250 comments

[ 3.2 ms ] story [ 249 ms ] thread
waiting for india to implement something similar for seemingly benign reasons like vulnerability and code quality and immediately use it to find critics and hang them. heck, a guy was sentenced for 5 years over a facebook post.
> 2Gkashmiri Stop lying and not relevant, you clearly came here with an agenda.
oh really. an agenda...

>In the unlikely event that we do discover information that is personal or otherwise sensitive, we take steps to remove the data and prevent it from being captured again in the future.

beyond a promise, what assurances do you get it wont be weaponzed?

Scanning for vulnerabilities won't help you find critics. If you wanted to look for critics, you would scan for critics.
>We design our requests to collect the smallest amount of technical information required to validate the presence/version and/or vulnerability of a piece of software. We also design requests to limit the amount of personal data within the response. In the unlikely event that we do discover information that is personal or otherwise sensitive, we take steps to remove the data and prevent it from being captured again in the future.

what is preventing a government to disregard the removal of sensitive data? why can they not weaponize this?

Sounds like a good service for a national security service to provide (in comparison to finding more ways to spy on us).
Why isn't the US doing this?
(comment deleted)
Maybe it has something to do with the Nord Stream pipeline, maybe it doesn't
Word on the grapevine is saying that Google is doing similar. One of the "perk" of being a well-known DNS resolver (8.8.8.8) is getting an early notification whenever a server goes "online" on the internet.
> is getting an early notification whenever a server goes "online" on the internet.

Please elaborate.

Someone types in your new server/domain, like "ijustmadethissite.com", or "newlocation.existingsite.com"

For their computer to resolve this domain name, it's going to call out to a DNS server, of which Google hosts a major one. It can be assumed that they log these names, and can then use that as a "notification" for a site coming up.

But what does that have to do with scanning webservers for vulnerabilities, do they do something with the "newly seen sites", and if so is it documented what they do for scanning?
Because if the vulnerability involves an HTTP request, then the Host header needs to have the domain name of the target website.

So you need: IP address and port for the TCP headers, and the domain name to go in the TCP packet content.

One example of a vulnerability would be having phpMyAdmin with a database password hardcoded and no login needed. Without the domain name it would still be impossible to access. (Of course, domain names shouldn't be considered secret so this would be a very insecure setup.)

True, they have a DNS resolver, but they also have Chrome. And the Certificate Transparency list. Google Analytics. And so on…
I'd never considered the value all those things have when it comes to finding out what to index. Clever, actually.
(comment deleted)
Way back in the early 2000s the FBI contacted a company I was working for to inform us that someone was hosting Disney movies on our servers. So something like this is at least sort of happening.
I don’t know if copy right protection is the same as penetration testing.
[deleted]
So nobody should pay for anything? I pirate tons of stuff and still pay for things that I think are worthy of my payment
I would be surprised if this was the result of active scanning. It's more likely the FBI received a report from someone, and just forwarded it along.
Disney: "Hey FBI, this server is pirating us, plz 2 takedown tyvm"
I think it's illegal under the Computer Fraud and Abuse act. Also, what should the government do when it finds something? What if the site operators are unresponsive or cannot be contacted? There are a lot of practical problems.
Does CFAA restrict government interactions?

If the site operators are unresponsive then that sucks, but it would still help secure those that are responsive.

I mean... They could at least ty to contact the operator.
Greetings Citizen,

We have detected a dangerous virus or service in your hosting environment. Conspiracy theorists and foreign state actors often use these types of methods to spread fake news and influence our elections. These are serious threats to our Democracy, but Fatherland Security is here to help you through this difficult time. Your local neighborhood Security Helper will be at your home in the next few minutes to assist you in removing the dangerous HTTP service. For your safety, please stay away from all doors and windows.

Sincerely,

Rob E. Friendly

> What if the site operators are unresponsive or cannot be contacted?

This seems like only a minor problem. If people are unresponsive, then oh well, they tried to tell you you're hacked. If the site owner cannot be determined, they can email your ISP. This seems to work well for "one of your customers is torrenting movies", and since every ISP is known by definition (thanks, IP addresses), it should be fairly straightforward to get that message to the actual customer. (Send it with the invoice; if the customer doesn't pay invoices, then it's easy to resolve the hacked site. You were shutting them off anyway.)

