just to let you guys know, I'm not ever joining #infragard. ever.
infragard, for starters, is now using cloudflare for its products. now I guess that's not a sin on its own; I have used cloudflare, and use it for Workers applications.
but as we know, cloudflare ended up in a data breach. now for someone like me, that's fine. I know what I'm doing, I use two-factor authentication, I'm pretty good...
but for infragard? yeah, that's... pretty fucking stupid, because they want their own information-sharing network.
again, my website is just your average Joe website.
it can withstand a couple hours of outage.
but infragard abso-fucking-lutely cannot take a hit, because this isn't some average Joe website, it's an entire #threat information sharing network.
they need absolute uptime.
second, I don't know if you're aware, but infragard was actually using #microsoft #windows server 2012 in the past. keep in mind, this isn't supported anymore. in fact, I'd bet they're still using it today.
just hiding it so we don't think they're using it, by putting it behind cloudflare.
and also, they're using a service called id.me, which had a major unauthorized access incident back in 2018.
oh, and infragard had a whole registration fuckin' breach which involved a user called USDOD registering as a CEO with no legal verification.
if I was running infragard, I'd do things a lot differently.
first off, maybe run some actual fucking hardware, I don't know? maybe run some new, up-to-date shit? sounds like a great idea, right? it's never been done before, it's absolutely amazing, right?
...no!
it can be done, and I don't know why it hasn't.
but second, I'd use PIVs, not some email and/or password. in fact, if you are working for the military you must use a PIV/CAC to log in. it's mandatory.
also, I wouldn't run the application process online. I'd have applicants vetted at a local FBI office and/or in a friendly country the US partners with.
this would be a lot more secure than vetting online, which clearly didn't work last time.
so really, this information-sharing act congress had was basically useless, given that it was not secure.
@kkarhan #infosec #opsec #cybersecurity