Congressional Reps Pushing CISPA Cybersecurity Bill Don't Even Know How To Secure Their Own Websites
from the don't-regulate-what-you-don't-know dept
One of the big concerns we've had over politicians trying to regulate technology is how gleefully ignorant they often seem to be about the technology they seek to regulate. It's no different with the cybersecurity bill CISPA. We've been asking for months for some actual evidence that shows that we really need a cybersecurity bill, and all we get are fanciful stories about planes falling from the sky and hackers taking down power grids. If either thing were possible, the real response shouldn't be to set up a cybersecurity bill, but to disconnect those key infrastructure pieces from the internet.
Either way, we're learning, once again, that the backers of CISPA don't seem to know the slightest thing about "cybersecurity." Actual cybersecurity expert Chris Soghoian has highlighted how the key sponsors of CISPA fail at basic cybersecurity for their own websites, raising serious questions about their competence in writing a cybersecurity bill:
Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.
Take a wild guess what he found. First, he looks at whether or not they use HTTPS. As he notes, "It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry." So, what did Soghoian find? It appears that neither Rep. Rogers nor Rep. Ruppersberger does a very good job securing their own sites. He finds some sites without any HTTPS at all, and the others have it configured incorrectly:
So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.
He notes that there is really no excuse for these configuration errors, because the House appears to be set up with an HTTPS server, and other Reps have it properly configured on their sites. Not much really needs to be done. However, the fact that other Reps have set up HTTPS really raises concerns about these two Reps and their staff when it comes to cybersecurity:
When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.
Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.
The webserver that runs all of the house.gov websites is listening on port 443 and it looks like Akamai has issued a wildcard *.house.gov certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like there is some non-HTTPS encrypted content delivered from that page too.) This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or setting up new webservers. The software is already all there - and the fact that these sites do not work over HTTPS connections already suggests that no one in the members' offices has asked for it.
Rep. Rogers, of course, recently stated that he's so concerned with the threats of cybersecurity that he literally "can't sleep at night." Funny, then, that he never bothered to make sure his own website was secure, huh?
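Two of the findings quoted above rest on checks a browser performs silently: whether a wildcard certificate such as *.house.gov actually covers the hostname being visited, and whether a page served over HTTPS still pulls in non-HTTPS content. The following is an added example written for this post, not code from the article or from Soghoian's post; the hostnames like example.house.gov, the cdn.example.net URL and the HTML snippet are all constructed.

```python
# Added example (not the article's or Soghoian's code): offline model of two
# checks behind the HTTPS findings. Hostnames and HTML below are constructed.
import re
from urllib.parse import urlsplit


def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Apply the wildcard rule (RFC 6125) a browser uses to validate a cert.

    '*.house.gov' covers exactly one left-most label: 'rogers.house.gov'
    matches, while 'house.gov' and 'www.rogers.house.gov' would both give
    the certificate error the article describes.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname  # plain name: exact match only
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    return len(cert_labels) == len(host_labels) and cert_labels[1:] == host_labels[1:]


# Tags whose src/href is fetched as a subresource; an <a href> is navigation,
# not mixed content, so it is deliberately not listed.
SUBRESOURCE = re.compile(
    r"<(?:script|img|iframe|link|audio|video|source|embed)\b[^>]*?"
    r"\b(?:src|href)\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def mixed_content(page_url: str, html: str) -> list[str]:
    """Return subresource URLs loaded over plain http from an https page.

    This is the 'non-HTTPS content delivered from that page' problem: one
    http script or stylesheet undoes the integrity the https page promised.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # the page itself is not protected; nothing to downgrade
    return [u for u in SUBRESOURCE.findall(html) if urlsplit(u).scheme == "http"]


# Constructed sample: an https page pulling one script over http.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://example.house.gov/style.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body><a href="http://example.house.gov/about">About</a></body></html>"""

if __name__ == "__main__":
    for host in ("rogers.house.gov", "house.gov", "www.rogers.house.gov"):
        print(host, cert_name_matches("*.house.gov", host))
    print(mixed_content("https://example.house.gov/", SAMPLE_HTML))
```

The apex house.gov and any second-level name under it fall outside the wildcard, which is why a single *.house.gov certificate suffices for member sites but not for every name the House might serve.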
Filed Under: cispa, congress, cybersecurity, fail, https
Pudding of Proof!
It's as though the congress-critter are saying "See, if I leave my garage wide open and unlocked with a sign that says "free stuff" people will totally steal my tools! Thus, logically, there needs to be a law against people going into garages they don't own."
/poor-analogy
Re:
1) your surfing habits cannot be tracked by 3rd parties (aka, your ISP tracking where you go and what you do). This is important for privacy - of course, CISPA wouldn't want that to be a reality anyway.
2) you want to avoid middle-man attacks - that goes both ways. In theory, someone in the middle can inject incorrect information into a website you are visiting if it's not secured via https. ISPs have been known to do this by injecting their own ads into the site, but anything can be done, malicious or otherwise.
Of course, again, governments would like to keep those doors open, screw the public - they don't need any sort of privacy or protection.
Re: Re: Re:
It is not necessary to reveal your private key to your certificate authority - and many website owners don't. Some CA's do create them for you if you're too lazy to do so yourself, however - so I could see how one might come to this conclusion.
Re: Re: Re: Re: Re:
Quote:
Source: https://en.wikipedia.org/wiki/HTTP_Secure
Getting a certificate recognized by a lot of people is not an easy task either, since you must go to a key signing party to get listed in a public certificate authority that is neither a company nor has government ties.
http://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html
https://en.wikipedia.org/wiki/CACert
Re: Re: Re: Re:
On the HTTPS thing, most certificate authorities are not controlled by you; they are companies that issue certificates to a lot of other people and entities. In practical terms, HTTPS today is controlled by those few companies; unless you issued the keys yourself, which is a rarity nowadays, you have zero true security against governments. Further, even if you issue a certificate yourself, if you want a lot of people to be able to trust it, you need to get it listed somewhere people trust the information; otherwise, when it hits a browser it will be shown as "authority unknown" with all the warnings to reject it. So you need to get it listed somewhere, and that means creating your own contacts and starting to contact others to accept your certificate as valid: not an easy task for the average Joe, doable if you don't ever need a public-facing front and all the people that need to know about the validity of the certificate know you and are able to get it directly from you and thus register it into their systems.
Re: Re: Re:
Tunneling proxies take care of that. You can only track the entry to the proxy, but after that, you have to track the proxy.
you cannot track what is being transmitted unless you get hold of the private key, but that is not a problem for the American government since most key issuers are American companies
As the other A/C said...you don't give your key up when you get your certificate, so this is not a problem.
Re: Re:
It's not that I don't understand your points (I'm not in Congress, after all), I just can't bring myself to address them because I agree.
Re: Re: Re:
<sarcasm>
LoL
</sarcasm>
Source: W3Schools: HTML entities
Both of the Main Parties are selling us out not just one of them.
HTTPS
Re: HTTPS
As the article implies: "While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative."
IOW, if you can't even provide working https on your website when you already have the certificate, and the server has been configured to use it on other sites, are you a competent website admin?
here, have a few more rocks to throw at your glass house.
Re:
I kid. Actually, you need the 'special-secret-pirate' version of browser to get there.
Re: Re:
It means that for all the HTTPS, a simple switcheroo on one of the insecure items could cause an issue.
Mike should know that... but he's too busy picking at other people's stuff to bother checking his own.
Re: Re: Re: Re:
I think his new clothes are ugly (and more than a little invisible).
there's an example to be made
TreeHugger: CA Senator Wants Warning Labels on Reusable Bags: "Can Cause Serious Illness, Cancer"
Maybe we should call this the age of paranoid politics. Well, not really; looking at history, it is just impressive that after millennia we still do the same exact things that people did in antiquity or the middle ages.
People intelligent in one area or otherwise, who get to power, suddenly believe they can regulate all other areas according to their own bias, because everything that they experience is applicable to other areas, without having to respect true democratic values, which were built exactly to address those shortcomings of top-down BS management.
There is no way to secure the internet; you can secure information for a short while. Anything that needs long-term secrecy should never traverse open channels but exclusive ones. Punishing people for your own failings will not save you from people who want to do real harm, since they don't care about the punishment. Further, trying to create cybersecurity BS bills that criminalize experimentation in security harms your own prospects of having the necessary people with the necessary skills to protect anything.
Yes, you can disable the US navy through the internet. It is doable because the navy uses the fucking open internet to communicate important data. It is possible to destroy a pump somewhere using SCADA, which begs the question why these dumb people are allowing it to communicate over insecure channels at all. Most importantly, it shows the weakness of central single points of failure. If they were really interested in securing the nation they would be thinking of decentralization and the P2P'fying of the entire vital infrastructure: production of energy should be distributed, if possible to the family level, water needs should be met with new technologies for treatment and recycling inside a home, and so forth. Then there is no risk from the internet anymore; it would become impossible to disable the country.
Taking those steps, you reduce dramatically the apocalyptic scenarios that cyber-dumb people can come up with.
I am calling them cyber-dumb people because that is what they are. They could be very knowledgeable in some other area but are completely stupid about how technology really works and what it can do, and so are undermining democracy to get a feeling of security that can't be had by such measures, only by real work, real innovation. We are not going to secure America by legislating bad guys out; they don't care. We will secure America the only way that is proven to work, and that is innovating and working on the real solutions that will upset many deep-rooted interests.
Does Techdirt support encryption? Does anyone care? Give me a break with the incessant whining about everything.
Re:
HTTPS is basic stuff; if you can't even get that right, it really calls into question the other assumptions about how much the people involved really know about what they are talking about.
Re:
Are you honestly claiming that https is not the industry standard? Really?
Give me a break with the incessant whining about everything.
Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.
Re: Re:
Are you honestly claiming that https is not the industry standard? Really?
I'm saying it's not industry standard to have https on every webpage--even TD is not https.
Only one person is whining here, and he's the goofy guy who shows up in the mirror when you look at it. The rest of us are having a serious discussion about something important. When you grow up, perhaps we'll let you join us.
All you do is whine about every little thing. You're the whiniest bitch on the internet, Mike.
Do as we (and our lobbyists) say, and not as we do!
I heard
That will increase the quality of hospitals.
I fail to see how the cybersecurity bill actually increases security. It just makes more things illegal.
http://vimeo.com/3519680
We have to ask a few questions first..
2. If they have those that DO make the sites, do you THINK they are pro or NUBE?? Which is cheaper?
3. Are you SURE they don't WANT their sites hacked? If they are, then they can MAKE A POINT..
4. Do you REALLY think they know ANYTHING in the first place? How about the process of getting oil out of the ground and into your car and ALL the money WE pay in tax for OIL exploration..
WHO thinks that these idiots have their OWN servers and sites?? (NOT I)
And then they connect their other computers TO IT?? (really stupid)
It would be instructive and useful if...
Well said.... Might I add....
WHY THE FUCK are critical systems on the internet in the first place ?
Unconnected read-only access as a monitoring device... ok, but full access via the web is just ludicrous from a security standpoint.
?
Amazing how well this saying fits the current standard of Governance