Everything's illegal under the CFAA. It's an old bad overreaching law that should be repealed. The government rarely prosecutes itself though, so that's no reason why. Unfortunately, the culture in the US is such that the populace would freak out if the government tried to do such a thing, never mind practical surmountable issues.
The way I read the article, they're actually collecting vulnerability information. So they check a site with Version X running on it, and detect the vuln; then they later see Version Y, without the vuln, and update their vulnerability database.

Nothing in the article suggests that they contact site-owners (I haven't re-read the article, so might be wrong).

I'm not sure why you think it's a potential violation of CFAA to connect to a public server and probe it. There's no suggestion of unauthorized access; that would involve exploiting vulnerabilities they find, and that would be unauthorized access.

> I think it's illegal under the Computer Fraud and Abuse act.

Things that are illegal for individuals to do aren't necessarily illegal for governments to do. This is a reason why the government should be vigorously doing this, rather than leaving it to private citizens, who risk being charged under the Computer Fraud and Abuse Act.

-----

> Also, what should the government do when it finds something?

It should contact the site operator.

-----

> What if the site operators are unresponsive or cannot be contacted?

I would imagine that in the case that site operators couldn't be contacted, they wouldn't be contacted.

Something tells me that even with the somewhat stretched version of extraterritoriality that the US claims about laws like CFAA, they wouldn't try applying that to their closest intelligence/defence partner country operating largely domestically...
Too busy spying on citizens. And maybe they want to use vulns for their own gain.
The US does do this, it is offered as part of security hygiene.

https://www.cisa.gov/cyber-hygiene-services

Looks like it's offered only to "critical infrastructure organizations".
Correct

"Who can receive services? Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations."

However, methinks US definition of critical infrastructure organizations, both public and private, will be quite broad.

Why not both? They will never tell you the unsavory things they're doing. At least, not without coercion.
In Germany the BND does this. You get an annoying email from them if they find UDP ports available for an amplification attack on your Linux server...
Are you sure that it's not BSI?
You are correct, its the BSI.
Not as annoying as getting DDoS'ed with amplification attacks because some people can't properly configure their servers... (Also I doubt the BND does this, as another commenter pointed out.)
That depends on whether the BND are testing that it could be used in an attack, or just seeing a port is open. Having UDP/11211 could mean you're running a vulnerable memcached service, but not necessarily so.
As others pointed out, its indeed the BSI not the BND. Sorry for the confusion.
Hah - one of my first ever network programming tasks was to do this at a UK hosting company. That and SMTP relays. Good that (some) governments are wise enough to try to keep this sort of thing in check.

I hope they aren't using a perl script triggered by a cronjob on a hand-rolled VM though..

Did that company happen to be fast?
Goodness, no. I imagine the um, fast, companies didn't bother.

It was a charming little outfit that has since sold out to iomart. Alas.

I have some doubts. For example, if they are just outputting the scan results from some tool with a high false positive rate, how is that helpful? It's a waste of time and money for the government. Bug bounty programs have the same issue that probably most bugs found are trash results from a scanning tool.

On the other hand, a custom built tool that tries to find the most serious known vulnerabilities with a low false positive rate would probably be a good thing for the government to run.

I'd imagine part of the job of the people working there would be to limit the number of false positives.
Could be, but it is certainly not how it works at my org.
What scale does your org function at?
So if they use a bad tool, it would be bad, but if they use a good tool it would be good?
There are no good tools. Just a bunch of shady vendors.
correct. fortunately, the sales person from the security vendor, the media, and the public officials are aware of this constraint.
I think you misunderstand.

I'm reading that the UK government is spying on us, and their retrospective plausible excuse is that they are scanning web servers for, erm, vulnerabilities.

No, I don't think that the government is here to help. It allows itself only to maintain force, that it then uses to forcibly extract wealth from its herd, er, sorry citizens.

The downvoting tells us about the crowd, not about your comment.
It tells you that the crowd don't want to read unsubstantiated cynicaler-than-thou hot takes on HN.

Downvoting "It's raining because Soros and his globalist Jewish cabal control the weather" does not mean I disagree that it's raining but the edit always comes in [downvoters can't handle the TRUTH, stay classy HN] or similar.

e.g. how is scanning for vulnerabilities "spying on us"? How is scanning for vulerabilities "forcibly extracting wealth"? How is informing people of vulernabilities "not here to help"? It's a thinly disguised flamewar comment, not a comment on the topic.

