Pseudo-random seldom does the job

My friend Adam has hammered this one home.  A weak RNG can undermine the security of a system that uses it.  A recent scenario we worked on together involved a multi-player game.  If you can predict the RNG outcome then you can incorporate that into your game strategy.  Why engage in an attack if you know the dice are literally stacked against you?
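To make the game scenario concrete, here is an added example (not code from the game described above) that puts a dice roller seeded from a guessable value beside one backed by the OS CSPRNG, with a self-audit showing how few observed rolls pin down the weak one. It assumes the weak roller seeds Python's `random` from a Unix timestamp; the function names, seed value and window are constructed for illustration.

```python
import random
import secrets

def weak_rolls(seed, n):
    # Vulnerable pattern: general-purpose PRNG (Mersenne Twister) seeded from
    # a guessable value such as the server start time.
    rng = random.Random(seed)
    return [rng.randint(1, 6) for _ in range(n)]

def strong_rolls(n):
    # Hardened pattern: OS CSPRNG via `secrets`; there is no seed to recover.
    return [secrets.randbelow(6) + 1 for _ in range(n)]

def seeds_matching(observed, candidates):
    # Self-audit: which candidate seeds reproduce the rolls players have seen?
    return [s for s in candidates if weak_rolls(s, len(observed)) == observed]

def audit(server_seed=1_700_000_123, window=1000, seen=20, future=5):
    # Constructed scenario: the seed is a Unix timestamp known only to within
    # +/- `window` seconds, and `seen` rolls have been shown to the players.
    rolls = weak_rolls(server_seed, seen + future)
    observed, upcoming = rolls[:seen], rolls[seen:]
    candidates = range(server_seed - window, server_seed + window + 1)
    matches = seeds_matching(observed, candidates)
    # Every seed consistent with the observed rolls fixes the rolls that follow.
    predicted = [weak_rolls(s, seen + future)[seen:] for s in matches]
    return matches, predicted, upcoming

if __name__ == "__main__":
    matches, predicted, upcoming = audit()
    print("seeds consistent with observed rolls:", matches)
    print("next rolls fully determined:", predicted == [upcoming])
    print("CSPRNG rolls:", strong_rolls(5))
```

The audit narrows 2,001 candidate seeds to one after 20 rolls, which is why game state that matters should come from `secrets` (or `random.SystemRandom`) rather than a seeded `random.Random`.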

Now the problem has turned up in a far more serious area.  Social Security Numbers should never have been used as IDs.  The US has a long and hypocritical history of resisting a nationally issued ID card and so the really-not-an-ID-card-no-matter-how-many-organizations-treat-it-that-way SSN has become the de facto national ID card.  A flimsy piece of paper and misplaced trust in a bank worked for a while but that ship has sailed.

Today we find out that the situation has gone from bad to worse.  SSNs should be randomly generated numbers that are very long.  Unfortunately SSNs were first issued a long time ago and use some “clever” scheme to self-validate against the person’s other metadata.  And now, someone has automated the process.  Name, birthday and social used to be enough.  Now we should treat them all as public information.

It’s time to rethink identity in a way that protects individuals from the government, from each other and from corporations.  Recent efforts pretend that the government is here to help you.  Fortunately most of these have failed, but the problem hasn’t gone away; it’s getting closer and closer every day.