Let me start off by saying that I'm making this whole thing up.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder. And you know that trend will only continue. So you decide to grow your own identities.

Call it "identity farming." You invent a handful of infants. You apply for Social Security numbers for them. Eventually, you open bank accounts for them, file tax returns for them, register them to vote, and apply for credit cards in their name. And now, 25 years later, you have a handful of identities ready and waiting for some real people to step into them.

There are some complications, of course. Maybe you need people to sign their name as parents -- or, at least, mothers. Maybe you need to doctors to fill out birth certificates. Maybe you need to fill out paperwork certifying that you're home-schooling these children. You'll certainly want to exercise their financial identity: depositing money into their bank accounts and withdrawing it from ATMs, using their credit cards and paying the bills, and so on. And you'll need to establish some sort of addresses for them, even if it is just a mail drop.

You won't be able to get driver's licenses or photo IDs on their name. That isn't critical, though; in the U.S., more than 20 million adult citizens don't have photo IDs. But other than that, I can't think of any reason why identity farming wouldn't work.

Here's the real question: Do you actually have to show up for any part of your life?

Again, I made this all up. I have no evidence that anyone is actually doing this. It's not something a criminal organization is likely to do; twenty-five years is too distant a payoff horizon. The same logic holds true for terrorist organizations; it's not worth it. It might have been worth it to the KGB -- although perhaps harder to justify after the Soviet Union broke up in 1991 -- and might be an attractive option to existing intelligence adversaries like China.

Immortals could also use this trick to self-perpetuate themselves, inventing their own children and gradually assuming their identity, then killing their parents off. They could even show up for their own driver's license photos, wearing a beard as the father and blue spiked hair as the son. I’m told this is a common idea in Highlander fan fiction.

The point isn't to create another movie plot threat, but to point out the central role that data has taken on in our lives. Previously, I've said that we all have a data shadow that follows us around, and that more and more institutions interact with our data shadows instead of with us. We only intersect with our data shadows once in a while -- when we apply for a driver's license or passport, for example -- and those interactions are authenticated by older, less-secure interactions. The rest of the world assumes that our photo IDs glue us to our data shadows, ignoring the rather flimsy connection between us and our plastic cards. (And, no, REAL-ID won't help.)

It seems to me that our data shadows are becoming increasingly distinct from us, almost with a life of their own. What's important now is our shadows; we're secondary. And as our society relies more and more on these shadows, we might even become unnecessary.

Our data shadows can live a perfectly normal life without us.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Voggy adj. Smoggy weather caused when volcanoes, like Hawaii's active Kilauea, release sulfur dioxide that combines with dust and sunlight.

Admixed embryo n. Legalese for any early-stage embryo combining human and nonhuman genes or tissue. Encompassing both cybrids and chimeras yet sounding less apocalyptic than either, these hybrids are now approved in England for stem cell research.

Memristors n. pl. Resistors with memory — meaning that the resistance changes with fluctuations in electrical charge. If the charge is turned off, the element will remember the last resistance. Hypothesized in 1971 as the fourth basic circuit element (in addition to the resistor, inductor, and capacitor), memristors could make brainlike computing possible. A nanoscale version has finally been built by Hewlett-Packard.

Deep carbon n. Greenhouse gases, including carbon dioxide and methane, stored deep beneath Earth's surface and underwater naturally. It could be released in catastrophic quantities as global warming raises sea temperatures. Typically ignored in climate-change prediction models, deep carbon may have a far bigger impact on our survival than driving SUVs or eating red meat.

— Jonathon Keats jargon@wired.com

Security researchers have reported finding vulnerabilities in Google's new Web browser a day after it was released in beta.

One vulnerability would allow hackers to crash the browser. Security researcher Rishi Narang described the issue on the SecuriTeam Web site and posted a proof of concept at Evilfingers. According to Narang, a hacker could build a malicious link that includes an undefined handler followed by a certain character. When a user clicks on the link, Chrome crashes.

Another, potentially more serious vulnerability could result in Chrome users downloading malicious code. The problem is due, in part, to the fact that Google uses an older version of WebKit, the open-source browser technology also used in Apple's Safari browser, that includes the vulnerability.

Discovered by researcher Aviv Raff, the problem lies in the way Chrome downloads files and the way Windows handles the downloaded files, he said.

Chrome's default setting downloads files into a folder. It then displays a download bar at the bottom of the browser page. Users click on the bar to open the file. If the file is an executable, Windows displays a warning, which can help users avoid inadvertently downloading malicious code.

If the file is a JAR (Java Archive), however, it isn't treated like other executables, Raff said. When a user clicks on that download bar, instead of displaying a warning, Windows automatically runs the file.

The problem is exacerbated by the way the download bar looks, Raff said. The bar appears to be part of the Web page. In a proof of concept that Raff posted, users might think they're clicking on a link or a button on the page, rather than opening up a downloaded file.

"This is again a sort of a 'blended threat'," he wrote in a blog post. "Two small issues in different products, when blended together, create a much larger problem."

He thinks Google might face other, similar issues in the future because Chrome uses technologies from different browsers, including Apple's Safari and Mozilla's Firefox.

"Security wise, it's very problematic," Raff wrote. "They'll have to track all security vulnerabilities in those features, and fix them in Chrome too. This will probably be only after those vulnerabilities were fixed by the other vendors or were publicly reported. It will put Chrome users at risk for a long time."

Google did not directly address questions about this vulnerability or whether it plans to make any changes to Chrome to prevent any potential problems. Instead, a Google spokeswoman said in a statement that, by default, Chrome downloads files into a separate folder instead of on the user's desktop as a way to avoid some security problems. In addition, she said that users can set the browser to ask where to save each file before downloading it.

She also did not say whether Google intends to upgrade to the more recent version of WebKit, which addresses the problem by displaying a dialog box for JAR files asking users if they want to download them.

In yet another example of Google's expanding influence, the search company's co-founder, Sergey Brin, said he expects the new Chrome browser to eventually become part of the Android wireless phone platform, which is under separate development by the Open Handset Alliance led by Google.

Brin, in an interview with CNET at the Chrome announcement yesterday, said that "probably a subsequent version of Android is going to pick up a lot of the Chrome stack." Google officials were unavailable to elaborate.

[ Special report: Google Android: Invader from beyond ]

While developed separately, both Chrome and Android's browser rely on WebKit open-source software for interpreting HTML code that builds and renders a Web page.

The first Android phone is expected to launch in November, manufactured by HTC as the Dream phone and first sold in the U.S. by T-Mobile.

Google's ultimate ability to increase its influence in the mobile device market may well depend on whether a mobile Chrome browser is used on any other phones using Android software, several analysts said. Among the mobile browers available today are FireFox, Internet Explorer, Opera and the emerging Skyfire.