36 comments

[ 0.23 ms ] story [ 80.9 ms ] thread
Never look a gift (Trojan) horse in the mouth.
CISA is a defensive organization.
Just like NIST is.
What are you implying?
NIST was used by NSA to plant a back door into a standard on key generation. It is well established, thanks at first to the Snowden papers and after that by follow on admissions.
Don't trust Americans
Extending this logic, I assume most larger nations would be included for similar reasons, certainly the more western and/or developed ones, which seems rather reductionist and somewhat unproductive. Perhaps a more evidence-based approach is advisable.
I don’t see any reason smaller nations wouldn’t be a risk if we’re going down that path.

They seem happy to partner and buy tools.

And just like Crypto AG is. Power doesn't only subvert public orgs, or only orgs in their own countries.

What org would you implicitly trust? I wouldn't immediately discount anything on this list more than anything else I see advertised on HN.

(comment deleted)
“Attack is the secret of defense; defense is the planning of an attack.” ― Sun Tzu, The Art of War
I wonder about the trust aspect of CISAs vulnerability scanning offers towards businesses. Do business owners jump at the opportunity to take advantage of this? I don’t see it.

It’d be beneficial but I wonder if the general sentiment would caution against a federal agency sniffing out vulnerabilities.

The government could scan your stuff anyway so not registering doesn't stop them doing anything nefarious.

The better question is, is the security you already do yourself good enough that you don't want or need CISA to do it? If not then it is better than doing nothing.

The moment I saw that I sent an email to register.

I work at a small government agency (closer to a small business) with 20 FTE... Only 2 if which have the skill set and "wear a hat" that could cover vulnerability scanning or such security. While they are good at responding to incidents that make the news and patching immediately... they do not actively spend time scanning / looking for issues that do not trip alarms.

It depends on your situation of course. Since may be interested purely from a liability avoidance/shield perspective. Just to check the box, essentially. Since we’ve seen how much the suits truly care about security of user start data practically every week or month for over a decade now. Another day, another major corporate data breach. They don’t suffer any consequences for failure beyond the occasional slap on the wrist for PR purposes, yet real people have their entire lives destroyed because of this crap every day. Families without a place to live, children without food to eat.

But hey, $BIGCORP can say they checked the box! Doesn’t matter what happens now, they’re in compliance! User data? Why waste more money on securing that, we’re just going to pimp them all out anyway!

But hey, we checked the box!

(Obvious sarcasm is obvious.)

(comment deleted)
It's like the site is designed to look like a scam site. It has the generic clip art pushing you to their "FREE" cyber security tools that obviously have no catch, complete with the small pixelated government logo in the corner so you know it's legit.

I realize this one is probably fine, but any security guidelines should say "don't download anything from a site that looks like this." Or I'm going to click on download and it'll ask me for my credit card number to charge me $39.99 for my FREE trial.

It’s almost as if they prioritised security of their site over style. How unexpected.
How is creating a giant flashy jpg prioritizing security?
Whenever I access a organization that primarily deals with computer security, I mostly judge them reversely based on the complexity of tech used (well, modern TLS is probably the one exception). A simple static site that probably would look fine in elinks is what I am after. Anything that requires javascript or increases the attack surface are big warning signs to me.

To me, this site loads fast, uses very little eye-candy and gets you right to the list of tools with clear links that are easy to overview and go through so it seems like mission accomplished for highlighting them.

The eye candy on the site is what I object to, the giant image is solely what my complaints were about. It adds nothing but makes the site look like it's trying to trick people.
The US government also had stringent accessibility requirements... This trend to make the websites look dated because virtually every JavaScript framework is accessibility-fifth (if at all).
> accessibility-fifth

I usually use "accessibility-second", but thinking about it you're right. Most web frameworks assumes a "normal" person and even some dismiss making their frameworks accessible to a broader audience.

I always found morals and the technical skills to be uncorrelated to design skill or artistic skill.
If you rely on website looks to determine the level of trustworthiness, I personally think you're opening yourself to be easily scammed.
ctrl-F "nmap" and all they list is a commercial service that does ML on nmap scan reports. So i guess this is "manager level" cybersecurity advice?
> Take steps to quickly detect a potential intrusion:

> Microsoft Defender Antivirus

???

I don't trust any government agency that sponsors and publishes literal propaganda:

https://www.cisa.gov/resilience-series-graphic-novels

Especially when it's designed to encourage a kind of pro-establishment paranoia and hysteria.

They have section about NATIONAL RISK MANAGEMENT that mentions 5G (which isn't even fully deployed and barely used yet) and doesn't mention the fact that US doesn't manufacture antibiotics and many essential drugs domestically?

Their whole website has a very bizarre feel to it. It does not look like a normal government website. No, I'm not talking about design, but the kind of subjects they cover and how they cover them. Click around.

"I don't trust any government agency" is where you should stop.

Government should be inherently distrusted.

Distrust is why Covid response broke in US. With distrust, everyone is going to just do what they want. Society becomes dysfunctional.

Healthy skepticism is good approach to institutions.

Trust is earned not given.

Tell me, how as any US Governmental institution earned any trust at any point during the response to COVID?

"earned any trust at any point during the response to COVID?"

Free vaccines[0], free test kits[1], deployed troops to help hospitals [2], FDA fast tracked vaccine [3], food assistance [4], PPP saved a ton of businesses.

"Trust is earned not given."

If you live in the United States, I have a hard believing that you have derived a net negative from the US government. We should all be extremely skeptical of government leaders, especially those that are elected in a popularity contest. However, to say that the US government, at this point in time, should be inherently distrusted is what got us to this failed Covid response.

We should have had 95% vaccine rates and moved past Covid six months ago.

[0] https://www.hhs.gov/coronavirus/covid-19-vaccines/index.html [1] https://www.covidtests.gov/ [2] https://www.cnbc.com/2021/12/21/omicron-us-to-deploy-troops-... [3] https://www.cnbc.com/2020/08/30/fda-willing-to-fast-track-co... [4] https://www.usda.gov/media/press-releases/2020/04/17/usda-an...

So in your mind "trust" is about free stuff? As long as they print or tax enough to spend on "free" things for everyone all the lies, deceit, and authoritarianism is forgiven? Interesting

>>FDA fast tracked vaccine

FDA creates a overly burdensome process, then admits it is not needed for safety... they should not get credit for that.

That is the best case. Worst case is they bypassed critical safety requirements putting all of us in possible jeopardy

Either Case I award them no points for that.

>>PPP saved a ton of businesses.

There was / is massive fraud in that system, also the loans were not given out on a needs requirement, it was first come first serve. Many companies that did not "need" the loans to survive got a lot of free money. PPP program while I am sure saves some jobs, was also a massive wealth transfer from future tax payers and savers (debt and inflation) to current business owners.

>>I have a hard believing that you have derived a net negative from the US government.

Then you are not paying attention, and/or have more collectivist vs individualist outlook, I prefer individual liberty

CISA’s purview is information security. Why would they mention anything about anabiotic’s?