Slashdot Mirror


US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com)

Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senators Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.

42 of 93 comments

  1. We Amelican VPN we Plomise! by Anonymous Coward · · Score: 5, Insightful

    As if a VPN located anywhere even in the US is rated for any clearance.

  2. Just block them? by hawguy · · Score: 4, Informative

    I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

    1. Re:Just block them? by hawguy · · Score: 1

      So you still don't see why oversight is needed to verify that, eh? Gee. Maybe it will just happen all by itself like the invisible jackoff hand of the free market?

      Oh my god, I would hope that it doesn't take congress to oversee standard security practice that every large business follows - if any oversight is needed at all, then use it to put competent IT staff in place.

    2. Re:Just block them? by PuckSR · · Score: 1

      It isn't needed.
      This is obviously already part of Federal IT policy.

    3. Re:Just block them? by cordovaCon83 · · Score: 1

      Government is one of the few sectors where outsourcing and getting replaced by visa workers is a major fear. Perhaps this also explains why government systems tend to be antiquated?

    4. Re:Just block them? by ShanghaiBill · · Score: 1

      if any oversight is needed at all, then use it to put competent IT staff in place.

      The competency deficiency in government is in the overseers, not the workers.

      One of the most technical areas is the Department of Energy. This is the guy running it.

    5. Re:Just block them? by drinkypoo · · Score: 4, Insightful

      If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

      Sensitive data should never be on personal devices, period. If users need sensitive data on portable devices, those devices should be provided by the employer, and no personal data (or use) should be permitted on those devices. There are zero exceptions. If that means users need to carry two devices, so be it. What are they getting paid for, anyway?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    6. Re:Just block them? by cayenne8 · · Score: 1

      "Competent IT staff" == H-1Bs.

      Not really, at least on the Federal end of things.

      Especially if it has any security requirements at all, you have to be a US citizen....contractor or govy.

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........

    7. Re:Just block them? by liquid_schwartz · · Score: 1

      I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

      Yeah. Next they'll be saying no using our own webservers and the like. The nerve of some people.

    8. Re:Just block them? by chill · · Score: 2

      Putting this in context, the article cites a study about VPN Apps on the Apple Store and Google Play Store. We're not talking gov't issued laptops, but rather BYOD cell phones.

      BYOD is a security nightmare.

      --
      Learning HOW to think is more important than learning WHAT to think.

    9. Re:Just block them? by joe_frisch · · Score: 1

      Sometimes there isn't a clear border between sensitive and non-sensitive information. Many people do work at home, or on personal laptops while traveling. While that certainly wouldn't include classified information, it might be related to work that is sensitive - sometimes just in work emails.

      Often this work is done on people's personal time, so expecting them to go to extra effort to carry additional devices is likely to result in them just not doing the work, and a reduction in productivity.

      If I were required to carry a work laptop when on personal travel, I would stop doing work for free when traveling.

    10. Re:Just block them? by hawguy · · Score: 1

      Sensitive data should never be on personal devices, period.

      Well, wrong. As usual on slashdot. Good rule of thumb in a company hiring idiots, of course. Not all do that.

      Nothing wrong in hiring people using their own tools - if they are competent to set them up right. Which some people are.

      If you hire consultants from some consulting company, they may very well come with their own computers for development+documentation. Hiring a person is very much like hiring a consultant from a one-man company. Might come with his own computer. Ok if he is a computer security expert.

      Everything is wrong with letting people set up their own tools if they are going to be storing your data -- even if the people know what they are doing, people are not infallible, so eventually someone's going to slip up and install malware or configure something insecurely. The only way to be sure is to enforce policies with policy enforcement and automatic monitoring.

      Ok if he is a computer security expert

      If he is, then he'll tell you why he shouldn't have free rein to configure his computer and why the company should be enforcing policies and monitoring compliance.

    11. Re:Just block them? by drinkypoo · · Score: 1

      If you hire consultants from some consulting company, they may very well come with their own computers for development+documentation.

      That's fine. If he's using the same devices for work and personal use, then he's doing it wrong, and any contract should reflect that fact and prohibit such behavior.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  3. Nobody mention by Anonymous Coward · · Score: 1

    the secret back-channel between "Individual 1" and Alfabank.

    1. Re:Nobody mention by GameboyRMH · · Score: 1, Funny

      Just a perfectly innocent ongoing stream of repeated DNS lookups. No collusion!

      https://www.newyorker.com/maga...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel

  4. Re:catching up to private business practices by Austerity+Empowers · · Score: 3, Interesting

    At my corporation I sure as hell am not allowed to use third-party VPN or traffic anonymizer services.

    Allowed? No. But in companies with strict firewalls and web proxies, many people who have the know-how to do it are doing it. I have never used a VPN; I have always been able to create an SSH tunnel to a server I own, one way or another. But given the popularity of VPNs for bypassing other forms of spying and eavesdropping, it's not surprising this ends up being the more popular way of doing the same thing... just not a good idea whether you work for the government or the corporate world. Plenty of shady Chinese companies are looking for the opportunity to steal trade secrets; don't open the door for them.

