US Gov't To Scan More Civilian Infrastructure Traffic
helix2301 writes with this snippet from NBC News: "The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure. As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks."
Further on, the story notes that "By using DHS as the middleman, the Obama administration hopes to bring the formidable overseas intelligence-gathering of the NSA closer to ordinary U.S. residents without triggering an outcry from privacy advocates who have long been leery of the spy agency's eavesdropping."
yeah, makes perfect sense (Score:5, Funny)
'cause everybody trusts the DHS.
Re:yeah, makes perfect sense (Score:5, Insightful)
"more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks"
I don't follow the logic of this. Scanning our people's stuff is going to protect us from outside attacks, or attacks by outside agencies done by their people here? How so?
"The Department of Homeland Security will gather the secret data and pass it to a small group of telecommunication companies and cyber security providers that have employees holding security clearances, government and industry officials said. Those companies will then offer to process email and other Internet transmissions for critical infrastructure customers that choose to participate in the program."
So we, that is, our own government agencies, don't have the manpower, equipment, or expertise, or some combination, so the secret info from the various intel folks will be used to determine the scans mentioned in first quote, then the scans' results will pass to a private group that's going to offer to do - what, exactly? - for those who might be affected, if, that is, they join up somehow, somewhere?
All I can make of it is a foot in the door kind of thing, scan hell out of biz/personal e-stuff, pass it through a clearinghouse of interested parties, and use it for something something. Oh, yeah, to protect us from some cyber. This whole thing seems inside-out and backwards. Then it's "you're with us or against us (nice cyber you got there, hate to see some cyber done to it)" all done by selling one thing, calling it another, and actually doing a third thing. I think.
Can someone clarify this shit?
clarifying that shit (Score:5, Insightful)
The idea is really not to prevent law breaking but instead provide justification after the fact.
Say or do something that offends officialdom? Now your past actions can be used against you.
If you were watching TV and some plot point about explosives happens and you decide to go search on that plot point - now officialdom can claim you are a wannabe terrorist and place you under lock and key and THEN state how wonderful the new system is, because it prevented you from getting the explosives you expressed an interest in.
Officialdom is scared and is adding to the framework to attempt to control challengers to their authority. You may not do the time but you'll ride the ride is the buzzphrase of the day.
(note how Aaron didn't do the time and in the end wanted off the ride the DOJ put him on)
Re: (Score:2)
Too bad you posted this anonymously. We need more people that will stand up to this tyranny. Who's watching the watchers?
Re: (Score:2, Insightful)
Can someone clarify this shit?
The cyberwar boogie man is prompting Very Serious People to act. They need to be seen doing something and they stick to what used to work in the 70's: more surveillance, more spying of your own people for their own benefit. Never mind that won't make any difference whatsoever and certainly leads to a full blown surveillance state. They only have the surveillance hammer and are looking around for nails.
Some alternate suggestions that would indeed make a difference:
1. Make credit card companies liable for f
Re: (Score:1)
If you go out and buy an adaptive firewall that updates its blocking lists based upon input from a vendor, the vendor is actually generating those lists via listening posts located all over the US installed in data centers, honeypots, small companies, et cetera. When an attacker, for example, begins port scanning a large range of addresses at different companies methodically the listening posts notice, and the vendor automatically updates your firewall block list with the IP range. Hence the reason when your m
Clarification needed? Cyberlaw to the rescue! (Score:1)
2. To protect national cybersecurity concerns, the government thinks that it has to protect critical infrastructure.
3. Most owners and
Re: (Score:3, Insightful)
'cause everybody trusts the DHS.
While it would be nice to believe that this is sarcasm, and while most slashdotters don't trust the DHS, most nongeeks do trust the DHS. And there's the whole, "If you don't have anything to hide then who cares..." that most people believe in.
Re: (Score:1, Funny)
"I'm from the government and I'm here to keep you safe."
Re: (Score:2)
"I'm from the government and I'm here to keep you safe."
Wh-wh-what? You mean it's not for the children or national security?
Re: (Score:2)
Now if the DHS is a trusted system to banking, infrastructure, utilities, etc then all your enemies have to do is compromise the DHS and they get the keys to everything.
