Educause Security Discussion mailing list archives
Re: Shodan value
From: Cameron Dixon <cameron.dixon () HQ DHS GOV>
Date: Thu, 27 Jul 2017 23:53:22 -0600
Hello there, new listserv-er here. I'm the ops lead for the DHS NCATS scanning service mentioned previously-- a colleague of mine alerted me to this discussion, so I hope you'll forgive the interjection. Cyber Hygiene, our service that scans internet-facing systems, is (basically) available to all comers, and the https://github.com/dhs-ncats/services link outlines the contours of the service decently-- I'm also happy to answer any questions you might have.

One thing we encourage (particularly) our education sector stakeholders to think through is that Cyber Hygiene is optimized around the presumption that a host's IP address generally stays the same over time. This may not be the case in some of your environments; e.g., you may assign public IP addresses to clients on your wireless network. Networks with high IP addressing volatility are probably not good subjects for our service, since it cannot be presumed that the host that gets scanned will be the same device at vulnerability notification, and it's our intention to help organizations find and fix *their* vulnerabilities. So, Cyber Hygiene is best suited to those environments where an enterprise maintains the network *and* manages the devices that use it.

Yes, it could be asserted by, e.g., a university, that the vulnerabilities found on their network impact them regardless of whether they manage the devices on their network. A university could also attempt to claim some 'ownership' over user devices by stating that an acceptable use agreement was signed, binding their users to some conditions. While both may be true, it is not reasonable that the Department of Homeland Security should be, or have the appearance of, scanning individual, independent citizens who didn't sign up to be scanned.

...But I mostly joined to respond that there's nothing inherently scary about DHS or any federal agency using GitHub. We use (and create!) open source software like many of you; indeed, we're required to (https://code.gov/#/policy-guide/policy/open-source). Even a decent chunk of the Intelligence Community is on GitHub (https://government.github.com/community/#us-military-and-intelligence). While having a service catalog on GitHub isn't our first choice, I promise it's nicer than waiting for an email back from us!

Cheers.