[Cryptography] Blogpost: CITAS, a new FBI security program proposal

Ray Dillinger bear at sonic.net
Mon Nov 24 20:24:47 EST 2014

Note to list participants: check the CC line of the original message
before responding.  We are aware that this list is always monitored, but
this time I have explicitly invoked monitoring and explicitly invite
response.  Hello Agent Chesson; feel free to join the (list and)
discussion if you have something to add or correct.  It's a moderated
and usually very polite list, although events in the last couple of
years have caused some resentment and a great deal of distrust here
toward American Three-Letter agencies.

Brief: The FBI is proposing a security service to assist American
companies in achieving network security. It is called CITAS, for
"Computer Intrusion Threat Assessment System."  It is not an active
program yet; my impression is that it is the proposal and brainchild of
special agent John B. Chesson and that he is actively trying to raise
support for it both within the agency and among its potential clients.

This is one of very few proposals I have seen from any US agency that
genuinely seems likely to support rather than subvert security, in the
strict sense of owners retaining control of the assets they own.  It
does not require backdoors, it does not require keeping insecure
plaintext traffic on the network, and it does not propose to compel

What it proposes is that companies who join the service allocate an IP
address on their company's subnet for the use of the FBI, and the FBI
can then set up a honeypot at that IP address. Routers and switches in
the company's DMZ would direct traffic to the honeypot just as though it
were a company machine, leaving no clues to the contrary in route traces
or DNS, but the traffic would tunnel over some other channel, probably a
VPN, to a location controlled by the FBI.

The honeypot would be physically located at and controlled by an FBI
data center. This does not imply that the FBI gets any
"behind-the-firewall" view of a company's network; the company's
firewall can distrust the honeypot just as much as it distrusts unknown
IP addresses out in the wild.

The FBI would monitor the honeypots in real time for threats and
attacks, and when any "significant" threat or breach is detected, share
the information immediately with the subscribing company.

Less briefly:
http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/

This arrangement strikes me as likely to be highly effective in terms of
security, because the FBI could leverage manpower and monitoring effort
across a huge pool of honeypots truly indistinguishable to attackers
from genuine targets.  Effort spent by an FBI agent to understand and
script a log checker for a new threat would instantly apply to thousands
of companies via the honeypots sharing software, where the equivalent
effort spent by anyone else takes weeks to months to achieve wide
adoption, and never achieves wide adoption until after it is redone for
the nth time by many open-source volunteers.

This arrangement also strikes me as problematic in that it would also
allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc.,
nodes truly indistinguishable to users from genuine nodes run by people
who support anonymity, uncensored journalism, whistleblowers, and free
speech. The data would, of course, be shared across all the usual
law-enforcement, espionage, and security agencies of the US. Although to
be honest, these services are already so heavily monitored that there is
little left to lose.

Although Agent Chesson, whose presentation I attended, did not mention
these other uses, I would expect widespread adoption of this system to
mean effectively the death of "anonymous" P2P services such as Tor, due
to the simple fact of most of the gateway nodes being FBI-operated
sockpuppets.  While Tor or something like it remains the only way in
most of the world to use the Internet for uncensored journalism or
whistleblowing, the FBI cannot possibly ignore that as a channel it is
also used by criminals.

There is also some risk to the companies involved in the existence of
machines which they do not control but which have addresses publicly on
record as belonging to that company's subnet.  They could experience
adverse public perception if a honeypot became publicly known as
someplace where an unsavory or criminal activity were happening and its
address were traced back to the company's IP block.

Ray "Bear" Dillinger
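An added illustration of the pooling argument made above (this is not code from the post, from the FBI, or from any CITAS system): one detection rule run once over a pool of honeypots that belong to different subscribers, producing a per-subscriber share. The log format, the subscriber registry and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical sensor format (not a real CITAS format):
# "<timestamp> <honeypot_ip> <src_ip> <dst_port> <event>"
SAMPLE_LOG = """\
2014-11-24T20:01:02Z 198.51.100.7 203.0.113.5 22 ssh-login-failed
2014-11-24T20:01:05Z 198.51.100.7 203.0.113.5 22 ssh-login-failed
2014-11-24T20:02:11Z 192.0.2.40 203.0.113.5 22 ssh-login-failed
2014-11-24T20:02:30Z 192.0.2.40 203.0.113.5 445 smb-probe
2014-11-24T20:03:00Z 198.51.100.7 203.0.113.9 80 http-get
2014-11-24T20:04:44Z 192.0.2.40 203.0.113.5 22 ssh-login-failed
"""

# Hypothetical registry: which subscriber's subnet each honeypot address lives in.
SUBSCRIBERS = {"198.51.100.7": "ExampleCorp", "192.0.2.40": "AcmeBank"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(log_text):
    """Turn raw sensor lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, hp, src, port, ev = m.groups()
        events.append({"ts": ts, "honeypot": hp, "src": src,
                       "port": int(port), "event": ev})
    return events

def assess(events, min_failures=3):
    """One rule applied pool-wide: a source that accumulates min_failures failed
    logins across any honeypots counts as 'significant'. Returns
    {subscriber: [findings]} so each company is handed only its own share."""
    failures = defaultdict(int)      # src -> failed logins, pool-wide
    touched = defaultdict(set)       # src -> honeypots that source contacted
    for e in events:
        if e["event"] == "ssh-login-failed":
            failures[e["src"]] += 1
        touched[e["src"]].add(e["honeypot"])
    report = defaultdict(list)
    for src, n in failures.items():
        if n >= min_failures:
            for hp in touched[src]:
                report[SUBSCRIBERS.get(hp, "unknown")].append(
                    {"src": src, "honeypot": hp,
                     "failures_pool_wide": n, "honeypots_hit": len(touched[src])})
    return dict(report)
```

In the sample, ExampleCorp's honeypot alone saw only two failures and would not have crossed the threshold; the pool-wide count of four is what makes the finding visible to it.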