>> e.g. how is scanning for vulnerabilities "spying on us"?

To play Devil's advocate: once you discover a vulnerability you always have two options: report it and have it fixed, or exploit it for your own gain. You charitably assume that government is somehow obligated to chose the former, while in reality in some cases it might choose the latter.

> To play Devil's advocate: once you discover a vulnerability you always have two options: report it and have it fixed, or exploit it for your own gain. You charitably assume that government is somehow obligated to chose the former, while in reality in some cases it might choose the latter.

This assumes that the government that wants to compromise a domestic host can't do it in a way that is a lot more deniable than porting scanning you from a gov owned IP range.

If the government wants to find and exploit a vulnerability they likely will find a way they don't need some loose cover story for it.

This is a fair point - in organisational terms it'd be better if NCSC was under a non-ministerial body, independent of political influence and control. Similar format to a university, maybe.
Depends what they do when they find a vuln, there is incentive to not always reveal it.
Well, as tradition I maintain a watch on postmaster and webmaster at... so I'd hope for a friendly heads-up. Basically well done.
RFC 2142 role mailboxes are critical. It's pretty telling that the webhosts that ignore the RFC are the ones I constantly find problems at. Godaddy not only routinely hosts all kinds of evil, but they make reporters jump through hoops to let them know they need to clean up their mess. If you do try to email abuse@godaddy.com they'll ignore your report and kick back an autoresponder message telling you to fill out a shitty web form instead. Nothing like making more work for people who already went out of their way to let you know you're causing problems for everyone else.
But, do they tell you about the vulnerabilities before they exploit them?

Maybe they put it like this to exempt themselves...

(comment deleted)
Old news?

Few years ago I got a similar notification. A government agency here in Lithuania was happy to remind that my wordpress instance was outdated.

"We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us.

Access to a MongoDB server should be restricted to trusted systems (for example, the related web application server)."

My mongodb had with auth - but port was open.

The UK government seems to be doing the right thing in IT, again and again.
Probably breaking their own ‘Computer Misuse Act’ in the process though.
I’m not sure we’ve invented a measurement sufficiently small to measure how little recent governments have cared about breaking the law.
I believe Alex Van Someran recently took over as head of the UK NCSC. He's someone that I trust to make the right decisions, so I'm quite glad of this fact.

(NOTE: I have no idea if this specific link is related to Alex or anything he's done)

Agreed, but if the US Government were doing this there would be outcry of "spying" and "Government overreach". And before anyone says that the US Gov has lost its trust, let me remind you that UK has GCHQ.
NCSC is the public "arm" of GCHQ, they provide cyber-security guidance to businesses and the general public etc. They are a great source of information for current best-practice regarding cyber security.
Sure, if you value authoritarianism and an intrusive nanny state. The government jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line.
"nanny state" is a purposefully skewed statement that pre-presumes that doing something for the common good is always bad. It's a lazy way of not making an argument.

Why is scanning web servers for vulnerabilities bad?

Yeah, scanning for vulnerabilities in a controlled way isn't bad

I suspect those opposing it are the ones that eventually get caught with glaring vulnerabilities and then we have to hear BS like "they care for security and privacy" when they didn't even use password hashes

"pre-presumes that doing something for the common good is always bad"

No, it refers to a state that is intrusive into personal choices.

"pre-presumes"?

scanning for and reporting vulnerable web servers does nothing to limit someone's personal choice to operate one. I just hope they make the data public so that I can make the personal choice to block traffic to/from people who make the personal choice to operate insecure devices on the global internet.
Who gets to pay for all the extra traffic they send? the time spent by security guys to review the false positive attack logs they generate? the time spent by operators to bring the services back online when the government probing crashes something?
I get it, you don't like the idea of taxes, but fortunately most people are glad for them and the services they provide.

If this service causes a bunch of crashes (somehow) or they end up DoSing someone they should be responsible for the harm that they cause, but since these scans are no different that what criminals are already doing every day I don't imagine it'll be a huge problem unless they really screw something up.

I'd also guess that the costs in both time and money spent on the traffic generated by DDoS attacks, malware infections, and phishing sites are much much greater than the costs for 'security guys' to review logs, safely automate scans, and notify webhosts of problems. This is a sensible measure that should save massive amounts of time and money for people all around the globe and make the internet better for UK citizens in the process.

