US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com)
Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senator Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.
At my corporation I sure as hell am not allowed to use third-party VPN or traffic anonymizer services.
Federal employees are almost impossible to fire compared to how things are in the private sector (e.g. real world)
As if a VPN located anywhere even in the US is rated for any clearance.
I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.
the secret back-channel between "Individual 1" and Alfabank.
..."Look into the POSSIBLE dangers"
Why in the hell isn't this against some existing rule RIGHT NOW that makes any VPN access totally a big NO? I think the lack of such rule should be investigated, someone was asleep at the switch - "possible dangers", what nonsense.
Using unapproved VPNs on a government computer is already against policy and should lead to severe repercussions. Is this letter random fearmongering or is there actually evidence of unapproved VPN use?
The use of foreign VPN apps to download porn is not an intelligence risk.
I needed to ssh into a server for testing. Company policy blocked ssh outgoing.
If you get desperate enough, you can probably do it over DNS.
There seems to be widespread confusion about VPNs, to the point where the vast majority of the public thinks that VPNs have to be a hosted service
The services have the public confused and hoodwinked. Since most are either free or insanely cheap, it does make one question their motivations.
There are no good reasons for anybody to be using a VPN SERVICE to access their home/office/work resources. They should be using a VPN server installed in their home/office/work. For home, it's as easy as enabling the VPN feature present in most home routers. (Better and probably more trustworthy to use third-party router firmware...)
For safe mobile connections, there may be some use for a service. For example, your home Internet connection has asymmetrical bandwidth (e.g. cable) with poor uplink bandwidth.
I do have a VPN service subscription (OpenVPN). So far, I've used it for one thing and one thing only.... sneaking across the Brexit Border to view the Monty Python video library via iPlayer. I think the services are safe for that purpose. ;)
The confusion seems to be YOURS. VPNs being inexpensive has no bearing on the motivations of the end users. I use one frequently for professional and personal expediency reasons. Nothing untoward or illegal at all.
They encrypt your traffic so the ISP can't mine it, and other 3rd parties can't readily hijack the data in stream as happens on public-accessible networks. Saying there's "no good reason" is uneducated horseshit.
"For home, it's a easy as enabling the VPN feature present in most home routers. (Better and probably more trustworthy to use third-party router firmware...)" - UNFOUNDED HORSESHIT.
Most routers are not running the latest firmware nor is the latest firmware available updated with the latest VPN security protocols, unlike several VPN services. You have no idea what you're talking about.
You are not making this decision based on factual information, so obviously you have some other underlying motivation for making all this shit up. What is it?
"Federal employees are almost impossible to fire compared to how things are in the private sector (e.g. real world)" = Absolutely horseshit. You have no idea about either sector and your generalizations are retarded on their face.
And when your AOL caliber people use VPNs, it's more than likely so they can access their HomeCountries' streaming services than anything nefarious because media companies STILL don't understand the WORLD WIDE WEB, still clinging onto their 20th century notions of X Country pays X and Y Country pays Y, divvy up the globe using dubious 3rd party ip2location databases to enforce their old ideas, ban geo restrictions and let's get back to a WORLD WIDE WEB and not some bastardized version of cable TV.
They encrypt your traffic so the ISP can't mine it, and other 3rd parties can't readily hijack the data in stream as happens on public-accessible networks. Saying there's "no good reason" is uneducated horseshit.
So instead of letting your ISP mine your traffic, you're allowing a 3rd party (whatever vpn service you are using) mine it instead? And that 3rd party service is set up specifically for offering a vpn service, so they wind up with a single point of mining lots of traffic from lots of users. This is better than just using https/secure protocols directly over your ISP?
I tend to agree with the parent, though we do use VPN services for testing how our site looks from other countries/regions. For access to our corporate systems, we have our own on-site vpn server.
They encrypt your traffic so the ISP can't mine it, and other 3rd parties can't readily hijack the data in stream as happens on public-accessible networks. Saying there's "no good reason" is uneducated horseshit.
