US Government Sets Up Online "App Store"

krapper writes "The Obama administration has unveiled a government 'app store' designed to push the federal bureaucracy into the era of cloud computing. The change means some federal employees will begin using services like YouTube, Gmail and WordPress, which store data on private internet servers instead of on those paid for with public money. The process will start small but will ramp up quickly, Vivek Kundra, the US chief information officer, said in a blog post on Tuesday. 'Our policies lag behind new trends, causing unnecessary restrictions on the use of new technology,' Kundra writes in the post on WhiteHouse.gov. 'We are dedicated to addressing these barriers and to improving the way government leverages new technology.' The app store is designed for federal employees doing official government business and is not intended for use by the public."

And Gov2.0 considers Trusted Computing a key

[KNicolson]

I wonder how this is related to a recent announcement of Wave System, OpenID, Google, PayPal, etc into an initiative to have a single sign-on for e-government [blogoftrust.com]?

Re:And Gov2.0 considers Trusted Computing a key

[Anonymous Coward]

I'm not sure how a TPM can establish identity. Fundamentally, a TPM is a cryptographic token that can accept a key or a passphrase, and has the option to seal it and keep it sealed until the right boot code is passed through it. Other than that, it is fundamentally just a smart card fixed onto a computer's motherboard.

A TPM wouldn't be good for validating a user, who can be using that machine, a phone, a jaw harp, or a beer mug with an IP stack for access. A TPM can validate that the first part of an OS boot was not tampered with on a machine, as well as store some private keys that are usable only on that box. The advantage of this would be for this is ensuring that an attacker can't just replace the MBR with a keylogger, then later on, steal the laptop in a two phase black bag attack.

For a single sign on for users, the US government already has a large and well established system, the DoD's Common Access Card.

Fears of a national ID card aside, using a smart card for access can be a very good thing. No passwords can be sniffed, it is quite easy to use client certificates (the server doesn't have to care one whit if a client's key is on a card, in Firefox's key storage, or in a TPM), and allows shorter passwords to be used, because all it would take is 3-15 (usual default settings on smart cards) bad attempts, and the smart card will either block further attempts until reset, or permanently brick itself needing replacement. Phishing would be useless because all a phisher would get is "yay, this user has connected to your web server with a valid certificate". The main way a smart card can be compromised would be malware that would grab the user's PIN via a keylogger, then use the smart card (if inserted) to sign/decrypt stuff in the background.

Finally, a large number of security programs like TrueCrypt can use smart cards. I have on a laptop TC protected volumes for a VM that runs my Quicken. If someone steals the laptop and manages to get past BitLocker (RAM dump while the box is on), they would need to have the passphrase, the PIN from the eToken, and the eToken itself, to be able to mount that volume. A couple wrong guesses, the eToken zaps itself, so that gets rid of the brute forcing route in. (Of course, rubber hose crypto does work, but my biggest security scenario is silent theft of the laptop, not seizure and interrogation of the owner.)

Disclaimer: TPMs are double edged swords, and they can be used to enforce DRM stacks, but I consider them a good thing in general. Especially because by the TCG spec, they are to be shipped disabled and unowned, so software companies cannot assume every computer user has one and can use it for copy protection.

Re:How is this going to help..

[moosesocks]

Simple. Joe Biden signed up for an account at Mint.Com [mint.com]. Our financial problems are over!

(Serious aside: The Fed could/should employ a team of designers and information experts (a la Edward Tufte or this guy [wallstats.com]) to help improve the transparency and operational efficiency of the government. Mint.com has some great examples of boring/old data presented in a fresh, informative, and visually-attractive manner. There's plenty of scientific evidence showing that aesthetics can improve cognition. The Obama administration have done an admirable job on this front compared to their predecessors, but there's still more to be done, particularly at the congressional level [blogspot.com])

(Second aside: Mint.com were purchased by Intuit yesterday. Ew.)

FOIA and "Transparency"?

[The Wooden Badger]

I don't know. I thought keeping data on old clunky servers is kind of necessary for purposes of the Freedom of Information Act and this whole "transparency" idea. They are going to start storing data in gmail and youtube accounts? Maybe I'm missing something, but this doesn't feel right.

Re:How is this going to help..

[B1oodAnge1]

Are you certain? [youtube.com]

Re:Great!

[Joakal]

How about completely opening the entire authentication systems up? All the methods being proposed are closed systems. There are systematic refusal to accept new corporation/sites/etc as a form of authentication without being celebrity, monopolist or payment for certificates, etc. Recently, I created a browser-based trust initiative here: JRep project [joakal.com] Although I initially came up by means of browser-based trust transfer but I believe this can be tweaked for authentication transfer. Bonus: It's completely open and free because I want it that way.

Apple's attorneys are going to be all over them

[MichaelCrawford]

I'm pretty sure "App Store" must be some kind of Apple trademark.

However, it is possible to lose the rights to your trademark if it falls into common use. That's why so many companies defend their marks so vigorously.

Re:The bigger question is...

[sitarlo]

1. Assuming I'm uneducated is, well, uneducated.
2. I never mentioned socialism or socialist nations.
3. I've been to almost all the nations you cite, none are like Nazi Germany and I have no problem with modern socialism.
4. The comments I made ARE verifiable and objective. Hitler and Obama were both "Men of the Year", they both support leftist, progressive, and fringe-science ideas and their fundamentals were/are rooted in fascism. Look it up.

The fact that you call me "ignorant" for typing a post containing facts that any undergrad could cite leads me to believe that you are offended by my statements in some way. That wasn't my objective. I was simply pointing out parallels in two world leader's political profiles.

Re:The Term 'App Store' is Becoming Over Used

[dkf]

Agreed. This seems to be more of an official non-classified download repository than anything else. If I were in a small business and called their samba share that had the install images of Office, Acrobat, and other licensed packages for internal use an "app store", I'd be looked at by their IT people like I was some troll or pirate.

But the government isn't like a small business. It's like a very large business, and that sort of concept has been around for a while; we do the same thing for applications here with a secure webserver that employees (and students since we're a university) can download install images from, with appropriate invoices being generated internally if necessary afterwards (depends on what sort of license was negotiated with the vendor).

Re:Great!

[dkf]

How about completely opening the entire authentication systems up?

It's exceptionally difficult to build an entire end-to-end authentication system, and it's massively more complex if you have more than one vendor. This is stupid - there are plenty of open specifications in this area - but nonetheless true. Part of the problem is that there's so many different ways to put the bits together in a manner that will work, and there's no easy way to either bridge between them or understand which is best for a particular situation. Add in the fact that irritatingly much of the security parts of a system tend to end up in the other layers of applications (it seems to be nearly impossible to stop that) and you get horrendous levels of lock-in to particular solutions.

It's a crappy situation, and I don't blame anyone for going with a single vendor. At least then they get their security exposure down (which is definitely the most important part).

Re:How is this going to help..

[divisionbyzero]

I'm more worried about accountability. Any information posted or otherwise maintained on a private server is not subject to FOIA. It's protected by the 4th Amendment which is a much higher bar. This is the same as when Cheney used a private mail address for government business.

White House looking to hire a web archivist

[mantis2009]

They want someone to ensure that the WH's use of Youtube and Facebook complies with the Presidential Records act. [fbo.gov]
Good luck with all of that.