tl;dr of the reports of a cop instance going around
The admin of hackers.town recently posted https://hackers.town/@thegibson/101693197693941092 (cw: glancing allusion to prison rape) - a sampling of slides from a presentation in which they identified themself as a "Proud Member of FBI Infragard".
For those not familiar, InfraGard is a non-profit "partnership between the FBI and members of the private sector" that "provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure", according to its website (linked from https://en.wikipedia.org/wiki/InfraGard which says much the same).
As you might imagine, a great many people are upset that a large fediverse instance is being run by someone who describes themselves as proud to be involved in the funneling of information to the FBI, especially given the long history of FBI informants being made to infiltrate left-wing groups for spying and entrapment purposes. See for example https://berries.space/@undyne/101694112267233862 from @undyne.
I think that probably gives everyone enough context to make decisions.
description of InfraGard (boost with CW; threading with my post above because related; I am still an uninformed outsider)
From @kaniini in https://pleroma.site/notice/9gRG15Nl5QQy0YZAeW
FBI InfraGard is a CERT-like organization that acts as a liaison between security researchers, vendors and entities which are considered critical infrastructure: banks, utilities, etc. It is a reasonably harmless organization which intends to do well but is controversial for a few reasons.
The main reason it's controversial is that it was incubated by the FBI. The other main reason it's controversial is that they wrap vulnerability discussions in a series of NDAs. InfraGard-coordinated vulnerabilities do not necessarily see public disclosure.
Personally, I am not really a fan of InfraGard, for both the NDAs and FBI background: friends of mine have been burned by the FBI before when trying to ethically handle vulnerabilities.
But this does not mean that somebody should be faulted for choosing to participate in InfraGard. At worst it just means they believe in something others don't.
You wouldn't defederate someone for drinking chocolate milk out of a wine glass, right? InfraGard membership is, maybe at worst, the infosec equivalent of that type of social faux pas.
When it comes to vulnerability disclosure though, I believe public disclosure is in the public interest. And, well, InfraGard doesn't. And that's the real controversy... they aren't cops or law enforcement of any kind.
updated tl;dr of the cop instance thing from yesterday (472 words)
(I suggest boosting this toot rather than the one at the top of this thread; I believe it is more accurate.)
Yesterday, the instance admin of hackers.town - TheGibson - posted a toot with three slides from a PowerPoint presentation - I think about advertising infosec as a career. (It's deleted now - https://web.archive.org/web/20190304191940/https://hackers.town/@thegibson/101693197693941092 is a copy on the Wayback Machine, https://web.archive.org/web/20190304192001/https://hackers.town/system/media_attachments/files/000/666/042/original/5b6195e9e881954e.png?1551714968 - cw: glancing reference to prison rape - is a copy of the first slide.) Among other remarks, they referred to themself as a "Proud Member of FBI Infragard".
Understandably, given the large fraction of the Fediverse population who are leftists, social justice advocates, anti-war activists, or any combination of the above, a great many people were very upset at sharing their private correspondence with someone bragging of their participation in an FBI-affiliated organization. We are who the FBI has targeted for decades.
What is InfraGard? Going by my own limited research and what infosec people have said in response to this outpouring of distrust:
InfraGard, as an organization, is a public-private partnership that presents itself as having a broad mandate to share information between (implicitly, in both directions) private organizations like major corporations and the FBI. InfraGard, as an organization, has little in the way of transparency - in fact, what information it shares, it tends to share confidentially and with a rule that those receiving it cannot cite InfraGard as a source. (This kind of thing is called "Chatham House Rules", apparently.) According to those who have interacted with it and spoken up, said information is no more than "hey, here is a computer security threat we've seen and some things you all can do to deal with it" - basically on par with the FDA sharing advice on how to comply with new food regulations.
This hasn't particularly allayed the fears of people who viscerally distrust the FBI. Like the ACLU said in 2004, from what little is shared with the general public, InfraGard could easily be another organization designed to facilitate the funneling of private information to the FBI without a warrant so they can better spy on the public - something US intelligence and law enforcement agencies have done many times under many names, changing those names but not the practice whenever outsiders find out about one and scream bloody murder. We don't know, and we have every reason to distrust.
And that 'proudly' from TheGibson - the entire tone of the slides, in fact - doesn't foster confidence in anyone that they draw their lines on what they are willing to participate in /anywhere near/ where they'd have to for people to feel comfortable trusting their judgment.