DHS is the compromise, they have access to all your records, the question is, how do they get the children to spy on their parents?
Encrypt everything (Score:2, Interesting)
If you aren't browsing over a VPN with HTTPS / SSL and transmitting all your data encrypted by this point you ought to be.
Re: (Score:3)
If you aren't browsing over a VPN with HTTPS / SSL and transmitting all your data encrypted by this point you ought to be.
Why? After all, if you have nothing to hide and you set your evil bit [ietf.org] to zero, the DHS won't intercept your traffic.
I mean: nobody is so crazy to waste citizens' money on intercepting and storing everyone's communication, the investment and maintenance cost will be ever increasing.
And for what? After all it is only the traffic caused by hackers that would be interesting, not honest citizens' traffic. And the institutions/companies have already organized their own defense, as any good citizen does (e.g. i
Re: (Score:2, Insightful)
I mean: nobody is so crazy to waste citizens' money on intercepting and storing everyone's communication, the investment and maintenance cost will be ever increasing.
Wanna bet? They will simply take the money from some 'unimportant' department that actually provides some sort of public service. Sorry guys, you can't have money for cancer research, because we are going to snoop through your e-mails. You had better believe it.
Re: (Score:2)
Sometimes it is difficult to tell.
Re: (Score:2)
Agreed. The government is all about fiscal accountability and doesn't waste money or spend money it doesn't have.
Re: (Score:2)
Agreed. The government is all about fiscal accountability and doesn't waste money or spend money it doesn't have.
What planet are you from? Was your flight long? Would you like to rest a spell before we tour the city?
Re: (Score:2)
I mean: nobody is so crazy to waste citizens' money....
(grin)
Brought to you by the people who supported the banksters and their gambling addicted wallstreeters. Get a clue, please.
Re: (Score:1)
Yes, so you won't stand out of the crowd. Wouldn't want to become a person of interest.
What's that guy's sig, about the 2nd law of thermodynamics? Something like, "you can't win, you can't even break even, and you can't quit."? Good luck to you, sir. I wish you the best. It's not that you're wrong, not at all; just too late, I think.
Re: (Score:3)
Just using a VPN isn't enough -- most of them hand over user data to the US government without question when asked [torrentfreak.com], regardless of whether the VPN account was free or paid and even if the VPN company and all of its servers are located in other parts of the world. (Yes, the article was focused on the use of VPNs for file-sharing, but the lesson remains the same: don't trust them to protect your personal data from your government.)
Re: (Score:1)
am I missing something?
the fact that they already have all your traffic from outside the VPN logged elsewhere and that the court order they give says something like
they get the new log of traffic correlate various IDs in it with the old (browser IDs ; crypto secrets derived from your device MAC address, processor IDs embedded in message padding by software maintained by placemen etc.) and then th
Americans paying for big biz cheapness (Score:2)
So, big business implements half ass computer security for its infrastructure, at a lower cost. This could have been the logical business decision, especially with constantly changing computer technology. However, China, and increasingly other nations, are now going after security holes, and changes in computer technology have slowed down.
However, for the American People to pay for the incompetence of half ass measures of big business is something else. Just like the bank bailouts of 2008. This country has
Re:Americans paying for big biz cheapness (Score:5, Insightful)
The run for the bottom started way earlier, you can't blame the chimp for everything. Looking at the US for the past decades, I dare say the whole mess started with Reagan or no later than Bush Sr.
What this country, or any country, could well need is the kind of politicians we had after WW2. Say what you want, I still think Eisenhower was the best since 45.
Re: (Score:2)
It started with the Lewis Powell Memo, in 1972. (Powell was the head of the US Chamber of Commerce - then was a Nixon appointee to SCOTUS).
Re: (Score:2)
Thanks for having excellent memory - I'd clean forgotten this. Long time back, man. Yeah, that was a good trigger.
Re: (Score:2)
You assume the US invented the abusive government-corporate partnership. Ever hear of the East India Company? This type of practice is as old as civilisation: Those with power need money, and those with money expect certain favours in return.
