(Replying to PARENT post)

Taking responsibility for collecting and using vulnerability scan data in this case also means assuming authority to do so. A good test would be whether citizens are also free to inspect the vulnerabilities of government systems, or have a right to do so. If they don't, that's worth scrutinizing.

Canada has a different approach, where institutions can sign up to using a federal DNS service provided through the domain registrar, which I interpret is not unlike 1.1.1.1 or 9.9.9.9, but with malware detection. I believe it's called Canadian Shield, and it's not active scanning, but rather passive collection from institutions that manage infrastructure.

Active scans by government seem a bit like domestic intelligence collection. Given the technical capabilities of most of these agencies when they work with ISPs, hairpinning traffic from one of these scanned servers for inspection is trivial. Fine if the threat model involved exceptional cases with clear oversight, and individual decision accountability in response to ticking bomb situations, but the examples of how similar powers have been used in the past are so abundant that I'm having trouble remembering a situation where they were used to protect a mere citizen.

👤 motohagiography · 🕑 3y · 🔼 0 · 🗨️ 0

(Replying to PARENT post)

I can personally attest to the fact that yes, British citizens can assess vulnerabilities in UK government systems. This was something I worked with the UK NCSC on: https://www.ncsc.gov.uk/information/vulnerability-reporting

👤 zemnmez · 🕑 3y · 🔼 0 · 🗨️ 0

(Replying to PARENT post)

The NCSC also has a similar service to the Canadian approach you mention, Protected DNS - https://www.ncsc.gov.uk/information/pdns

I believe CISA in the US has something similar too.

👤 secstu · 🕑 3y · 🔼 0 · 🗨️ 0

(Replying to PARENT post)

> Active scans by government seems a bit like domestic intelligence collection.

This is like saying foot patrols are a bit like SWAT raids. They are, a bit, but they are a lot more than a bit entirely unlike them.

👤 pvg · 🕑 3y · 🔼 0 · 🗨️ 0

(Replying to PARENT post)

> Canada has a different approach, where institutions can sign up to using a federal DNS service

It seems far more invasive to route all your DNS traffic through an untrusted source than having that same source use the exact types of scans attackers are using every day already and report problems they find to you.

I can learn a hell of a lot more about you by your DNS history than I can from knowing what ports you have open and what vulnerable services you're running.

👤 autoexec · 🕑 3y · 🔼 0 · 🗨️ 0

(Replying to PARENT post)

> "where institutions can sign up to using a federal DNS service provided through the domain registrar..."

The domain registrar is CIRA, and only one of its twelve board members has a federal government affiliation. See cira.ca for the facts. Their Canadian Shield service uses data from Akamai, Mozilla, and CCCS.

It is not "federal".

Sigh. Another comment from someone's memory that takes only 2 minutes to fact-check and discover to be incorrect.

👤 j_not_j · 🕑 3y · 🔼 0 · 🗨️ 0