NIST was used by NSA to plant a back door into a standard on key generation. It is well established, thanks at first to the Snowden papers and after that by follow on admissions.
Extending this logic, I assume most larger nations would be included for similar reasons, certainly the more western and/or developed ones, which seems rather reductionist and somewhat unproductive. Perhaps a more evidence-based approach is advisable.
I wonder about the trust aspect of CISAs vulnerability scanning offers towards businesses. Do business owners jump at the opportunity to take advantage of this? I don’t see it.
It’d be beneficial but I wonder if the general sentiment would caution against a federal agency sniffing out vulnerabilities.
The government could scan your stuff anyway so not registering doesn't stop them doing anything nefarious.
The better question is, is the security you already do yourself good enough that you don't want or need CISA to do it? If not then it is better than doing nothing.
The moment I saw that I sent an email to register.
I work at a small government agency (closer to a small business) with 20 FTE... Only 2 if which have the skill set and "wear a hat" that could cover vulnerability scanning or such security. While they are good at responding to incidents that make the news and patching immediately... they do not actively spend time scanning / looking for issues that do not trip alarms.
It depends on your situation of course. Since may be interested purely from a liability avoidance/shield perspective. Just to check the box, essentially. Since we’ve seen how much the suits truly care about security of user start data practically every week or month for over a decade now. Another day, another major corporate data breach. They don’t suffer any consequences for failure beyond the occasional slap on the wrist for PR purposes, yet real people have their entire lives destroyed because of this crap every day. Families without a place to live, children without food to eat.
But hey, $BIGCORP can say they checked the box! Doesn’t matter what happens now, they’re in compliance! User data? Why waste more money on securing that, we’re just going to pimp them all out anyway!
It's like the site is designed to look like a scam site. It has the generic clip art pushing you to their "FREE" cyber security tools that obviously have no catch, complete with the small pixelated government logo in the corner so you know it's legit.
I realize this one is probably fine, but any security guidelines should say "don't download anything from a site that looks like this." Or I'm going to click on download and it'll ask me for my credit card number to charge me $39.99 for my FREE trial.
Whenever I access a organization that primarily deals with computer security, I mostly judge them reversely based on the complexity of tech used (well, modern TLS is probably the one exception).
A simple static site that probably would look fine in elinks is what I am after. Anything that requires javascript or increases the attack surface are big warning signs to me.
To me, this site loads fast, uses very little eye-candy and gets you right to the list of tools with clear links that are easy to overview and go through so it seems like mission accomplished for highlighting them.
The eye candy on the site is what I object to, the giant image is solely what my complaints were about. It adds nothing but makes the site look like it's trying to trick people.
The US government also had stringent accessibility requirements... This trend to make the websites look dated because virtually every JavaScript framework is accessibility-fifth (if at all).
I usually use "accessibility-second", but thinking about it you're right. Most web frameworks assumes a "normal" person and even some dismiss making their frameworks accessible to a broader audience.
Especially when it's designed to encourage a kind of pro-establishment paranoia and hysteria.
They have section about NATIONAL RISK MANAGEMENT that mentions 5G (which isn't even fully deployed and barely used yet) and doesn't mention the fact that US doesn't manufacture antibiotics and many essential drugs domestically?
Their whole website has a very bizarre feel to it. It does not look like a normal government website. No, I'm not talking about design, but the kind of subjects they cover and how they cover them. Click around.
"earned any trust at any point during the response to COVID?"
Free vaccines[0], free test kits[1], deployed troops to help hospitals [2], FDA fast tracked vaccine [3], food assistance [4], PPP saved a ton of businesses.
"Trust is earned not given."
If you live in the United States, I have a hard believing that you have derived a net negative from the US government. We should all be extremely skeptical of government leaders, especially those that are elected in a popularity contest. However, to say that the US government, at this point in time, should be inherently distrusted is what got us to this failed Covid response.
We should have had 95% vaccine rates and moved past Covid six months ago.
So in your mind "trust" is about free stuff? As long as they print or tax enough to spend on "free" things for everyone all the lies, deceit, and authoritarianism is forgiven? Interesting
>>FDA fast tracked vaccine
FDA creates a overly burdensome process, then admits it is not needed for safety... they should not get credit for that.
That is the best case. Worst case is they bypassed critical safety requirements putting all of us in possible jeopardy
Either Case I award them no points for that.
>>PPP saved a ton of businesses.
