@@kreuner11 That's because you're not allowed to see the lists, and anyone who has them doesn't want to throw away their 70k a year job. Jk. Nah, in the UK, the terrorism lists don't even really do much. Our system kinda runs on a 'no complaint, no harm, no foul' basis. It's why I can punch a guy on CCTV and be fine, but if you call a politician a Nazi it'll be *a* fine.
I mean in this case it's probably a good thing. Private companies aren't going to spend money on this, at least not on this scale, so this is a step towards a few fewer data breaches being exploited. We already know they're watching us; they might as well keep an eye out for hackers instead. Until the day we get a foolproof system this is unfortunately going to be something we'll have to deal with.
Fun fact about "Wix" since you mentioned their brand - In my country their advertising literally consists of putting their name into a pun regarding "self-satisfaction" (yes, *that* suggestive kind of self-satisfaction). Their ads are beyond cringe.
Lmao wixen You mean this one right? ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-afOPTRKZvko.html Ignore what that yes dude posted, it's some video about potatoes
I find that this is a very interesting government program that can actually be useful for once. That is, of course, if the NCSC actually upholds their word and doesn't, you know, keep the pen-testing data for themselves to misuse.
That's exactly why they're doing it. It's naive to think they do it just to help. No, they're doing this to have a legal excuse to scan all of their internet in search of potential "criminals", like people serving some crypto, torrents, tor, etc.
These are public websites on the internet, so they are allowed to do scanning. Of course penetration testing isn't the best thing ever, and keeping the data is definitely a risk you take when you opt in.
3:42 The main thing IMO is that people using these kinds of websites usually are in sales / marketing, and are very aware that using these services will be the fastest way for them to have a website up and running so that they can then focus on finding / building the product they want to sell.
Exactly, you don't want to be dealing with web development and pen testing if you're trying to get a business idea going. Sure you could, but that's for when you already know that you can invest more time into your idea and the infrastructure behind it.
A hacked/shut-down website, ransomware and leaked customer data don't do well for reputation and revenue. Tell the marketing bois that security is like insurance: you don't need it until you do.
@@counterleo If you're a brand starting out, picking between a Shopify (or alike) and building a website from scratch makes almost no difference when it comes to security. Migrating to your own thing is a decision you can make later once your business is stable enough. Marketing people are not "wrong" for picking that choice. Taking finances, time and risk into account, it makes the most sense in very many situations.
The government website scanning, even if it is for a good cause and they're completely open about what they're doing is still very spooky. I'm glad I live in the USA where they at least lie about it and pretend they don't do it. Edit: it was a joke
Nah, if enough people do it, it won't be sus. You gotta drop the mindset of not getting on that list, because then the people who actually want to opt out will be sus.
"They said leave me alone" is not grounds in the UK to subject someone to further surveillance. Quite the opposite. Offering an opt out, and then not observing said opt out will just land the government in court and they know it.
No thank you. 11:40 I believe this is a big step in the wrong direction. I can't speak directly for what the UK does since I'm in the US, but the argument should be around the NSA performing the scan in the first place, not being complacent that "well they do it anyways so might as well get some benefit from it". Eff the Patriot Act. Love your content even though I disagree with you here.
If they don’t run the scans, can’t they just pay for Shodan though? It’s not just Gov’ts that are running scans (albeit Shodan isn’t ‘looking for new 0-days’, but is a fairly comprehensive mass scan) so a lot of the info is already out there, right?
@@Will-kt5jk the infrastructure, mainly the policy, is what bothers me. In 10 years once everyone is used to the government performing these "helpful" scans, it always goes a step further. "We need to scan your db now for any *thing, you have nothing to hide so why do you care if we scan your file system, this is for the greater good, for safety." That door should remain tightly closed.
It’s like police just staring in all your windows, walking around your garden, asking your neighbours about you, looking in your garage… all without a warrant. To keep you “safe”.
Nah, it's more like they're walking around a parking lot looking for old cars that have vulnerabilities that make them easy to break into, and leaving you a polite little note telling you about it and how to fix it instead of waiting for the thief to notice and just steal your car.
@@aeases- No, your analogy is wrong. Seems like you don't know what pentesting is. The act of "looking" here means making multiple connections and requests to every machine out there, in order to obtain as much information as possible about its vulnerabilities. And it's done by a government that can easily use this information against the very people it claims to protect. If it were done by an NGO then I wouldn't be worried.
@@damnedmadman That is the whole point: they are making basic nmap requests that any rando on the internet might make, to determine whether outdated, known-insecure software (e.g. an older version of Java vulnerable to Log4j) is still being run, and are notifying the technically inept that this is an issue and directing them on how to solve it. It makes self-hosting at least a little bit more viable to someone who doesn't keep up with the latest vulnerabilities / keep their server up to date. Though yeah, I do agree it would be better for an NGO to do it, since it does provide them a bunch of data that they wouldn't have had otherwise, which they might misuse. Though that can be kinda avoided by just not accepting connections from the IPs that they say they use.
I can already feel the scammers getting ready to send fake NCSC notifications to people with some shady instructions about what they should do to increase their security, which will in fact decrease their security or let them install some malware :q
Reminds me of Nintendo telling people to "forward all ports" on their router because they are too daft to fix the multiplayer games on switch, wouldn't be shocked if something like that is done to fool gullible idiots into opening their network wide for easy exploitation
@@l3g3ndarybanana Didn't know that. Then again, my net back then was so awful there was no helping it. It's hilarious that console makers are just so terrible at networking and security.
I disagree with what you said about Shopify. I think it's great to abstract away security details because it just makes the chance of making a mistake resulting in a vulnerability much smaller. Don't go code your own shopping system if you're not familiar with basic app security.
Germany already does this, and if you run a server there using insecure technologies you will get a polite letter explaining what they detected and how it can be fixed.
@@pkelly20091 Well, if your server is hosted on premise then they look up the details of all ISPs to find out who provides service to that premise and then ask for the contact details that were provided when the owner of the ISP service originally signed up, or their bank details (depends how you pay for your internet service). If your server is hosted off-site they contact the people hosting your off-site services to try and work out who owns that server and then contact you once they've worked out who owns it. This is why anonymous sign-up services are heavily disliked by government entities: anybody could sign up from anywhere and they can't easily track you down. That isn't to say they couldn't track you down if they wanted to, only that it is unlikely that, as a regular person, you will be worth the financial outlay of trying to work out who you are, only to discover you just want to host an off-site encrypted backup elsewhere or something equally boring and average.
The headline made it sound like the NCSC was compelling everyone in the UK to give them access to their machines. I see nothing wrong with them doing pen testing and reaching out to system admins / owners about their findings.
learn2code: "UK just asked every ISP to tear a gaping hole in their firewalls and traffic shaping to install a police lane for those who drive the sh0rt bus." I suggest you run a honeypot with every vulnerability they mention on that site. And when they call you out for camouflaging the vulnerable, tell them to f' off with their treason. (RU-vid is clamping down hard on this dialogue.)
As a UK resident with a public facing server, I'm totally happy about this. They're only doing what anyone else on the internet can do, poke my public vulnerabilities, and tell me about them so I can mitigate. I'd say this is one of the better ways to spend taxpayer money in the UK lmao
@@quercus3290 _"The government if it so chooses could remote into your computer, smart phone any time it likes without you ever knowing."_ [citation needed]
@@lelonfurr1200 It doesn't matter if you believe it or not, they will continue because it's been proven time and time again that absolutely nobody will stop them. Our children will curse our names for allowing the NWO
You do realize that scanning the whole range of possible IP addresses is absolutely trivial? It only takes about half an hour. Even if you're going to do the most thorough port scan it takes less than a day. So if you have any machine with an IP address, it's going to be scanned anyway, multiple times a day, from the script kiddie to the state actor. At least, the NCSC lets you opt out of it, but you would be naive to think the MI6 (or really any other alphabet agencies) hasn't been already doing it for years.
Trump's 2018 Cybersecurity and Infrastructure Security Agency Act has had the government controlling the internet here in the United States ever since Trump signed it into law
This is kinda like the police coming to your house and shaking your door handle to make sure you've locked the door to keep you safe from burglary. And one can't help but think there's an ulterior motive here.
That, except all your tax documents from the last 5 years and all your padlock codes fall out of the mail slot when they do it and they pick it all up and file it in your profile folder.
@@vorynrosethorn903 The Snowden documents revealed that GCHQ have been close partners with the NSA when it comes to developing their SIGINT and mass surveillance capabilities. No doubt they will abuse this for a similar purpose. It gives them lots of data which can be used to find which commonly vulnerable services are being used, which can help them divert effort towards developing vulnerabilities for that specific platform/software/service. Also it enables them to more easily mask active offensive cyber operations as passive port scanning by an automated system. Now when GCHQ port scans your servers you don't know if they're doing it as a control or if they're doing it because they are actively looking for ways to break into your system. It's a genius move, really.
We have become too suspicious of our own governments these days. Why is that? Because every single little mistake they make is blown up on Twitter and thus outshines the thousands of great achievements maybe? I doubt there is an ulterior motive, the government isn't evil like China's. If they were evil you would know by now.
It would be fine if this was opt-in, but I doubt King Britbong would give a shit about opt-out. And if someone defends the feds scanning your public boxes under the "plain view" doctrine, I'm defending hacking back under the second amendment.
0:45 That's funny, because the UK has terrible security practices when it comes to computers. When I was at high school I successfully installed a copy of Kubuntu on a school computer without permission because the sysadmins were dumb enough to have the first boot device be USB instead of hard drive or network. Once they found the install they reinstalled Windows 7 and changed the boot order on all PCs in the canteen where the PC was located. I repeated the same thing at college a year later on an HP AIO computer in a GCSE English Language classroom, but these sysadmins were even dumber because they didn't password-protect the computer's BIOS. This time I installed KDE Neon; this was all around 2017-2018. Within a week they had reinstalled Windows 7 and password-protected the computer's BIOS. It is safe to say that I do not care for or trust any part of GCHQ incl. the NCSC or MI5 or MI6 or any other government organisation... EDIT: I should also note that I live in a suburb of London, GB.
Public schools in general don't have great security. In the US our IT person was just some random lady that didn't have any certifications or anything; she just happened to teach the typing / basic information systems class. This was a high school with 2000 students.
BIOS protection has always been garbage anyways because of the need to manually set it up across potentially thousands of devices one at a time. Even with a team of people that’s still one hell of a time consumer and the more people you have is just more chances for that password to get out. That’s one of the reasons why schools specifically have gone to things like Chromebooks, which were built from the ground up to be managed by a centralized system over a network.
Privacy in the UK is so non existent that the government scanning you is normal. It's not the NSA does bad things and government in UK doesn't, in the UK It's the golden standard to have the government do everything. Remember, not saying something out loud isn't keeping a secret, and the UK gov knows that better than anyone. Not that people in the UK would give a shit.
Something needs to change, but that won't happen until all the current UK politicians die out. Making way for a generation that knows about Internet privacy and everything related to it.
@@newaccountbecauseytvanceds1465 A politician understanding internet privacy will only lead to them more proactively trying to undo it. Why would any politician bother giving more rights to people when it's clear you can give a good sounding excuse to not lose any votes.
Just like the RIPE spooks constantly portscanning every publicly accessible device I own. You should do a video on them. Definitely a government operation.
That title made me think the UK was doing something really nefarious. I mean they probably still are. Would you ever consider making a guide to having a home media server, specifically which programs/apps are best. My ideal would be to let me use my phone to stream something to a chromecast/smart TV (useful for home gym workouts).
You can stream from an iPhone using Airplay or use the Android equivalent. On a computer set up file sharing SMB for your media folders and create a sharing account for authentication then use VLC player to connect to server, put in the local IP address and enter the credentials for the sharing account you created.
Nobody would be happy if cops tried to enter your house on a regular basis to keep you safe. I don't see why this is any different. Any time the government does something for your safety, you know it's a scam.
I run a small UK web hosting company and can verify exactly what you're saying, but the issue goes a lot further and deeper. Most of my clients are ones who have been shut down by the bigger hosting companies, and their access logs show thousands upon thousands of penetration attacks from governmental bodies from around the world. On top of this there's also the amateur hacker who just wants to see what is out there by leaving their scanning software running constantly in a loop day after day. I blame the creators of Angry IP Scanner - they started it all off twenty years or so ago! :) What really annoys me, though, is that these attempts are stealing MY expensive bandwidth and NOT allowing my clients the full experience their customers deserve while browsing their websites. Also, got to mention the amount of my time and effort required to check that these IP addresses have been automatically permanently banned - just in case. They say it is for our own safety, but come on, does anyone really believe what our governments say any more? Really?
Do you have any videos on independent web dev/hosting already, and if not, would you be interested in making one? I’m all for self-hosting, but it seems like a lot of work, especially on top of designing the website yourself too.
China and Russia have been scanning every box I put online since the mid 2000s. Sadly they don't tell me my vulnerabilities, they just try to get in to see what's going on and then leave.
@@paaao I noticed a large amount of the same activity in my logs. On the chance you're unaware, if you're not worried about denying access to those countries you could always setup an iptables rule to block CH and RU ips.
@@horsemology I have no password login, and ssh never running on standard port, so they always fail at whatever they're up to. It's interesting to watch though...
This guy is the modern equivalent of a digital Amish person. His suggested solution to every problem is literally "just spend several years learning all the skills and do everything yourself"
This is basically the equivalent of the government driving around the country and making note of the color and material of your house and the size of your driveway. Kind of benign but a waste of resources and annoying if you know about it. However, tons of entities online do this. Anyone who ever did monitoring or security stuff for a large network will see some Chinese or Russian IPs knocking every couple minutes or even seconds. It's usually just botnets hoping to get lucky. If you don't want your frontend scanned by the UK gov. you can simply blacklist the provided IPs so that all incoming packets from them are dropped and move on with your life.
At least in the States, they pretty much do that: the county assessor keeps track for taxes on the property (based on the value of the property). Some things are reported to the assessor when you get permits for upgrades (remodeling etc.).
That was surprising that you kinda approve what they do. And it could be nice to cooperate with governments if they wouldn't become dictatorships one day.
Oh, my sweet summer child. Dictatorships are far too unstable for those megalomaniacs who run our stable democracies. These evil villains have more long term goals.
MSc Cyber Security student here. We had a discussion on this issue in one of our lectures and it was quite interesting listening to people on both sides of the argument for and against this move by the NCSC. I have a strong feeling these guys know something that a lot of commercial bodies, businesses and corporations just don't know yet. I'd also be very interested to know what in-house NCSC data assurance (GDPR, etc.) and risk policies are in place to mitigate any unforeseen problems that would come out of this.
My immediate thought is that it has something to do with Russia. Correct me if I'm wrong but I believe they're fairly hot on cyber and economic warfare so it's not implausible that if things keep going bad for Russia that they could potentially seek to cause economic damage through these vulnerabilities? Please don't think I'm being conspiratorial, it just seems like a potential route to further weakening Britain in terms of finances.
@@DudeSoWin Oh, you've already learned _everything_ have you? Only someone in the deepest grasp of the Dunning Kruger effect would say something this dumb.
I’m glad that the NCSC has nothing better to do than look at my collection of cross stitch and knitting patterns, as well as photos of pets past and present. Oh, and some emails to friends complaining about my arthritis and other ailments.
Just to confirm, this is true. Spotted them in server logs a few weeks back. They were not doing a lot though. Fairly minimal number of entries looking for stuff we were not running. Can't remember exactly what. Things with admin and references to mysql in the URLs IIRC.
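Since a couple of comments above suggest spotting the scanner in your access logs and simply dropping packets from the IP ranges the NCSC publishes, here is a small worked example of both steps. It is added here and is not code from any of the commenters or from the NCSC. The source ranges below are placeholders taken from the RFC 5737 documentation networks, not the real published addresses, and the log lines are constructed nginx/Apache combined-format entries; substitute the real list and your own log file.

```python
"""
Added example: attribute access-log hits to a list of known scanner source
ranges, flag probe-looking URLs (phpmyadmin, admin, mysql, wp-login, .env,
.git) regardless of source, and emit iptables DROP rules for the ranges.

Assumptions (not from the original thread):
  * SCANNER_RANGES holds placeholder RFC 5737 documentation networks,
    NOT the real NCSC source addresses.
  * SAMPLE_LOG is constructed for this example.
"""
import ipaddress
import re
from collections import Counter

# Placeholder ranges; replace with the published list you want to block.
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.0/24")]

# URL fragments that typical mass scanners probe for.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"/phpmyadmin", r"/wp-login\.php", r"/admin\b", r"mysql", r"/\.env$", r"/\.git/")
]

# nginx/Apache "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample data for the example (includes one unparseable line).
SAMPLE_LOG = """\
192.0.2.17 - - [10/Nov/2022:08:01:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
192.0.2.17 - - [10/Nov/2022:08:01:13 +0000] "GET /admin/ HTTP/1.1" 404 162
198.51.100.5 - - [10/Nov/2022:08:02:40 +0000] "GET /index.html HTTP/1.1" 200 5123
203.0.113.9 - - [10/Nov/2022:08:03:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.5 - - [10/Nov/2022:08:03:59 +0000] "GET /.env HTTP/1.1" 403 199
garbage line that does not parse
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def in_ranges(ip, ranges):
    """True if ip (a string) falls inside any of the given ip_network objects."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: never treat as a known scanner
    return any(addr in net for net in ranges)


def is_probe(path):
    """True if the request path matches one of the scanner-style probes."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def classify(log_text, ranges=SCANNER_RANGES):
    """Split a log into: hits per scanner-range source, probe requests from anyone, unparsed lines."""
    by_source = Counter()
    probes = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if in_ranges(rec["ip"], ranges):
            by_source[rec["ip"]] += 1
        if is_probe(rec["path"]):
            probes.append((rec["ip"], rec["path"]))
    return {"by_source": by_source, "probes": probes, "unparsed": unparsed}


def iptables_drop_rules(ranges):
    """One iptables rule per range; for long lists prefer an ipset or an nft set instead."""
    return [f"iptables -I INPUT -s {net.with_prefixlen} -j DROP" for net in ranges]


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    print("hits from known scanner ranges:", dict(result["by_source"]))
    print("probe-style requests (any source):", result["probes"])
    print("unparsed lines:", result["unparsed"])
    print("\n".join(iptables_drop_rules(SCANNER_RANGES)))
```

Note that the `/.env` probe in the sample comes from an address outside the listed ranges: blocking the published scanner addresses stops the announced scans, not the unannounced ones, so the probe-path check is the part worth wiring into fail2ban or an alert.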
Castle doctrine, nice. We need a voluntary opt-in. I agree with your perspective; the public needs tech education 100%, this is good. The USA needs a Linux forum for public education. Good video!
I've built my own website from the ground up, I've used WordPress, I'm even pretty experienced in JS and can make some very nice aesthetic animations. I will happily help someone build a custom site. But when it came to my own portfolio site, I didn't want the hassle of maintaining it. So much easier to just outsource.
This is the digital equivalent of police driving around the neighbourhood, looking for houses with doors and windows left wide open, and leaving a leaflet with tips on how to avoid being robbed. Fairly benign imo, it would only be an issue if they started testing the locks without permission.
More like driving around testing everyone's doors and windows with a crowbar and keeping records for later use by anyone they sell, give or leak that data to.
At first glance, pentesting by the government sounds like a neat idea. But what you get is somehow the stuff that is already out there: the bots that many "hackers" use to scan the internet. You can simply download scripts which do this for you. I mean, most people don't do it because they set up a webserver and never come back again. A nice mail from the govs won't change that. I have a bot running which scans for hacked Amazon vendor accounts. If it finds one, I write an email to the owners. Guess how many of them reply... Less than 1%. So you gain basically nothing out of it. On the other hand, there are a lot of suspicious actions which could be hidden by such "pentesting". If you, for example, want to control a medium like the internet, a map of private servers which could post critical content might be helpful. Even more so if you also have a map of their vulnerabilities. This might be the perfect curtain to hide such things. Not that I want to imply that, but... It is possible, you know?
@@MrDoomedtofail I thought that might be a possibility but how does sending someone a message saying their acct was hacked help them to hack you? It's possible some of them contacted Amazon or some government agency if they can find one that will do something. They should have contacted Amazon at the very least.
nmap scans for services on a network. So basically anything that responds after you ping it. Basically if you’re affected, you’re probably already tech savvy enough to know that you are
This is great. Once set up, this is cheap to run and maintain as a service to provide to all British companies meaning fewer economic losses on home soil helping British businesses and making more than the cost back in additional VAT and income taxes.
I think the future is self-hosting where people host more and more privately, and away from big tech. I've been running OpenBSD as my private firewall for years without incident, and want to use that and only that for anything open to the general Internet whenever possible.
Hosted on what? Connected to the Internet how? Domain name from where and for what price? Money where from? Payments how? First one needs to answer such questions in order to be truly "self-hosted", because many of these things are getting harder and harder to do for an individual when compared to 5…10 years ago :q
Decentralisation was how the Internet was initially meant to function back in the days. Web2.0 saw a great shift towards centralisation, with all the Cloudflares and the CDNs and the AWS and all the other SaaS BS. I sure hope Web3 will initiate a shift back to the basics :)
@@bonbonpony For most people this may be nothing more than a NAS, for others, a firewall with storage, etc. Answering your questions would require too many generalities and assumptions.
@@adrianfisher3349 My point was that the Internet is closed with so many locks now that it's getting easier and easier for corporations and governments to cut you off from it. The ISP can refuse to connect you. The domain name registry can cancel your domain even if you paid for it. The hosting provider can deny you service and dump your website down the drain and you can't do much about it. If you wanted to host it yourself, you would need your own server machine and Internet connection with good throughput, hence see above. If you want an SSL certificate, you need to get one from the CAs and they can deny you too. And lastly, browsers can block your website as "malicious" if they decide to blacklist you for some reason. Therefore, until you remove all those obstacles, "self-hosted" is a myth.
@@counterleo The Internet was never decentralized, if you study its history and protocols carefully enough. Sure, the protocols might be public, but there are always some "blank areas" in their description and "reserved stuff" for certain organizations that keep the authority over it. From registering new protocols or protocol extensions, through cryptographic algorithms, certification authorities, the domain name registry, so-called W3C standards (which are mostly managed by only a bunch of corporations, and the wider public, Internet users, web developers etc. usually have no say about their shape), web browser technologies, and even the physical infrastructure of the links is mostly star topology, either physically or logically. To this day, the last word about the shape and function of the Internet is held by just a bunch of government institutions from the USA, where it originally started as a DARPA project. If you want a decentralized Internet, I'm afraid that we have to build it ourselves, from the ground up. Only then will it be truly decentralized and free.
CSE (Canadian version of the NSA essentially) offers a virus scanning program that you can code into the backend of your services. That is, if you can convince anyone in your dev team to do it lol
Meanwhile the NCSC thinks the UK only has a couple of active webservers after every good sysadmin's fail2ban policies firewall off NCSC's automated scans...
I see this as a bad idea, and it's going to catch on here as well. Opt out you're screwed. As for nmap, I use it on occasion myself. It's a pretty useful program for all kinds of different things.
They are scanning to take dissenter websites down later on. If they started scanning without this bunk "for your safety" excuse, some admins would notice the port scanning and call them out.
I think that if governments start actually testing server security for their citizens properly it would be great! BUT asking a government not to spy on you while doing anything is like throwing your gaming PC in the bath for better performance: it's not gonna end well.
NCSC are usually pretty chill compared to other lettered agencies in the UK. Happy for them to do this. I have only had positive experiences with the NCSC as a security professional.
A rare case where I disagree with the author, on managed website platforms. Their main cases are IMO: 1) super small businesses where one or two people are the whole business, they have their hands full with other things, and their size is unlikely to make them a target; 2) MVPs. In both cases, as long as the business survives the impact, the site should migrate. Small businesses will benefit from the money saved by self-hosting. And an MVP matures and quickly outgrows the boundaries set by a managed platform.
I think it's funny how we're now footing the bill for open source software that these "experts" barely know how to use in the first place. Now I can "major' in cybersecurity. It's rich.
I think this is terrific and countries R. and C. should do something like this, too. And of freaking course it's not for anyone's safety and certainly not freedom, because the potential for abuse is astronomical. It's to R.-proof / C.-proof the local segment of the Internet. But from a purely statecraft pov, this is terrific.