Hacker News
To help replace the CAC card, Pentagon enlists AI startup (fedscoop.com)
53 points by jonbaer 7 days ago | 45 comments

> The contract, an other transaction agreement (OTA) awarded through DOD’s Rapid Innovation Fund, will focus on next-generation identity verification by authenticating users “by their behavior, such as how they walk, type, carry their device, or interact with the screen,” TWOSENSE.AI said in a release.

It sounds like a bad idea. I'm reminded that for many, many years, the "locks" on the US's nuclear weapons had the combination set to all zeros, because the Pentagon was worried the complexity of using an actual combination would mean they'd be rendered useless in wartime [1]. It seems like the height of foolishness to tie military effectiveness to a finicky and unreliable "AI/ML" solution. Soldiers will probably behave differently in wartime, and I can see large numbers getting locked out of their devices as a result, at least initially.

[1] Since any war they'd be used in would probably last less than an hour.

The moment it requests the user to authenticate by taking a minute or so to display their behaviors because of a false negative, it'll probably be canned.

...unless it's been widely rolled out already. They just need to make sure that it doesn't fuck up during initial testing.

I'm looking forward to the moment somebody has to enter the ICBM launch codes and a captcha appears: 'click on the traffic lights...'

And they do a good job so the system decides to mine for more data by making them do more images before letting them through.

There are 5 buttons on launch pads of Russian road mobile ICBMs: raise the launch tube, lower the launch tube, arm, disarm, and launch.

All road mobile ICBMs are programmed at the factory. No mid-flight retargeting or anything fancy.

You've never accidentally locked your CAC, have you?

It makes just as much sense as 'secret questions' for account unlock but it is dubious for login or continuous validation -- how many times have I used another person's keyboard, or them mine, while working on a set of slides etc?

Behavior-based authentication is invisible to the user, therefore it can be used continuously without creating any extra work

Yeah...right. As if vanilla CAC authentication isn't already littered with UX warts.

Also, clickbait article title:

Well, from my [DoD CIO Dana Deasy] standpoint, the CAC will remain the department’s principle authenticator for the foreseeable future.

> the CAC will remain the department’s principle authenticator

At least in principal.

Wait, in the story's top photo they covered up the person's human-readable information but left the barcode exposed?

At least they stopped putting social security numbers in the barcode a few years ago

That's good, at least.

If they were trying to cover his first name, they did a pretty terrible job of it.

This talks about continuous authentication, which isn’t about accessing a system, but rather flagging unusual behavior for followup inspection.

There's nothing new about this, except for attaching "AI" to it. There's something to be said for the value in detecting drive-by or opportunistic attacks, or cleaning up after the fact. Though it was a thinly veiled advertisement for his company, Counterpane, Bruce Schneier made the case for this approach in a 2001 paper: https://www.schneier.com/academic/paperfiles/paper-msm.pdf

But these pattern detection systems are fundamentally incapable of preventing targeted attacks. For a targeted attack any pattern recognizer (heuristic, Bayesian, neural net, army of elite white hats, whatever) simply provides a blueprint for reliably subverting the system. They could never replace a hard, cryptographically strong authentication factor providing distinct, provable security characteristics; certainly not in environments like DoD facilities which require such strong authentication.

Given how long it took to deploy CAC and iron out the major issues I'm not holding my breath on this.

CAC Card... Common Access Card Card.

Sorry, DoD acronyms never stopped getting on my nerves, even 5 years later.

We had a game to find how many acronyms we could find with the same word multiple times.

I was once part of a 2-vendor software demo/showdown with a DoD client. Both vendors (us and them) each had two hours to present our solution and why it would be a better fit for the DoD base to adopt. It was a totally routine enterprise software demo.

But during the day's introductory remarks, it became clear that the DoD had invented a new acronym for the meeting. I don't remember exactly what it was, but it was something silly along the lines of S.P.E.A.R. - <Some Topic> Project Education And Review.

It was when I witnessed the US military invent a brand new acronym to represent one specific routine meeting I had with them that I fully internalized just how out of control acronyms were in the US military.

The aviation community is also quite acronym-ful. I wonder if it's because of military influence, or the other way around.

Granted, DoD acronyms are insane and "CAC card" is like "ATM machine", but the 12 year old in me always winced a little when referring to "my cac". To the emotionally immature (me) it's a useful redundancy.

I suspect the pun was intentional, given some of the other names that the DoD has come up with...

When I was part of the DoC I dropped the "card" and just referred to it as a CAC. Admittedly I was one of the few.

"Please insert your CAC here, sir." "I'm pretty sure it won't fit, but I'll give it my damnedest!"

This is a terrible idea. Machine learning solutions are fuzzy and inexact (which is why they are great at some problems). Using an ensemble of nonstandard biometrics to identify a person is going to lead to a whole lot of problems:

1) "by the way they walk, interact with their phone, commute to work, and how and where they spend their time."