There was / is massive fraud in that system, also the loans were not given out on a needs requirement, it was first come first serve. Many companies that did not "need" the loans to survive got a lot of free money. PPP program while I am sure saves some jobs, was also a massive wealth transfer from future tax payers and savers (debt and inflation) to current business owners.
>>I have a hard believing that you have derived a net negative from the US government.
Then you are not paying attention, and/or have more collectivist vs individualist outlook, I prefer individual liberty
36 comments
[ 0.23 ms ] story [ 80.9 ms ] threadThey seem happy to partner and buy tools.
What org would you implicitly trust? I wouldn't immediately discount anything on this list more than anything else I see advertised on HN.
It’d be beneficial but I wonder if the general sentiment would caution against a federal agency sniffing out vulnerabilities.
The better question is, is the security you already do yourself good enough that you don't want or need CISA to do it? If not then it is better than doing nothing.
I work at a small government agency (closer to a small business) with 20 FTE... Only 2 if which have the skill set and "wear a hat" that could cover vulnerability scanning or such security. While they are good at responding to incidents that make the news and patching immediately... they do not actively spend time scanning / looking for issues that do not trip alarms.
But hey, $BIGCORP can say they checked the box! Doesn’t matter what happens now, they’re in compliance! User data? Why waste more money on securing that, we’re just going to pimp them all out anyway!
But hey, we checked the box!
(Obvious sarcasm is obvious.)
I realize this one is probably fine, but any security guidelines should say "don't download anything from a site that looks like this." Or I'm going to click on download and it'll ask me for my credit card number to charge me $39.99 for my FREE trial.
To me, this site loads fast, uses very little eye-candy and gets you right to the list of tools with clear links that are easy to overview and go through so it seems like mission accomplished for highlighting them.
I usually use "accessibility-second", but thinking about it you're right. Most web frameworks assumes a "normal" person and even some dismiss making their frameworks accessible to a broader audience.
> Microsoft Defender Antivirus
???
https://www.cisa.gov/resilience-series-graphic-novels
Especially when it's designed to encourage a kind of pro-establishment paranoia and hysteria.
They have section about NATIONAL RISK MANAGEMENT that mentions 5G (which isn't even fully deployed and barely used yet) and doesn't mention the fact that US doesn't manufacture antibiotics and many essential drugs domestically?
Their whole website has a very bizarre feel to it. It does not look like a normal government website. No, I'm not talking about design, but the kind of subjects they cover and how they cover them. Click around.
Government should be inherently distrusted.
Healthy skepticism is good approach to institutions.
Tell me, how as any US Governmental institution earned any trust at any point during the response to COVID?
Free vaccines[0], free test kits[1], deployed troops to help hospitals [2], FDA fast tracked vaccine [3], food assistance [4], PPP saved a ton of businesses.
"Trust is earned not given."
If you live in the United States, I have a hard believing that you have derived a net negative from the US government. We should all be extremely skeptical of government leaders, especially those that are elected in a popularity contest. However, to say that the US government, at this point in time, should be inherently distrusted is what got us to this failed Covid response.
We should have had 95% vaccine rates and moved past Covid six months ago.
[0] https://www.hhs.gov/coronavirus/covid-19-vaccines/index.html [1] https://www.covidtests.gov/ [2] https://www.cnbc.com/2021/12/21/omicron-us-to-deploy-troops-... [3] https://www.cnbc.com/2020/08/30/fda-willing-to-fast-track-co... [4] https://www.usda.gov/media/press-releases/2020/04/17/usda-an...
>>FDA fast tracked vaccine
FDA creates a overly burdensome process, then admits it is not needed for safety... they should not get credit for that.
That is the best case. Worst case is they bypassed critical safety requirements putting all of us in possible jeopardy
Either Case I award them no points for that.
>>PPP saved a ton of businesses.
There was / is massive fraud in that system, also the loans were not given out on a needs requirement, it was first come first serve. Many companies that did not "need" the loans to survive got a lot of free money. PPP program while I am sure saves some jobs, was also a massive wealth transfer from future tax payers and savers (debt and inflation) to current business owners.
>>I have a hard believing that you have derived a net negative from the US government.
Then you are not paying attention, and/or have more collectivist vs individualist outlook, I prefer individual liberty
Is it only? Doesn't seem like it from what they do. 'I' stands for "Infrastructure" and it's a very stretchable term:
https://www.cisa.gov/chemical-security