What's wrong with asking first and letting the web operator opt in?

The gist of your argument is if I go up and try to pick your pocket but say my intentions are only to help you from real pickpockets, there's nothing but your personal choice to walk on public sidewalk and should just accept it.

I outlined the problem with opt in here: https://news.ycombinator.com/item?id=33470079#33476189

the people who would opt in aren't likely to be the problem. The problem with your pickpocket example is that you lose something when someone picks your pocket, but you lose nothing when someone checks to see what ports are open.

In fact, that's something that's already happening all the time anyway. The only difference is that in this case the person checking for your failures to secure your devices will notify you of the problem instead of exploiting your devices like everyone else will (assuming that they haven't already).

This should not only help people secure their devices, but it should also make the internet a better place for everybody.

It's intrusive. My web server is none of their business.
"common good", aka socialism...

We already know where that path leads, thanks to countries like the former USSR and China. Do not want!

You clearly have a very skewed idea of what socialism is. Would you consider parks or public schools socialist too as they also contribute to the common good of society.
Is this meant to be a joke or are people still this wilfully blind about what socialism actually is?
>Why is scanning web servers for vulnerabilities bad? //

Not the OP.

I think it's fine in general with one big proviso, that they change the law first to make it lawful.

With a different government it would look more benevolent, with the current government growing ever-more fascist--having now found a surreptitious way to ditch the ECHR, for example--it gets somewhat worrying.

Why is asking for permission first bad? The CISA does this very thing, but businesses have to explicitly ask first and consent unlike the UK. That's the difference between a nanny state policy and one that respects choice and the property rights of others.
That’s an incredible take on this. What’s the alternative? Leave everyone to defend themselves against foreign governments trying to steal IP?
Some weaknesses of the computer system intrusion/house intrusion analogy:

* It is pretty obvious to the user if their door is locked, so they don't need pentesters to help them figure it out.

* Houses aren't under attack from the entire planet at all times.

* It not that uncommon to have circumstances arranged such that if someone does barge into your house, you know about it.

If the local government wanted to do something that is closer to to what's going on here -- maybe go door to door offering a security assessment for non-obvious stuff -- that might be a well-received service.

Our local government gave me a call because a neighbor asked for a wellness check because we hadn’t plowed our driveway when we were in California. So it does actually happen kind of.
> jiggling the door handles of everyone's house to see if it's unlocked crosses a huge line

Is it, in your view, better that criminals jiggle the handles?

They're maintaining a vulnerability database. That's like what CERTs do. It's analagous to maintaining a database of safe foodstuffs or drugs.

Jiggling door handles without consent is a defacto criminal act. It's no different if I tried to pick your wallet as you walked down the street and said, "better me than a criminal..." then flashed my badge.

CISA will jiggle your door handles for free, if you ask and consent first. Web server operators who aren't asking for vuln assessments aren't apt to keep them regularly patched to begin with.

> Jiggling door handles without consent is a defacto criminal act.

Connecting to a webserver using HTTP is not a criminal act, under any colour of the law. If you have a listening port open to the internet, you are inviting connections.

Picking pockets is stealing; this is more like saying "Hello!" to someone who is standing in their own open doorway, and observing their response.

I don't think there's anything in the article about this programme providing server operators with reports. They're not trying to save operators from themselves.

Opt-in is generally more fair than opt-out, but in this instance it makes sense - they are not checking personal property, they are checking publicly facing webservers. They are not doing it for the server owners benefit, they are doing it to help keep people secure. Servers that aren't being patched properly are exactly the servers that are a security issue waiting to happen, that such a security force should be identifying and telling to buck their ideas up.

I suppose the differences in how those two equivalent departments approach this, likely come from national mindset differences, and the political differences they cause. At least it seems reasonable to me: that in Washington people might all agree that the right to decide if you are tested is more important than finding insecure webservers, whilst in London people might well all agree on the opposite.

It's more like the government driving around neighbourhoods and doing a survey if you have solar roofs or not, used for a reasonable common good purpose, while letting you know they're doing it and letting you opt put.
I'd say they aren't doing it wrong 100% of the time. They still massively cock up from time to time, e.g. their anti-encryption campaigns, the stupid attempt to require ID for porn, the disastrous NHS digitisation.

But the gov.uk website is pretty good and they did replace IT with computing in schools.

