

CISA is a surveillance bill - elidourado
https://readplaintext.com/snowden-leaks-confirm-cisa-is-a-surveillance-bill-1e21a76abbab

======
tzs
My domain was on an Ubuntu LTS server that had reached the end of the LTS, so
I had to move it a couple weeks ago. I created a new virtual server at
Rackspace with a newer OS.

Within a very short time, there were several different IP addresses from
Russia trying to guess the passwords for root and several other common
accounts.

Not too long after, Chinese IP addresses joined the party.

Note that this was _before_ I had finished migrating my domain to the new
server (the Russians showed up before I even _started_ the migration). None of
my DNS entries pointed to the new server yet. They probably are scanning all
Rackspace IP addresses looking for new servers. I would expect that the same
happens at other major server providers.

I don't know if CISA is the right approach or not, but we need to do
_something_ to defend against this stuff.

If CISA is not the right approach, the opponents need to start suggesting an
alternative that addresses the problem better, because otherwise the pressure
is going to mount to pass something, and if CISA is the only proposal
available that will be the one that passes.

~~~
mindslight
You had set a strong root password, correct? So in what sense had you not
already "done something" that successfully defended against "this stuff"?

You could ask Rackspace to implement a feature where newly set-up servers have
most incoming traffic dropped until the customer finishes setting up. You're
also free to -j DROP all packets from outside the US if you think that would
help.

But your wording makes it sound like you think there exists some collective
action the government could take to prevent you even being scanned by
"others". If you believe this is the case, the burden is on you _by far_ to
propose a specific concrete solution and thoroughly convince others that it is
necessary.

I, for one, don't see how it's possible for an ambient authority to "secure" a
network based on peer to peer communication without destroying it in the
process.

~~~
programmernews3
One of the best practices for SSH is to never use passwords, always use keys.

[http://lackof.org/taggart/hacking/ssh/](http://lackof.org/taggart/hacking/ssh/)
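
An added example (not from this thread or the linked page) of the kind of check a defender wants after switching to keys: an auditor for sshd_config globals that models sshd's first-value-wins rule, so a `PasswordAuthentication no` appended under a cloud-image drop-in is correctly reported as ineffective. The wanted values are an assumed hardening policy, and the config snippets are constructed.

```python
"""Audit sshd_config text for settings that stop password guessing (added example).

sshd keeps the FIRST value it sees per keyword, so a hardening line appended at
the bottom is ignored if an earlier line (or an Include'd drop-in, which Ubuntu
places near the top) set it. Lines after a Match block are conditional and are
skipped; Include files are not resolved (use `sshd -T` for the effective view).
"""
import re

# Assumed hardening policy for an Internet-facing sshd: keys only, no root passwords.
WANTED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_globals(config_text):
    """Return {keyword: value} for global directives, first occurrence winning."""
    effective, in_match = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"(\S+)[\s=]+(.*)", line)
        key = (m.group(1) if m else line).lower()
        value = (m.group(2) if m else "").strip().strip('"').lower()
        key = ALIASES.get(key, key)                  # legacy spelling maps to current
        if key == "match":
            in_match = True                          # rest of file is conditional
        elif not in_match:
            effective.setdefault(key, value)         # first value wins, as sshd does
    return effective

def audit(config_text):
    """Return findings for the global settings; an empty list means hardened."""
    eff = effective_globals(config_text)
    findings = []
    for key, allowed in WANTED.items():
        got = eff.get(key)
        if got is None:
            findings.append(f"{key} not set, sshd default applies")
        elif got not in allowed:
            findings.append(f"{key} is '{got}', want one of {sorted(allowed)}")
    return findings

# Constructed samples: WEAK has a cloud-image style drop-in enabling passwords
# first, a too-late 'no' appended, and a Match block that only covers one subnet.
WEAK = "PasswordAuthentication yes\nPermitRootLogin yes\n" \
       "PasswordAuthentication no\nMatch Address 10.0.0.0/8\n    PermitRootLogin no\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\n" \
           "PermitRootLogin prohibit-password\n"
```

Run `audit(WEAK)` to see the three findings and `audit(HARDENED)` to get an empty list; on a live host, compare against `sshd -T` output rather than the raw file so Include'd drop-ins are covered.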

------
grownseed
It is truly fascinating (and of course, terrifying) to watch governments
expect, demand and enforce complete transparency and blind trust from the
people, while providing absolutely none of either.

------
themeek
One of the reasons legal immunity is being offered is because corporations are
suspicious that the data will get used to enforce regulations, bring lawsuits
or otherwise be a tool of legal pressure.

The Government in this case is willing to make a promise (who knows how well
it will be kept) not to use the information for parallel construction or
explicit enforcement. In turn they get to protect the business and American
industries from cyber attacks and give the data for analysis and processing
for whatever national security purposes the DoD deems necessary.

There are industries that are already onboarded - financial and energy. CISA
would expand these to other industries.