They encrypt your traffic from you to them, then it's unencrypted. Unless you have an end to end VPN where you or your IT department control both ends, then you are just changing the 3rd parties that can readily hijack the data in stream. Sure the hotel you are in can't. The local ISP can't. The VPN provider CAN - do you trust them? The VPN provider's ISP CAN - who are they? Any other ISP between the VPN provider and the final destination CAN. What have you gained?
Most routers are not running the latest firmware nor is the latest firmware available updated with the latest VPN security protocols
If you care enough and are technically savvy enough to run a VPN, this should not be a great barrier to you.
My ISP is Comcast, which actively mines traffic. My VPN service has an extensive list of things it DOES NOT DO in the EULA. My ISP makes no such guarantees and operates in much the opposite fashion.
In fact yes, I am 100% sure that my traffic is safer from prying eyes in the VPN than outside of it. That's as close to a verifiable fact as one can get in security.
Read about it if you like :
https://nordvpn.com/terms-of-service/
But really, they need an “emergency directive” to tell people not to use foreign vpns? Will they make “emergency directives” for people not to use foreign phone and laptop devices too?
Any local VPN will get a national security letter, and hence be utterly useless.
If in China, as a non-US-American, I'll prefer a US-based VPN.
But if in the USA, I sure as hell prefer an Icelandic VPN over a US-based one!
Duh!
That's like China demanding people only use local VPNs. ... ... ... Oh, wait!
I do trust the VPN provider over my ISP (Comcast) or Hotel wifi (Marriott?) in question by default, yes, absolutely. To operate the opposite way is ignorant of reality. https://nordvpn.com/terms-of-service/
" Any other ISP between the VPN provider and the final destination CAN" - There is no protection for unencrypted traffic on the general internet. So yes, adding a layer of IP obscurity and encryption for 90% of the packet travel is a step up.
"If you care enough and are technically savvy enough to run a VPN, this should not be a great barrier to you." - Who said it was? I said they did a more competent job than the VAST majority of routers' firmware, which is a fact.
Updating firmware is a PITA for many if even updates are available, which many times are flawed until EOL. Not so with a frequently updated service.
I also have a choice of endpoints around the world to circumvent arbitrary local restrictions, which I can employ or not at the click of a button.
AND they guarantee in plain writing there is no logging, no harvesting, no filtering - so if they violate that, unlike the ISP, I could literally sue their asses on the merits.
Face it, any way you slice it, having some encryption and avoiding a known data harvesting operation like Comcast or other ISP / local public network provider like a Hotel IS A NET WIN, and provides better overall security. It's a fact.
You can dither but you can't supplant that.
The network is hostile. If you think you don't need it, you are very naive.
In those cases, obviously you run your own VPN.
It's not like OpenVPN takes more than a morning to set up and secure, even for huge user counts.
Especially for international organizations, this is the obvious route to go.
$15 lifetime VPN.... so no then?
This is better than just using https/secure protocols directly over your ISP?
Yes, it is radically better!
I have no choice regards my ISP, because there is only one in the local area. I can pick any VPN provider I want. I can find one with acceptable TOS and a good street rep. I can switch out to a different VPN provider if they screw up. There are hundreds to pick from, so there is competition to keep them on the up-and-up. I can chain multiple VPN providers. I have flexibility and control.
I question the motivations of those who argue against VPNs. Virtually everyone should be using a VPN these days.
Actually if you assume the user is basically competent and knows how to apply his own security updates or switch router vendors when one refuses to issue a necessary one, everything he said is true. Maybe you're forgetting the possibility of conflicts-of-interest amongst the staff at any free 3rd party VPN service (the part where the traffic they're supposed to be hiding for you is more valuable than the service of hiding it for you) evaporates any possible improvement in network security unless you're assuming it's a given that the user is functionally illiterate and technically inept.
When the Ds and the Rs get together on something it means money. Someone is afraid that a US citizen might be hiding some wealth somewhere.
Have gnu, will travel.
1. Learn to read and parse English.
2. Wash your mouth out with soap.
I never said anything about the motivations of the end users. "their" clearly refers to the VPN services. I question the motivations of the services that give services away for free. How are they making money?
Testing how your site looks from other countries/regions is a good use case of a VPN service. But MOST users do not need this.
On-site VPN server for access to corporate systems is the right way to go for remote access.
