The main reason it's controversial is due to being incubated by the FBI. The other main reason why it's controversial is because they wrap vulnerability discussions in a series of NDAs. InfraGard-coordinated vulnerabilities do not necessarily see public disclosure.
Personally, I am not really a fan of InfraGard, for both the NDAs and FBI background: friends of mine have been burned by the FBI before when trying to ethically handle vulnerabilities.
But this does not mean that somebody should be faulted for choosing to participate in InfraGard. At worst it just means they believe in something others don't.
You wouldn't defederate someone for drinking chocolate milk out of a wine glass, right? InfraGard membership is, maybe at worst, the infosec equivalent of that type of social faux pas.
When it comes to vulnerability disclosure though, I believe public disclosure is in the public interest. And, well, InfraGard doesn't. And that's the real controversy... they aren't cops or law enforcement of any kind.
@kaniini The Wikipedia page talks about the ACLU being concerned about it -- is that a reasonable concern nowadays, or an artefact of it being only 2 years into the PATRIOT Act and everything was Suspicious? Do you know if there have been any responses or clarifications to address that concern?
@kaniini Sometimes it's a requirement in a talk. If you give a talk, you have to disclose who you work for and your professional affiliations (FAS, Infragard, ACM, IEEE CS, and so forth) in your slides, so your audience knows who and what they're dealing with.
there's a *lot* of reasons to be concerned about InfraGard. the main one being the complete lack of transparency.
AFAIK InfraGard exists because they wanted a CERT controlled by the feds directly instead of US-CERT, but honestly, as has been mentioned elsewhere in the thread, InfraGard's intel products are complete trash anyway.
i haven't read about the ACLU concerns, but I would say that a CERT which does not behave transparently, incubated by law enforcement, is not great. and as I mentioned, friends of mine have been burned by trying to work with the FBI on this stuff before.
like there is really no value in participating there, but some employers require it anyway.
@kaniini I've seen a bunch, because that was $speaker["employer"] + "'s" policy for being allowed to present.
This is, incidentally, why I give fewer talks these days. I'm not okay with that kind of disclosure.
@kaniini It was definitely about the transparency issue -- "any program that institutionalizes close, secretive ties between such organizations raises serious questions about the scope of its activities, now and in the future." -- but more specifically claiming:
"InfraGard may be closer to a corporate TIPS program, turning private-sector corporations — some of which may be in a position to observe the activities of millions of individual customers — into surrogate eyes and ears for the FBI"
yeah, InfraGard is very concerning; however, you have a complete misunderstanding of the fediverse's present security calculus.
an instance you blocked can *and will* still wind up with content that you publish. this happens with boosts (Announces) or simply participating in a thread the blocked instance later rebuilds by receiving a child post in it.
at any rate, i can think of several worse infosec-themed instances than hackers.town; the admin there does not take himself to "full spectrum cyber" levels of seriousness, so he is at least somewhat tolerable.
the much larger and more popular instance is basically a more paranoid version of hacker news with the worst takes i've ever seen spewed onto fedi on a daily basis.
i don't block either instance, but the larger instance is chock full of reply guy "security bro" alleged experts who show up and offer takes that inspire homicide. if i were to block any infosec instance, it would certainly be *that* one before hackers.town.
but, obviously, people should block who and what they want. block early, block often.
People shouldn't think that there is an actual enforcement of it, and if you think about it, it's technically impossible to do so.