Here’s an awesome idea: Immigrants seeking US entry from 7 extra-Muslimy-countries will be told to hand over all their web, banking, and social media credentials.
According to our friends at El Reg, DHS czar John Kelly plans to require all passwords from all “7M” refugees and visa applicants, so that DHS vetters can root around in banking, credit card and social media accounts. If they refuse, they can’t come in. “We want to say ‘what kind of sites do you visit and give us your passwords,’ so we can see what they do,” Kelly stated during a meeting of the House Homeland Security Committee. “We want to get on their social media with passwords – what do you do, what do you say. If they don’t want to cooperate then they don’t come in. If they truly want to come to America they’ll cooperate, if not then ‘next in line’.”
It’s easy to see the slippery slope here, once DT gets upset with countries 8, 9, 10, 11 and 12. It’s easy, too, to imagine what banks and social media firms think about what is essentially the biggest password-sharing scheme in history.
DHS presumably has no plans to reimburse banks or social media sites for the cascading identity failures and a spike in credit card fraud that is almost certain to result from sharing passwords amongst the between 5,000 and 10,000 new government employees and contractors Kelly wants to hire.
Security is a funny thing. It’s not uncommon that an idea that at first glance, seems like it might make us safer… later turns out to backfire big time. That’s why it’s important before you implement any big change in your defensive stack – be it hardware, software or policy – that you INSTRUMENT your environment so that you can gather hard data on whether or not something is actually making you more secure. Security moves based on gut-feelings and assumptions almost always end in tears.