pleroma.site

FBI InfraGard is a CERT-like organization that acts as a liaison between security researchers, vendors and entities that are considered critical infrastructure: banks, utilities, etc. It is a reasonably harmless organization which intends to do well but is controversial for a few reasons.

The main reason it's controversial is that it was incubated by the FBI. The other main reason is that they wrap vulnerability discussions in a series of NDAs. InfraGard-coordinated vulnerabilities do not necessarily see public disclosure.

Personally, I am not really a fan of InfraGard, for both the NDAs and FBI background: friends of mine have been burned by the FBI before when trying to ethically handle vulnerabilities.

But this does not mean that somebody should be faulted for choosing to participate in InfraGard. At worst it just means they believe in something others don't.

You wouldn't defederate someone for drinking chocolate milk out of a wine glass, right? InfraGard membership is, maybe at worst, the infosec equivalent of that type of social faux pas.

When it comes to vulnerability disclosure though, I believe public disclosure is in the public interest. And, well, InfraGard doesn't. And that's the real controversy... they aren't cops or law enforcement of any kind.
replies: 0 | announces: 32 | likes: 30

@kaniini
I don't think I can trust anyone who drinks chocolate milk out of a wine glass tbh

That's fishy

@Epsiloco sometimes you just have to work with what you have

@kaniini
Oh

Yeah if that's all you have then that's fine.

@kaniini
"Membership Requirements:
[...]
* Notify the FBI of any pending criminal matters
[...]"

Law enforcement no, narcs yes?

@kirby criminal matters concerning yourself, AFAIK; they do a background check on all participants

@kaniini work with cops = cop

@chead i look forward to more of your teenage political anecdotes

@kaniini lick a boot about it, clown

@chead is that the best you've got?

@chead @kaniini This is a really confusing mental image.

@kaniini Infragard's intel is usually three to six months out of date. I'm only a member because $dayjob asked me to be, it's really not useful.

@drwho yes, InfraGard is complete trash, and I do question why anyone would highlight their membership in a serious way ;)

@kaniini The Wikipedia page talks about the ACLU being concerned about it -- is that a reasonable concern nowadays, or an artefact of it being only 2 years into the PATRIOT Act and everything was Suspicious? Do you know if there have been any responses or clarifications to address that concern?

@kaniini Sometimes it's a requirement in a talk. If you give a talk, you have to disclose who you work for and your professional affiliations (FAS, Infragard, ACM, IEEE CS, and so forth) in your slides, so your audience knows who and what they're dealing with.

@gaditb

there are a *lot* of reasons to be concerned about InfraGard. the main one being the complete lack of transparency.

AFAIK InfraGard exists because they wanted a CERT controlled by the feds directly instead of US-CERT, but honestly, as has been mentioned elsewhere in the thread, InfraGard's intel products are complete trash anyway.

i haven't read about the ACLU concerns, but I would say that a CERT which does not behave transparently, incubated by law enforcement, is not great. and as I mentioned, friends of mine have been burned by trying to work with the FBI on this stuff before.

like there is really no value in participating there, but some employers require it anyway.

@drwho i've yet to see a talk where someone's InfraGard affiliation was highlighted honestly.

@kaniini I've seen a bunch, because that was $speaker["employer"] + "'s" policy for being allowed to present.

This is, incidentally, why I give fewer talks these days. I'm not okay with that kind of disclosure.

@drwho i will admit i don't watch too many infosec talks. but i've never seen talks at say, FOSDEM, which were like that.

@kaniini It was definitely about the transparency issue -- "any program that institutionalizes close, secretive ties between such organizations raises serious questions about the scope of its activities, now and in the future." -- but more specifically claiming:

"InfraGard may be closer to a corporate TIPS program, turning private-sector corporations — some of which may be in a position to observe the activities of millions of individual customers — into surrogate eyes and ears for the FBI"

@kaniini okay I wasn't going to give two shits about uspol but this guy supports vulnerability embargoes after all the shit that went down in 2018, and for that reason he can fuck right off

@kaniini RSA, Black Hat, and Defcon have had a few that did. SF Cloud Mafia also had a minicon where a speaker had to disclose that.

@flussence agreed. embargoes are definitely not in the public interest, especially after things like Meltdown.

@kaniini
you. I like you.

@chead
you a cop tho

@lesbianhacker yeah InfraGard is bad for many reasons

@lesbianhacker

yeah, InfraGard is very concerning, however, you have a complete misunderstanding of the fediverse's present security calculus.

an instance you blocked can *and will* still wind up with content that you publish. this happens with boosts (Announces) or simply participating in a thread the blocked instance later rebuilds by receiving a child post in it.

at any rate, i can think of several worse infosec-themed instances than hackers.town; the admin there does not take himself to "full spectrum cyber" levels of seriousness, so he is at least somewhat tolerable.

the much larger and more popular instance is basically a more paranoid version of hacker news with the worst takes i've ever seen spewed onto fedi on a daily basis.

i don't block either instance, but the larger instance is chock full of reply guy "security bro" alleged experts who show up and offer takes that inspire homicide. if i were to block any infosec instance, it would certainly be *that* one before hackers.town.

but, obviously, people should block who and what they want. block early, block often.
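The point made above about blocks, as an added example that is not part of the thread and not Pleroma's code: a small Python model of ActivityPub-style delivery between instances. The domains, the follow graph and the delivery rules are constructed for the illustration. It assumes that a block stops direct delivery in both directions, and that a public object can be fetched by any server once its id is known (the default when "authorized fetch" is off). Under those assumptions a boost (Announce) by a third instance, or a reply that makes the blocked instance rebuild the thread, still lands a copy of the blocked instance's author's post there.

```python
"""Toy model of ActivityPub-style delivery between instances.

Added example, not from the thread or from Pleroma. Domains, follow graph and
delivery rules are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Note:
    id: str                          # object id, e.g. https://a.example/objects/1
    origin: str                      # domain that published it
    content: str
    in_reply_to: Optional[str] = None


@dataclass
class Instance:
    domain: str
    blocks: set = field(default_factory=set)     # domains this instance blocks
    following: set = field(default_factory=set)  # domains whose posts it receives
    store: dict = field(default_factory=dict)    # object id -> Note held locally


class Federation:
    def __init__(self):
        self.instances = {}

    def add(self, domain, following=()):
        self.instances[domain] = Instance(domain, following=set(following))
        return self.instances[domain]

    def followers_of(self, domain):
        return [i for i in self.instances.values() if domain in i.following]

    def allowed(self, sender, receiver):
        # A block is honoured in both directions, but only between the two
        # parties of this delivery. A third instance is not consulted.
        return (receiver not in self.instances[sender].blocks
                and sender not in self.instances[receiver].blocks)

    def fetch(self, object_id):
        # Assumption: public objects are served to any requester (no authorized
        # fetch), so the origin's block list plays no role here.
        origin = urlparse(object_id).netloc
        return self.instances[origin].store[object_id]

    def post(self, domain, content, in_reply_to=None):
        inst = self.instances[domain]
        note = Note(f"https://{domain}/objects/{len(inst.store) + 1}",
                    domain, content, in_reply_to)
        inst.store[note.id] = note
        # Create: delivered directly to followers, minus blocked domains.
        for f in self.followers_of(domain):
            if self.allowed(domain, f.domain):
                self.receive(f, note)
        return note

    def receive(self, inst, note):
        inst.store[note.id] = note
        # Thread rebuild: walk inReplyTo and fetch every missing parent so the
        # reply has context. This is where a reply drags the parent post in.
        parent_id = note.in_reply_to
        while parent_id and parent_id not in inst.store:
            parent = self.fetch(parent_id)
            inst.store[parent.id] = parent
            parent_id = parent.in_reply_to

    def announce(self, domain, note_id):
        # Announce: the boosting instance addresses *its* followers with the
        # object id; recipients that lack the object fetch it from the origin.
        for f in self.followers_of(domain):
            if self.allowed(domain, f.domain) and note_id not in f.store:
                f.store[note_id] = self.fetch(note_id)


def build():
    # Constructed topology: c.example follows everyone; a.example blocks it.
    fed = Federation()
    fed.add("a.example")
    fed.add("b.example", following=["a.example"])
    fed.add("c.example", following=["a.example", "b.example", "d.example"])
    fed.add("d.example", following=["a.example"])
    fed.instances["a.example"].blocks.add("c.example")
    return fed


def leak_via_announce():
    """Returns (has copy after direct delivery, has copy after b boosts)."""
    fed = build()
    c = fed.instances["c.example"]
    note = fed.post("a.example", "embargoes are not in the public interest")
    before = note.id in c.store
    fed.announce("b.example", note.id)
    return before, note.id in c.store


def leak_via_reply():
    """Returns (has copy after direct delivery, has copy after d replies)."""
    fed = build()
    c = fed.instances["c.example"]
    note = fed.post("a.example", "embargoes are not in the public interest")
    before = note.id in c.store
    fed.post("d.example", "agreed", in_reply_to=note.id)
    return before, note.id in c.store
```

Both `leak_via_announce()` and `leak_via_reply()` return `(False, True)`: the block keeps the Create from reaching c.example, but c.example ends up holding the post anyway once b.example boosts it or d.example replies to it. The model deliberately leaves the block out of `fetch`, which is the assumption doing the work; the two routes to the post do not involve a.example addressing c.example at all.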

@kaniini @lesbianhacker I see blocking more like the Klingon Discommendation Ritual. It's a way of cutting ties with someone, and you are honour-bound to not communicate with that person.

People shouldn't think that there is an actual enforcement of it, and if you think about it, it's technically impossible to do so