U.S. spy agencies ... email for cybersecurity

Christopher Morrow morrowc.lists at gmail.com
Tue Jul 10 20:47:53 UTC 2012


On Mon, Jul 9, 2012 at 11:22 PM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:
> (note, people ought to: 1) think about this on their own making up
> their own minds, 2) understand that the press has some very weird
> ideas, 3) take some better protections on their own, for their own
> security)
>
> also, I'm not judging the OP nor the reporter nor the ideas espoused
> in the article/clips...
>
> On Mon, Jul 9, 2012 at 9:46 PM, William Allen Simpson
> <william.allen.simpson at gmail.com> wrote:
>> Somebody needs to give them a clue-by-four.  The private sector
>
> people keep trying, sometimes it's helped. sometimes reporters need to
> sell stories :(
>
>> already has the "Internet address where an email ... originated";
>
> it's not just email they care about :( (you knew that I think)
>
>> it's already in the Received lines.  We don't need to be informed
>> about it, we already inform each other about it.
>
> one interesting idea, that has proven out some merit over the years is
> the ability to share 'incident' data across entry points (say across
> companies, or gov'ts even) about 'bad things' that are happening.
>
> Take the case of 'spam came in from this end system to my mailserver',
> if I tell you that (or some central system which you can query)
> you'll learn that maybe the inbound connection to you is also
> spam-rich.
>
>> And it's already delivered "at network speed."
>>
>
> the article sort of reads like the above scenario though... maybe it's
> NOT that, maybe it's something else entirely... it SEEMS that the
> gov't wants to help. They may be able to, they may just foul things
> up. The reporter certainly didn't leave enough details in place to
> tell :(
>
>> It is my understanding the Dept of Homeland Security already
>> cooperates in sharing government intrusion information.  We certainly
>> don't need a "U.S. spy agency" MITM to "protect the private sector."
>
> <http://en.wikipedia.org/wiki/Einstein_%28US-CERT_program%29>
>
> you may mean? could be... the wikipedias are sometimes wrong, or so
> says the teacher of my 7yr old.
>
>> Moreover, the US is the source of most spam and malware, so the NSA
>> isn't really going to be much help.  And the US is the source of the
>
> but hosts in the US that are botted/spamming, also spam/bot other
> things outside the US, right? so really who cares where the src is,
> get some data collection points up and use that data to inform your
> security policy, no? (sure, you'll have to have some smarts, and some
> smart people, and be cautious... but you'd do that anyway, right? :) )
>
> These folks have some awesome tech for that sort of data collection
> and analysis:
>  <http://en.wikipedia.org/wiki/SHERIFF>
>
> it's a shame that their parent company can't find a way to monetize
> that sort of thing. (the article there talks about some older version
> of the system, which is still alive/well today doing fraud detection
> and was doing some IDS/anomaly-detection-like work as well for ip
> network things)

to be fair to vz/mci here, an offline reader pointed me to:
<http://newscenter.verizon.com/press-releases/verizon/2011/verizon-teams-with-northrop.html>

hey lookie, they sold one :) (hopefully for the sheriff folks, they
can do more of this, it really is cool)

>> only known cyber attacks on other countries' infrastructure, so it's
>> not likely much help there, either.  Unless they expect retaliation?
>>
>> ===
>>
>> http://in.reuters.com/article/2012/07/10/net-us-usa-security-cyber-idINBRE86901620120710
>>
>> U.S. spy agencies say won't read Americans' email for cybersecurity
>> 8:48pm EDT
>>
>> By Tabassum Zakaria and David Alexander
>>
>> WASHINGTON (Reuters) - The head of the U.S. spy agency that eavesdrops on
>> electronic communications overseas sought on Monday to reassure Americans
>> that the National Security Agency would not read their personal email if
>> a new cybersecurity law was enacted to allow private companies to share
>> information with the government.
>> ...
>>
>> But to help protect the private sector, he said it was important that the
>> intelligence agency be able to inform them about the type of malicious
>
> translated: "Hey, what if we could tell our private sector partners
> (Lockheed-Martin, for instance) that they should be on the lookout for
> things like X, or traffic destined to Y, or people sending all their
> DNS queries to these 5 netblocks." (dcwg.org sorta crap)
>
> that doesn't sound 'bad', it sounds like there is a gap in the
> business world to wrap all this data up and sell access to it... but
> the gov't can jump in with their mountains of data from their
> 'einstein' or whatever and go to town protecting their 'partners' who
> have often close interactions with the gov't, right?
>
>> software and other cyber intrusions it is seeing and hear from companies
>> about what they see breaching the protective measures on their computer
>> networks.
>
> adding to the above: "What if we had an API such that you could feed
> your collected alarm/alert/badness data to us as well? and we could
> feed that back into our system, protect ourselves AND send it back out
> to the other partners?"
>
> again, that's not that bad, really it sounds pretty cool... only if
> MCI could have found a way to productize and monetize that... which we
> built for them too :( but I digress.
>
>> "It doesn't require the government to read their mail or your mail to do
>> that. It requires them, the Internet service provider or that company, to
>> tell us that that type of event is going on at this time. And it has to be
>> at network speed if you're going to stop it," Alexander said.
>
> Alexander is loose with his pronouns, which makes this worse... in
> reality: "send your alarm data to our system, hurrah!", PROBABLY this
> could include large ISP people if the pricing (or regulatory world)
> were right; these folks COULD of course limit that to 'business isp
> traffic only', maybe.
>
> this sounds a little less on the ball though, so I'll blame bad
> reporter-translation, and hope that Alexander really meant: "Our
> partners in the industry, who help supply us and build our widgets for
> us, would be enabled to send data into our API..."
>
>>
>> He said the information the government was seeking was the Internet
>> address where an email containing malicious software originated and
>> where it traveled to, not the content of the email.
>
> I'm sure this was simply an example... and the reporter jumped on it
> like a carnivore, poor job reporter! :(
>
>> ...
>>
>> But the U.S. government is also concerned about the possibility of a cyber
>> attack from adversaries on critical infrastructure such as the power grid or
>> transportation systems.
>
> yes, put in the boogie-man! also, keep in mind that CI things are ...
> in a horrid state, and as it turns out the folk running it are
> ostriches :(
>
> -chris
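[Added example, not part of the thread or of any system it names. It sketches the three pieces the message above keeps circling: a central point that several orgs can feed "spam came in from this end system" sightings into and query back, an indicator push of the "DNS queries going to these netblocks" kind, and the local check a partner would run over its own logs. All IPs, netblocks, org names, timestamps and the "client=... resolver=... q=..." log format are constructed for illustration; the real Einstein/SHERIFF/dcwg.org data and formats are not represented here.]

```python
"""Toy cross-organisation incident exchange (added example, constructed data).

Orgs submit 'sightings' (source IP, event kind, who saw it). The exchange
answers 'how many distinct orgs saw this source doing X recently?' and
publishes indicator netblocks that each org matches against its own DNS log.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    src: str       # source IP as observed by the reporting org
    kind: str      # e.g. "spam", "malware", "scan"
    reporter: str  # org that observed it
    ts: int        # unix time of the observation


class Exchange:
    """The 'central system you can query' from the thread; in-memory only."""

    def __init__(self, min_reporters=2, window=86400):
        self.min_reporters = min_reporters  # distinct orgs needed for a verdict
        self.window = window                # seconds; older sightings are ignored
        self._by_src = defaultdict(list)
        self._indicators = []

    def submit(self, s: Sighting) -> None:
        # Parse up front so garbage from a partner is rejected, not stored.
        self._by_src[ipaddress.ip_address(s.src)].append(s)

    def reporters(self, src, kind, now):
        """Distinct orgs that reported `src` doing `kind` within the window."""
        addr = ipaddress.ip_address(src)
        return {s.reporter for s in self._by_src.get(addr, [])
                if s.kind == kind and now - s.ts <= self.window}

    def is_spam_rich(self, src, now) -> bool:
        # Count distinct reporters, not raw sightings, so one noisy partner
        # cannot push a source over the threshold on its own.
        return len(self.reporters(src, "spam", now)) >= self.min_reporters

    def publish(self, cidr: str) -> None:
        self._indicators.append(ipaddress.ip_network(cidr, strict=False))

    def indicators(self):
        return list(self._indicators)


def match_dns_log(lines, indicators):
    """Map client IP -> resolvers it used that sit inside a published netblock.

    Constructed log format: "<ts> client=<ip> resolver=<ip> q=<name>".
    """
    hits = defaultdict(set)
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        resolver = ipaddress.ip_address(fields["resolver"])
        # `in` is False across IP versions, so a v6 resolver never matches a v4 net
        if any(resolver in net for net in indicators):
            hits[fields["client"]].add(fields["resolver"])
    return {client: sorted(rs) for client, rs in hits.items()}


def demo():
    now = 1_341_956_873  # constructed "current time"
    ex = Exchange(min_reporters=2)
    # Two orgs see spam from 203.0.113.7; one org reports 198.51.100.9 three
    # times; 192.0.2.44 was reported by two orgs but outside the window.
    for s in [
        Sighting("203.0.113.7", "spam", "org-a", now - 600),
        Sighting("203.0.113.7", "spam", "org-b", now - 300),
        Sighting("198.51.100.9", "spam", "org-a", now - 100),
        Sighting("198.51.100.9", "spam", "org-a", now - 90),
        Sighting("198.51.100.9", "spam", "org-a", now - 80),
        Sighting("192.0.2.44", "spam", "org-a", now - 200_000),
        Sighting("192.0.2.44", "spam", "org-b", now - 200_000),
    ]:
        ex.submit(s)

    # Indicator pushed to partners: "DNS queries going to these netblocks".
    ex.publish("203.0.113.0/28")
    ex.publish("2001:db8:bad::/48")

    # Constructed DNS log lines one partner checks locally against the push.
    log = [
        "1341956800 client=10.0.0.5 resolver=203.0.113.3 q=example.com",
        "1341956801 client=10.0.0.5 resolver=203.0.113.9 q=example.net",
        "1341956802 client=10.0.0.6 resolver=10.0.0.53 q=example.org",
        "1341956803 client=10.0.0.7 resolver=2001:db8:bad::53 q=example.com",
        "1341956804 client=10.0.0.8 resolver=203.0.113.200 q=example.com",
    ]
    return {
        "spam_rich": {ip: ex.is_spam_rich(ip, now)
                      for ip in ["203.0.113.7", "198.51.100.9", "192.0.2.44"]},
        "dns_hits": match_dns_log(log, ex.indicators()),
    }


if __name__ == "__main__":
    print(demo())
```

The two caveats the message hints at ("you'll have to have some smarts, and ... be cautious") are the thresholding on distinct reporters rather than raw sighting counts, and the time window; without both, a single partner replaying the same alert, or a years-old report, would mark a source as bad for everyone downstream. Anything real would also need reporter authentication and a way to retract indicators, which this toy leaves out.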




More information about the NANOG mailing list