description of InfraGard (boost with CW; threading with my post above because related; I am still an uninformed outsider)
From @kaniini in https://pleroma.site/notice/9gRG15Nl5QQy0YZAeW
FBI InfraGard is a CERT-like organization that acts as a liaison between security researchers, vendors and entities which are considered critical infrastructure: banks, utilities, etc. It is a reasonably harmless organization which intends to do well but is controversial for a few reasons.
The main reason it's controversial is due to being incubated by the FBI. The other main reason why it's controversial is because they wrap vulnerability discussions in a series of NDAs. InfraGard-coordinated vulnerabilities do not necessarily see public disclosure.
Personally, I am not really a fan of InfraGard, for both the NDAs and FBI background: friends of mine have been burned by the FBI before when trying to ethically handle vulnerabilities.
But this does not mean that somebody should be faulted for choosing to participate in InfraGard. At worst it just means they believe in something others don't.
You wouldn't defederate someone for drinking chocolate milk out of a wine glass, right? InfraGard membership is, maybe at worst, the infosec equivalent of that type of social faux pas.
When it comes to vulnerability disclosure though, I believe public disclosure is in the public interest. And, well, InfraGard doesn't. And that's the real controversy... they aren't cops or law enforcement of any kind.
more description of InfraGard (1084 words, cw: Thelema religious language) (boost with CW; threading with my post above because related; I am still an uninformed outsider)
Infragard for laybeings:
Infragard is described as a public sector/private sector partnership (part of the FBI, though I don't know off the top of my head which one) where they share intel pertaining to information security with active security professionals. This means, you have to work for a company which is in a fairly important field, such as aerospace, a tier-1 or tier-2 ISP, finance, or software products. I worked at NASA at the time, and later went into fintech. Both times I had to join Infragard because I did information security as my job. When I worked as a pen tester for a consultancy, it was before Infragard existed, otherwise I'd have had to join.
Yes, I had to undergo a background check. They want to make sure that members work for established companies, actually do security work, and don't have any connections to criminal groups that would try to misuse the information (at the time it was Russian organized crime they were worried about).
Being a member of Infragard means you get access to bulletins a couple of weeks before the information goes public. Most of it is under Chatham House rules - you can use it, but you can't say "I got this from Infragard."
Unfortunately, most of this information is between three and six months out of date. If you do even a minimal amount of proactive intel gathering as a security practitioner (run honeypots, read your server logs manually once or twice a week), or have any kind of intelligence system in place (#exocortex) you'll scoop them easily.
Supposedly they have classified infosec intel that they disseminate, but I've never seen any of it. If I had, common sense says I'd stay the hell away from a site like hackers.town and not say a damned thing about this tempest in a teapot.
Infragard has periodic members-only meetings where they talk about stuff going on. The group nomenclature /APT [0-9]*/ was first brought up during some of these seminars. Once in a great while a speaker will bring up something timely, but most of the time the meetings are pretty much a waste of time. Most of the ones I went to had to do with security policy compliance (meaning, "Did you follow all the steps in $handbook to lock your shit down?"), logging and analysis, that Windows XP wasn't going out of support just yet (at the time), and stuff like that. It's usually two or three speakers with an MC from Infragard while the rest of us sit in uncomfortable plastic chairs drinking crappy coffee and eating more-than-halfway-decent bagels and muffins for breakfast.
Yes, I had to wear a suit to attend. Highly uncomfortable in the DC metroplex in the summer, I can assure you.
No super-secret info, tips, or tricks were given out. I wish. It's all stuff that you'd know anyway if you'd ever been a system administrator. Hell, most of the people there weren't even techies, they were policy wonks. Quite a few times I was the only person there who actually worked /with/ and /on/ computers in any capacity. I was certainly the only person there with long hair.
For the record, if you want the High Gibson 0-day intel, crash a room party or two at Defcon or HOPE. That's where the good stuff is.
Infragard does not solicit, demand, or even request intel from its members. Everything was push (they tell us stuff), not pull (we tell them stuff). I doubt they'd even listen to us if we did tell them anything. A couple of times I spoke to presenters during breaks to correct them, because their knowledge of something was incorrect (see above remark about doing proactive infosec stuff) and either their eyes glazed over or they "Well, actually"'d me.
