
To help replace the CAC card, Pentagon enlists AI startup - jonbaer
https://www.fedscoop.com/cac-card-twosenseai-startup-dod-contract/
======
CharlesColeman
> The contract, an other transaction agreement (OTA) awarded through DOD’s
> Rapid Innovation Fund, will focus on next-generation identity verification
> by authenticating users “by their behavior, such as how they walk, type,
> carry their device, or interact with the screen,” TWOSENSE.AI said in a
> release.

It sounds like a bad idea. I'm reminded that for many, many years, the "locks"
on the US's nuclear weapons had the combination set to all zeros, because the
Pentagon was worried the complexity of using an actual combination would mean
they'd be rendered useless in wartime [1]. It seems like the height of
foolishness to tie military effectiveness to a finicky and unreliable "AI/ML"
solution. Soldiers will probably behave differently in wartime, and I can see
large numbers getting locked out of their devices as a result, at least
initially.

[1] Since any war they'd be used in would probably last less than an hour.

~~~
Novashi
The moment it requests the user to authenticate by taking a minute or so to
display their behaviors because of a false negative, it'll probably be canned

~~~
markovbot
...unless it's been widely rolled out already. They just need to make sure
that it doesn't fuck up during initial testing.

------
metaphor
_Behavior-based authentication is invisible to the user, therefore it can be
used continuously without creating any extra work_

Yeah...right. As if vanilla CAC authentication isn't already littered with UX
warts.

Also, clickbait article title:

 _Well, from my [DoD CIO Dana Deasy] standpoint, the CAC will remain the
department’s principle authenticator for the foreseeable future._

~~~
excalibur
> _the CAC will remain the department’s principle authenticator_

At least in principal.

------
kstrauser
Wait, in the story's top photo they covered up the person's human-readable
information but left the barcode exposed?

~~~
Rebelgecko
At least they stopped putting social security numbers in the barcode a few
years ago

~~~
kstrauser
That's good, at least.

------
dak1
This talks about continuous authentication, which isn’t about accessing a
system, but rather flagging unusual behavior for followup inspection.

~~~
wahern
There's nothing new about this, except for attaching "AI" to it. There's
something to be said for the value in detecting drive-by or opportunistic
attacks, or cleaning up after the fact. Though it was a thinly veiled
advertisement for his company, Counterpane, Bruce Schneier made the case for
this approach in a 2001 paper:
[https://www.schneier.com/academic/paperfiles/paper-msm.pdf](https://www.schneier.com/academic/paperfiles/paper-msm.pdf)

But these pattern detection systems are fundamentally incapable of preventing
targeted attacks. For a targeted attack any pattern recognizer (heuristic,
Bayesian, neural net, army of elite white hats, w'ever) simply provides a
blueprint for reliably subverting the system. They could never replace a hard,
cryptographically strong authentication factor providing _distinct_,
_provable_ security characteristics; certainly not in environments like DoD
facilities which require such strong authentication.

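As an added illustration (not from the article or any commenter) of the distinction dak1 and wahern draw, the toy scorer below treats a behavioural signal as a flag layered on top of a hard factor rather than as an authenticator in its own right. The keystroke-timing samples, the "injured user" window and the thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed enrollment data: inter-keystroke gaps in milliseconds captured
# while the legitimate user typed normally. Not real telemetry.
ENROLLMENT_GAPS_MS = [180, 190, 200, 210, 220]

# Constructed observation windows for the same user.
NORMAL_WINDOW_MS = [195, 205, 185]    # typing as enrolled
INJURED_WINDOW_MS = [320, 340, 310]   # slower typing with a sprained wrist


@dataclass(frozen=True)
class Baseline:
    mu: float
    sigma: float


def fit_baseline(gaps_ms):
    """Enrol a user: mean and population std-dev of their keystroke gaps."""
    return Baseline(mean(gaps_ms), max(pstdev(gaps_ms), 1e-6))


def anomaly_score(baseline, window_ms):
    """Mean absolute z-score of a window against the enrolled baseline.
    0 means 'exactly as enrolled'; larger means 'less like this user'."""
    return mean(abs(x - baseline.mu) / baseline.sigma for x in window_ms)


def decide(hard_factor_ok, score, alert_at=2.0, step_up_at=3.5):
    """Combine a hard factor (CAC/PIN) with the behavioural score.

    The behavioural signal never grants access on its own; it only adds
    monitoring or a re-prompt on top of the hard factor. Thresholds are
    assumptions chosen for the constructed data.
    """
    if not hard_factor_ok:
        return "deny"          # no smart-card auth, no session
    if score >= step_up_at:
        return "step_up"       # re-prompt for PIN instead of a silent lockout
    if score >= alert_at:
        return "allow+alert"   # session continues, SOC gets a ticket
    return "allow"


if __name__ == "__main__":
    base = fit_baseline(ENROLLMENT_GAPS_MS)
    for label, window in (("normal", NORMAL_WINDOW_MS), ("injured", INJURED_WINDOW_MS)):
        s = anomaly_score(base, window)
        print(f"{label:8s} score={s:5.2f} -> {decide(True, s)}")
```

Run as-is, the injured-wrist window scores far above the step-up threshold even though it belongs to the legitimate user, which is the false-positive case the thread worries about; because access still hinges on the hard factor, the cost is a re-prompt rather than a lockout or a bypass.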
------
jandrese
Given how long it took to deploy CAC and iron out the major issues I'm not
holding my breath on this.

------
bargl
CAC Card... Common Access Card Card.

Sorry DoD Acronyms never stopped getting on my nerves even 5 years later.

We had a game to find how many acronyms we could find with the same word
multiple times.

~~~
ageitgey
I was once part of a 2-vendor software demo/showdown with a DoD client. Both
vendors (us and them) each had two hours to present our solution and why it
would be a better fit for the DoD base to adopt. It was a totally routine
enterprise software demo.

But during the day's introductory remarks, it became clear that the DoD had
invented a new acronym for the meeting. I don't remember exactly what it was,
but it was something silly along the lines of S.P.E.A.R. - <Some Topic>
Project Education And Review.

It was when I witnessed the US military invent a brand new acronym to
represent one specific routine meeting I had with them that fully internalized
just how out of control acronyms were in the US military.

~~~
userbinator
The aviation community is also quite acronym-ful. I wonder if it's because of
military influence, or the other way around.

------
craftinator
This is a terrible idea. Machine learning solutions are fuzzy and inexact
(which is why they are great at some problems). Using an ensemble of
nonstandard biometrics to identify a person is going to lead to a whole lot of
problems:

1) "by the way they walk, interact with their phone, commute to work, and how
and where they spend their time."

I've known many, many Marines during my service... We were always injured,
sprained wrists and ankles, broken fingers, torn muscles. That's normal for a
fighting force that does continuous training. Our weight was changing
constantly, as well as our locations, sleep cycles, and habits. The listed
biometrics would be curfuzzled by this lifestyle.

2) "therefore it can be used continuously without creating any extra work”
said Dawud Gordon

Imagine the amount of work needed to debug a system like this when it doesn't
believe the identity of an intelligence officer trying to get to his
workstation in a top secret environment. Would he be detained at the guard
post until they fix it (standard SOP if he tries to enter the building without
a CAC card and TS ID)?

Whole thing seems ludicrous to me.

------
watertom
Thank goodness it's the DOD, because it will take 10 years to get this
approved, but sadly they'll approve technology that is 6 years old.

~~~
craftinator
After spending roughly 10 billion dollars on it (here's to you, F35 Junk
Strike Fighter)

------
tareqak
I think there needs to be a specification and a framework for ID cards and how
they get used with all the best practices dealt with, so that people don't
have to roll their own and make mistakes in the process or overpay. These
things might already exist.

------
m0zg
I wonder if they know that the current AI tech always has a non-zero error
rate and as a rule it's not very robust to the data distributions it hasn't
seen, which can be something as mundane as e.g. a different brand of the
sensor or different compression settings.

------
joeblau
When I worked for DISA I had a manager who loathed when anyone would repeat
the last letter in an acronym. Hearing things like CAC card, ATM machine, PIN
number all really got him going and we heard CAC card a lot.

------
breatheoften
How does the 'this authenticated person seems to be nearby or holding me'
signal get from the device into the security domain on a continuous basis?

------
wahern
The DoD might also be interested in a bridge in Brooklyn that's currently up
for sale. It's a real steal, and could be used to replace all their other
bridges, too. In fact, it'll revolutionize bridging.

~~~
craftinator
My God, they'll never need another bridge!!! Is it powered by the "AI"?

------
excalibur
> CAC card

> CAC card

> CAC cards

This is so annoying. It's like saying ATM machine, or PIN number.

[https://en.wikipedia.org/wiki/RAS_syndrome](https://en.wikipedia.org/wiki/RAS_syndrome)

~~~
dwringer
I think in many contexts there's a case to be made for the redundancy. For
instance, at a checkout counter where a customer or cashier may have a pen in
hand, may be wearing one or more pins, and is subsequently prompted for a PIN
- saying "PIN number" immediately resolves any possible ambiguity. "ATM
machine" similarly disambiguates the machine from the abbreviation for "at the
moment". "CAC" is an acronym with many meanings and is sufficiently uncommon
for laypersons that replacing parts of speech with it is bound to cause
confusion. I am tempted generally to consider the unqualified use of acronyms
as jargon which I prefer to avoid using whenever reasonably possible.

~~~
kstrauser
I respectfully disagree. "Enter your PIN" can't refer to their ballpoint or to
the little flag on their lapel. If I'm getting cash from the ATM, I can't mean
the Asynchronous Transfer Mode router. "Present your CAC at the door" would
only have one meaning in any setting where you'd be expected to show your CAC.

~~~
Retra
But neither of those contexts are an article on the internet or casual
conversation, which could very well be about ballpoint pens, little flags, or
anything else.