    If your company forces web proxies, or lets your bosses spy on your browsing habits, or has some other ridiculous oppression over their network, expect it to happen.

  5. SSL over HTTP/HTTPS for the win by bobstreo · · Score: 2

    I needed to ssh into a server for testing. Company policy blocked ssh outgoing.

    If you get desperate enough, you can probably do it over DNS.

    1. Re:SSL over HTTP/HTTPS for the win by SuricouRaven · · Score: 1

      DNS tunneling is indeed a thing. Overhead is nasty. Ping tunneling is also a thing.

    2. Re:SSL over HTTP/HTTPS for the win by Anonymous Coward · · Score: 1

      If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.

      The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.

      I know, as a security administrator, I would be asking why are you doing ssh over the Internet to outside servers that security doesn't already know about, wasn't involved in setting up and securing, and don't already have rules in place to allow ssh or vpn administration?

    3. Re:SSL over HTTP/HTTPS for the win by bobstreo · · Score: 1

      If you need to do this for testing, and policy blocks it, then the correct answer is to have your boss request a documented exception to the security policy.

      The security people will either do it, or work with you to find a better way. If they don't, your boss will have leverage to go higher. If you don't, and you are found to be attempting to get around security, the security people will have leverage against you.

      I know, as a security administrator, I would be asking why are you doing ssh over the Internet to outside servers that security doesn't already know about, wasn't involved in setting up and securing, and don't already have rules in place to allow ssh or vpn administration?

      Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.

    4. Re:SSL over HTTP/HTTPS for the win by cob666 · · Score: 1

      I experienced something similar at a company I was working for as a contractor. We developed an application that had to ftp payroll ACH information to the bank for payroll and the IT policies didn't allow any type of ftp.

      --
      Do what thou wilt shall be the whole of the Law - Aleister Crowley

    5. Re:SSL over HTTP/HTTPS for the win by sjames · · Score: 1

      Yeah, I actually sat on the connection exception review team. Still took a long while to get through the process.

      And that's why it gets bypassed. By the time it gets through the process, the project is dead and half the department is laid off. It's a little like picking through the smoldering ruins of a crashed jetliner and telling the barely conscious pilot "yeah, go ahead and make an emergency landing if you think it's necessary."

      I'm not advocating lax security, just explaining how and why it happens. It's easier to get employees and their managers to go along with necessary security when it's reasonable AND responsive.

    6. Re:SSL over HTTP/HTTPS for the win by _merlin · · Score: 2

      At one place I worked they blocked certain HTTP headers with a (not so) transparent proxy. It was so annoying that we took to tunnelling data over ICMP echo requests to work around it.

  6. Re:catching up to private business practices by olsmeister · · Score: 1

    I just changed the DNS server to the Google one. Kind of scary that actually worked.

  7. Re:catching up to private business practices by Joce640k · · Score: 1

    Yep, the real solution is to change the Internet so that VPNs aren't needed.

    --
    No sig today...

  8. Everyone should use VPN 24/7 by Nocturrne · · Score: 1

    The network is hostile. If you think you don't need it, you are very naive.

    1. Re:Everyone should use VPN 24/7 by sjames · · Score: 2

      Not all VPN services are friendly. Make sure you're not jumping out of the frying pan into the fire.

    2. Re:Everyone should use VPN 24/7 by nehumanuscrede · · Score: 1

      My firewall logs are in full agreement with you :|

  9. Slashdot Deals... by wolfheart111 · · Score: 1

    $15 lifetime VPN.... so no then?

    --
    [($)]

  10. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by Narcocide · · Score: 1

    Actually if you assume the user is basically competent and knows how to apply his own security updates or switch router vendors when one refuses to issue a necessary one, everything he said is true. Maybe you're forgetting the possibility of conflicts-of-interest amongst the staff at any free 3rd party VPN service (the part where the traffic they're supposed to be hiding for you is more valuable than the service of hiding it for you) evaporates any possible improvement in network security unless you're assuming it's a given that the user is functionally illiterate and technically inept.

  11. Bipartisan by PPH · · Score: 1

    When the Ds and the Rs get together on something it means money. Someone is afraid that a US citizen might be hiding some wealth somewhere.

    --
    Have gnu, will travel.

    1. Re:Bipartisan by tomhath · · Score: 1

      Someone is afraid that a US citizen might be hiding some wealth somewhere.

      More like putting a stop to government employees watching porn during work hours. Or spending most of their day campaigning for whatever politician they're beholden to.

  12. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by jtara · · Score: 2

    VPN's being inexpensive has no bearing on the motivations of the end users

    1. Learn to read and parse English.
    2. Wash your mouth out with soap.

    I never said anything about the motivations of the end users. "their" clearly refers to the VPN services. I question the motivations of the services that give services away for free. How are they making money?

