against data loss with unified protection for e-mail, Web and instant messaging (IM). The new solution, expected to be available this summer, enables information entering or exiting the organization to be archived, audited and discovered through a validated process that ensures proper chains of custody.

With IMlogic’s technology they will also be able to battle “SPIM”, spam on Instant Messenger, which can get pretty bad.