[Cryptography] Blogpost: CITAS, a new FBI security program proposal
grarpamp at gmail.com
Mon Nov 24 23:30:29 EST 2014
> genuinely seems likely to support rather than subvert security
Security is not bringing more people onto your net or with you
as partners, let alone biased LE. Do you let cops sleep in your
house to protect you? What about that little dimebag you like to
toke on Fridays? Besides, if they want the service, corps don't
need LE to do what they can already do together neutrally on
their own, or by subscribing to equivalent commercial honeypot
services. What is this, infraguard 2.0? Clipper? Dept of redundancy?
Big brother? TIA?
Also, latency/TTL detection of remote hosting..
Heads up to Tor people, and cpunks to carve it up further.
On Mon, Nov 24, 2014 at 8:24 PM, Ray Dillinger <bear at sonic.net> wrote:
> Note to list participants: check the CC line of the original message
> before responding. We are aware that this list is always monitored, but
> this time I have explicitly invoked monitoring and explicitly invite
> response. Hello Agent Chesson; feel free to join the (list and)
> discussion if you have something to add or correct. It's a moderated
> and usually very polite list, although events in the last couple of
> years have caused some resentment and a great deal of distrust here
> toward American Three-Letter agencies.
> Brief: The FBI is proposing a security service to assist American
> companies in achieving network security. It is called CITAS, for
> "Computer Intrusion Threat Assessment System." It is not an active
> program yet; My impression that it is the proposal and brainchild of
> special agent John B. Chesson and that he is actively trying to raise
> support for it both within the agency and among its potential clients.
> This is one of very few proposals I have seen from any US agency that
> genuinely seems likely to support rather than subvert security, in the
> strict sense of owners retaining control of the assets they own. It
> does not require backdoors, it does not require keeping insecure
> plaintext traffic on the network, and it does not propose to compel
> What it proposes is that companies who join the service allocate an IP
> address on their company's subnet for the use of the FBI, and the FBI
> can then set up a honeypot at that IP address. Routers and switches in
> the company's DMZ would direct traffic to the honeypot just as though it
> were a company machine, leaving no clues to the contrary in route traces
> or DNS, but the traffic would tunnel over some other channel, probably a
> VPN, to a location controlled by the FBI.
> The honeypot would be physically located at and controlled by an FBI
> data center. This does not imply that the FBI gets any
> "behind-the-firewall" view of a company's network; the company's
> firewall can distrust the honeypot just as much as it distrusts unknown
> IP addresses out in the wild.
> The FBI would monitor the honeypots in real time for threats and
> attacks, and when any "significant" threat or breach is detected, share
> the information immediately with the subscribing company.
> Less briefly:
> This arrangement strikes me as likely to be highly effective in terms of
> security, because the FBI could leverage manpower and monitoring effort
> across a huge pool of honeypots truly indistinguishable to attackers
> from genuine targets. Effort spent by an FBI agent to understand and
> script a log checker for a new threat would instantly apply to thousands
> of companies via the honeypots sharing software, where the equivalent
> effort spent by anyone else takes weeks to months to achieve wide
> adoption, and never achieves wide adoption until after it is redone for
> the nth time by many open-source volunteers.
> This arrangement also strikes me as problematic in that it would also
> allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc,
> nodes truly indistinguishable to users from genuine nodes run by people
> who support anonymity, uncensored journalism, whistleblowers, and free
> speech. The data would, of course, be shared across all the usual
> law-enforcement, espionage, and security agencies of the US. Although to
> be honest, these services are already so heavily monitored that there is
> little left to lose.
> Although Agent Chesson, whose presentation I attended, did not mention
> these other uses, I would expect widespread adoption of this system to
> mean effectively the death of "anonymous" P2P services such as Tor, due
> to the simple fact of most of the gateway nodes being FBI-operated
> sockpuppets. While Tor or something like it remains the only way in
> most of the world to use the Internet for uncensored journalism or
> whistleblowing, the FBI cannot possibly ignore that as a channel it is
> also used by criminals.
> There is also some risk to the companies involved in the existence of
> machines which they do not control but which have addresses publicly on
> record as belonging to that company's subnet. They could experience
> adverse public perception if a honeypot became publicly known as
> someplace where an unsavory or criminal activity were happening and its
> address were traced back to the company's IP block.
> Ray "Bear" Dillinger
> The cryptography mailing list
> cryptography at metzdowd.com
More information about the cryptography