Now there's a sentence I never thought I would read.
How can one get all the active ip's within the borders of a country? Is there a database for this?
Scanning only needs to know the potential ips, not the active ones.

And you might be interested in the ip space of all UK entities.

If you put it this way then the problem becomes way easier. Just check public ip databases for AS and technical contact.

Within IPv4 address space you can certainly do it in a day using $100 dedicated server on Hetzner and ZMap.
In my case it was out-of-country website with a local TLD.
UK Government also scans all internet traffic and save's it 3 days.
Citation?
"Valuable data can be kept for three days, and metadata for 30 days. One leaked document states that all metadata is usually kept: 'we pull in everything we see'."

https://www.amnesty.org.uk/why-taking-government-court-mass-...

"metadata" & "everything we see" is not the same thing as "all internet traffic". I'm not trying downplay the quantity or sensitivity of what is stored, its just the idea that all internet traffic is being recorded by any government seems technically very challenging and makes me very skeptical of that unqualified claim when I see it.
I always wonder how much of the bandwidth in the world is used to spy on the "regular" traffic.

I suspect it's well over 50%. I mean, the UK is far from the only power capturing all our traffic.

Given the percentage of global internet bandwidth that is video streaming, and the immense expense that entails, I find your >50% figure hard to believe.
I have a sneaking suspicion it's somewhat more than three days. Unless isp's are in on the game and keeping traffic/ logs for greater than the three.
Scanning web sites hosted in the UK. Scanning the web server implies their software is running on the server OS.
If I ping a server it doesn't mean my software is running on it.
Yes, I'm sure they're just scanning for vulnerabilities ...
Got something similar here in the UK also. I once had a Linux server box running on my DMZ, got a few physical letters from my residential ISP (Virgin Media UK) saying they detected some open port that was recommended to be closed (Think it was NetBIOS port).

Might have been part of this scheme.

Don't have that box anymore (was around 5 years ago) or a PC on the DMZ so haven't received any since.

> Might have been part of this scheme.

I doubt it. Network operators like Virgin have very good business reasons to ensure their own network isn't infested with computers running services like NetBIOS, which has no business being exposed on the internet (it is rather verbose, and completely useless outside of a LAN).

Germany is doing the same, Hetzner customers get emails from government pentests if they find something.
I received their emails a couple of times.

Not sure if a cost-benefit analysis would find such ops positive for the society.

Think of the time wasted by people who read such emails vs the money spent protecting from attacks.

Factor in the cost to the taxpayer.

That's a good topic for a Master thesis in Economics.

Anyone interested?

Also, I’ve got an email about any freshly imaged Mac Mini from Hetzner. Turns out macOS runs with legacy netbios ports open to the wide world by default, but to disable that service, you have to unload a service via Terminal. There’s no prefpane for that.
I know Germany provides the same service as well, but I don't know how fleshed out it is really. So far all the mails they sent me have been not very helpful.
Canada does the same thing, they actually found a memcached instance of ours on a dev VM that was accidentally exposed to the internet.
Same. I run a plex server and they send me the same unhelpful and wrong email every few days. I created a gmail rule to delete it immediately.
More details on the German one: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisati...

The intention is good, but in practice I think it's mostly useless because:

* The reports go to the AS operator, who in most cases are not the actual admins of the vulnerable software. Some hosting providers such as Hetzner and Manitu have scripts in place to forward reports to the respective customers, but most don't since it involves a lot of parsing of the email (which is not in an easily machine readable format).

* The emails often warn about security issues that may not actually be problematic (i.e. merely warning about some open port that may be intentionally open, and especially if you operate, say, a honeypot), with no way to opt out for specific hosts/ports. So you can only really filter them entirely in your mail client which I think most people do.

Turkey also does the same. You get vulnerability reports.
Anyone who has worked with Chinese companies operating within China can tell you that very similar laws were enacted a year ago. The CCP has a law that any vulnerabilities made aware to private companies need to be disclosed to the federal government. This was done in the name of "national security". IMO, this seems to be a more veiled version of that same mindset.

http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm https://www.cpomagazine.com/cyber-security/is-china-looking-...

This is the opposite, though.

It's a part of the UK's security services running scans for vulnerabilities they already know about to tell you that you've got an issue.

I was about to say how great I think that law is, but then I checked the link you provided...

> anything discovered in the country must now be reported to the CCP *and to no one else* (in most cases).