  13. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by jtara · · Score: 1

    I tend to agree with the parent, though we do use VPN services for testing how our site looks from other countries/regions. For access to our corporate systems, we have our own on-site vpn server

    Testing how your site looks from other countries/regions is a good use case of a VPN service. But MOST users do not need this.

    On-site VPN server for access to corporate systems is the right way to go for remote access.

    Trusting a third party who un-encrypts and re-encrypts for anything that you need/want to be secure is not.

    I'm guessing my original post got modded down to 0 by Russian/Chinese/North Korean operatives.

  14. Re:Unless they mean corporate ones, of course. by PPH · · Score: 1

    In those cases, obviously you run your own VPN.

    Depends on why you are running it. If I run my own VPN from home or a local co-loc data center, then it looks to the remote site like I am at or near my present location. One uses a foreign VPN when one wants to appear to be in that country*. If Evil Foreign governments can hijack that VPN, they can also hijack the sites I am visiting. So this isn't about me being safe from Evil Foreigners. This is about the NSA not being able to (easily) sniff my traffic.

    *There are other reasons to run a VPN. Like connecting to an internal network or I just don't trust the local coffee shop ISP. But if I've gone out of my way to establish a virtual foreign presence, then in all probability I am connecting to a foreign site.

    --
    Have gnu, will travel.

  15. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by jtara · · Score: 1

    I question the motivations of those who argue against VPNs

    I don't see anybody here arguing against VPNs. I argued against VPN SERVICES. Even though I put SERVICES in caps, some people still didn't get it.

    YOU DON'T NEED TO USE A VPN "SERVICE" TO USE A VPN! The VPN Service companies have thoroughly muddled the minds of the public.

    For most use cases, there is no need to involve a third-party SERVICE. Certainly, for work-related stuff - which is what the article was about - the workplace should install a VPN server. The article didn't say WHY government workers were using VPN services. (Indeed, it didn't even say that they ARE...) It is an investigation.

    OK, I get it about the sadsacks who are stuck with cable companies that spy on them for the sake of advertising dollars. If that's your situation - and you are paranoid - fine. Go ahead and tunnel through a proven liar to an unproven liar. But let me ask them - are you on Facebook? HAHAHAHAHAHAHAHA! Most of the paranoids that are worried about their cable company spying on them - FOR THE PURPOSE OF PROFIT, SO REALLY WHO GIVES A SHIT - have almost certainly already given their privacy away to others.

    I have to guess that it's been discovered that government workers are inadvertently using the VPN services that they use to hide their pr0n browsing - or guard against being inundated with advertising for products they've already bought - to access work/government websites.

  16. Re:Why would I use a local VPN?? Are you crazy? by jtara · · Score: 1

    Any local VPN will get a national security letter, and hence be utterly useless

    Useless for what? Evading the law?

    MOST users are not evading the law. For MOST users, this is not a concern. I would be more concerned about somebody in a foreign country scraping credit cards, personal details with which to commit financial fraud. Unfriendly countries building up databases of personal details of the general public that can be banked and used in the future to create disruption.

  17. Re:Almost nobody needs a VPN SERVICE by jtara · · Score: 1

    Interesting how a reasonable post with a reasonable opinion, not flame bait, got modded to 0. While an obscenity-laced response that shows lack of comprehension gets modded up.

    Presume it was done by bots from hostile countries. I now have to presume the existence of a hostile bot net with /. mod points.

  18. Re:catching up to private business practices by Austerity+Empowers · · Score: 1

    I don't think there is a real solution. I don't even think I want one. A little bit of crime is a good thing.

  19. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by Narcocide · · Score: 1

    Well, you're obviously astro-turfing because you've assumed I'm using a shitty off-the-shelf plastic router in the first place, rather than something a little bit more auditable like a Linux or BSD box.

  20. Re: catching up to private business practices by sarren1901 · · Score: 1

    The government already gets it from both my cable company that provides wired Internet and Verizon which controls wireless for my phone. If the government wants to get that information, especially if they have a warrant, they will.

    If I spent all my time worrying about what the government is doing I would not have time for anything else. This is not to say I trust the government but merely that they have such a stacked deck that I should probably either avoid committing crimes or I should definitely avoid getting caught because they will likely win.

    The most security you can really provide for yourself is owning a home off the grid that's not in the city with a well, water treatment and preferably a large enough solar power system to sustain your family. Owning guns and having lots of like-minded people in the surrounding region also helps a lot.

    That means 99.99% of us are in trouble when things hit the fan.

  21. Re:Unless they mean corporate ones, of course. by PPH · · Score: 1

    I might want to watch a foreign news stream. Some of these are geo-blocked outside of their home markets. BBC is notorious for doing this.

    --
    Have gnu, will travel.