Trusting a third party who un-encrypts and re-encrypts for anything that you need/want to be secure is not.
I'm guessing my original post got modded down to 0 by Russian/Chinese/North Korean operatives.
I just don't understand it, I keep chanting "LOCK HER UP" and they keep arresting our guys!
That's it, I'll give him 6 more years and then the hell with him!
You're making similar assumptions about your router vendor's (closed source, proprietary, uneditable) firmware security, and saying it's more likely that a service that actively collects money from ongoing subscribers is somehow MORE likely to have conflicts of interest as a greater risk than 1, the router vendor being incompetent, 2, the router vendor's security extending vulnerabilities to 3rd party solutions it 1/2-assed implements, 3, the router being up to date AND having up-to-date VPN protocols incorporating the newest regimes and deprecations, 4, random people who have access to that router firmware since release date finding flaws and exploiting them actively, and 5, the end user being competent enough of a network admin to KNOW ALL OF THIS, rather than just being required to launch the VPN service which updates itself and has the latest protocols by default.
Face it, the most popular VPNs are more secure and less intrusive BY ANY METRIC than the most popular ISPs and public hotspot providers. Fact. Dithering will not supplant that, your under-thought reasons/excuses may vary.
I don't see anybody here arguing against VPNs. I argued against VPN SERVICES. Even though I put SERVICES in caps, some people still didn't get it.
YOU DON'T NEED TO USE A VPN "SERVICE" TO USE A VPN! The VPN Service companies have thoroughly muddled the minds of the public.
For most use cases, there is no need to involve a third-party SERVICE. Certainly, for work-related stuff - which is what the article was about - the workplace should install a VPN server. The article didn't say WHY government workers were using VPN services. (Indeed, it didn't even say that they ARE...) It is an investigation.
OK, I get it about the sadsacks who are stuck with cable companies that spy on them for the sake of advertising dollars. If that's your situation - and you are paranoid - fine. Go ahead and tunnel through a proven liar to an unproven liar. But let me ask them - are you on Facebook? HAHAHAHAHAHAHAHA! Most of the paranoids that are worried about their cable company spying on them - FOR THE PURPOSE OF PROFIT, SO REALLY WHO GIVES A SHIT - have almost certainly already given their privacy away to others.
I have to guess that it's been discovered that government workers are inadvertently using the VPN services that they use to hide their pr0n browsing - or guard against being inundated with advertising for products they've already bought - to access work/government websites.
"Trusting a third party who un-encrypts and re-encrypts for anything that you need/want to be secure is not." THE ISP IN MANY PLACES IN THE US DOES THAT BY DEFAULT WITH ~ZERO PROTECTIONS FOR PRIVACY.
Saying that adding a layer of encryption and endpoint abstraction somehow makes you insecure by default compared to the known intrusion of the ISP is just bad logically, you are being stupid for a purpose.
What is it?
Well, you're obviously astro-turfing because you've assumed I'm using a shitty off-the-shelf plastic router in the first place, rather than something a little bit more auditable like a Linux or BSD box.
But wasn't that nothing to do with VPN? Maybe they just want you using american VPN so they can be sure "they" WILL be spying on you!
The motives of the parent are apparent in the final line of the post.
propaganda
Most people, the average user, uses plastic off the shelf routers. You want to specify a subset that is power users or Linux admins, that's in addition to the use-case I was talking about and which could benefit from a VPN service.
Astroturfing means something else entirely, you're being stupid again. Post your configuration if you want it to be accurately summarized, you didn't specify that before and I'm not actually psychic despite frequent coincidences.
Absolutely BSD/pfsense/xyz is better than Dlink FUK4213, but where you have to maintain your BSD competently THAT COSTS EXPERTISE = MONEY, or you're not actually secure. With the service, you're 99% there without kernel edits.
By any actual criteria there is a comparable advantage in convenience that is also as-functional or better than your "auditable" as-yet unspecified system that you would need expertise to build correctly.
The point is basic. Look up what astroturfing means so you can be less confused when you reply.
if the troll's title didn't tip you off, he's a sack of human waste and not worth your time.
Tell that to Turing...
Who the fuck would trust "domestic" ones? And yes it does run Linux.