Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites

from the don't-regulate-what-you-don't-know dept

One of the big concerns we've had over politicians trying to regulate technology is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down power grids. If either thing were possible, the real response shouldn't be to set up a cybersecurity bill, but to disconnect those key infrastructure pieces from the internet.

Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Chris Soghoian, an actual cybersecurity expert, has highlighted how the key sponsors of CISPA fail at basic cybersecurity on their own websites, raising serious questions about their competence to write a cybersecurity bill.
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Rep. Rogers nor Rep. Ruppersberger does a very good job of securing his own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly.

When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.

He notes that there is really no excuse for these configuration errors, because the House appears to be set up with an HTTPS server, and other Reps. have it properly configured on their sites. Not much really needs to be done. However, the fact that other Reps. have set up HTTPS really raises concerns about these two Reps. and their staff when it comes to cybersecurity:
The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcard *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or set up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices has asked for it.
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure his own website was secure, huh?
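The "cursory evaluation" Soghoian describes boils down to a handful of mechanical checks: does the certificate on offer actually cover the hostname (a wildcard like *.house.gov covers one label, nothing more), does the HTTPS URL redirect the visitor to an unrelated site, and does a page that is served over HTTPS still pull in plain-http sub-resources (the "non-HTTPS content" he saw on one working site). The following is an added example written for this page, not Soghoian's or Techdirt's code. It runs the three checks offline; the certificate names, redirect targets and HTML below are constructed sample inputs, not captures from the sites discussed.

```python
"""Offline versions of the cursory HTTPS checks described in the post:
does a certificate name cover a host, does an HTTPS URL redirect off the
site, and does a page served over HTTPS load plain-http sub-resources.
Added example for this page; all hostnames, certificate names and HTML
below are constructed samples, not captures from the sites discussed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def wildcard_matches(cert_name, hostname):
    """RFC 6125-style match: '*' may only replace the single left-most label,
    so '*.house.gov' covers 'pelosi.house.gov' but not 'house.gov' or 'a.b.house.gov'."""
    cert_name, hostname = cert_name.lower().rstrip('.'), hostname.lower().rstrip('.')
    if not cert_name.startswith('*.'):
        return cert_name == hostname
    c_labels, h_labels = cert_name.split('.'), hostname.split('.')
    return (len(c_labels) == len(h_labels) and h_labels[0] != ''
            and c_labels[1:] == h_labels[1:])


def cert_covers(san_names, hostname):
    """True if any dNSName in the certificate's subjectAltName covers hostname."""
    return any(wildcard_matches(n, hostname) for n in san_names)


def redirect_leaves_site(requested_url, location):
    """True if a Location header sends an HTTPS request to another host or back
    to plain http (the wrong-site redirect the post describes); relative
    redirects stay on the site and are fine."""
    req, dst = urlparse(requested_url), urlparse(location)
    if not dst.netloc:
        return False
    return dst.hostname != req.hostname or (req.scheme == 'https' and dst.scheme != 'https')


class _SubResources(HTMLParser):
    """Collect URLs of sub-resources a browser would fetch while rendering."""
    _ATTR = {'script': 'src', 'img': 'src', 'iframe': 'src', 'embed': 'src',
             'source': 'src', 'video': 'src', 'audio': 'src', 'object': 'data',
             'link': 'href'}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'link' and (attrs.get('rel') or '').lower() not in ('stylesheet', 'icon'):
            return                                   # e.g. rel=canonical is never fetched
        attr = self._ATTR.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])


def mixed_content(page_url, html):
    """Return the sub-resource URLs a browser would fetch over plain http from a
    page loaded at page_url; only an https page can have mixed content.
    Relative and scheme-relative ('//cdn...') URLs inherit https and are fine."""
    if urlparse(page_url).scheme != 'https':
        return []
    parser = _SubResources()
    parser.feed(html)
    return [u for u in parser.urls if urlparse(u).scheme == 'http']


# Constructed sample inputs (not real captures).
SAMPLE_SAN = ['*.house.gov', 'house.gov']
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.org/analytics.js"></script>
</head><body>
<img src="//img.example.org/seal.png">
<img src="http://img.example.org/banner.png">
</body></html>"""


def audit_sample():
    """Run the three checks over the constructed samples and return the findings."""
    return {
        'wildcard_covers_member_site': cert_covers(SAMPLE_SAN, 'member.house.gov'),
        'wildcard_covers_campaign_site': cert_covers(SAMPLE_SAN, 'www.member-campaign.example'),
        'https_redirects_off_site': redirect_leaves_site(
            'https://member.house.gov/', 'https://caucus.house.gov/'),
        'insecure_subresources': mixed_content('https://member.house.gov/', SAMPLE_PAGE),
    }


if __name__ == '__main__':
    for finding, value in audit_sample().items():
        print(f'{finding}: {value}')
```

Against a live site the same functions take the dNSName list from the served certificate, the Location header from the HTTPS response, and the page body; the point of the wildcard check is that a *.house.gov certificate cannot be reused for a campaign site on a different domain, which is exactly where a separate certificate (and the certificate error Soghoian saw) comes in.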

Filed Under: cispa, congress, cybersecurity, fail, https


Reader Comments



  • Lobo Santo (profile), 19 Apr 2012 @ 12:30pm

    Pudding of Proof!

    It's a scam!

    It's as though the congress-critters are saying "See, if I leave my garage wide open and unlocked with a sign that says "free stuff" people will totally steal my tools! Thus, logically, there needs to be a law against people going into garages they don't own."

    /poor-analogy

  • Anonymous Coward, 19 Apr 2012 @ 12:33pm

    You only need to secure your website if you have something to hide.


    • Anonymous Coward, 19 Apr 2012 @ 12:41pm

      Re:

      So, we don't need a cybersecurity bill since we have nothing to hide?


    • Anonymous Coward, 19 Apr 2012 @ 12:54pm

      Re:

      There are two additionally-important reasons to use https when accessing a website:

      1) your surfing habits cannot be tracked by 3rd parties (aka, your ISP tracking where you go and what you do). This is important for privacy - of course, CISPA wouldn't want that to be a reality anyway.

      2) you want to avoid middle-man attacks - that goes both ways. In theory, someone in the middle can inject incorrect information into a website you are visiting if it's not secured via https. ISPs have been known to do this by injecting their own ads into the site, but anything can be done, malicious or otherwise.

      Of course, again, governments would like to keep those doors open, screw the public - they don't need any sort of privacy or protection.


      • Anonymous Coward, 19 Apr 2012 @ 1:12pm

        Re: Re:

        1) This is wrong: you can absolutely track where others go. You cannot track what is being transmitted unless you get hold of the private key, but that is not a problem for the American government, since most key issuers are American companies that need to comply with American government demands even if they are not legally bound to do it, because the government has incredible leverage over those companies, which have a lot of dealings with government agencies.

        • Anonymous Coward, 19 Apr 2012 @ 1:33pm

          Re: Re: Re:

          You misunderstand how https certificates are issued.

          It is not necessary to reveal your private key to your certificate authority - and many website owners don't. Some CAs do create them for you if you're too lazy to do so yourself, however - so I could see how one might come to this conclusion.

          • Anonymous Coward, 19 Apr 2012 @ 1:34pm

            Re: Re: Re: Re:

            Oh, and https headers are encrypted, so beyond knowing what the DNS request was for the domain, the actual URL is not revealed to a 3rd party/middleman.


            • Anonymous Coward, 19 Apr 2012 @ 4:24pm

              Re: Re: Re: Re: Re:

              HTTPS headers are encrypted, but that doesn't stop people from tracking the IPs and domains you visit.

              Quote:
              Everything in the HTTPS message is encrypted, including the headers, and the request/response load. With the exception of the possible CCA cryptographic attack described in limitations section below, the attacker can only know the fact that a connection is taking place between the two parties, already known to him, the domain name and IP addresses.

              Source: https://en.wikipedia.org/wiki/HTTP_Secure

              Getting a certificate to be recognized by a lot of people is not an easy task either, since you must go to a key signing party to get listed in a public certificate authority that is not a company or have government ties.
              http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

              https://en.wikipedia.org/wiki/CACert
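The distinction drawn in this sub-thread, that an observer of an HTTPS connection learns the domain name and IP address but not the URL, can be seen directly in the bytes on the wire. The TLS ClientHello is sent before any key has been agreed, so its server_name (SNI) extension carries the hostname in cleartext; the HTTP request line with its path only appears later, inside encrypted records. The following added example, written for this page and not taken from any commenter or cited source, builds a minimal TLS 1.2 ClientHello with SNI and then parses the hostname back out the way a passive sniffer would. The hostname is a constructed sample.

```python
"""What a passive observer of an HTTPS connection can read off the wire.

The ClientHello's server_name (SNI) extension is sent in cleartext, so the
hostname is visible to anyone on the path; the URL path and HTTP headers
only travel in later, encrypted records and never appear in this message.
Added example for this page; the hostname used is a constructed sample."""
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension type
SNI_HOST_NAME = 0x00      # ServerName NameType host_name


def build_client_hello(server_name, include_sni=True, random_bytes=bytes(32)):
    """Assemble a minimal TLS 1.2 ClientHello record (two cipher suites, no other extensions)."""
    suites = struct.pack('!HH', 0x002f, 0x0035)            # enough suites to give the vector shape
    body = (b'\x03\x03' + random_bytes + b'\x00'            # client_version, random, empty session_id
            + struct.pack('!H', len(suites)) + suites
            + b'\x01\x00')                                   # compression_methods: [null]
    if include_sni:
        name = server_name.encode('ascii')
        entry = bytes([SNI_HOST_NAME]) + struct.pack('!H', len(name)) + name
        sni = struct.pack('!H', len(entry)) + entry          # ServerNameList
        ext = struct.pack('!HH', EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack('!H', len(ext)) + ext            # extensions vector
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, 'big') + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack('!H', len(handshake)) + handshake


def extract_sni(record):
    """Walk a ClientHello record the way a sniffer would and return the SNI hostname, or None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack('!H', record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], 'big')]
    pos = 2 + 32                                             # skip client_version and random
    try:
        pos += 1 + body[pos]                                 # session_id
        pos += 2 + struct.unpack('!H', body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # hello carries no extensions at all
        ext_end = pos + 2 + struct.unpack('!H', body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack('!HH', body[pos:pos + 4])
            data, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            lpos = 2                                         # skip ServerNameList length
            while lpos + 3 <= len(data):
                ntype, nlen = data[lpos], struct.unpack('!H', data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + nlen]
                lpos += 3 + nlen
                if ntype == SNI_HOST_NAME:
                    return name.decode('ascii', 'replace')
    except (IndexError, struct.error):
        return None                                          # truncated or malformed hello
    return None


if __name__ == '__main__':
    hello = build_client_hello('www.house.gov')             # constructed sample hostname
    print('hostname visible in cleartext:', extract_sni(hello))
    print('request path present in the hello:', b'/some/page' in hello)
```

In a real capture the same parse runs over the first record of each port-443 flow; the destination IP and the preceding plaintext DNS lookup leak the same name independently of SNI, which is why the commenter's "domain name and IP addresses" is the right summary of what the encryption does not hide.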

          • Anonymous Coward, 19 Apr 2012 @ 4:13pm

            Re: Re: Re: Re:

            If you are asking for a connection to an IP address, that IP address will be logged; it doesn't matter how much encryption there is, you still need to ask for an IP address. The only way to mask that is through a proxy; then you'd be anonymous. Otherwise you are not: only the contents of the connection are secure, but to whom you connected can be logged and tracked over time.

            On the HTTPS thing, most certificate authorities are not controlled by you; they are companies that issue certificates to a lot of other people and entities. In practical terms, HTTPS today is controlled by those few companies; unless you issued the keys yourself, which is a rarity nowadays, you have zero true security against governments. Further, even if you issue a certificate yourself, if you want a lot of people to be able to trust it, you need to get it listed somewhere people trust the information; otherwise when it hits a browser it will be shown as "authority unknown" with all the warnings to reject it. So you need to get it listed somewhere, and that means creating your own contacts and starting to contact others to accept your certificate as valid: not an easy task for the average Joe, doable if you don't ever need a public-facing front and all the people that need to know about the validity of the certificate know you and are able to get it directly from you and thus register it into their systems.

        • ltlw0lf (profile), 19 Apr 2012 @ 6:50pm

          Re: Re: Re:

          This is wrong you can absolutely track where others go

          Tunneling proxies take care of that. You can only track the entry to the proxy, but after that, you have to track the proxy.

          you cannot track what is being transmitted unless you get hold of the private key, but that is not a problem for the American government since most key issuers are American companies

          As the other A/C said...you don't give your key up when you get your certificate, so this is not a problem.


      • Anonymous Coward, 19 Apr 2012 @ 1:52pm

        Re: Re:

        I can't reply seriously to your points because I didn't expect anyone to take my post seriously. I thought it was obvious that I was turning around the oft repeated mantra of, "If you have nothing to hide, you have nothing to fear from this bill."

        It's not that I don't understand your points (I'm not in Congress, after all), I just can't bring myself to address them because I agree.


  • gorehound (profile), 19 Apr 2012 @ 12:42pm

    Until we can dump both of these Dinosaur Parties we will continue to lose our Rights. And NOTE:
    Both of the Main Parties are selling us out, not just one of them.

  • Anonymous Coward, 19 Apr 2012 @ 12:43pm

    HTTPS

    What does secure HTTP have to do with website security? Using HTTPS doesn't make the website any more "secure", it only makes the communication between the website and the browser secure.


    • Anonymous Coward, 19 Apr 2012 @ 12:58pm

      Re: HTTPS

      I think it was intended to be used as an example of "what level of expertise has been used here".

      As the article implies: "While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative."

      IOW, if you can't even provide working https on your website when you already have the certificate, and the server has been configured to use it on other sites - are you a competent website admin?


  • Anonymous Coward, 19 Apr 2012 @ 12:55pm

    ... and these are the people that we are supposed to trust with our private data?


  • Anonymous Coward, 19 Apr 2012 @ 12:58pm

    whoa! I hope Chris Soghoian covered his tracks well. They'll be doing him for hacking if he isn't careful! You know the rules: make someone doing something stupid actually look stupid and you're right in the shite! Like most politicians, these idiots are just the paid-for mouthpieces of big companies, knowing less than nothing about the bills they are trying to force on to the public.

  • Anonymous Coward, 19 Apr 2012 @ 1:04pm

    Sort of the same reasons why the Inight community link on techdirt tries to go to an https, but which is not supported?

    here, have a few more rocks to throw at your glass house.


    • Baldaur Regis (profile), 19 Apr 2012 @ 1:38pm

      Re:

      Are you on drugs? Or are you using IE6? While it's true the "Inight" link does not work (I suspect because it does not exist), the "Insight Community" link goes directly to an https page.

      I kid. Actually, you need the 'special-secret-pirate' version of browser to get there.


      • Anonymous Coward, 19 Apr 2012 @ 2:03pm

        Re: Re:

        I go there with chrome, and it red crosses out the https, meaning that the connection is not truly https. Basically, the page contains secure AND insecure items on the same page mixed, which makes it a fail.

        It means that for all the HTTPS, a simple switcharoo on one of the insecure items could cause an issue.

        Mike should know that... but he's too busy picking at other people's stuff to bother checking his own.


        • Anonymous Coward, 19 Apr 2012 @ 3:09pm

          Re: Re: Re:

          Well he also isn't demanding laws be made to make the internet "more secure."


          • Anonymous Coward, 19 Apr 2012 @ 7:16pm

            Re: Re: Re: Re:

            No, he demands less laws to make the internet "less secure", and we should all be perfect in how we host our sites and run our servers... yet, clearly, not everything is perfect in the land of Techdirt.

            I think his new clothes are ugly (and more than a little invisible).


            • Chuck Norris' Enemy (deceased) (profile), 20 Apr 2012 @ 7:03am

              Re: Re: Re: Re: Re:

              Congress can pass all the laws they want but idiots (read: government) will still leave their networks "less secure". Just more laws to punish those they despise and turn heads/wrist slap those they favor.


  • Al Bert (profile), 19 Apr 2012 @ 1:08pm

    there's an example to be made

    Similar scenarios happen in shitty jobs every day. You see something that's a half-broken impediment to productivity or an embarrassment to the profession. You know it's been brought to the attention of management, who don't understand or care, or outright forbade you or anyone to take any corrective measures. In an environment of zero mutual respect, I see this as a call to ensure that said something gets broken the rest of the way, in a manner which directly targets any claims made as to why it was unimportant.

  • Anonymous Coward, 19 Apr 2012 @ 1:08pm

    Congress is a place of marvelous ignorance of everything; it is just shocking how intelligent individuals packed together can become so dumb.

    TreeHugger: CA Senator Wants Warning Labels on Reusable Bags: "Can Cause Serious Illness, Cancer"

    Maybe we should call this the age of paranoid politics. Well, not really; looking at history, it is just impressive that after millennia we still do the same exact things that people did in antiquity or the middle ages.

    People intelligent in one area or otherwise, who get to power, suddenly believe they can regulate all other areas according to their own bias, because everything that they experience is applicable to other areas, without having to respect true democratic values, which were built exactly to address those shortcomings of top-down BS management.

    There is no way to secure the internet. You can secure information for a short while; anything that needs long-term secrecy should never traverse open channels but exclusive ones. Punishing people for your own failings will not save you from people who want to do real harm, since they don't care about the punishment. Further, trying to create cybersecurity BS bills that criminalize experimentation in security harms your own prospects of having the necessary people with the necessary skills to protect anything.

    Yes, you can disable the US navy through the internet. It is doable because the navy uses the fucking open internet to communicate important data. It is possible to destroy a pump somewhere using SCADA, which begs the question why these dumb people are allowing it to communicate over unsecure channels at all. Most importantly, it shows the weakness of central single points of failure. If they were really interested in securing the nation they would be thinking of decentralization and the P2P'fying of the entire vital infrastructure: production of energy should be distributed, if possible to the family level; water needs should be met with new technologies for treatment and recycling inside a home; and so forth. Then there is no risk from the internet anymore; it would become impossible to disable the country.

    Taking those steps, you reduce dramatically the apocalyptic scenarios that cyber-dumb people can come up with.

    I am calling them cyber-dumb people because that is what they are: they could be very knowledgeable in some other area but are completely stupid about how technology really works and what it can do, and so are undermining democracy to get the feel of security, which can't be had by such measures but by real work, real innovation. We are not going to secure America by legislating bad guys out; they don't care. We will secure America the only way that is proven to work, and that is innovating and working on the real solutions that will upset many deep-rooted interests.

  • Anonymous Coward, 19 Apr 2012 @ 1:11pm

    I'm not sure I see the point in whining about whether some Congressperson's website supports https. Who cares? Trying to paint it as the industry standard is silly.

    Does Techdirt support encryption? Does anyone care? Give me a break with the incessant whining about everything.

    • Anonymous Coward, 19 Apr 2012 @ 1:16pm

      Re:

      Silly is your understanding of what was written. It is not about support for HTTPS, but how people in congress, with all the tools laid out for them in the easiest way possible, still manage to get the simple things wrong.

      HTTPS is basic stuff; if you can't even get that right, it really calls into question the other assumptions about how much those people involved really know about what they are talking about.

    • Jeremy2020 (profile), 19 Apr 2012 @ 1:44pm

      Re:

      I see that you have made an excellent reverse psychology post. If you have tools already to make things more secure and choose not to use them, then why add new ones?

    • Mike Masnick (profile), 19 Apr 2012 @ 2:04pm

      Re:

      Trying to paint it as the industry standard is silly.

      Are you honestly claiming that https is not the industry standard? Really?

      Give me a break with the incessant whining about everything.

      Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.

      • Anonymous Coward, 20 Apr 2012 @ 11:18am

        Re: Re:

        Good Lord.

        Are you honestly claiming that https is not the industry standard? Really?

        I'm saying it's not industry standard to have https on every webpage--even TD is not https.

        Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.

        All you do is whine about every little thing. You're the whiniest bitch on the internet, Mike.


  • Anonymous Coward, 19 Apr 2012 @ 1:29pm

    You are missing the key point.

    Do as we (and our lobbyists) say, and not as we do!


  • Anonymous Coward, 19 Apr 2012 @ 1:32pm

    Hey, I know, let's put Rogers and Ruppersberger in charge of the NSA! Obviously they're well qualified if they can't even secure their own websites.

  • Bengie, 19 Apr 2012 @ 1:32pm

    I heard

    I hear people die in hospitals. I figure it would be wise to make it illegal for someone to die in a hospital.

    That will increase the quality of hospitals.

    I fail to see how the cybersecurity bill actually increases security. It just makes more things illegal.

  • Anonymous Coward, 19 Apr 2012 @ 1:38pm

    Will you blow me where teh pampers is?


  • Anonymous Coward, 19 Apr 2012 @ 1:52pm

    DojoSec Monthly Briefings - March 2009 - Marcus J. Ranum gives an interesting talk on CyberWar and the failure of the notion.
    http://vimeo.com/3519680


  • ECA (profile), 19 Apr 2012 @ 1:54pm

    We have to ask a few questions first..

    1. Do you REALLY think they make/create their own sites??
    2. If they have those that DO make the sites, do you THINK they are pro or NUBE?? Which is cheaper?
    3. Are you SURE they don't WANT their sites hacked? If they are, then they can MAKE A POINT..
    4. Do you REALLY think they know ANYTHING in the first place? How about the process of getting oil out of the ground and into your car and ALL the money WE pay in tax for OIL exploration..

    WHO thinks that these idiots have their OWN servers and sites?? (NOT I)
    And then they connect their other computers TO IT?? (really stupid)

    • Anonymous Coward, 19 Apr 2012 @ 2:46pm

      Re: We have to ask a few questions first..

      It's pretty amusing if you s/site/bill in your comment there... which is the entire point of this article.


    • Anonymous Coward, 19 Apr 2012 @ 3:12pm

      Re: We have to ask a few questions first..

      Really do think nube?? Sure want make a point, really anything.. All we oil who own not I to it!!


  • Rich Kulawiec, 19 Apr 2012 @ 3:38pm

    It would be instructive and useful if...

    ...someone stood up at one of their press conferences and asked Rogers or Ruppersberger to describe, at a basic level, a DNS cache poisoning attack.


    • Anonymous Coward, 19 Apr 2012 @ 4:01pm

      Re: It would be instructive and useful if...

      They would explain how the 'bad' cash being pushed in the wrong direction (to the people, not to the congress critters) is poisoning the public to the views that they have been demanding.... or something similarly silly.


  • ANonnnomm, 19 Apr 2012 @ 4:55pm

    hackers taking down powergrids etc....
    "" Disconnect those key infrastructure pieces from the internet ""

    Well said.... Might I add....

    WHY THE FUCK are critical systems on the internet in the first place ?
    Unconnected read only access as a monitoring device...ok but full access via the web is just ludicrous from a security standpoint.

  • article.directory (profile), 20 Apr 2012 @ 7:44am

    People who live in glass houses should not throw stones at others.

    Amazing how well this saying fits the current standard of governance.

  • Anonymous Coward, 20 Apr 2012 @ 9:19am

    The government's big picture is they want to root out all that speak out against them. They want to know exactly where they are, who they talk to, EVERYTHING. It's not far from what happened in Germany in the 1920s and 30s. Only this time it's going to be a collective of all the major military forces of the world; they call themselves NATO and the UN. If the Nazi timeline holds, in 5 to 20 years the military will start to process 95% of the population of the world. Some would say I'm paranoid. I would say that's what they want you to think.


