US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com)
Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senators Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.
Re:catching up to private business practices (Score:4, Interesting)
At my corporation I sure as hell am not allowed to use third-party VPN or traffic anonymizer services.
Allowed? No. But in companies with strict firewalls and web proxies, many people who have the know-how to do it are doing it. I have never used a VPN; I always have been able to create an SSH tunnel to a server I own, one way or another. But given the popularity of VPNs for bypassing other forms of spying and eavesdropping, it's not surprising this ends up being the more popular way of doing the same thing... just not a good idea whether you work for the government or the corporate world. Plenty of shady Chinese companies are looking for the opportunity to steal trade secrets; don't open the door for them.
If your company forces web proxies, or lets your bosses spy on your browsing habits, or has some other ridiculous oppression over their network, expect it to happen.
Re: (Score:1)
Re: (Score:2)
The government already gets it from both my cable company that provides wired Internet and Verizon which controls wireless for my phone. If the government wants to get that information, especially if they have a warrant, they will.
If I spent all my time worrying about what the government is doing I would not have time for anything else. This is not to say I trust the government but merely that they have such a stacked deck that I should probably either avoid committing crimes or I should definitely avoid ge
Re: (Score:2)
Yep, the real solution is to change the Internet so that VPNs aren't needed.
Re: (Score:2)
I don't think there is a real solution. I don't even think I want one. A little bit of crime is a good thing.
We Amelican VPN we Plomise! (Score:5, Insightful)
As if a VPN located anywhere even in the US is rated for any clearance.
Just block them? (Score:5, Informative)
I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.
Re: (Score:2)
So you still don't see why oversight is needed to verify that, eh? Gee. Maybe it will just happen all by itself like the invisible jackoff hand of the free market?
Oh my god, I would hope that it doesn't take congress to oversee standard security practice that every large business follows - if any oversight is needed at all, then use it to put competent IT staff in place.
Re: (Score:2)
Re: (Score:2)
Not really, at least on the Federal end of things.
Especially if it has any security requirements at all, you have to be a US citizen....contractor or govy.
Re: (Score:2)
if any oversight is needed at all, then use it to put competent IT staff in place.
The competency deficiency in government is in the overseers, not the workers.
One of the most technical areas is the Department of Energy. This is the guy running it [gizmodo.com].
Re: (Score:2)
It isn't needed.
This is obviously already part of Federal IT policy.
Re:Just block them? (Score:5, Insightful)
If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.
Sensitive data should never be on personal devices, period. If users need sensitive data on portable devices, those devices should be provided by the employer, and no personal data (or use) should be permitted on those devices. There are zero exceptions. If that means users need to carry two devices, so be it. What are they getting paid for, anyway?
Re: (Score:3)
Putting this in context, the article cites a study about VPN Apps on the Apple Store and Google Play Store. We're not talking gov't issued laptops, but rather BYOD cell phones.
BYOD is a security nightmare.
Re: (Score:2)
Sometimes there isn't a clear border between sensitive and non-sensitive information. Many people do work at home, or on personal laptops while traveling. While that certainly wouldn't include classified information, it might be related to work that is sensitive - sometimes just in work emails.
Often this work is done on people's personal time, so expecting them to go to extra effort to carry additional devices is likely to result in them just not doing the work, and a reduction in productivity.
If I were re
Re: (Score:2)
Sensitive data should never be on personal devices, period.
Well, wrong. As usual on Slashdot. Good rule of thumb in a company hiring idiots, of course. Not all do that.
Nothing wrong in hiring people using their own tools - if they are competent to set them up right. Which some people are.
If you hire consultants from some consulting company, they may very well come with their own computers for development+documentation. Hiring a person is very much like hiring a consultant from a one-man company. Might come with his own computer. Ok if he is a computer security expert.
Everything is wrong with letting people set up their own tools if they are going to be storing your data -- even if the people know what they are doing, people are not infallible, so eventually someone's going to slip up and install malware or configure something insecurely. The only way to be sure is to enforce policies with policy enforcement and automatic monitoring.
Ok if he is a computer security expert
If he is, then he'll tell you why he shouldn't have free rein to configure his computer and why the company should be enforcing policies an
Re: (Score:2)
If you hire consultants from some consulting company, they may very well come with their own computers for development+documentation.
That's fine. If he's using the same devices for work and personal use, then he's doing it wrong, and any contract should reflect that fact and prohibit such behavior.
Re: (Score:2)
I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.
Yeah. Next they'll be saying no using our own webservers and the like. The nerve of some people.
Nobody mention (Score:1)
the secret back-channel between "Individual 1" and Alfabank.
Re: (Score:2, Funny)
Just a perfectly innocent ongoing stream of repeated DNS lookups. No collusion!
https://www.newyorker.com/maga... [newyorker.com]
SSL over HTTP/HTTPS for the win (Score:3)
I needed to ssh into a server for testing. Company policy blocked ssh outgoing.
If you get desperate enough, you can probably do it over DNS.
Re: (Score:2)
DNS tunneling is indeed a thing. Overhead is nasty. Ping tunneling is also a thing.
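A defender-side counterpart to the DNS tunnelling mentioned in the post above, added here as an example and not taken from the thread: a heuristic that scores DNS query logs for tunnel-like traffic (many queries to one domain, each with a long, high-entropy, never-repeated subdomain). The log format, the tun.example.net names and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed sample DNS query log, format assumed: "<epoch> <client_ip> <qname> <qtype>".
# The long random-looking labels under tun.example.net mimic data encoded into query names.
SAMPLE_LOG = """\
1549000001 10.0.0.5 www.example.com A
1549000002 10.0.0.5 mail.example.com A
1549000003 10.0.0.5 cdn.example.com AAAA
1549000004 10.0.0.7 a9f3c1e2b7d4e8f0c6a1b2d3e4f5a6b7c8d9.tun.example.net TXT
1549000005 10.0.0.7 f1e2d3c4b5a6978869504132feedfacecafe.tun.example.net TXT
1549000006 10.0.0.7 0123456789abcdeffedcba98765432100f1e.tun.example.net TXT
1549000007 10.0.0.7 5a5a5a5a1b2c3d4e5f60718293a4b5c6d7e8.tun.example.net TXT
1549000008 10.0.0.5 www.example.com A
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """(registered_domain, subdomain). Assumption: last two labels form the registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def domain_stats(log_text):
    """Per registered domain: query count, distinct subdomains, mean subdomain length and
    entropy, and the share of TXT/NULL queries (record types favoured for their capacity)."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines rather than crash on them
        domain, sub = split_qname(parts[2])
        a = acc[domain]
        a["queries"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["txt"] += parts[3].upper() in ("TXT", "NULL")
    return {d: {"queries": a["queries"], "unique_subs": len(a["subs"]), "avg_len": a["len"] / a["queries"],
                "avg_entropy": a["ent"] / a["queries"], "txt_share": a["txt"] / a["queries"]} for d, a in acc.items()}

def tunnel_candidates(log_text, min_queries=4, min_avg_len=20.0, min_entropy=3.0):
    """Flag domains whose query names look like encoded payloads: enough volume, long
    high-entropy subdomains, and a fresh subdomain on (almost) every query."""
    return sorted(d for d, s in domain_stats(log_text).items()
                  if s["queries"] >= min_queries and s["avg_len"] >= min_avg_len
                  and s["avg_entropy"] >= min_entropy
                  and s["unique_subs"] >= 0.9 * s["queries"])
```

Thresholds need tuning per environment: CDNs and some anti-spam services legitimately produce long, high-entropy labels, so treat a hit as a lead for review, not a verdict.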
Re: (Score:1)
If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.
The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.
I know, as a security administrator, I would be asking why are you doing ssh over the Interne
Re: (Score:2)
If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.
The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.
I know, as a security administrator, I would be asking why are you doing ssh over the Internet to outside servers that security doesn't already know about, wasn't involved in setting up and securing, and don't already have rules in place to allow ssh or vpn administration?
Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.
Re: (Score:2)
Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.
And that's why it gets bypassed. By the time it gets through the process, the project is dead and half the department is laid off. It's a little like picking through the smoldering ruins of a crashed jetliner and telling the barely conscious pilot "yeah, go ahead and make an emergency landing if you think it's necessary."
I'm not advocating lax security, just explaining how and why it happens. It's easier to get employees and their managers to go along with necessary security when it's reasonable AND responsi
Re: (Score:2)
Re: (Score:3)
At one place I worked they blocked certain HTTP headers with a (not so) transparent proxy. It was so annoying that we took to tunnelling data over ICMP echo requests to work around it.
Re: (Score:2)
I don't see anybody here arguing against VPNs. I argued against VPN SERVICES. Even though I put SERVICES in caps, some people still didn't get it.
YOU DON'T NEED TO USE A VPN "SERVICE" TO USE A VPN! The VPN Service companies have thoroughly muddled the minds of the public.
For most use cases, there is no need to involve a third-party SERVICE. Certainly, for work-related stuff - which is what the article was about - the workplace should install a VPN s
Re: (Score:2)
Testing how your site looks from other countries/regions is a good use case of a VPN service. But MOST users do not need this.
On-site VPN server for access to corporate systems is the right way to go for remote access.
Trusting a third party who un-encrypts and re-encrypts for anything that you need/want to be secure
Re: (Score:1)
Actually if you assume the user is basically competent and knows how to apply his own security updates or switch router vendors when one refuses to issue a necessary one, everything he said is true. Maybe you're forgetting the possibility of conflicts-of-interest amongst the staff at any free 3rd party VPN service (the part where the traffic they're supposed to be hiding for you is more valuable than the service of hiding it for you) evaporates any possible improvement in network security unless you're ass
Re: (Score:1)
Well, you're obviously astro-turfing because you've assumed I'm using a shitty off-the-shelf plastic router in the first place, rather than something a little bit more auditable like a Linux or BSD box.
Re: (Score:3)
1. Learn to read and parse English.
2. Wash your mouth out with soap.
I never said anything about the motivations of the end users. "their" clearly refers to the VPN services. I question the motivations of the services that give services away for free. How are they making money?
Re: (Score:2)
Interesting how a reasonable post with a reasonable opinion, not flame bait, got modded to 0. While an obscenity-laced response that shows lack of comprehension gets modded up.
Presume it was done by bots from hostile countries. I now have to presume the existence of a hostile bot net with /. mod points.
Re: (Score:2)
In those cases, obviously you run your own VPN.
Depends on why you are running it. If I run my own VPN from home or a local co-loc data center, then it looks to the remote site like I am at or near my present location. One uses a foreign VPN when one wants to appear to be in that country*. If Evil Foreign governments can hijack that VPN, they can also hijack the sites I am visiting. So this isn't about me being safe from Evil Foreigners. This is about the NSA not being able to (easily) sniff my traffic.
*There are other reasons to run a VPN. Like connect
Re: (Score:2)
I might want to watch a foreign news stream. Some of these are geo-blocked outside of their home markets. BBC is notorious for doing this.
Re: (Score:2)
Useless for what? Evading the law?
MOST users are not evading the law. For MOST users, this is not a concern. I would be more concerned about somebody in a foreign country scraping credit cards, personal details with which to commit financial fraud. Unfriendly countries building up databases of personal details of the general public that can be banked and used in the future to create disruption.
Everyone should use VPN 24/7 (Score:2)
The network is hostile. If you think you don't need it, you are very naive.
Re: (Score:3)
Not all VPN services are friendly. Make sure you're not jumping out of the frying pan into the fire.
Re: (Score:2)
My firewall logs are in full agreement with you :|
Slashdot Deals... (Score:2)
Bipartisan (Score:2)
When the Ds and the Rs get together on something it means money. Someone is afraid that a US citizen might be hiding some wealth somewhere.
Re: (Score:2)
Someone is afraid that a US citizen might be hiding some wealth somewhere.
More like putting a stop to government employees watching porn during work hours. Or spending most of their day campaigning for whatever politician they're beholden to.