The "no one else" part is terrible and completely changes the story. However, I do generally support a "tell the government about discovered vulnerabilities" law. Ideally, the government would then inform affected users and investigate whether the vuln could be considered negligence and the company prosecuted.

I've been in a few situations where I reported very easily exploitable vulns that leaked sensitive user data and in all cases, I couldn't for the life of me convince the companies to disclose the leak. Yes, I could've gone public myself where I didn't have a contract, but I would've 100% ended up in jail for some poorly defined crime of "hacking".

How do they find all web servers?

  for NET in $UK_NETS; do nmap -p 80,443 $NET; done
(comment deleted)
Cool. But in most cases you need to get behind services like Cloudflare.
Good on them. They should get an account on shodan.io [1] and pull in all that existing data whilst they are at it.

[1] - https://www.shodan.io/

There are already a handful of organizations that scan the entire internet and feed the data to western governments.

You can poke around at https://viz.greynoise.io/ to see who is doing what.

> feed the data to western governments

It is ironic that the very link [1] you provided proves you wrong. The top 5 countries of origin doing IP scanning in the last seven days are China (120k), India (67k), US (52), Iran (44k), and Russia (27k).

- [1] https://viz.greynoise.io/query/?gnql=last_seen%3A7d

That doesn’t mean they’re wrong: it just says that other people scan the internet, too, which nobody would argue.
Right, also the source IP of a port scan doesn't say anything about who has initiated that scan. If I were a state actor, I'd do my port scanning from machines in a different jurisdiction for sure.
Totally - this is like thinking you’ll catch FSB agents by looking for Russian passports.
You probably can

Actual GRU agents have been identified by a receipt for taxi from GRU hq to Sheremetievo airport

No, you can't. They have a long, well-established history of concealing their undercover agents. The fact that this is not perfect doesn't mean that they don't make the effort, or that you're doing anything other than fooling yourself if you think that all traffic by a national intelligence agency comes from the netblocks assigned to those countries.
I see your point. But then how is the accusation 'west scans internet' connected to 'see this map of countries of origin'? Because I thought he would back up this claim with this source/second paragraph.

If other people (and arguably other govt's) are scanning too, then saying 'west scans internet' seems somewhat superficial. Not that I deny western state actors scanning the internet, its just that everybody does it.

Meh, the context was a western gov scanning the internet.

We tend to hold them to a higher standard than the ones who much more shamelessly operate pseudo-blackhat hacking teams. The west at least tries to maintain a sheen of legality. Or morality. Or whatever.

Do you think the Chinese government tells their citizens that they are shamelessly "operating pseudo-blackhat hacking teams"? No, of course not, just like yout Government doesn't tell you that either. The only reason you think the West is the only trying to maintain "a sheen of legality" is that their voice is the only one you're listening to.
Uhh I don't live in a country with a great firewall. The intel agencies get criticized very heavily in my information bubble. The shady stuff the NSA does is pretty well known. It's in movies all the time too, so I'm sure the mainstream even understands that.

And yet despite all the messed up stuff they do every day they still get held to a higher standard.

The accusation was never made that the west scans the internet. "organizations that scan the entire internet and feed the data to western governments." As an analogy, the west buys iPhones, but it doesn't necessarily manufacture them.
It could well be easier to run such a scanning company from the mentioned countries than in many european ones where it's illegal or a gray area.

(But there are also other reasons your conclusion is wrong I think)

Yeah, could be. But still that does not support the argument of "feed the data to western governments".

When you say: "Look, the people from village A north are stealing apples from the city orchard. Here is a list of apple thieves and the direction (N,E,S,W) from which they came." And this list shows that it appears to be majorly the directions E,S,W (so not directly from village A). Then how is this an argument?

It just shows that everybody steals apples, making the accusation "villagers of A are to blame" superficial. That's the point it tried to make.

> But there are also other reasons your conclusion is wrong I think

I would be interested on why my conclusion is wrong. At best, one could draw nothing from the data as it does not show any relation to state actors. And if this conclusion is drawn, then why did `mike_d` blame the western state actors in the first place?

Think for a second about this: Did you think that the link `mike_d` provided supported the argument "... feed the data to western governments" with the emphasis on 'western'?

