The UK government seems to be doing the right thing in IT, again and again.



I'd say they aren't doing it wrong 100% of the time. They still massively cock up from time to time, e.g. their anti-encryption campaigns, the stupid attempt to require ID for porn, the disastrous NHS digitisation.

But the gov.uk website is pretty good and they did replace IT with computing in schools.


Probably breaking their own ‘Computer Misuse Act’ in the process though.


I’m not sure we’ve invented a measurement sufficiently small to measure how little recent governments have cared about breaking the law.


That'll be the Planck shit-given unit.


Now there's a sentence I never thought I would read.


I believe Alex van Someren recently took over as head of the UK NCSC. He's someone that I trust to make the right decisions, so I'm quite glad of this fact.

(NOTE: I have no idea if this specific link is related to Alex or anything he's done)


Agreed, but if the US Government were doing this there would be outcry of "spying" and "Government overreach". And before anyone says that the US Gov has lost its trust, let me remind you that UK has GCHQ.


NCSC is the public "arm" of GCHQ, they provide cyber-security guidance to businesses and the general public etc. They are a great source of information for current best-practice regarding cyber security.


NCSC is GCHQ


Sure, if you value authoritarianism and an intrusive nanny state. The government jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line.


"nanny state" is a purposefully skewed statement that pre-presumes that doing something for the common good is always bad. It's a lazy way of not making an argument.

Why is scanning web servers for vulnerabilities bad?


Yeah, scanning for vulnerabilities in a controlled way isn't bad

I suspect those opposing it are the ones that eventually get caught with glaring vulnerabilities and then we have to hear BS like "they care for security and privacy" when they didn't even use password hashes


"pre-presumes that doing something for the common good is always bad"

No, it refers to a state that is intrusive into personal choices.

"pre-presumes"?


Scanning for and reporting vulnerable web servers does nothing to limit someone's personal choice to operate one. I just hope they make the data public so that I can make the personal choice to block traffic to/from people who make the personal choice to operate insecure devices on the global internet.


What's wrong with asking first and letting the web operator opt in?

The gist of your argument is: if I go up and try to pick your pocket but say my intentions are only to help you against real pickpockets, there's nothing but your personal choice to walk on a public sidewalk and you should just accept it.


I outlined the problem with opt in here: https://news.ycombinator.com/item?id=33470079#33476189

The people who would opt in aren't likely to be the problem. The problem with your pickpocket example is that you lose something when someone picks your pocket, but you lose nothing when someone checks to see what ports are open.

In fact, that's something that's already happening all the time anyway. The only difference is that in this case the person checking for your failures to secure your devices will notify you of the problem instead of exploiting your devices like everyone else will (assuming that they haven't already).

This should not only help people secure their devices, but it should also make the internet a better place for everybody.


Who gets to pay for all the extra traffic they send? The time spent by security guys to review the false positive attack logs they generate? The time spent by operators to bring the services back online when the government probing crashes something?


I get it, you don't like the idea of taxes, but fortunately most people are glad for them and the services they provide.

If this service causes a bunch of crashes (somehow) or they end up DoSing someone they should be responsible for the harm that they cause, but since these scans are no different than what criminals are already doing every day I don't imagine it'll be a huge problem unless they really screw something up.

I'd also guess that the costs in both time and money spent on the traffic generated by DDoS attacks, malware infections, and phishing sites are much much greater than the costs for 'security guys' to review logs, safely automate scans, and notify webhosts of problems. This is a sensible measure that should save massive amounts of time and money for people all around the globe and make the internet better for UK citizens in the process.


It's intrusive. My web server is none of their business.


> Why is scanning web servers for vulnerabilities bad?

Not the OP.

I think it's fine in general with one big proviso, that they change the law first to make it lawful.

With a different government it would look more benevolent, with the current government growing ever-more fascist--having now found a surreptitious way to ditch the ECHR, for example--it gets somewhat worrying.


Why is asking for permission first bad? The CISA does this very thing, but businesses have to explicitly ask first and consent unlike the UK. That's the difference between a nanny state policy and one that respects choice and the property rights of others.


"common good", aka socialism...

We already know where that path leads, thanks to countries like the former USSR and China. Do not want!


You clearly have a very skewed idea of what socialism is. Would you consider parks or public schools socialist too, as they also contribute to the common good of society?


Is this meant to be a joke or are people still this wilfully blind about what socialism actually is?


Some weaknesses of the computer system intrusion/house intrusion analogy:

* It is pretty obvious to the user if their door is locked, so they don't need pentesters to help them figure it out.

* Houses aren't under attack from the entire planet at all times.

* It's not that uncommon to have circumstances arranged such that if someone does barge into your house, you know about it.

If the local government wanted to do something that is closer to what's going on here -- maybe go door to door offering a security assessment for non-obvious stuff -- that might be a well-received service.


Our local government gave me a call because a neighbor asked for a wellness check because we hadn’t plowed our driveway when we were in California. So it does actually happen kind of.


> jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line

Is it, in your view, better that criminals jiggle the handles?

They're maintaining a vulnerability database. That's like what CERTs do. It's analogous to maintaining a database of safe foodstuffs or drugs.


Jiggling door handles without consent is a de facto criminal act. It's no different if I tried to pick your wallet as you walked down the street and said, "better me than a criminal..." then flashed my badge.

CISA will jiggle your door handles for free, if you ask and consent first. Web server operators who aren't asking for vuln assessments aren't apt to keep them regularly patched to begin with.


> Jiggling door handles without consent is a de facto criminal act.

Connecting to a webserver using HTTP is not a criminal act, under any colour of the law. If you have a listening port open to the internet, you are inviting connections.

Picking pockets is stealing; this is more like saying "Hello!" to someone who is standing in their own open doorway, and observing their response.

I don't think there's anything in the article about this programme providing server operators with reports. They're not trying to save operators from themselves.


Opt-in is generally more fair than opt-out, but in this instance it makes sense - they are not checking personal property, they are checking publicly facing webservers. They are not doing it for the server owners' benefit, they are doing it to help keep people secure. Servers that aren't being patched properly are exactly the servers that are a security issue waiting to happen, that such a security force should be identifying and telling to buck their ideas up.

I suppose the differences in how those two equivalent departments approach this likely come from national mindset differences, and the political differences they cause. At least it seems reasonable to me that in Washington people might all agree that the right to decide if you are tested is more important than finding insecure webservers, whilst in London people might well all agree on the opposite.


That’s an incredible take on this. What’s the alternative? Leave everyone to defend themselves against foreign governments trying to steal IP?


It's more like the government driving around neighbourhoods and doing a survey of whether you have solar roofs or not, used for a reasonable common good purpose, while letting you know they're doing it and letting you opt out.