It's nothing really impressive if you have a technical background. Most of the time you'd be bored out of your mind, unless you were a checkbox-checker that did C&A (certification and accreditation) work (which is NOT actually testing security, it's asking questions on a checklist, only about 1/3 to 1/2 actually have anything to do about actual infosec; but that's a rant for another time).
Ostensibly I'm still an active member even though I haven't logged into the Infragard portal in about three years, though I still get the e-mails (I currently have over 200 in a folder, unopened, because most of the information is simply useless), and I can't be bothered to sit on the phone for three hours until I get through to a human who can unlock the account I never log into, anyway.
At no time, to the best of my knowledge, were any of us questioned about things we knew about or did. We were never even asked about stuff we saw going on in our own networks. I certainly wasn't, and I saw a lot of shit flying around on the Net at the time. Nobody ever told (or even gently suggested) to any us to keep an eye and ear open for anything interesting happening on Twitter, Facebook, or anything else. Hell, at the time Infragard didn't even seem to know anything about Lulzsec's shenanagains at the time, nor did any of the other members I talked to at seminars. I was the only person in the DC Infragard chapter who did, because I'd tasked part of me with monitoring the situation.
If the FBI /did/ want to monitor the Fediverse... well, pull up your profile and hit View Source. You'll see an RSS feed for everything you post. Here's mine: https://hackers.town/users/drwho.atom
tl;dr, they could surveil the Fediverse with a feed reader or even a shitty Perl script. No NSA magick required. Not even an account on that instance is required. So, there would be no point to standing up an instance for the purpose of surveillance.
Ask me anything I forgot about. I'll answer honestly and to the best of my ability. If I don't know, I'll say "I don't know."
Love is the Law, Love under Will.
updated tl;dr of the cop instance thing from yesterday (472 words)
(I suggest boosting this toot rather than the one at the top of this thread; I believe it is more accurate.)
Yesterday, the instance admin of hackers.town - TheGibson - posted a toot with three slides from a PowerPoint presentation - I think about advertising infosec as a career. (It's deleted now - https://web.archive.org/web/20190304191940/https://hackers.town/@thegibson/101693197693941092 is a copy on the Wayback Machine, https://web.archive.org/web/20190304192001/https://hackers.town/system/media_attachments/files/000/666/042/original/5b6195e9e881954e.png?1551714968 - cw: glancing reference to prison rape - is a copy of the first slide.) Among other remarks, they referred to themself as a "Proud Member of FBI Infragard".
Understandably, given the large fraction of the Fediverse population who are leftists, social justice advocates, anti-war activists, or any combination of the above, a great many people were very upset at sharing their private correspondence with someone bragging of their participation in an FBI-affiliated organization. We are who the FBI has targeted for decades.
What is InfraGard? Going by my own limited research and what infosec people have said in response to this outpouring of distrust:
InfraGard, as an organization, is a public-private partnership that presents itself as having a broad mandate to share information between (implicitly, in both directions) private organizations like major corporations and the FBI. InfraGard, as an organization, has little in the way of transparency - in fact, what information it shares, it tends to share confidentiality and with a rule that those receiving it cannot cite InfraGard as a source. (This kind of thing is called "Chatham House Rules", apparently.) According to those who have interacted with it and spoken up, said information is no more than "hey, here is a computer security threat we've seen and some things you all can do to deal with it" - basically on par with the FDA sharing advice on how to comply with new food regulations.
This hasn't particularly allayed the fears of people who viscerally distrust the FBI. Like the ACLU said in 2004, from what little is shared with the general public, InfraGard could easily be another organization designed to facilitate the funneling of private information to the FBI without a warrant so they can better spy on the public - something US intelligence and law enforcement agencies have done many times under many names, changing those names but not the practice whenever outsiders find out about one and scream bloody murder. We don't know, and we have every reason to distrust.
And that 'proudly' from TheGibson - the entire tone of the slides, in fact - doesn't foster confidence in anyone that they draw their lines on what they are willing to participate in /anywhere near/ where they'd have to for people to feel comfortable trusting their judgment.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!