And how is this 'more' invasive than now? (Score:1)
The NSA has taps on the fiber backbones already - the telcos have legal immunity and so are letting them mirror all traffic going through the major peering points. I don't see how a minor adjustment in the location of said tapping changes things. All traffic is already monitored, and relationship graphs are already generated for most US residents.
Re: (Score:2)
It's a matter of magnitude. Think of it as the difference between being stuck in cold weather without a coat and sitting butt naked in a frozen pond. Neither is really pleasant, but the latter sure as hell kills you faster.
I can see positives, but (Score:3, Interesting)
I still don't trust the government. If this was to track malware, botnets, or attempts to attack vital parts of our infrastructure, I'd be all for it. However I also know this will be used to clandestinely monitor everyone's communication. While I fall into the "nothing to hide" category, the definition of "nothing to hide" is flexible and ever changing. The truth is, in a way, I do hide. A lot. I don't mouth off on social media sites. I don't put my political opinions into forums. I limit confrontation to in-person or via telephone communication. We already live in an age of online surveillance. This new level of government surveillance is just the next step.
I look forward to the rise of the DarkNets!
Re: (Score:1)
Hm. . . This isn't a social media site any more than FIDOnet, Usenet, or any discussion forum since the beginning of the web has been a "social media site".
Re:I can see positives, but (Score:5, Insightful)
They're already here. They are just not globally announced and touted as the next best thing because "people who know" got wary after what happened to "their" Internet. Once the unwashed masses got in, things went downhill. For reference, see file sharing. You know, in the good ol' days, nobody gave a damn. Sure, the RIAA wasn't too excited about it, but the damage was low, so why bother? More and more people came and once it became trivially easy, the lobbying started and we have the mess we have today.
Can you imagine what an issue blueboxing would have been if it wasn't limited to a handful of phreaking enthusiasts? AT&T would have wanted their heads. And we're certainly not talking about the probation sentence Draper got, this would have reached insane heights akin to what we see today with punishments for copyright infringement. So, it was ... well, basically just a little nuisance.
Can you imagine what happens if Darknets go the way of torrents? Everyone using them, essentially rendering the whole shiny surveillance technology a matter for the recycle bin? If you think then we'd win, think again and ponder who your "enemy" is in this game. Hint: He makes the rules.
Re: (Score:2)
One big difference between torrents and a Darknet -- torrents, like social media, are meant to be open and easily shared. Darknets are designed to deny by default, allow only if invited. The total opposite of the open Internet we have today. So no, I'd not worry if I primarily operated on a properly run and maintained Darknet.
Employers (Score:3)
Employers already have the right to scan everything coming in and leaving, and AFAIK defense contractors count as employers.
I don't particularly see this as a loss of Internet privacy since I don't expect any at a place of employment.
Re: (Score:2)
Do you have a problem with reading comprehension? This story is US specific.
Europe has its own civil rights problems starting with free speech, discrimination against ethnic groups (for example the Roma), no protection against age discrimination in hiring and so on.
People living in glass houses shouldn't be so quick to throw bricks.
Re: (Score:2, Funny)
What the fuck did you just fucking say about me, you little bitch? I'll have you know I graduated top of my class in the Navy Seals, and I've been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in gorilla warfare and I'm the top sniper in the entire US armed forces. You are nothing to me but just another target. I will wipe you the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. You think you can g
How naive do you have to be? (Score:5, Insightful)
After the AT&T revelation, why would you believe they aren't ALREADY scanning pretty much everything they can?
Does not make it any better (Score:2, Insightful)
Dear Mr.Obama,
Just because you move the shady / possibly-abuse-filled surveillance project to another department does not make us "like" the program anymore.
Also if you think the whole issue was the department handling the program, you have no clue why people are upset and outraged. That or you are intentionally ignoring the real reason.
Please take the critical systems off the public internet if you are that worried about a "cyber" attack against public infrastructure.
Signed,
- The People of the USA
Signature based scanning? (Score:1)
Hasn't signature based scanning been debunked as a successful method for detecting modern malware?
