by NZiozis 2685 days ago
This may seem weird, but I think the idea of what they're doing is spot on. If anyone were to get access to my things I'd rather it be the government and then have them disclose it to me. Additionally, if you don't want your information accessible you've had your notice to hire someone to lock it down or lock it down yourself. I would liken the service to the government checking the insulation on your house.
8 comments

I live in Japan.

The main issues I see with this are, rather than just "I don't trust the government":

1. They'll do a scan of all devices then ask the ISPs to provide customer information for the vulnerable IPs found so that the government can contact them. So now you'll end up with a big fat list somewhere with names and addresses next to known vulnerabilities and that list is bound to leak sooner rather than later. See "My Number" (Japanese equivalent of social security numbers) leaks recently.

2. This makes for great phishing. All newspapers and TV channels have said you might receive notice from the government about security. Now you just have to send emails or letters claiming to be the government, saying "we have found your network to be vulnerable, please run this program to clean it up" and it's way more likely people will run your malware. FREE Advertisement provided by public funds!

I really don't have a rebuttal to your first point. The way people handle PII will always be an issue. My frame of mind comes from the fact that I'd rather some public entity be privy to it than a private one like someone lower mentioning Google or Facebook. The second point seems more like a problem with tech literacy than this program. There should be some way to differentiate a government email from a regular one. That and people should understand how to confirm it. Now I get it, I've had family members believe they have a virus because a pop up told them they did, but sitting down with them for 5 mins and telling them not to stopped that. I'm curious, lower someone mentioned the idea that the government was already taking this kind of action. How do you respond to that?
I'm with you, seems like a core service for improving digital security of a nation.

Yeah, people don't trust the government. But most of the conspiracists are convinced the government is already secretly accessing their home devices (or trying to). If that's your belief, then really, nothing has changed!

>This may seem weird, but I think the idea of what they're doing is spot on. If anyone were to get access to my things I'd rather it be the government

I feel very differently, especially if it's a government whose "expert" minister doesn't know what a USB drive is:

https://www.theguardian.com/world/2018/nov/15/japan-cyber-se...

Options:

1) don't do it at all. Vulnerable families remain vulnerable to organised crime and we have systemic weakness to state and/or vandal attack (worms, botnets or whatever else.)

2) Government does it, in public, performed by public servants, with appropriate guidelines that are enforced under pain of criminal prosecution. This has the opportunity to shame and possibly sue ISPs who provide default routers that suck giving indirect systemic benefits.

3) Private enterprise does it. Facebrick and Gogglers being the obvious candidates who one would think would just love to get in there, probably with the same checks and balances they've enjoyed so far.

4) Some rumsfeld style unknown unknown, beyond my limited imagination - really keen to hear if anyone has an idea here.

I absolutely agree with you that the number of people in positions of power who are completely f&^ing clueless about the domain over which they make decisions is astounding and a huge, massive problem. It still isn't required to have someone who knows what a usb drive is on your board of directors while they sign billion dollar contracts with Oracle, IBM Global Services, Accenture and whoever else has the best con, for example. Same for public service IT consulting contract ripoffs of which ripoffs utterly dominate the space.

So the "expert" minister thing you raise is really bad. Just as you say it is in fact and must be remedied across the board in all countries.

And I'm still going with (2) govt. doing it, with public scrutiny as the best of the available options.

Although I agree with the base of your point, I think it is worth noting that there are likely plenty of folks underneath him with the knowledge to sway policies and implement them. In other words, a department can still be functional and even successful if their boss listens and applies the ideas offered.
>Although I agree with the base of your point, I think it is worth noting that there are likely plenty of folks underneath him with the knowledge to sway policies and implement them.

True, and while I understand that high level officials do not necessarily need to be able to write code or explain the difference between public and private key crypto, they should have a base level of understanding to make decisions on the materials prepared by their employees.

I don't think someone who isn't familiar with the concept of a USB drive is at that base level of understanding.

I agree - nobody needs to be a crack in any area, but whoever will take decisions needs at least a base understanding of the theme to judge the validity of the foundations on which those recommendations are based upon; anybody could be a manager if blindly following recommendations by subordinates would always end up in the best choice.

EDIT: but "Gpetrium"'s statement is actually still correct ("a department can still be functional and even successful if their boss listens and applies the ideas offered") - maybe from this perspective it's more a "must" for a successful manager, but, after the "listening" comes the "judging" and that MUST be based on own know-how.

Recently saw a pentester post stating that entry occurred when she asked a person to print something from USB which required showing the employee how to identify the USB once plugged in etc. (Baseline may be terrifying)
As long as you trust your gov.... I think Japan is probably in better relations with its citizens than most countries...
> As long as you trust your gov.... I think Japan is probably in better relations with its citizens than most countries...

I'd trust any democratic government doing a preventative security scan for vulnerable devices, over some hacker who's only out to exploit them for personal gain.

Most people have never patched their router nor even know how to. Someone needs to proactively inform that group that they're vulnerable, at scale, if we're even going to have a chance to solve a lot of network problems.

Why do we have to choose? Personally I don't trust either.
If you're competent enough to manage your digital security, you're fine (99% of the population isn't). If you're not, you're endangering the society you live in (by providing attackers with a device they can use). That's one way of looking at it.
You can't nicely ask the hacker not to do it. The hackers are constantly scanning the internet regardless of what you want.
Same goes for most Governments though.
Well, if you keep insecure stuff available to the world, you're trusting everyone with it, including every government.
Precisely.

It depends on what kind of actions they wish to do with the resulting scan/hack.

If they offer services to secure people/companies free or cheaply, then it's an overall large positive.

If they give it to their equivalent NSA apparatus, that's a major bad.