I've known many, many Marines during my service... We were always injured: sprained wrists and ankles, broken fingers, torn muscles. That's normal for a fighting force that does continuous training. Our weight was changing constantly, as well as our locations, sleep cycles, and habits. The listed biometrics would be curfuzzled by this lifestyle.

2) "therefore it can be used continuously without creating any extra work” said Dawud Gordon

Imagine the amount of work needed to debug a system like this when it doesn't believe the identity of an intelligence officer trying to get to his workstation in a top secret environment. Would he be detained at the guard post until they fix it (standard SOP if he tries to enter the building without a CAC card and TS ID)?

Whole thing seems ludicrous to me.

Thank goodness it's the DOD, because it will take 10 years to get this approved, but sadly they'll approve technology that is 6 years old.

After spending roughly 10 billion dollars on it (here's to you, F35 Junk Strike Fighter)

And it will remain mandated for a decade or two.

I think there needs to be a specification and a framework for ID cards and how they get used with all the best practices dealt with, so that people don't have to roll their own and make mistakes in the process or overpay. These things might already exist.

I wonder if they know that the current AI tech always has a non-zero error rate and as a rule it's not very robust to the data distributions it hasn't seen, which can be something as mundane as e.g. a different brand of the sensor or different compression settings.

When I worked for DISA I had a manager who loathed when anyone would repeat the last letter in an acronym. Hearing things like CAC card, ATM machine, PIN number all really got him going and we heard CAC card a lot.

How does the 'this authenticated person seems to be nearby or holding me' signal get from the device into the security domain on a continuous basis?

The DoD might also be interested in a bridge in Brooklyn that's currently up for sale. It's a real steal, and could be used to replace all their other bridges, too. In fact, it'll revolutionize bridging.

My God, they'll never need another bridge!!! Is it powered by the "AI"?

> CAC card

> CAC card

> CAC cards

This is so annoying. It's like saying ATM machine, or PIN number.

It's annoying, but so are off-topic subthreads, so can you please resist the temptation?

(The unpredictable kind of off-topic subthread is fine, but there are many kinds of predictable ones and those should be resisted.)

I guess you’re getting downvoted because some people think this is nit-picky?

But I wholeheartedly agree. This is a correction that is important in my job as a technical proposal writer. It's important to call "tools" etc. by their correct name. "CAC card" is technically incorrect and it's always my job to fix mistakes like these at work.

Edited to add: in the case of this article, the author should have led with the spelled-out words then abbreviated afterwards.

> “CAC card” is technically incorrect

Common Access Card (CAC) is a name for the card, but it's also the name of the system using the card. In a context where the abbreviation is otherwise consistently used as a name for the system and as an adjective to modify other nouns associated with the system, it appears both correct and more clear than the alternative to do the same thing with the card used in the system.

I think in many contexts there's a case to be made for the redundancy. For instance, at a checkout counter where a customer or cashier may have a pen in hand, may be wearing one or more pins, and is subsequently prompted for a PIN - saying "PIN number" immediately resolves any possible ambiguity. "ATM machine" similarly disambiguates the machine from the abbreviation for "at the moment". "CAC" is an acronym with many meanings and is sufficiently uncommon for laypersons that replacing parts of speech with it is bound to cause confusion. I am tempted generally to consider the unqualified use of acronyms as jargon which I prefer to avoid using whenever reasonably possible.

I respectfully disagree. "Enter your PIN" can't refer to their ballpoint or to the little flag on their lapel. If I'm getting cash from the ATM, I can't mean the Asynchronous Transfer Mode router. "Present your CAC at the door" would only have one meaning in any setting where you'd be expected to show your CAC.

But neither of those contexts are an article on the internet or casual conversation, which could very well be about ballpoint pens, little flags, or anything else.

Then be explicit instead of redundant. “Enter your personal identification number to get cash from the automated teller machine.”

What’s the point in collapsing a descriptive name to an initialism then partially redundantly expanding it?

The point is to communicate clearly and unambiguously, rather than satisfying some sort of pedantic aversion to harmless redundancy. Redundancy in communication can be very valuable.

At this point you could easily go your entire life without knowing what PIN stands for. It has become colloquial. It doesn't matter any more what it stands for. Just like laser, radar, Tardis, or ATM. The original acronym doesn't matter. That's ok, because Acronyms Seriously Suck. They are new words, with a mildly interesting derivation.

Agree, the acronym shouldn't need to be dereferenced. The thing you plug in / swipe is a card --> call it a card. If you want someone to enter a number, say number. So "CAC card" is (label="CAC", object type=card).

If someone needs to be pedantic they can go to the /Pedantic or something. You can argue that PIN itself is wrong, as it doesn't identify a person at all; the account number is the identifier, what you enter is a secret.