Re: Signature based scanning? (Score:2)
Re: (Score:2)
Only against the very best, the APT-class attackers, who have the skill and the time to write and test their own tools. Against your common script kiddie or for-profit botnet operator, it'll still work fine.
This is not their job... (Score:1, Insightful)
Encrypt everything and hide intent (Score:1)
Not only do we need to encrypt everything going over the network, we need to develop systems which defeat inference of useful envelope information by adding noise in space and time and via the use of indirect reflections.
Aggregation of power into the hands of the government regardless of the justification will only incite internal corruption and bring out the same human failings that lead to oppression. Technology will corrupt our society if we don't take steps to prevent it.
Cyber attack against utilities? (Score:5, Insightful)
My power company won't even trim the stinkin' trees. When the lights go out, how will we differentiate between an attack and normal operations?
Re: (Score:2)
You are lucky, the power company butchered my pecan trees which were not even close to causing issues due to some "possible interference any time in the next 10 years" rule they have.
Re: (Score:2)
LOL. In a first-World country your trees would be fine - power lines are underground.
How cute, someone from a small country thinks that they know what's good for a large developed nation with the least population density.
Re: (Score:2)
If you call them and actually get to speak with a human being, it was probably an attack.
Don't you feel safer? (Score:3)
Finally something progressives and conservatives can team up to fight.
The last briefing I heard there were something like 200 Chinese front companies operating in the U.S. gathering data on Americans, particularly those with security clearances.
Maybe we stop the obvious stuff and the cloud databases being stored all over the world before we go all 1984 on our own citizens.
In the same briefing I found out the French are also spying on our defense related industries. And the Israelis. Some allies we have. The ones not spying on us think we're idiots.
Re: (Score:3)
Finally something progressives and conservatives can team up to fight.
I wish... Based on recent years, the political reaction will be more like:
-- Most of the party that's clearly not in charge will condemn the latest overreach, declare that this sort of thing wouldn't happen on their watch, and that if given power again they'll be certain to reverse it.
-- Most of the party in power will either remain silent or make vague supportive comments about doing what we must for security. The rare over-enthusiastic sort will say it's a great step forward blah blah blah.
-- A few from
Translation... (Score:3)
"By using DHS as the middleman, the Obama administration hopes to bring the formidable overseas intelligence-gathering of the NSA closer to ordinary U.S. residents without triggering an outcry from privacy advocates who have long been leery of the spy agency's eavesdropping."
Translation: People don't fear the DHS as much as they fear the NSA, this should fix that.
Re: (Score:2)
Better fucking pray we aren't Nazi Germany v 2.0
Sadly, we are already on the way to that.
entropy (Score:3)
You know it occurs to me... (Score:2)
You know it occurs to me...
All the major telecommunications carriers are defense contractors, as are the people running MAE East and MAE West.
So what exactly isn't going to be scanned under this proposal?
Fix it. (Score:2)
This is Slashdot. We're a bunch of nerds. So let us do what it is that nerds do: Find a technological solution. Let us get every website using HTTPS, every email and IM conversation encrypted. It doesn't have to be perfectly secure against an attacker who can plant their own certificates on client devices, it just has to make interception difficult enough to prevent governmental fishing expeditions.
Re: (Score:2)
Let us get every website using HTTPS, every email and IM conversation encrypted.
What makes you so certain the NSA hasn't cracked SSL? Because I'm reasonably certain that if they had broken SSL, they wouldn't tell anyone about that capability.
Re: (Score:2)
Of course they have - or rather, they wouldn't need to. I'm in no doubt at all that the NSA has access to a few root certs. Even so, it limits interception targets only to those the NSA considers enough of a concern to risk revealing their capabilities over: No more trawling billions of emails to build profiles or so anyone who jokes about blowing up the White House can be flagged as a potential terrorist, and no more private-sector monitors at the ISP sneakily monitoring web traffic to better target adverti
And the reason why? (Score:3)
I trust NSA more than I do DHS. (Score:2)
NSA doesn't have any cops.
What could possibly go wrong? (Score:1)
If the banks request it, good.
If they don't, bad. As in Hitler bad.
Re: (Score:1)
Seek. Professional. Help.
Re: (Score:2)
.
We do do th