[HN Gopher] UK Government scans all web servers hosted in the UK...
___________________________________________________________________
UK Government scans all web servers hosted in the UK for
vulnerabilities
Author : xrayarx
Score : 250 points
Date : 2022-11-04 17:03 UTC (5 hours ago)
(HTM) web link (www.ncsc.gov.uk)
(TXT) w3m dump (www.ncsc.gov.uk)
| motohagiography wrote:
| Taking responsibility for collecting and using vulnerability scan
| data in this case also means assuming authority to do so. A good
| test would be whether citizens are also free to inspect the
| vulnerabilities of government systems, or have a right to do so.
| If they don't, that's worth scrutinizing.
|
| Canada has a different approach, where institutions can sign up
| to using a federal DNS service provided through the domain
| registrar, which I interpret is not unlike 1.1.1.1 or 9.9.9.9,
| but with malware detection. I believe it's called Canadian
| Shield, and it's not active scanning, but rather passive
| collection from institutions that manage infrastructure.
|
| Active scans by government seems a bit like domestic intelligence
| collection. Given the technical capabilities of most of these
| agencies when they work with ISPs, hairpinning traffic from one
| of these scanned servers for inspection is trivial. Fine if the
| threat model involved exceptional cases with clear oversight, and
| individual decision accountability in response to ticking bomb
| situations, but the examples of how similar powers have been used
| in the past are so abundant that I'm having trouble remembering a
| situation where they were used to protect a mere citizen.
| zemnmez wrote:
| I can personally attest to the fact that yes, british citizens
| can assess vulnerabilities in UK government systems. This was
| something I worked with the UKNCSC on:
| https://www.ncsc.gov.uk/information/vulnerability-reporting
| motohagiography wrote:
| That's pretty cool. There are these pockets of really great
| public service internet services.
|
| Am I interpreting correctly that you can join HackerOne to do
| work on UK public service projects? I tried to get something
| like that done for a municipality and a province, where it
| was going to be a way to engage college students on doing
| vulnerability hunting on public infrastructure, but also use
| it as a recruiting pipeline to get people interested in
| public service.
| michaelt wrote:
| I can personally attest to the fact that if your uninvited
| assessment of vulnerabilities reaches the level of gaining
| unauthorised access to computer systems - i.e. if you find
| something and check it works - you are technically in
| violation of the Computer Misuse Act 1990.
|
| It's very easy to forget such laws exist because 99.99% of
| cybercrime goes unpunished - but that's for small victims,
| with hard-to-find attackers who are likely beyond the
| police's jurisdiction. If the 'victim' is an important
| government department, and you are within the police's
| jurisdiction, you could be one of the few people to actually
| face punishment - unjust though that may seem.
| secstu wrote:
| The NCSC also has a similar service to the Canadian approach
| you mention, Protected DNS -
| https://www.ncsc.gov.uk/information/pdns
|
| I believe CISA in the US has something similar too.
| [deleted]
| [deleted]
| pvg wrote:
| _Active scans by government seems a bit like domestic
| intelligence collection._
|
| This is like saying foot patrols are a bit like SWAT raids.
| They are, a bit, but they are a lot more than a bit entirely
| unlike them.
| politelemon wrote:
| Scanning web _sites_ hosted in the UK. Scanning the web server
| implies their software is running on the server OS.
| iso1631 wrote:
| If I ping a server it doesn't mean my software is running on
| it.
| amelius wrote:
| They should do this for privacy violations too.
| LinuxBender wrote:
| Good on them. They should get an account on shodan.io [1] and
| pull in all that existing data whilst they are at it.
|
| [1] - https://www.shodan.io/
| mike_d wrote:
| There are already a handful of organizations that scan the
| entire internet and feed the data to western governments.
|
| You can poke around at https://viz.greynoise.io/ to see who is
| doing what.
| jokabrink wrote:
| > feed the data to western governments
|
| It is ironic that the very link [1] you provided proves you
| wrong. The top 5 countries of origin doing IP scanning in the
| last seven days are China (120k), India (67k), US (52), Iran
| (44k), and Russia (27k).
|
| - [1] https://viz.greynoise.io/query/?gnql=last_seen%3A7d
| acdha wrote:
| That doesn't mean they're wrong: it just says that other
| people scan the internet, too, which nobody would argue.
| _0ffh wrote:
| Right, also the source IP of a port scan doesn't say
| anything about who has initiated that scan. If I were a
| state actor, I'd do my port scanning from machines in a
| different jurisdiction for sure.
| underdeserver wrote:
| The UK government seems to be doing the right thing in IT, again
| and again.
| mnd999 wrote:
| Probably breaking their own 'Computer Misuse Act' in the
| process though.
| switch007 wrote:
| I'm not sure we've invented a measurement sufficiently small
| to measure how little recent governments have cared about
| breaking the law.
| denton-scratch wrote:
| That'll be the Planck shit-given unit.
| mijoharas wrote:
| I believe Alex Van Someran recently took over as head of the UK
| NCSC. He's someone that I trust to make the right decisions, so
| I'm quite glad of this fact.
|
| (NOTE: I have no idea if this specific link is related to Alex
| or anything he's done)
| core-utility wrote:
| Agreed, but if the US Government were doing this there would be
| outcry of "spying" and "Government overreach". And before
| anyone says that the US Gov has lost its trust, let me remind
| you that UK has GCHQ.
| alias_neo wrote:
| NCSC is the public "arm" of GCHQ, they provide cyber-security
| guidance to businesses and the general public etc. They are a
| great source of information for current best-practice
| regarding cyber security.
| xav0989 wrote:
| NCSC is GCHQ
| torpid wrote:
| Sure, if you value authoritarianism and an intrusive nanny
| state. The government jiggling the door handles of everyone's
| house to see if it's unlocked crosses a huge line.
| noja wrote:
| "nanny state" is a purposefully skewed statement that pre-
| presumes that doing something for the common good is always
| bad. It's a lazy way of not making an argument.
|
| Why is scanning web servers for vulnerabilities bad?
| torpid wrote:
| Why is asking for permission first bad? The CISA does this
| very thing, but businesses have to explicitly ask first and
| consent unlike the UK. That's the difference between a
| nanny state policy and one that respects choice and the
| property rights of others.
| userbinator wrote:
| "common good", aka socialism...
|
| We already know where that path leads, thanks to countries
| like the former USSR and China. Do not want!
| raverbashing wrote:
| Yeah, scanning for vulnerabilities in a controlled way
| isn't bad
|
| I suspect those opposing it are the ones that eventually
| get caught with glaring vulnerabilities and then we have to
| hear BS like "they care for security and privacy" when they
| didn't even use password hashes
| pbhjpbhj wrote:
| >Why is scanning web servers for vulnerabilities bad? //
|
| Not the OP.
|
| I think it's fine in general with one big proviso, that
| they change the law first to make it lawful.
|
| With a different government it would look more benevolent,
| with the current government growing ever-more fascist--
| having now found a surreptitious way to ditch the ECHR, for
| example--it gets somewhat worrying.
| archsurface wrote:
| "pre-presumes that doing something for the common good is
| always bad"
|
| No, it refers to a state that is intrusive into personal
| choices.
|
| "pre-presumes"?
| bee_rider wrote:
| Some weaknesses of the computer system intrusion/house
| intrusion analogy:
|
| * It is pretty obvious to the user if their door is locked,
| so they don't _need_ pentesters to help them figure it out.
|
| * Houses aren't under attack from the entire planet at all
| times.
|
| * It's not that uncommon to have circumstances arranged such
| that if someone _does_ barge into your house, you know about
| it.
|
| If the local government wanted to do something that is closer
| to what's going on here -- maybe go door to door offering
| a security assessment for non-obvious stuff -- that might be
| a well-received service.
| thebruce87m wrote:
| That's an incredible take on this. What's the alternative?
| Leave everyone to defend themselves against foreign
| governments trying to steal IP?
| denton-scratch wrote:
| > jiggling the door handles of everyone's house to see if
| it's unlocked crosses a huge line
|
| Is it, in your view, better that criminals jiggle the
| handles?
|
| They're maintaining a vulnerability database. That's like
| what CERTs do. It's analogous to maintaining a database of
| safe foodstuffs or drugs.
| torpid wrote:
| Jiggling door handles without consent is a de facto criminal
| act. It's no different if I tried to pick your wallet as
| you walked down the street and said, "better me than a
| criminal..." then flashed my badge.
|
| CISA will jiggle your door handles for free, if you ask and
| consent first. Web server operators who aren't asking for
| vuln assessments aren't apt to keep them regularly patched
| to begin with.
| denton-scratch wrote:
| > Jiggling door handles without consent is a de facto
| criminal act.
|
| Connecting to a webserver using HTTP is not a criminal
| act, under any colour of the law. If you have a listening
| port open to the internet, you are inviting connections.
|
| Picking pockets is stealing; this is more like saying
| "Hello!" to someone who is standing in their own open
| doorway, and observing their response.
|
| I don't think there's anything in the article about this
| programme providing server operators with reports.
| They're not trying to save operators from themselves.
| IshKebab wrote:
| I'd say they aren't doing it wrong 100% of the time. They still
| massively cock up from time to time, e.g. their anti-encryption
| campaigns, the stupid attempt to require ID for porn, the
| disastrous NHS digitisation.
|
| But the gov.uk website is pretty good and they did replace IT
| with computing in schools.
| hanoz wrote:
| Now there's a sentence I never thought I would read.
| TheRealPomax wrote:
| "As part of the NCSC's mission to make the UK the safest place to
| live and do business online" those are pretty wildly disparate
| goals. Why would those two things be under the same agency at
| all?
| mytailorisrich wrote:
| 'Online' applies to both 'live' and 'do business' in the
| sentence above.
|
| Their mission is to make online activities safe.
| xg15 wrote:
| cue star wars meme
|
| to assist the scanned site with fixing the vulnerabilities,
| right?
| decide1000 wrote:
| How can one get all the active IPs within the borders of a
| country? Is there a database for this?
| treffer wrote:
| Scanning only needs to know the potential IPs, not the active
| ones.
|
| And you might be interested in the IP space of all UK entities.
|
| If you put it this way then the problem becomes way easier.
| Just check public ip databases for AS and technical contact.
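The comment above describes the first step of any national scan, and the same step is useful to a defender who wants to know whether their own address space falls inside what such a scan covers: enumerate the blocks an RIR has delegated to a country. The example below is added here and is not code from anyone in the thread or from NCSC. It parses the `delegated-extended` statistics format that RIPE NCC publishes (one record per line, fields `registry|cc|type|start|value|date|status|opaque-id`, where for `ipv4` records `value` is a count of addresses that need not be a power of two). The sample records, block sizes and opaque ids are constructed, and the function names are this example's own.

```python
import ipaddress
from typing import List

# Constructed sample in the RIR "delegated-extended" format. The header line,
# the summary line, the blocks and the opaque ids are made up for this
# example; a real file from RIPE NCC has tens of thousands of records.
SAMPLE_DELEGATED = """\
2|ripencc|1667520000|7|19990101|20221104|+0100
ripencc|*|ipv4|*|3|summary
ripencc|GB|ipv4|2.24.0.0|524288|20100618|allocated|example-1
ripencc|GB|ipv4|5.62.0.0|3072|20120530|allocated|example-2
ripencc|DE|ipv4|5.9.0.0|65536|20120417|allocated|example-3
ripencc|GB|ipv6|2a00:1098::|32|20081201|allocated|example-4
ripencc|GB|asn|2856|1|19930101|allocated|example-5
"""


def country_ipv4_blocks(text: str, cc: str = "GB") -> List[ipaddress.IPv4Network]:
    """Return the IPv4 blocks delegated to country code `cc` as CIDR networks.

    A record whose address count is not a power of two (3072 in the sample)
    is split into the minimal list of CIDRs covering the same range.
    Header, summary, ipv6 and asn records are skipped.
    """
    blocks: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # The header line has a version number in field 0 and the registry
        # name in field 1; summary lines carry '*' as the country code. Both
        # fail the cc/type check below and are skipped.
        if len(fields) < 7 or fields[1] != cc or fields[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])
        last = start + (count - 1)
        blocks.extend(ipaddress.summarize_address_range(start, last))
    return blocks


def in_country_space(blocks: List[ipaddress.IPv4Network], ip: str) -> bool:
    """True if `ip` lies inside any of the delegated blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in blocks)


def total_addresses(blocks: List[ipaddress.IPv4Network]) -> int:
    """Number of addresses a scan of these blocks would have to cover."""
    return sum(net.num_addresses for net in blocks)


if __name__ == "__main__":
    gb = country_ipv4_blocks(SAMPLE_DELEGATED, "GB")
    for net in gb:
        print(net)
    print("addresses:", total_addresses(gb))
    print("5.62.9.1 in GB space:", in_country_space(gb, "5.62.9.1"))
```

Running it on a real delegated file tells you how many addresses a country-wide sweep has to touch (which is why the thread's ZMap estimate is plausible) and lets you check whether a given server sits inside that space. Note that RIR country codes record the registrant's country, not where a host is physically located, so a UK company's cloud instance may well be outside these blocks.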
| dekken_ wrote:
| https://lite.ip2location.com/united-kingdom-of-great-britain...
| SXX wrote:
| Within IPv4 address space you can certainly do it in a day
| using $100 dedicated server on Hetzner and ZMap.
| mantas wrote:
| In my case it was out-of-country website with a local TLD.
| mr_gibbins wrote:
| All connections are made using one of two IP addresses:
|
| 18.171.7.246 35.177.10.231
|
| Block these IPs.
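Whether or not one blocks the two addresses quoted above, the more useful thing to do with them is to recognise them in web server logs, so that a scanner request which got a 2xx from something you did not mean to expose stands out from ordinary traffic. The example below is added here and is not code from the thread or from NCSC: it parses Apache/nginx "combined" format lines, keeps only the requests from the quoted scanner addresses, and reports which paths they could reach. The log lines, paths, timestamps and user agent strings are constructed for the example and are not what the scanner actually sends.

```python
import re
from typing import Dict, Optional

# Scanner source addresses as quoted in the thread.
NCSC_SCANNER_IPS = {"18.171.7.246", "35.177.10.231"}

# Constructed "combined" log format lines. Paths, sizes and user agents are
# made up; the last line is deliberately malformed to exercise the parser.
SAMPLE_ACCESS_LOG = """\
18.171.7.246 - - [04/Nov/2022:17:03:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "example-scanner-ua"
203.0.113.7 - - [04/Nov/2022:17:03:12 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
35.177.10.231 - - [04/Nov/2022:17:03:13 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "example-scanner-ua"
18.171.7.246 - - [04/Nov/2022:17:03:14 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "example-scanner-ua"
garbage line that does not parse
"""

# client ip, identd, user, [timestamp], "METHOD path version", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scanner_activity(log_text: str, scanner_ips=NCSC_SCANNER_IPS) -> Dict[str, dict]:
    """Summarise requests from the known scanner addresses.

    Returns {ip: {"requests": n, "paths": [...], "reachable": [...]}}, where
    "reachable" lists the paths that answered with a 2xx/3xx, i.e. the ones
    the scanner could actually reach and that merit a second look.
    """
    out: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] not in scanner_ips:
            continue
        entry = out.setdefault(rec["ip"], {"requests": 0, "paths": [], "reachable": []})
        entry["requests"] += 1
        if rec["path"] not in entry["paths"]:
            entry["paths"].append(rec["path"])
        if rec["status"] < 400 and rec["path"] not in entry["reachable"]:
            entry["reachable"].append(rec["path"])
    return out


if __name__ == "__main__":
    for ip, entry in scanner_activity(SAMPLE_ACCESS_LOG).items():
        print(ip, entry["requests"], "requests; reachable:", entry["reachable"])
```

In the constructed sample the scanner's request for `/admin/` got a 200, which is exactly the kind of line this report is meant to surface; a 404 for `/.git/HEAD` is the expected, uninteresting outcome. The same structure works for any other scanner source list you maintain.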
| acdha wrote:
| Why? That won't stop anyone malicious -- wouldn't your time be
| better spent making your services more secure?
| alias_neo wrote:
| Do you not think this is an excellent public service they're
| providing?
|
| If NCSC scan my systems for vulnerabilities, they're unlikely
| to exploit them, and they'll (somehow?) attempt to notify me of
| the risk.
|
| I'm curious which systems they scan; cloud systems only? Will
| they scan the stuff I host at home too?
|
| Would be nice if they'd give us some of the tools to run
| ourselves; anyone know if it's on their GitHub?
| bayindirh wrote:
| Turkey also does the same. You get vulnerability reports.
| matthews2 wrote:
| Hopefully it's slightly less pathetic than the "Police
| CyberAlarm".
|
| https://paul.reviews/police-cyberalarm-abysmal-security-yet-...
| https://scottarc.blog/2022/07/04/police-cyberalarm-uses-alar...
| maurits wrote:
| The Swiss do it too. I got a very polite email in 4 languages.
|
| ps: Anybody? [1]
|
| [1] https://serverfault.com/questions/1112995/prevent-the-git-di...
| leononame wrote:
| Just a wild guess: location ~ /\.git.*
|
| i.e., add a .* to the end so that it matches anything coming
| after .git
| no-dr-onboard wrote:
| Anyone who has worked with Chinese companies operating within
| China can tell you that very similar laws were enacted a year
| ago. The CCP has a law that any vulnerabilities made aware to
| private companies need to be disclosed to the federal government.
| This was done in the name of "national security". IMO, this seems
| to be a more veiled version of that same mindset.
|
| http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm
| https://www.cpomagazine.com/cyber-security/is-china-looking-...
| adamckay wrote:
| This is the opposite, though.
|
| It's a part of the UK's security services running scans for
| vulnerabilities they already know about to tell you that you've
| got an issue.
| franga2000 wrote:
| I was about to say how great I think that law is, but then I
| checked the link you provided...
|
| > anything discovered in the country must now be reported to
| the CCP *and to no one else* (in most cases).
|
| The "no one else" part is terrible and completely changes the
| story. However, I do generally support a "tell the government
| about discovered vulnerabilities" law. Ideally, the government
| would then inform affected users and investigate whether the
| vuln could be considered negligence and the company prosecuted.
|
| I've been in a few situations where I reported very easily
| exploitable vulns that leaked sensitive user data and in all
| cases, I couldn't for the life of me convince the companies to
| disclose the leak. Yes, I could've gone public myself where I
| didn't have a contract, but I would've 100% ended up in jail
| for some poorly defined crime of "hacking".
| LightG wrote:
| Yes, I'm sure they're just scanning for vulnerabilities ...
| geek_at wrote:
| Funny enough I did a similar thing for my country (Austria).
| Found quite a few strange things and even made a collage of
| screenshots of all webservers hosted in Austria -
| https://blog.haschek.at/2019/i-scanned-austria.html
| ultra_nick wrote:
| Where did you find an index of all of your country's websites?
| treesknees wrote:
| To be clear, they said "web servers" not "websites". They
| just pulled a list of all public IP blocks registered to the
| country and opened port 80/443 on each IP address and took a
| screenshot. It's by no means a list of the websites hosted on
| those servers.
|
| You could get somewhat closer by inspecting public DNS
| records for those IP addresses and then attempting to load
| each site by DNS name, but it still wouldn't be a complete
| index of all websites in the country. I'm thinking that's
| impossible to collect, or at least very nearly.
| EthicalSimilar wrote:
| You didn't open the post, did you?
| funshed wrote:
| Sounds like low hanging fruit scans.
| OnlyMortal wrote:
| Yup. When I worked in "secret" level security, we'd often have an
| email circulation from "someone I can't name" about potential
| vulnerabilities in software "I'm not allowed to talk about".
|
| But, at least at some level, this is true.
| keepquestioning wrote:
| How do they find all web servers?
| iso1631 wrote:
| for NET in $UK_NETS; do nmap -p 80,443 $NET; done
| [deleted]
| benbristow wrote:
| Got something similar here in the UK also. I once had a Linux
| server box running on my DMZ, got a few physical letters from my
| residential ISP (Virgin Media UK) saying they detected some open
| port that was recommended to be closed (Think it was NetBIOS
| port).
|
| Might have been part of this scheme.
|
| Don't have that box anymore (was around 5 years ago) or a PC on
| the DMZ so haven't received any since.
| denton-scratch wrote:
| > Might have been part of this scheme.
|
| I doubt it. Network operators like Virgin have very good
| business reasons to ensure their own network isn't infested
| with computers running services like NetBIOS, which has no
| business being exposed on the internet (it is rather verbose,
| and completely useless outside of a LAN).
| bitL wrote:
| Germany is doing the same, Hetzner customers get emails from
| government pentests if they find something.
| WesolyKubeczek wrote:
| Also, I've got an email about any freshly imaged Mac Mini from
| Hetzner. Turns out macOS runs with legacy netbios ports open to
| the wide world by default, but to disable that service, you
| have to unload a service via Terminal. There's no prefpane for
| that.
| sam_lowry_ wrote:
| I received their emails a couple of times.
|
| Not sure if a cost-benefit analysis would find such ops
| positive for the society.
|
| Think of the time wasted by people who read such emails vs the
| money spent protecting from attacks.
|
| Factor in the cost to the taxpayer.
|
| That's a good topic for a Master thesis in Economics.
|
| Anyone interested?
| godelski wrote:
| Does anyone remember that hacker that scanned printers and if
| they found a vulnerability they exploited it to print out a
| warning to the owner of said vulnerability? I think they patched
| it too?
|
| Edit: Looks like it has happened more than once
|
| https://cybernews.com/security/we-hacked-28000-unsecured-pri...
|
| https://www.bleepingcomputer.com/news/security/a-hacker-just...
| coretx wrote:
| That happened over 9000 times. Fun fact: Some are print server
| appliances, no patches or updates for some of those available
| as they are EOL - but still in use...
| 2Gkashmiri wrote:
| waiting for india to implement something similar for seemingly
| benign reasons like vulnerability and code quality and
| immediately use it to find critics and hang them. heck, a guy was
| sentenced for 5 years over a facebook post.
| bhaskara2 wrote:
| > 2Gkashmiri Stop lying and not relevant, you clearly came here
| with an agenda.
| pessimizer wrote:
| Scanning for vulnerabilities won't help you find critics. If
| you wanted to look for critics, you would scan for critics.
| AtNightWeCode wrote:
| Cool. But in most cases you need to get behind services like
| Cloudflare.
| hannesm wrote:
| srsly it's 2022 and they only have legacy IP and no IPv6?
| Waterluvian wrote:
| I once ranted loudly that governments should be doing this for
| free. That governments should be assembling the best team of
| pentesters to pentest everything they can possibly find within
| their jurisdiction.
|
| I love seeing this.
| godelski wrote:
| I've also ranted about this, and how it should be one of the
| NSA's top priorities (including doing it for our allies).
|
| It's interesting because there are two main methods for what to
| do when you find a vulnerability: 1) hold onto it so you can
| later use it as a weapon or 2) disclose it and patch it. The
| offensive method has problems because as soon as you use it you
| are disclosing it. It also has the issue that your enemies may
| be able to (are likely to) find the same vulnerability and
| exploit it first. But the second method means you're losing
| your weapons but instead gaining a shield.
|
| As I see it, the shield is a lot bigger and has far higher
| utility. But part of that is that I see democracies as having
| differing vulnerabilities than autocracies. Attacking
| autocracies is more spear phishing, very directed attacks on
| the specific people that control power. But attacking
| democracies is in some sense easier (and in another sense
| harder) because more power is held by the average person.
| People who are more vulnerable to manipulation, especially at
| the large scale. But now we're edging into the data privacy
| domain and that's probably out of scope here.
|
| I really think there should be a very strong blue team effort
| by these organizations. I am okay holding on to a specific
| vulnerability if you're going to attack a specific person in
| the "immediate" future, but these agencies should also be
| working with companies to patch these vulnerabilities. That is
| the government providing a social good. You know, the reason we
| have the social contract and government in the first place.
| Waterluvian wrote:
| This just made me think of something I need to look up now.
|
| Allied nations regularly perform war games for practice. What
| about cyber war games?
| godelski wrote:
| Let me know the answer. Because I feel like that should
| definitely be part of it. Though there's some very
| concerning aspects of lack of defense for national
| infrastructure things like power grids. So I doubt it is
| being taken seriously, or as seriously as it should be.
|
| I really do think a country should be proactively red
| teaming its own infrastructure and repairing any holes it
| finds. But it doesn't seem like the best interest of people
| who are more focused on offensive techniques.
| RajT88 wrote:
| Yes. Because when private individuals or companies do it
| unbidden, lawsuits fly in order to save face.
|
| When you are found out by the government, you're going to think
| really carefully about frivolous lawsuits to save face.
| chmod775 wrote:
| I know Germany provides the same service as well, but I don't
| know how fleshed out it is really. So far all the mails they sent
| me have been not _very_ helpful.
| danudey wrote:
| Canada does the same thing, they actually found a memcached
| instance of ours on a dev VM that was accidentally exposed to
| the internet.
| maptime wrote:
| From personal experience this is a fantastic service for gov
| entities
|
| For those not aware, UK gov has pretty world leading tech
| services, the best example is the UX of the main sites like car
| tax
| anonymousDan wrote:
| Sounds like a good service for a national security service to
| provide (in comparison to finding more ways to spy on us).
| pessimizer wrote:
| Why isn't the US doing this?
| luch wrote:
| Word on the grapevine is saying that Google is doing similar.
| One of the "perk" of being a well-known DNS resolver
| (8.8.8.8) is getting an early notification whenever a server
| goes "online" on the internet.
| DaiPlusPlus wrote:
| > is getting an early notification whenever a server goes
| "online" on the internet.
|
| Please elaborate.
| doorsopen wrote:
| Someone types in your new server/domain, like
| "ijustmadethissite.com", or
| "newlocation.existingsite.com"
|
| For their computer to resolve this domain name, it's
| going to call out to a DNS server, of which Google hosts
| a major one. It can be assumed that they log these names,
| and can then use that as a "notification" for a site
| coming up.
| SteveNuts wrote:
| But what does that have to do with scanning webservers
| for vulnerabilities, do they do something with the "newly
| seen sites", and if so is it documented what they do for
| scanning?
| lozenge wrote:
| Because if the vulnerability involves an HTTP request,
| then the Host header needs to have the domain name of the
| target website.
|
| So you need: IP address and port for the TCP headers, and
| the domain name to go in the TCP packet content.
|
| One example of a vulnerability would be having phpMyAdmin
| with a database password hardcoded and no login needed.
| Without the domain name it would still be impossible to
| access. (Of course, domain names shouldn't be considered
| secret so this would be a very insecure setup.)
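The point made above, that an IP-and-port scan cannot reach a name-based virtual host unless it also knows which `Host:` value to send, is easy to see with a request parser and a virtual-host table. The example below is added here and is not code from the thread; the virtual-host names, the request bytes and the routing function are constructed for illustration, following what nginx and Apache do when several sites share one address (the request is dispatched on the `Host` header, and an unknown or missing name falls through to the default server).

```python
from typing import Dict, Tuple

# Constructed virtual-host table: two sites share one IP address. The
# "admin" site stands in for the unauthenticated admin panel discussed
# above; nothing here is a real site.
VHOSTS: Dict[str, str] = {
    "shop.example": "public storefront",
    "admin.example": "admin panel that relies on its name not being known",
}
# What the default server answers when the Host header names no known site.
DEFAULT_RESPONSE: Tuple[int, str] = (404, "default server: no such site")

# Three constructed HTTP requests sent to the same IP address and port.
REQUEST_BY_IP = (b"GET /index.php HTTP/1.1\r\n"
                 b"Host: 203.0.113.10\r\n"
                 b"User-Agent: example-scanner\r\n\r\n")
REQUEST_BY_NAME = (b"GET /index.php HTTP/1.1\r\n"
                   b"Host: admin.example\r\n"
                   b"User-Agent: example-scanner\r\n\r\n")
REQUEST_NO_HOST = b"GET /index.php HTTP/1.0\r\n\r\n"


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path, lower-cased headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def route(raw: bytes) -> Tuple[int, str]:
    """Dispatch a request the way a name-based virtual host setup does.

    The decision depends only on the Host header, which travels in the TCP
    payload; the destination IP and port say nothing about which site the
    client wants.
    """
    _method, _path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if host in VHOSTS:
        return 200, VHOSTS[host]
    return DEFAULT_RESPONSE


if __name__ == "__main__":
    for label, req in [("by IP", REQUEST_BY_IP), ("by name", REQUEST_BY_NAME),
                       ("no Host", REQUEST_NO_HOST)]:
        print(label, "->", route(req))
```

A scan that only knows the address sees the default server's 404 for every request, while the same request with the right `Host` reaches the admin site, which is why scanners pair address lists with DNS, certificate transparency logs and similar name sources. It is also why a site that depends on its name not being guessed is not protected at all: the name is sent in clear on every request and will eventually be observed.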
| lstamour wrote:
| True, they have a DNS resolver, but they also have
| Chrome. And the Certificate Transparency list. Google
| Analytics. And so on...
| hkt wrote:
| I'd never considered the value all those things have when
| it comes to finding out what to index. Clever, actually.
| [deleted]
| yeuxardents wrote:
| The US does do this, it is offered as part of security
| hygiene.
|
| https://www.cisa.gov/cyber-hygiene-services
| Zamicol wrote:
| Looks like it's offered only to "critical infrastructure
| organizations".
| yeuxardents wrote:
| Correct
|
| "Who can receive services? Federal, state, local, tribal
| and territorial governments, as well as public and
| private sector critical infrastructure organizations."
|
| However, methinks US definition of critical
| infrastructure organizations, both public and private,
| will be quite broad.
| Consultant32452 wrote:
| Way back in the early 2000s the FBI contacted a company I was
| working for to inform us that someone was hosting Disney
| movies on our servers. So something like this is at least
| sort of happening.
| l33t233372 wrote:
| I don't know if copyright protection is the same as
| penetration testing.
| fragmede wrote:
| [deleted]
| bobsmith432 wrote:
| So nobody should pay for anything? I pirate tons of stuff
| and still pay for things that I think are worthy of my
| payment
| woodruffw wrote:
| I would be surprised if this was the result of active
| scanning. It's more likely the FBI received a report from
| someone, and just forwarded it along.
| 0xbadcafebee wrote:
| Disney: "Hey FBI, this server is pirating us, plz 2
| takedown tyvm"
| GartzenDeHaes wrote:
| I think it's illegal under the Computer Fraud and Abuse act.
| Also, what should the government do when it finds something?
| What if the site operators are unresponsive or cannot be
| contacted? There are a lot of practical problems.
| l33t233372 wrote:
| Does CFAA restrict government interactions?
|
| If the site operators are unresponsive then that sucks, but
| it would still help secure those that are responsive.
| pessimizer wrote:
| > I think it's illegal under the Computer Fraud and Abuse
| act.
|
| Things that are illegal for individuals to do aren't
| necessarily illegal for governments to do. This is a reason
| why the government should be _vigorously_ doing this,
| rather than leaving it to private citizens, who risk being
| charged under the Computer Fraud and Abuse Act.
|
| -----
|
| > Also, what should the government do when it finds
| something?
|
| It should contact the site operator.
|
| -----
|
| > What if the site operators are unresponsive or cannot be
| contacted?
|
| I would imagine that in the case that site operators
| couldn't be contacted, they wouldn't be contacted.
| iot_devs wrote:
| I mean... They could at least try to contact the operator.
| noodlesUK wrote:
| Something tells me that even with the somewhat stretched
| version of extraterritoriality that the US claims about
| laws like CFAA, they wouldn't try applying that to their
| closest intelligence/defence partner country operating
| largely domestically...
| jrockway wrote:
| > What if the site operators are unresponsive or cannot be
| contacted?
|
| This seems like only a minor problem. If people are
| unresponsive, then oh well, they tried to tell you you're
| hacked. If the site owner cannot be determined, they can
| email your ISP. This seems to work well for "one of your
| customers is torrenting movies", and since every ISP is
| known by definition (thanks, IP addresses), it should be
| fairly straightforward to get that message to the actual
| customer. (Send it with the invoice; if the customer
| doesn't pay invoices, then it's easy to resolve the hacked
| site. You were shutting them off anyway.)
| fragmede wrote:
| Everything's illegal under the CFAA. It's an old bad
| overreaching law that should be repealed. The government
| rarely prosecutes itself though, so that's no reason why.
| Unfortunately, the culture in the US is such that the
| populace would _freak out_ if the government tried to do
| such a thing, never mind practical surmountable issues.
| denton-scratch wrote:
| The way I read the article, they're actually collecting
| vulnerability information. So they check a site with
| Version X running on it, and detect the vuln; then they
| later see Version Y, without the vuln, and update their
| vulnerability database.
|
| Nothing in the article suggests that they contact site-
| owners (I haven't re-read the article, so might be wrong).
|
| I'm not sure why you think it's a potential violation of
| CFAA to connect to a public server and probe it. There's no
| suggestion of unauthorized access; that would involve
| _exploiting_ vulnerabilities they find, and that _would_ be
| unauthorized access.
| yellow_lead wrote:
| Too busy spying on citizens. And maybe they want to use vulns
| for their own gain.
| [deleted]
| neets wrote:
| Maybe it has something to do with the Nord Stream pipeline,
| maybe it doesn't
| Ptchd wrote:
| But, do they tell you about the vulnerabilities before they
| exploit them?
|
| Maybe they put it like this to exempt themselves...
| onetimeusename wrote:
| I have some doubts. For example, if they are just outputting
| the scan results from some tool with a high false positive
| rate, how is that helpful? It's a waste of time and money for
| the government. Bug bounty programs have the same issue that
| probably most bugs found are trash results from a scanning
| tool.
|
| On the other hand, a custom built tool that tries to find the
| most serious known vulnerabilities with a low false positive
| rate would probably be a good thing for the government to run.
| fao_ wrote:
| I'd imagine part of the job of the people working there would
| be to limit the number of false positives.
| doubled112 wrote:
| Could be, but it is certainly not how it works at my org.
| ygjb wrote:
| What scale does your org function at?
| pessimizer wrote:
| So if they use a bad tool, it would be bad, but if they use a
| good tool it would be good?
| onetimeusename wrote:
| correct. fortunately, the sales person from the security
| vendor, the media, and the public officials are aware of
| this constraint.
| hsbauauvhabzb wrote:
| There are no good tools. Just a bunch of shady vendors.
| marricks wrote:
| Why not both? They will never tell you the unsavory things
| they're doing. At least, not without coercion.
| [deleted]
| verisimi wrote:
| I think you misunderstand.
|
| I'm reading that the UK government is spying on us, and their
| retrospective plausible excuse is that they are scanning web
| servers for, erm, vulnerabilities.
|
| No, I don't think that the government is here to help. It
| allows itself only to maintain force, that it then uses to
| forcibly extract wealth from its herd, er, sorry citizens.
| archsurface wrote:
| The downvoting tells us about the crowd, not about your
| comment.
| jodrellblank wrote:
| It tells you that the crowd don't want to read
| unsubstantiated cynicaler-than-thou hot takes on HN.
|
| Downvoting "It's raining because Soros and his globalist
| Jewish cabal control the weather" does not mean I disagree
| _that it's raining_ but the edit always comes in
| [downvoters can't handle the TRUTH, stay classy HN] or
| similar.
|
| e.g. how is scanning for vulnerabilities "spying on us"?
| How is scanning for vulnerabilities "forcibly extracting
| wealth"? How is informing people of vulnerabilities "not
| here to help"? It's a thinly disguised flamewar comment,
| not a comment on the topic.
| 988747 wrote:
| >> e.g. how is scanning for vulnerabilities "spying on
| us"?
|
| To play Devil's advocate: once you discover a
| vulnerability you always have two options: report it and
| have it fixed, or exploit it for your own gain. You
| charitably assume that government is somehow obligated to
| choose the former, while in reality in some cases it might
| choose the latter.
| hkt wrote:
| This is a fair point - in organisational terms it'd be better
| if NCSC was under a non-ministerial body, independent of
| political influence and control. Similar format to a
| university, maybe.
| robotresearcher wrote:
| The bulk of UK government revenues are dispersed to the sick
| and poor, and to educate children. Iron-fisted despots.
|
| https://yougov.co.uk/topics/politics/articles-reports/2014/1...
| stuaxo wrote:
| Depends what they do when they find a vuln, there is incentive
| to not always reveal it.
| nonrandomstring wrote:
| Well, as tradition I maintain a watch on postmaster and
| webmaster at... so I'd hope for a friendly heads-up.
| Basically well done.
| belter wrote:
| In Germany the BND does this. You get an annoying email from
| them if they find UDP ports available for an amplification
| attack on your Linux server...
| Tomte wrote:
| Are you sure that it's not BSI?
| belter wrote:
| You are correct, it's the BSI.
| hkt wrote:
| Hah - one of my first ever network programming tasks was to
| do this at a UK hosting company. That and SMTP relays. Good
| that (some) governments are wise enough to try to keep this
| sort of thing in check.
|
| I hope they aren't using a perl script triggered by a cronjob
| on a hand-rolled VM though..
| nhanhi wrote:
| Did that company happen to be fast?
| mtmail wrote:
| It's the BSI (https://en.wikipedia.org/wiki/Federal_Office_for_Information...)
| and I found the one warning I got years ago
| useful. ElasticSearch open default port I think.
| hannob wrote:
| Not as annoying as getting DDoS'ed with amplification attacks
| because some people can't properly configure their servers...
| (Also I doubt the BND does this, as another commenter pointed
| out.)
| treesknees wrote:
| That depends on whether the BND are testing that it could
| be used in an attack, or just seeing a port is open. Having
| UDP/11211 could mean you're running a vulnerable memcached
| service, but not necessarily so.
| belter wrote:
| As others pointed out, it's indeed the BSI not the BND.
| Sorry for the confusion.
| mantas wrote:
| Old news?
|
| Few years ago I got a similar notification. A government agency
| here in Lithuania was happy to remind that my wordpress instance
| was outdated.
| blitzar wrote:
| _" We have received a notification from the German Federal
| Office for Information Security (BSI) for (the IP address of) a
| server you have with us.
|
| Access to a MongoDB server should be restricted to trusted
| systems (for example, the related web application server)."_
|
| My mongodb had auth - but the port was open.
| nix23 wrote:
| UK Government also scans all internet traffic and saves it for 3
| days.
| IndigoIncognito wrote:
| Good to know where my tax money is going
| BurningFrog wrote:
| I always wonder how much of the bandwidth in the world is used
| to spy on the "regular" traffic.
|
| I suspect it's well over 50%. I mean, the UK is far from the
| only power capturing all our traffic.
| RadiozRadioz wrote:
| Given the percentage of global internet bandwidth that is
| video streaming, and the immense expense that entails, I find
| your >50% figure hard to believe.
| dagenix wrote:
| Citation?
| damagednoob wrote:
| "Valuable data can be kept for three days, and metadata for
| 30 days. One leaked document states that all metadata is
| usually kept: 'we pull in everything we see'."
|
| https://www.amnesty.org.uk/why-taking-government-court-mass-...
| InCityDreams wrote:
| I have a sneaking suspicion it's somewhat more than three days.
| Unless ISPs are in on the game and keeping traffic/logs for
| greater than the three.
| dwheeler wrote:
| I wonder how effective this is. The text suggests that the only
| thing that they look for is a version statement of a major
| component, which they then compare to known vulnerable
| components. That could be somewhat helpful, but a lot of
| vulnerabilities won't be detected by that process. Does anyone
| know if they do more?
| anonymousDan wrote:
| I think this kind of service should be heavily skewed to favour
| false negatives instead of false positives.
___________________________________________________________________
(page generated 2022-11-04 23:00 UTC)