Agree. Skillset and response will determine the success. Japan govt has a good precedent of centralized security scanning for country’s Internet, so hopefully it is a positive.

Vast majority of Internet users are not security savvy. Doing a baseline scan with appropriate remediation guidance will go a long way.

Given that they are announcing it instead of doing it secretly they seem to be starting with the right foot...

I'm pretty sure security researchers will set up honeypots and monitor what the government probes are doing.

Arguably, if you don't trust the government, you wouldn't rely on them giving you a warning in the first place.
You don't need to trust the government - just secure your devices and they won't be able to get in. It's not like they are requiring that you supply them passwords - they are hacking into your devices the same way anyone else in the world can.
I'd trust them more than my own government just by them admitting that they are doing it. The US government for example would never admit to hacking random people's shit, but we know they can and that they do and they have been exposed doing even more shady shit without oversight and with zero public reports about it. Instead we get PR campaigns to try and cover up the shit that got leaked.
The person you say "yes" to now isn't the same person you will say "yes" to in 10 years.
You can trust the government's intentions while still being wary of the unintended consequences of a policy.
They are admitting they are going to do it. They didn't have to tell anybody.
Based on what I've heard from some natives I befriended online, there is allegedly rampant corruption, many people don't really trust the government, and there's a big problem with organized crime (the Yakuza). I'll note that I'm not Japanese and I've never lived in Japan, so I am unable to ascertain the veracity of this claim, thus I would suggest taking this statement with a gigantic grain of salt.
Invalid logic. If you don't trust the government then you probably assume they're already accessing your information.
Most countries? How is that a good benchmark when most countries are dictatorships? Compare with the best, if anything.
"If anyone were to get access to my things I'd rather it be the government and then have them disclose it to me."

In the United States, I'm inclined to think that the former has already taken place and the latter will only happen after an extensive FOIA battle and enough years to make disclosure useless to the average citizen.

> Additionally, if you don't want your information accessible you've had your notice to hire someone to lock it down or lock it down yourself.

What do you mean? Is it not the case that in some countries encryption, let alone hiding anything from the government is illegal?

>If anyone were to get access to my things I'd rather it be the government

I feel the complete opposite way. The government having access to my things is worse than cyber-criminals having access to my stuff.

In the liberal imagination, governments are at least beholden to the people - with criminals you don't even have that much.
The way I see it: Democratic states are institutions that enslave people in ways that the majority of people living there decided. If you think the same way as the majority then it doesn't feel like enslavement to you. Anyway, the state has complete physical domination over you.

Cyber-criminals, on the other hand do not have the power to exercise physical violence over you, they can only harm you in non-violent ways.

Practically speaking, you are more likely to be harmed by cyber-criminals than by your country's state, but if tomorrow there's a new law against certain political ideologies (not uncommon in third world countries), or against encryption, or against privacy and they happen to know that you're interested in those things, the consequences could include physical violence.

I agree with you philosophically with regards to democratic totalitarianism. But it's a moot point when we're talking about devices that are already vulnerable. The government is in the same position as any other Internet background radiation - if you want to keep them out, then just secure your shit.

There is a philosophical point to be made about one's right to willfully violate what are considered best practices (eg toad.com), but we're not debating penalties for running "insecure" devices. The sheer majority of vulnerabilities they find are going to be due to straight cluelessness.

It's incredible that this is the top comment in this thread. When did blind trust in government become the norm on "hacker" news?
Some trust is not blind trust and there are areas where I do trust government.

It’s why I don’t worry the medication I take is not genuine, why the water that comes out the tap is safe to drink and why if I get run over I’ll get medical treatment.

It’s why I can walk down the street without unduly fearing I’ll get robbed etc.

Blind distrust is as silly as blind trust is what I’m saying here.

The government taking cyber security seriously is a good thing if you trust that government and the Japanese government is pretty good in that specific area.

Also given that Japan is a regional and major economic competitor to China which along with Russia and the other major powers is currently waging an undeclared series of wars in the global networks it seems like a pretty smart move to me.

Japanese government is pretty good in what specific area?

"Japan's cyber-security minister has 'never used a computer'"

https://news.ycombinator.com/item?id=18459016

As for medicine, water and medical treatment... Your government makes the medicine, your government runs the water company and your government runs your hospitals? Seems like a recipe for disaster. Just out of curiosity, what country do you live in?

Yes. Japan is a regional and major economic competitor to China, Russia and Korea and the US. But what's your point? They are also a major trading partner to all those countries.

Sure, blind mistrust is as bad as blind trust. But there are plenty of reasons for people to distrust governments. It's why we have rights to protect ourselves from the government. And the last government I'd trust is the Japanese government if I were the Japanese people considering how they were so willing to throw their citizens' lives away on kamikaze missions and endure endless firebombings and nukes.

As the poster of the original comment, it's not blind trust of the government. Rather, it's a preference because I don't trust the ability of any single person, or private entity to handle this sort of thing. I get my stance is political, but I don't understand what isn't "hacker" about it. To me hacking means attacking a situation with the intent to solve it. In this situation, if the government is good, I am willing to see how they solve this issue.
> When did blind trust in government become the norm on "hacker" news?

I trust my government more than Facebook or Huawei. Open source or neutral 3rd parties don't exist for this kind of thing.

> When did blind trust in government become the norm on "hacker" news?

I agree with you 100% and upvoted you too. Furthermore people speak of "Government" as if it were a thing--akin to say an apple, as opposed to what it is in reality: a random group of random people with possibly, if not probably, virtually unlimited ideas on the nature of what the citizens under their thumb (or hopefully stewardship) have the right to see, hear, think, say or do.