"As part of the NCSC’s mission to make the UK the safest place to live and do business online" those are pretty wildly disparate goals. Why would those two things be under the same agency at all?
'Online' applies to both 'live' and 'do business' in the sentence above.

Their mission is to make online activities safe.

Except people don't live online. They live in the UK, and maybe spend time online, and this agency knows that.
> They live in the UK, and maybe spend time online

I think "maybe" drastically undersells the amount of time and things some people do online (generally the younger generations).

You're also overlooking that a very large portion of daily life has moved online and it's important to protect that. Everything from buying groceries, booking doctors appointments to looking up the menu of local restaurants.

I'd want all my personal and payment details protected, and it's reassuring to know information I'm reviewing hasn't been maliciously tampered with.

cue star wars meme

to assist the scanned site with fixing the vulnerabilities, right?

Funny enough I did a similar thing for my country (Austria). Found quite a few strange things and even made a collage of screenshots of all webservers hosted in Austria - https://blog.haschek.at/2019/i-scanned-austria.html
Where did you find an index of all of your county's websites?
To be clear, they said "web servers" not "websites". They just pulled a list of all public IP blocks registered to the country and opened port 80/443 on each IP address and took a screenshot. It's by no means a list of the websites hosted on those servers.

You could get somewhat closer by inspecting public DNS records for those IP addresses and then attempting to load each site by DNS name, but it still wouldn't be a complete index of all websites in the country. I'm thinking that's impossible to collect, or at least very nearly.

You got a new rss subscriber. I like that, I’m surprised that are only 60.000 ips that answer on the 80 port.
I once ranted loudly that governments should be doing this for free. That governments should be assembling the best team of pentesters to pentest everything they can possibly find within their jurisdiction.

I love seeing this.

I've also ranted about this, and how it should be one of the NSA's top priorities (including doing it for our allies).

It's interesting because there are two main methods for what to do when you find a vulnerability: 1) hold onto it so you can later use it as a weapon or 2) disclose it and patch it. The offensive method has problems because as soon as you use it you are disclosing it. It also has the issue that your enemies may be able to (are likely to) find the same vulnerability and exploit it first. But the second method means you're losing your weapons but instead gaining a shield.

As I see it, the shield is a lot bigger and has far higher utility. But part of that is that I see democracies as having differing vulnerabilities than autocracies. Attacking autocracies is more spear phishing, very directed attacks on the specific people that control power. But attacking democracies is in some sense easier (and in another sense harder) because more power is held by the average person. People who are more vulnerable to manipulation, especially at the large scale. But now we're edging into the data privacy domain and that's probably out of scope here.

I really think there should be a very strong blue team effort by these organizations. I am okay holding on to a specific vulnerability if you're going to attack a specific person in the ,,immediate'' future, but these agencies should also be working with companies to patch these vulnerabilities. That is the government providing a social good. You know, the reason we have the social contract and government in the first place.

This just made me think of something I need to look up now.

Allied nations regularly perform war games for practice. What about cyber war games?

Let me know the answer. Because I feel like that should definitely be part of it. Though there's some very concerning aspects of lack of defense for national infrastructure things like power grids. So I doubt it is being taken seriously, or as seriously as it should be.

I really do think a country should be proactively red teaming its own infrastructure and repairing any holes it finds. But it doesn't seem like the best interest of people who are more focused on offensive techniques.

The "disclose or weaponise" question gets very easy when, say, all of your adversaries are using Chinese software and all of your allies are using American software.
Yes. Because when private individuals or companies do it unbidden, lawsuits fly in order to save face.

When you are found out by the government, you're going to think really carefully about frivolous lawsuits to save face.

I wonder how effective this is. The text suggests that the only thing that they look for is that they look for is a version statement of a major component, and then compare it to known vulnerable components. That could be somewhat helpful, but a lot of vulnerabilities won't be detected by that process. Does anyone know if they do more?
I think this kind of service should be heavily skewed to favour false negatives instead of false positives.
They should do this for privacy violations too.
Does anyone remember that hacker that scanned printers and if they found a vulnerability they exploited it to print out a warning to the owner of said vulnerability? I think they patched it too?

Edit: Looks like it has happened more than once

https://cybernews.com/security/we-hacked-28000-unsecured-pri...

https://www.bleepingcomputer.com/news/security/a-hacker-just...

That happend over 9000 times. Fun fact: Some are print server appliances, no patches or updates for some of those available as they are EOL - but still in use...