Commentary by Mark Wahl, CISA

Organizing principles for systems:
Information Assurance: audit trail aggregation in science fiction: the Bounty Bear (2007/3/26)

One of the areas of difficulty in applying information assurance in enterprise networks is the proliferation of cheap, plentiful, unmanaged network-attaching devices: in the '90s it was modems, today it is wireless access points. These devices benefit the end user (who can now work without being tethered to the office), but one of their downsides is that the end user who buys and installs one is often unaware of its capabilities: beyond providing access to that user, the devices may provide access to unknown others, and may contain web servers, firewalls, proxies, configuration and audit trails of which the end user is unaware: it 'just works'.

In television, the forensic investigators in the Saturn-award-winning CSI are frequently reliant upon their Magic Databases of fingerprints, DNA, cell phone call records, trademarks, tattoo schemas, chemical compounds, etc. Some of these databases actually exist, and as the CSI characters using these databases are the employees of a large crime lab, they would presumably be able to obtain legitimate access to such databases as needed.

One of the family of gadgets in Wim Wenders's 1991 near-future science fiction/road movie Until the End of the World is the integrated skiptrace package, such as Bounty Bear.


"I'm the Bounty Bear. I search them here, I search them there."

Software running on these devices would search for the credit card transactions and identity checks involving the bounty hunter's target across multiple databases, using its "Eastern Bloc technology" and "superior Vietnamese chips". When a new record is added to one of these databases, the Bounty Bear displays the time and geolocation of the target's interactions, accompanied by the product's jingle and dancing video game characters showing the target's route. In this future world, tracking an ordinary person in the US is fairly straightforward, as merchants, even used car dealers, only accept credit cards: only criminals would possess or be interested in paper currency.

Assuming that support for the Bounty Bear and friends wouldn't be built into the databases of card processors and government agencies, nor would the notifications it seeks be freely available, it seems likely that Bounty Bear embeds hacks that enable it to gain illegitimate access to these databases. One interesting aspect of this scenario is that in this future, the exploits to break into commercial and government databases have become a commodity: the bounty hunter running them probably doesn't care how they work or what databases are accessed.