[HN Gopher] UK Government scans all web servers hosted in the UK...
___________________________________________________________________
UK Government scans all web servers hosted in the UK for vulnerabilities
Author : xrayarx
Score  : 250 points
Date   : 2022-11-04 17:03 UTC (5 hours ago)
(HTM) web link (www.ncsc.gov.uk)
(TXT) w3m dump (www.ncsc.gov.uk)
| motohagiography wrote:
| Taking responsibility for collecting and using vulnerability scan data in this case also means assuming authority to do so. A good test would be whether citizens are also free to inspect the vulnerabilities of government systems, or have a right to do so. If they don't, that's worth scrutinizing.
|
| Canada has a different approach, where institutions can sign up to using a federal DNS service provided through the domain registrar, which I interpret is not unlike 1.1.1.1 or 9.9.9.9, but with malware detection. I believe it's called Canadian Shield, and it's not active scanning, but rather passive collection from institutions that manage infrastructure.
|
| Active scans by government seems a bit like domestic intelligence collection. Given the technical capabilities of most of these agencies when they work with ISPs, hairpinning traffic from one of these scanned servers for inspection is trivial. Fine if the threat model involved exceptional cases with clear oversight, and individual decision accountability in response to ticking bomb situations, but the examples of how similar powers have been used in the past are so abundant that I'm having trouble remembering a situation where they were used to protect a mere citizen.
| zemnmez wrote:
| I can personally attest to the fact that yes, British citizens can assess vulnerabilities in UK government systems. This was something I worked with the UKNCSC on: https://www.ncsc.gov.uk/information/vulnerability-reporting
| motohagiography wrote:
| That's pretty cool. There are these pockets of really great public service internet services.
|
| Am I interpreting correctly that you can join HackerOne to do work on UK public service projects? I tried to get something like that done for a municipality and a province, where it was going to be a way to engage college students on doing vulnerability hunting on public infrastructure, but also use it as a recruiting pipeline to get people interested in public service.
| michaelt wrote:
| I can personally attest to the fact that if your uninvited assessment of vulnerabilities reaches the level of gaining unauthorised access to computer systems - i.e. if you find something and check it works - you are technically in violation of the Computer Misuse Act 1990.
|
| It's very easy to forget such laws exist because 99.99% of cybercrime goes unpunished - but that's for small victims, with hard-to-find attackers who are likely beyond the police's jurisdiction. If the 'victim' is an important government department, and you are within the police's jurisdiction, you could be one of the few people to actually face punishment - unjust though that may seem.
| secstu wrote:
| The NCSC also has a similar service to the Canadian approach you mention, Protected DNS - https://www.ncsc.gov.uk/information/pdns
|
| I believe CISA in the US has something similar too.
| [deleted]
| [deleted]
| pvg wrote:
| _Active scans by government seems a bit like domestic intelligence collection._
|
| This is like saying foot patrols are a bit like SWAT raids. They are, a bit, but they are a lot more than a bit entirely unlike them.
| politelemon wrote:
| Scanning web _sites_ hosted in the UK. Scanning the web server implies their software is running on the server OS.
| iso1631 wrote:
| If I ping a server it doesn't mean my software is running on it.
| amelius wrote:
| They should do this for privacy violations too.
| LinuxBender wrote:
| Good on them. They should get an account on shodan.io [1] and pull in all that existing data whilst they are at it.
|
| [1] - https://www.shodan.io/
| mike_d wrote:
| There are already a handful of organizations that scan the entire internet and feed the data to western governments.
|
| You can poke around at https://viz.greynoise.io/ to see who is doing what.
| jokabrink wrote:
| > feed the data to western governments
|
| It is ironic that the very link [1] you provided proves you wrong. The top 5 countries of origin doing IP scanning in the last seven days are China (120k), India (67k), US (52), Iran (44k), and Russia (27k).
|
| - [1] https://viz.greynoise.io/query/?gnql=last_seen%3A7d
| acdha wrote:
| That doesn't mean they're wrong: it just says that other people scan the internet, too, which nobody would argue.
| _0ffh wrote:
| Right, also the source IP of a port scan doesn't say anything about who has initiated that scan. If I were a state actor, I'd do my port scanning from machines in a different jurisdiction for sure.
| underdeserver wrote:
| The UK government seems to be doing the right thing in IT, again and again.
| mnd999 wrote:
| Probably breaking their own 'Computer Misuse Act' in the process though.
| switch007 wrote:
| I'm not sure we've invented a measurement sufficiently small to measure how little recent governments have cared about breaking the law.
| denton-scratch wrote:
| That'll be the Planck shit-given unit.
| mijoharas wrote:
| I believe Alex Van Someran recently took over as head of the UK NCSC. He's someone that I trust to make the right decisions, so I'm quite glad of this fact.
|
| (NOTE: I have no idea if this specific link is related to Alex or anything he's done)
| core-utility wrote:
| Agreed, but if the US Government were doing this there would be outcry of "spying" and "Government overreach". And before anyone says that the US Gov has lost its trust, let me remind you that UK has GCHQ.
| alias_neo wrote:
| NCSC is the public "arm" of GCHQ, they provide cyber-security guidance to businesses and the general public etc. They are a great source of information for current best-practice regarding cyber security.
| xav0989 wrote:
| NCSC is GCHQ
| torpid wrote:
| Sure, if you value authoritarianism and an intrusive nanny state. The government jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line.
| noja wrote:
| "nanny state" is a purposefully skewed statement that pre-presumes that doing something for the common good is always bad. It's a lazy way of not making an argument.
|
| Why is scanning web servers for vulnerabilities bad?
| torpid wrote:
| Why is asking for permission first bad? The CISA does this very thing, but businesses have to explicitly ask first and consent unlike the UK. That's the difference between a nanny state policy and one that respects choice and the property rights of others.
| userbinator wrote:
| "common good", aka socialism...
|
| We already know where that path leads, thanks to countries like the former USSR and China. Do not want!
| raverbashing wrote:
| Yeah, scanning for vulnerabilities in a controlled way isn't bad
|
| I suspect those opposing it are the ones that eventually get caught with glaring vulnerabilities and then we have to hear BS like "they care for security and privacy" when they didn't even use password hashes
| pbhjpbhj wrote:
| >Why is scanning web servers for vulnerabilities bad? //
|
| Not the OP.
|
| I think it's fine in general with one big proviso, that they change the law first to make it lawful.
|
| With a different government it would look more benevolent, with the current government growing ever-more fascist--having now found a surreptitious way to ditch the ECHR, for example--it gets somewhat worrying.
| archsurface wrote:
| "pre-presumes that doing something for the common good is always bad"
|
| No, it refers to a state that is intrusive into personal choices.
|
| "pre-presumes"?
| bee_rider wrote:
| Some weaknesses of the computer system intrusion/house intrusion analogy:
|
| * It is pretty obvious to the user if their door is locked, so they don't _need_ pentesters to help them figure it out.
|
| * Houses aren't under attack from the entire planet at all times.
|
| * It's not that uncommon to have circumstances arranged such that if someone _does_ barge into your house, you know about it.
|
| If the local government wanted to do something that is closer to what's going on here -- maybe go door to door offering a security assessment for non-obvious stuff -- that might be a well-received service.
| thebruce87m wrote:
| That's an incredible take on this. What's the alternative? Leave everyone to defend themselves against foreign governments trying to steal IP?
| denton-scratch wrote:
| > jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line
|
| Is it, in your view, better that criminals jiggle the handles?
|
| They're maintaining a vulnerability database. That's like what CERTs do. It's analogous to maintaining a database of safe foodstuffs or drugs.
| torpid wrote:
| Jiggling door handles without consent is a de facto criminal act. It's no different if I tried to pick your wallet as you walked down the street and said, "better me than a criminal..." then flashed my badge.
|
| CISA will jiggle your door handles for free, if you ask and consent first. Web server operators who aren't asking for vuln assessments aren't apt to keep them regularly patched to begin with.
| denton-scratch wrote:
| > Jiggling door handles without consent is a de facto criminal act.
|
| Connecting to a webserver using HTTP is not a criminal act, under any colour of the law. If you have a listening port open to the internet, you are inviting connections.
|
| Picking pockets is stealing; this is more like saying "Hello!" to someone who is standing in their own open doorway, and observing their response.
|
| I don't think there's anything in the article about this programme providing server operators with reports. They're not trying to save operators from themselves.
| IshKebab wrote:
| I'd say they aren't doing it wrong 100% of the time. They still massively cock up from time to time, e.g. their anti-encryption campaigns, the stupid attempt to require ID for porn, the disastrous NHS digitisation.
|
| But the gov.uk website is pretty good and they did replace IT with computing in schools.
| hanoz wrote:
| Now there's a sentence I never thought I would read.
| TheRealPomax wrote:
| "As part of the NCSC's mission to make the UK the safest place to live and do business online" those are pretty wildly disparate goals. Why would those two things be under the same agency at all?
| mytailorisrich wrote:
| 'Online' applies to both 'live' and 'do business' in the sentence above.
|
| Their mission is to make online activities safe.
| xg15 wrote:
| cue star wars meme
|
| to assist the scanned site with fixing the vulnerabilities, right?
| decide1000 wrote:
| How can one get all the active ip's within the borders of a country? Is there a database for this?
| treffer wrote:
| Scanning only needs to know the potential ips, not the active ones.
|
| And you might be interested in the ip space of all UK entities.
|
| If you put it this way then the problem becomes way easier. Just check public ip databases for AS and technical contact.
| dekken_ wrote:
| https://lite.ip2location.com/united-kingdom-of-great-britain...
| SXX wrote:
| Within IPv4 address space you can certainly do it in a day using $100 dedicated server on Hetzner and ZMap.
| mantas wrote:
| In my case it was out-of-country website with a local TLD.
| mr_gibbins wrote:
| All connections are made using one of two IP addresses:
|
| 18.171.7.246 35.177.10.231
|
| Block these IPs.
| acdha wrote:
| Why? That won't stop anyone malicious -- wouldn't your time be better spent making your services more secure?
| alias_neo wrote:
| Do you not think this is an excellent public service they're providing?
|
| If NCSC scan my systems for vulnerabilities, they're unlikely to exploit them, and they'll (somehow?) attempt to notify me of the risk.
|
| I'm curious which systems they scan; cloud systems only? Will they scan the stuff I host at home too?
|
| Would be nice if they'd give us some of the tools to run ourselves; any one know if it's on their Github?
| bayindirh wrote:
| Turkey also does the same. You get vulnerability reports.
| matthews2 wrote:
| Hopefully it's slightly less pathetic than the "Police CyberAlarm".
|
| https://paul.reviews/police-cyberalarm-abysmal-security-yet-...
| https://scottarc.blog/2022/07/04/police-cyberalarm-uses-alar...
| maurits wrote:
| The Swiss do it too. I got a very polite email in 4 languages.
|
| ps: Anybody? [1]
|
| [1] https://serverfault.com/questions/1112995/prevent-the-git-di...
| leononame wrote:
| Just a wild guess: location ~ /\.git.*
|
| i.e., add a .* to the end so that it matches anything coming after .git
| no-dr-onboard wrote:
| Anyone who has worked with Chinese companies operating within China can tell you that very similar laws were enacted a year ago. The CCP has a law that any vulnerabilities made aware to private companies need to be disclosed to the federal government. This was done in the name of "national security". IMO, this seems to be a more veiled version of that same mindset.
|
| http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm
| https://www.cpomagazine.com/cyber-security/is-china-looking-...
| adamckay wrote:
| This is the opposite, though.
|
| It's a part of the UK's security services running scans for vulnerabilities they already know about to tell you that you've got an issue.
| franga2000 wrote:
| I was about to say how great I think that law is, but then I checked the link you provided...
|
| > anything discovered in the country must now be reported to the CCP *and to no one else* (in most cases).
|
| The "no one else" part is terrible and completely changes the story. However, I do generally support a "tell the government about discovered vulnerabilities" law. Ideally, the government would then inform affected users and investigate whether the vuln could be considered negligence and the company prosecuted.
|
| I've been in a few situations where I reported very easily exploitable vulns that leaked sensitive user data and in all cases, I couldn't for the life of me convince the companies to disclose the leak. Yes, I could've gone public myself where I didn't have a contract, but I would've 100% ended up in jail for some poorly defined crime of "hacking".
| LightG wrote:
| Yes, I'm sure they're just scanning for vulnerabilities ...
| geek_at wrote:
| Funny enough I did a similar thing for my country (Austria). Found quite a few strange things and even made a collage of screenshots of all webservers hosted in Austria - https://blog.haschek.at/2019/i-scanned-austria.html
| ultra_nick wrote:
| Where did you find an index of all of your county's websites?
| treesknees wrote:
| To be clear, they said "web servers" not "websites". They just pulled a list of all public IP blocks registered to the country and opened port 80/443 on each IP address and took a screenshot. It's by no means a list of the websites hosted on those servers.
|
| You could get somewhat closer by inspecting public DNS records for those IP addresses and then attempting to load each site by DNS name, but it still wouldn't be a complete index of all websites in the country. I'm thinking that's impossible to collect, or at least very nearly.
| EthicalSimilar wrote:
| You didn't open the post, did you?
| funshed wrote:
| Sounds like low hanging fruit scans.
| OnlyMortal wrote:
| Yup. When I worked in "secret" level security, we'd often have an email circulation from "someone I can't name" about potential vulnerabilities in software "I'm not allowed to talk about".
|
| But, at least at some level, this is true.
| keepquestioning wrote:
| How do they find all web servers?
| iso1631 wrote:
| for NET in $UK_NETS; do nmap -p 80,443 $NET; done
| [deleted]
| benbristow wrote:
| Got something similar here in the UK also. I once had a Linux server box running on my DMZ, got a few physical letters from my residential ISP (Virgin Media UK) saying they detected some open port that was recommended to be closed (Think it was NetBIOS port).
|
| Might have been part of this scheme.
|
| Don't have that box anymore (was around 5 years ago) or a PC on the DMZ so haven't received any since.
| denton-scratch wrote:
| > Might have been part of this scheme.
|
| I doubt it. Network operators like Virgin have very good business reasons to ensure their own network isn't infested with computers running services like NetBIOS, which has no business being exposed on the internet (it is rather verbose, and completely useless outside of a LAN).
| bitL wrote:
| Germany is doing the same, Hetzner customers get emails from government pentests if they find something.
| WesolyKubeczek wrote:
| Also, I've got an email about any freshly imaged Mac Mini from Hetzner. Turns out macOS runs with legacy netbios ports open to the wide world by default, but to disable that service, you have to unload a service via Terminal. There's no prefpane for that.
| sam_lowry_ wrote:
| I received their emails a couple of times.
|
| Not sure if a cost-benefit analysis would find such ops positive for the society.
|
| Think of the time wasted by people who read such emails vs the money spent protecting from attacks.
|
| Factor in the cost to the taxpayer.
|
| That's a good topic for a Master thesis in Economics.
|
| Anyone interested?
| godelski wrote:
| Does anyone remember that hacker that scanned printers and if they found a vulnerability they exploited it to print out a warning to the owner of said vulnerability? I think they patched it too?
|
| Edit: Looks like it has happened more than once
|
| https://cybernews.com/security/we-hacked-28000-unsecured-pri...
|
| https://www.bleepingcomputer.com/news/security/a-hacker-just...
| coretx wrote:
| That happened over 9000 times. Fun fact: Some are print server appliances, no patches or updates for some of those available as they are EOL - but still in use...
| 2Gkashmiri wrote:
| waiting for india to implement something similar for seemingly benign reasons like vulnerability and code quality and immediately use it to find critics and hang them. heck, a guy was sentenced for 5 years over a facebook post.
| bhaskara2 wrote:
| > 2Gkashmiri Stop lying and not relevant, you clearly came here with an agenda.
| pessimizer wrote:
| Scanning for vulnerabilities won't help you find critics. If you wanted to look for critics, you would scan for critics.
| AtNightWeCode wrote:
| Cool. But in most cases you need to get behind services like Cloudflare.
| hannesm wrote:
| srsly it's 2022 and they only have legacy IP and no IPv6?
| Waterluvian wrote:
| I once ranted loudly that governments should be doing this for free. That governments should be assembling the best team of pentesters to pentest everything they can possibly find within their jurisdiction.
|
| I love seeing this.
| godelski wrote:
| I've also ranted about this, and how it should be one of the NSA's top priorities (including doing it for our allies).
|
| It's interesting because there are two main methods for what to do when you find a vulnerability: 1) hold onto it so you can later use it as a weapon or 2) disclose it and patch it. The offensive method has problems because as soon as you use it you are disclosing it. It also has the issue that your enemies may be able to (are likely to) find the same vulnerability and exploit it first. But the second method means you're losing your weapons but instead gaining a shield.
|
| As I see it, the shield is a lot bigger and has far higher utility. But part of that is that I see democracies as having differing vulnerabilities than autocracies. Attacking autocracies is more spear phishing, very directed attacks on the specific people that control power. But attacking democracies is in some sense easier (and in another sense harder) because more power is held by the average person. People who are more vulnerable to manipulation, especially at the large scale. But now we're edging into the data privacy domain and that's probably out of scope here.
|
| I really think there should be a very strong blue team effort by these organizations. I am okay holding on to a specific vulnerability if you're going to attack a specific person in the ,,immediate'' future, but these agencies should also be working with companies to patch these vulnerabilities. That is the government providing a social good. You know, the reason we have the social contract and government in the first place.
| Waterluvian wrote:
| This just made me think of something I need to look up now.
|
| Allied nations regularly perform war games for practice. What about cyber war games?
| godelski wrote:
| Let me know the answer. Because I feel like that should definitely be part of it. Though there's some very concerning aspects of lack of defense for national infrastructure things like power grids. So I doubt it is being taken seriously, or as seriously as it should be.
|
| I really do think a country should be proactively red teaming its own infrastructure and repairing any holes it finds. But it doesn't seem like the best interest of people who are more focused on offensive techniques.
| RajT88 wrote:
| Yes. Because when private individuals or companies do it unbidden, lawsuits fly in order to save face.
|
| When you are found out by the government, you're going to think really carefully about frivolous lawsuits to save face.
| chmod775 wrote:
| I know Germany provides the same service as well, but I don't know how fleshed out it is really. So far all the mails they sent me have been not _very_ helpful.
| danudey wrote:
| Canada does the same thing, they actually found a memcached instance of ours on a dev VM that was accidentally exposed to the internet.
| maptime wrote:
| From personal experience this is a fantastic service for gov entities
|
| For those not aware, UK gov has pretty world leading tech services, the best example is the UX of the main sites like car tax
| anonymousDan wrote:
| Sounds like a good service for a national security service to provide (in comparison to finding more ways to spy on us).
| pessimizer wrote:
| Why isn't the US doing this?
| luch wrote:
| Word on the grapevine is saying that Google is doing similar. One of the "perk" of being a well-known DNS resolver (8.8.8.8) is getting an early notification whenever a server goes "online" on the internet.
| DaiPlusPlus wrote:
| > is getting an early notification whenever a server goes "online" on the internet.
|
| Please elaborate.
| doorsopen wrote:
| Someone types in your new server/domain, like "ijustmadethissite.com", or "newlocation.existingsite.com"
|
| For their computer to resolve this domain name, it's going to call out to a DNS server, of which Google hosts a major one. It can be assumed that they log these names, and can then use that as a "notification" for a site coming up.
| SteveNuts wrote:
| But what does that have to do with scanning webservers for vulnerabilities, do they do something with the "newly seen sites", and if so is it documented what they do for scanning?
| lozenge wrote:
| Because if the vulnerability involves an HTTP request, then the Host header needs to have the domain name of the target website.
|
| So you need: IP address and port for the TCP headers, and the domain name to go in the TCP packet content.
|
| One example of a vulnerability would be having phpMyAdmin with a database password hardcoded and no login needed. Without the domain name it would still be impossible to access. (Of course, domain names shouldn't be considered secret so this would be a very insecure setup.)
| lstamour wrote:
| True, they have a DNS resolver, but they also have Chrome. And the Certificate Transparency list. Google Analytics. And so on...
| hkt wrote:
| I'd never considered the value all those things have when it comes to finding out what to index. Clever, actually.
| [deleted]
| yeuxardents wrote:
| The US does do this, it is offered as part of security hygiene.
|
| https://www.cisa.gov/cyber-hygiene-services
| Zamicol wrote:
| Looks like it's offered only to "critical infrastructure organizations".
| yeuxardents wrote:
| Correct
|
| "Who can receive services? Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations."
|
| However, methinks US definition of critical infrastructure organizations, both public and private, will be quite broad.
| Consultant32452 wrote:
| Way back in the early 2000s the FBI contacted a company I was working for to inform us that someone was hosting Disney movies on our servers. So something like this is at least sort of happening.
| l33t233372 wrote:
| I don't know if copyright protection is the same as penetration testing.
| fragmede wrote:
| [deleted]
| bobsmith432 wrote:
| So nobody should pay for anything? I pirate tons of stuff and still pay for things that I think are worthy of my payment
| woodruffw wrote:
| I would be surprised if this was the result of active scanning. It's more likely the FBI received a report from someone, and just forwarded it along.
| 0xbadcafebee wrote:
| Disney: "Hey FBI, this server is pirating us, plz 2 takedown tyvm"
| GartzenDeHaes wrote:
| I think it's illegal under the Computer Fraud and Abuse act. Also, what should the government do when it finds something? What if the site operators are unresponsive or cannot be contacted? There are a lot of practical problems.
| l33t233372 wrote:
| Does CFAA restrict government interactions?
|
| If the site operators are unresponsive then that sucks, but it would still help secure those that are responsive.
| pessimizer wrote:
| > I think it's illegal under the Computer Fraud and Abuse act.
|
| Things that are illegal for individuals to do aren't necessarily illegal for governments to do. This is a reason why the government should be _vigorously_ doing this, rather than leaving it to private citizens, who risk being charged under the Computer Fraud and Abuse Act.
|
| -----
|
| > Also, what should the government do when it finds something?
|
| It should contact the site operator.
|
| -----
|
| > What if the site operators are unresponsive or cannot be contacted?
|
| I would imagine that in the case that site operators couldn't be contacted, they wouldn't be contacted.
| iot_devs wrote:
| I mean... They could at least try to contact the operator.
| noodlesUK wrote:
| Something tells me that even with the somewhat stretched version of extraterritoriality that the US claims about laws like CFAA, they wouldn't try applying that to their closest intelligence/defence partner country operating largely domestically...
| jrockway wrote:
| > What if the site operators are unresponsive or cannot be contacted?
|
| This seems like only a minor problem. If people are unresponsive, then oh well, they tried to tell you you're hacked. If the site owner cannot be determined, they can email your ISP. This seems to work well for "one of your customers is torrenting movies", and since every ISP is known by definition (thanks, IP addresses), it should be fairly straightforward to get that message to the actual customer. (Send it with the invoice; if the customer doesn't pay invoices, then it's easy to resolve the hacked site. You were shutting them off anyway.)
| fragmede wrote:
| Everything's illegal under the CFAA. It's an old bad overreaching law that should be repealed. The government rarely prosecutes itself though, so that's no reason why. Unfortunately, the culture in the US is such that the populace would _freak out_ if the government tried to do such a thing, never mind practical surmountable issues.
| denton-scratch wrote:
| The way I read the article, they're actually collecting vulnerability information. So they check a site with Version X running on it, and detect the vuln; then they later see Version Y, without the vuln, and update their vulnerability database.
|
| Nothing in the article suggests that they contact site-owners (I haven't re-read the article, so might be wrong).
|
| I'm not sure why you think it's a potential violation of CFAA to connect to a public server and probe it. There's no suggestion of unauthorized access; that would involve _exploiting_ vulnerabilities they find, and that _would_ be unauthorized access.
| yellow_lead wrote:
| Too busy spying on citizens. And maybe they want to use vulns for their own gain.
| [deleted]
| neets wrote:
| Maybe it has something to do with the Nord Stream pipeline, maybe it doesn't
| Ptchd wrote:
| But, do they tell you about the vulnerabilities before they exploit them?
|
| Maybe they put it like this to exempt themselves...
| onetimeusename wrote:
| I have some doubts. For example, if they are just outputting the scan results from some tool with a high false positive rate, how is that helpful? It's a waste of time and money for the government. Bug bounty programs have the same issue that probably most bugs found are trash results from a scanning tool.
|
| On the other hand, a custom built tool that tries to find the most serious known vulnerabilities with a low false positive rate would probably be a good thing for the government to run.
| fao_ wrote:
| I'd imagine part of the job of the people working there would be to limit the number of false positives.
| doubled112 wrote:
| Could be, but it is certainly not how it works at my org.
| ygjb wrote:
| What scale does your org function at?
| pessimizer wrote:
| So if they use a bad tool, it would be bad, but if they use a good tool it would be good?
| onetimeusename wrote:
| Correct. Fortunately, the sales person from the security vendor, the media, and the public officials are aware of this constraint.
| hsbauauvhabzb wrote:
| There are no good tools. Just a bunch of shady vendors.
| marricks wrote:
| Why not both? They will never tell you the unsavory things they're doing. At least, not without coercion.
| [deleted]
| verisimi wrote:
| I think you misunderstand.
|
| I'm reading that the UK government is spying on us, and their retrospective plausible excuse is that they are scanning web servers for, erm, vulnerabilities.
|
| No, I don't think that the government is here to help. It allows itself only to maintain force, that it then uses to forcibly extract wealth from its herd, er, sorry, citizens.
| archsurface wrote:
| The downvoting tells us about the crowd, not about your comment.
| jodrellblank wrote:
| It tells you that the crowd don't want to read unsubstantiated cynicaler-than-thou hot takes on HN.
|
| Downvoting "It's raining because Soros and his globalist Jewish cabal control the weather" does not mean I disagree _that it's raining_ but the edit always comes in [downvoters can't handle the TRUTH, stay classy HN] or similar.
|
| e.g. how is scanning for vulnerabilities "spying on us"? How is scanning for vulnerabilities "forcibly extracting wealth"? How is informing people of vulnerabilities "not here to help"? It's a thinly disguised flamewar comment, not a comment on the topic.
| 988747 wrote:
| >> e.g. how is scanning for vulnerabilities "spying on us"?
|
| To play Devil's advocate: once you discover a vulnerability you always have two options: report it and have it fixed, or exploit it for your own gain. You charitably assume that government is somehow obligated to choose the former, while in reality in some cases it might choose the latter.
| hkt wrote:
| This is a fair point - in organisational terms it'd be better if NCSC was under a non-ministerial body, independent of political influence and control. Similar format to a university, maybe.
| robotresearcher wrote:
| The bulk of UK government revenues are dispersed to the sick and poor, and to educate children. Iron fisted despots.
|
| https://yougov.co.uk/topics/politics/articles-reports/2014/1...
| stuaxo wrote:
| Depends what they do when they find a vuln, there is incentive to not always reveal it.
| nonrandomstring wrote:
| Well, as tradition I maintain a watch on postmaster and webmaster at... so I'd hope for a friendly heads-up. Basically well done.
| belter wrote:
| In Germany the BND does this. You get an annoying email from them if they find UDP ports available for an amplification attack on your Linux server...
| Tomte wrote:
| Are you sure that it's not BSI?
| belter wrote:
| You are correct, it's the BSI.
| hkt wrote:
| Hah - one of my first ever network programming tasks was to do this at a UK hosting company. That and SMTP relays. Good that (some) governments are wise enough to try to keep this sort of thing in check.
|
| I hope they aren't using a perl script triggered by a cronjob on a hand-rolled VM though..
| nhanhi wrote:
| Did that company happen to be fast?
| mtmail wrote:
| It's the BSI (https://en.wikipedia.org/wiki/Federal_Office_for_Information...) and I found the one warning I got years ago useful. ElasticSearch open default port I think.
| hannob wrote:
| Not as annoying as getting DDoS'ed with amplification attacks because some people can't properly configure their servers... (Also I doubt the BND does this, as another commenter pointed out.)
| treesknees wrote:
| That depends on whether the BND are testing that it could be used in an attack, or just seeing a port is open. Having UDP/11211 could mean you're running a vulnerable memcached service, but not necessarily so.
| belter wrote:
| As others pointed out, it's indeed the BSI not the BND. Sorry for the confusion.
| mantas wrote:
| Old news?
|
| A few years ago I got a similar notification. A government agency here in Lithuania was happy to remind that my wordpress instance was outdated.
| blitzar wrote:
| _"We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us.
|
| Access to a MongoDB server should be restricted to trusted systems (for example, the related web application server)."_
|
| My mongodb had auth - but port was open.
| nix23 wrote:
| UK Government also scans all internet traffic and saves it 3 days.
| IndigoIncognito wrote:
| Good to know where my tax money is going
| BurningFrog wrote:
| I always wonder how much of the bandwidth in the world is used to spy on the "regular" traffic.
|
| I suspect it's well over 50%. I mean, the UK is far from the only power capturing all our traffic.
| RadiozRadioz wrote:
| Given the percentage of global internet bandwidth that is video streaming, and the immense expense that entails, I find your >50% figure hard to believe.
| dagenix wrote:
| Citation?
| damagednoob wrote:
| "Valuable data can be kept for three days, and metadata for 30 days. One leaked document states that all metadata is usually kept: 'we pull in everything we see'."
|
| https://www.amnesty.org.uk/why-taking-government-court-mass-...
| InCityDreams wrote:
| I have a sneaking suspicion it's somewhat more than three days. Unless ISPs are in on the game and keeping traffic/logs for greater than the three.
| dwheeler wrote:
| I wonder how effective this is. The text suggests that the only thing that they look for is a version statement of a major component, and then compare it to known vulnerable components. That could be somewhat helpful, but a lot of vulnerabilities won't be detected by that process. Does anyone know if they do more?
| anonymousDan wrote:
| I think this kind of service should be heavily skewed to favour false negatives instead of false positives.
___________________________________________________________________
(page generated 2022-11-04 23:00 UTC)
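The banner-and-version comparison dwheeler describes, together with the false-positive trade-off raised by onetimeusename and anonymousDan, as an added Python illustration (editor's example, not NCSC code or anything posted in the thread; the product names, version ranges and hostnames are constructed placeholders, not real advisories):

```python
import re
# Constructed advisory table: product -> [(first vulnerable, first fixed)] version tuples.
# Illustrative placeholders, not real advisory data.
KNOWN_VULNERABLE = {
    "nginx": [((1, 20, 0), (1, 20, 1))],
    "apache": [((2, 4, 0), (2, 4, 50))],
}
# Matches banners such as "nginx/1.20.0" or "Apache/2.4.41 (Ubuntu)".
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z-]+)/(?P<version>\d+(?:\.\d+)*)(?P<suffix>.*)$")
# Distro builds keep the upstream version number but may carry backported fixes.
DISTRO_RE = re.compile(r"\((Debian|Ubuntu|Red Hat|CentOS)\)")

def parse_version(text):
    """'2.4.41' -> (2, 4, 41), so versions compare correctly as tuples."""
    return tuple(int(part) for part in text.split("."))

def assess_banner(server_header):
    """Classify a Server header the way a banner-only scanner can. Verdicts:
    'no-version'/'unknown-product' nothing to compare, so nothing is detected;
    'not-vulnerable' outside every known range; 'vulnerable-banner' upstream
    build inside a range; 'possible-backport' inside a range but a distro build,
    which may already carry the fix (the false-positive trap)."""
    match = BANNER_RE.match(server_header.strip())
    if not match:
        return "no-version"
    version = parse_version(match.group("version"))
    ranges = KNOWN_VULNERABLE.get(match.group("product").lower())
    if ranges is None:
        return "unknown-product"
    for first_vuln, first_fixed in ranges:
        if first_vuln <= version < first_fixed:
            if DISTRO_RE.search(match.group("suffix")):
                return "possible-backport"
            return "vulnerable-banner"
    return "not-vulnerable"

def triage(headers, conservative=True):
    """Hosts worth notifying. conservative=True is anonymousDan's preference:
    report only unambiguous findings, accepting misses over false alarms."""
    wanted = {"vulnerable-banner"} if conservative else {"vulnerable-banner", "possible-backport"}
    return [(host, v) for host, hdr in headers.items() if (v := assess_banner(hdr)) in wanted]

# Constructed sample: hosts and the Server headers they returned.
SAMPLE_HEADERS = {
    "host-a.example": "nginx/1.20.0",             # upstream build in range: report
    "host-b.example": "Apache/2.4.41 (Ubuntu)",   # in range, but Ubuntu may have backported the fix
    "host-c.example": "cloudflare",               # no version: banner scanning sees nothing
    "host-d.example": "nginx/1.22.1",             # outside the range
}
```

`triage(SAMPLE_HEADERS)` reports only host-a; passing `conservative=False` adds host-b, and host-c is never flagged even if it were vulnerable, which is the blind spot dwheeler points at.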
