US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com)

Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senator Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.
  • by Anonymous Coward on Friday February 08, 2019 @02:16PM (#58090260)

    As if a VPN located anywhere even in the US is rated for any clearance.

  • Just block them? (Score:5, Informative)

    by hawguy ( 1600213 ) on Friday February 08, 2019 @02:20PM (#58090290)

    I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

    • by PuckSR ( 1073464 )

      It isn't needed.
      This is obviously already part of Federal IT policy.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday February 08, 2019 @04:12PM (#58091140) Homepage Journal

      If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

      Sensitive data should never be on personal devices, period. If users need sensitive data on portable devices, those devices should be provided by the employer, and no personal data (or use) should be permitted on those devices. There are zero exceptions. If that means users need to carry two devices, so be it. What are they getting paid for, anyway?

      • by chill ( 34294 )

        Putting this in context, the article cites a study about VPN Apps on the Apple Store and Google Play Store. We're not talking gov't issued laptops, but rather BYOD cell phones.

        BYOD is a security nightmare.

      • Sometimes there isn't a clear border between sensitive and non-sensitive information. Many people do work at home, or on personal laptops while traveling. While that certainly wouldn't include classified information, it might be related to work that is sensitive - sometimes just in work emails.

        Often this work is done on people's personal time, so expecting them to go to extra effort to carry additional devices is likely to result in them just not doing the work, and a reduction in productivity.

        If I were re

    • I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

      Yeah. Next they'll be saying no using our own webservers and the like. The nerve of some people.

  • by Anonymous Coward

    the secret back-channel between "Individual 1" and Alfabank.

  • by bobstreo ( 1320787 ) on Friday February 08, 2019 @02:35PM (#58090396)

    I needed to ssh into a server for testing. Company policy blocked ssh outgoing.

    If you get desperate enough, you can probably do it over DNS.

    • DNS tunneling is indeed a thing. Overhead is nasty. Ping tunneling is also a thing.

    • by Anonymous Coward

      If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.

      The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.

      I know, as a security administrator, I would be asking why are you doing ssh over the Interne

      • If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.

        The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.

        I know, as a security administrator, I would be asking why are you doing ssh over the Internet to outside servers that security doesn't already know about, wasn't involved in setting up and securing, and don't already have rules in place to allow ssh or vpn administration?

        Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.

        • by sjames ( 1099 )

          Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.

          And that's why it gets bypassed. By the time it gets through the process, the project is dead and half the department is laid off. It's a little like picking through the smoldering ruins of a crashed jetliner and telling the barely conscious pilot "yeah, go ahead and make an emergency landing if you think it's necessary."

          I'm not advocating lax security, just explaining how and why it happens. It's easier to get employees and their managers to go along with necessary security when it's reasonable AND responsi

    • by cob666 ( 656740 )

      I experienced something similar at a company I was working for as a contractor. We developed an application that had to ftp payroll ACH information to the bank for payroll and the IT policies didn't allow any type of ftp.

    • by _merlin ( 160982 )

      At one place I worked they blocked certain HTTP headers with a (not so) transparent proxy. It was so annoying that we took to tunnelling data over ICMP echo requests to work around it.
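The DNS-tunnelling workaround the replies above mention (payload packed into query labels, with the "nasty" overhead) and the check a security team would run against its resolver logs, as an added example written for this page rather than code posted by any commenter. The zone t.example.net, the log line format, the per-packet header estimate and the detection thresholds are assumptions.

```python
"""Added example: how a DNS tunnel packs data into query names, why the
overhead is high, and a resolver-log heuristic that flags it.

Constructed illustration, not code from the page or any project; the zone
t.example.net, the log format and the thresholds are assumptions.
"""
import base64
import math
from collections import Counter

MAX_LABEL = 63                  # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                  # longest name in dotted presentation form
TUNNEL_DOMAIN = "t.example.net"  # hypothetical attacker-controlled zone
PER_PACKET = 28 + 12 + 4        # IPv4+UDP headers, DNS header, QTYPE+QCLASS (assumed)


def encode_chunks(payload: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Encode payload as base32 (DNS-safe, case-insensitive), cut it into
    63-octet labels and pack as many labels per query name as the 253-octet
    limit allows. Returns the query names a tunnel client would send, in order."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    budget = MAX_NAME - len(domain) - 1           # room left for data labels + dots
    per_query = max(1, budget // (MAX_LABEL + 1))
    return [".".join(labels[i:i + per_query] + [domain])
            for i in range(0, len(labels), per_query)]


def decode_chunks(queries: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: strip the zone, join the labels, restore base32 padding."""
    text = "".join(q[:-len(domain) - 1].replace(".", "") for q in queries).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def wire_overhead(payload: bytes) -> float:
    """Approximate bytes sent per payload byte, request direction only
    (wire-format name = presentation length + 2 for the length octets/root)."""
    queries = encode_chunks(payload)
    total = sum(PER_PACKET + len(q) + 2 for q in queries)
    return total / len(payload)


def shannon_entropy(s: str) -> float:
    """Bits per symbol of the string's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_tunnel(qname: str) -> bool:
    """Heuristic: data labels (everything left of the last two labels; a real
    check would use the Public Suffix List) that are long and high-entropy, or
    a name far longer than ordinary hostnames. Thresholds are assumptions."""
    labels = qname.rstrip(".").lower().split(".")
    data = "".join(labels[:-2])
    long_label = any(len(l) >= 30 for l in labels[:-2])
    return len(qname) > 100 or (long_label and shannon_entropy(data) > 3.5)


def flag_queries(log_text: str) -> list[tuple[str, str]]:
    """Scan 'timestamp client qtype qname' lines (assumed format) and return
    the (client, qname) pairs that trip the heuristic."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and looks_like_tunnel(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits


# Constructed resolver log: two ordinary lookups plus a tunnelled ssh command.
PAYLOAD = b"ssh -p 22 user@10.0.0.5\n" * 20
SAMPLE_LOG = "\n".join(
    ["2019-02-08T14:20:01Z 10.1.2.3 A www.slashdot.org",
     "2019-02-08T14:20:02Z 10.1.2.3 A login.microsoftonline.com"]
    + [f"2019-02-08T14:20:05Z 10.1.2.7 TXT {q}" for q in encode_chunks(PAYLOAD)]
)

if __name__ == "__main__":
    print(f"{len(PAYLOAD)} payload bytes -> {len(encode_chunks(PAYLOAD))} queries, "
          f"{wire_overhead(PAYLOAD):.2f} wire bytes per payload byte")
    for client, q in flag_queries(SAMPLE_LOG):
        print("tunnel-like query from", client, q[:40] + "...")
```

Two things worth noticing when you run it: a 480-byte payload already costs more than twice its size on the wire before any response traffic is counted, and the length-based rule catches every full-size query while the short final fragment slips through, which is why real detections also look at query volume per client and per zone rather than at single names.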

  • The network is hostile. If you think you don't need it, you are very naive.

  • $15 lifetime VPN.... so no then?
  • When the Ds and the Rs get together on something it means money. Someone is afraid that a US citizen might be hiding some wealth somewhere.

    • by tomhath ( 637240 )

      Someone is afraid that a US citizen might be hiding some wealth somewhere.

      More like putting a stop to government employees watching porn during work hours. Or spending most of their day campaigning for whatever politician they're beholden to.
