genuinely seems likely to support rather than subvert security

Security is not bringing more people onto your net or with you as partners, let alone biased LE. Do you let cops sleep in your house to protect you? What about that little dimebag you like to toke on Fridays? Besides, if they want the service, corps don't need LE to do what they can already do together neutrally on their own, or by subscribing to equivalent commercial honeypot services. What is this, infraguard 2.0? Clipper? Dept of redundancy? Big brother? TIA? Also, latency/TTL detection of remote hosting.. Heads up to Tor people, and cpunks to carve it up further. On Mon, Nov 24, 2014 at 8:24 PM, Ray Dillinger wrote:

Note to list participants: check the CC line of the original message before responding. We are aware that this list is always monitored, but this time I have explicitly invoked monitoring and explicitly invite response. Hello Agent Chesson; feel free to join the (list and) discussion if you have something to add or correct. It's a moderated and usually very polite list, although events in the last couple of years have caused some resentment and a great deal of distrust here toward American Three-Letter agencies.

Brief: The FBI is proposing a security service to assist American companies in achieving network security. It is called CITAS, for "Computer Intrusion Threat Assessment System." It is not an active program yet; My impression that it is the proposal and brainchild of special agent John B. Chesson and that he is actively trying to raise support for it both within the agency and among its potential clients.

This is one of very few proposals I have seen from any US agency that genuinely seems likely to support rather than subvert security, in the strict sense of owners retaining control of the assets they own. It does not require backdoors, it does not require keeping insecure plaintext traffic on the network, and it does not propose to compel participation.

What it proposes is that companies who join the service allocate an IP address on their company's subnet for the use of the FBI, and the FBI can then set up a honeypot at that IP address. Routers and switches in the company's DMZ would direct traffic to the honeypot just as though it were a company machine, leaving no clues to the contrary in route traces or DNS, but the traffic would tunnel over some other channel, probably a VPN, to a location controlled by the FBI.

The honeypot would be physically located at and controlled by an FBI data center. This does not imply that the FBI gets any "behind-the-firewall" view of a company's network; the company's firewall can distrust the honeypot just as much as it distrusts unknown IP addresses out in the wild.

The FBI would monitor the honeypots in real time for threats and attacks, and when any "significant" threat or breach is detected, share the information immediately with the subscribing company.

Less briefly: http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/ ‎

This arrangement strikes me as likely to be highly effective in terms of security, because the FBI could leverage manpower and monitoring effort across a huge pool of honeypots truly indistinguishable to attackers from genuine targets. Effort spent by an FBI agent to understand and script a log checker for a new threat would instantly apply to thousands of companies via the honeypots sharing software, where the equivalent effort spent by anyone else takes weeks to months to achieve wide adoption, and never achieves wide adoption until after it is redone for the nth time by many open-source volunteers.

This arrangement also strikes me as problematic in that it would also allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc, nodes truly indistinguishable to users from genuine nodes run by people who support anonymity, uncensored journalism, whistleblowers, and free speech. The data would, of course, be shared across all the usual law-enforcement, espionage, and security agencies of the US. Although to be honest, these services are already so heavily monitored that there is little left to lose.

Although Agent Chesson, whose presentation I attended, did not mention these other uses, I would expect widespread adoption of this system to mean effectively the death of "anonymous" P2P services such as Tor, due to the simple fact of most of the gateway nodes being FBI-operated sockpuppets. While Tor or something like it remains the only way in most of the world to use the Internet for uncensored journalism or whistleblowing, the FBI cannot possibly ignore that as a channel it is also used by criminals.

There is also some risk to the companies involved in the existence of machines which they do not control but which have addresses publicly on record as belonging to that company's subnet. They could experience adverse public perception if a honeypot became publicly known as someplace where an unsavory or criminal activity were happening and its address were traced back to the company's IP block.

Ray "Bear" Dillinger

_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography