SlideShare a Scribd company logo

Dealing with pervasive monitoring - Networkshop44

Download as PPTX, PDF
Jisc
Jisc

Dealing with pervasive monitoring

Education
1 of 32
Pervasive Monitoring - 2.5 years in Stephen Farrell
stephen.farrell@cs.tcd.ie 2/30 Pervasive Monitoring 2.5 years in stephen.farrell@cs.tcd.ie Networkshop44 March 22nd 2016
Talk Outline  Me: Trinity College Dublin, topics: security/privacy/DTN;  IETF security area director (but not speaking for IETF)  Expecting wisdom? Vision? Apologies:-)  A quick reminder of how we got here...  Good stuff people are doing or have done  Some harder questions arising  What should we all be doing about this?  These slides https://down.dsg.cs.tcd.ie/n44/  More refs at end stephen.farrell@cs.tcd.ie 3/30
It's an attack  The actions of NSA and their partners (nation-state or corporate, coerced or not) are a multi-faceted form of attack, or are indistinguishable from that  Not unique, others are likely doing the same... or will  The scale arguably makes this an example of a new pervasive monitoring threat model that is neither purely passive nor a classic Man-in-the-Middle and that we have not normally considered in protocol design, implementation or deployment  A purely technical response will not “solve the problem” but we should treat an attack as we usually do and try mitigate it stephen.farrell@cs.tcd.ie 4/30 Nov 2013 IETF Technical Plenary (W) https://www.ietf.org/proceedings/88/technical-plenary.html
What have we learned?  We've mostly learned the unexpectedly broad scope and scale of Intelligence agency snooping  If there is a way to get at data or meta-data, then they are trying or doing it, including “offensively”  “Offensive” weapon foot-gun offends common sense  Send the bytes of your “offensive” weapon out and they will be used against your customers  If there is >1 way, they'll try/do them all  “Collection” fallacy (and others) happily trotted out stephen.farrell@cs.tcd.ie 5/30
What else have we learned?  Partial timelines:  https://en.wikipedia.org/wiki/Global_surveillance_disclosure  https://www.theguardian.com/us-news/nsa  My favourite:  https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images- internet-yahoo  My most interesting (politically):  http://www.scmagazineuk.com/gchq-faces-new-belgacom-hack- allegations/article/388531/  My most interesting (technically):  The short-range radar thing  https://en.wikipedia.org/wiki/NSA_ANT_catalog  Recent (March 2016) survey (US focused)  https://www.brennancenter.org/sites/default/files/publications/Overseas_Surveilla nce_in_an_Interconnected_World.pdf stephen.farrell@cs.tcd.ie 6/30
A Definition • Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol meta-data such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large-scale, rather than by introducing new types of technical compromise. stephen.farrell@cs.tcd.ie 7/30 From RFC7258/BCP188: “Pervasive Monitoring is an Attack”
PM is not everything  PM is far from the only security or privacy issue on which we need to work  Spam, malware, DDoS, …  But mitigations for PM can also help a lot with other problems  Hypothesis: If we work to address PM, and prioritise services and mechanisms that mitigate PM and that are also effective against other attacks then we will be doing the “right thing” stephen.farrell@cs.tcd.ie 8/30
IETF (Re)Action  Overall: snowdonia has re-energised folks to do better on security and privacy in general (and not solely in response to PM)  Side meeting in Berlin @ IETF-87 (July 2013)  Tech plenary, major discussion @ IETF-88 (Nov 2013)  STRINT workshop before IETF-89 (Feb 2014) [RFC7687]  Topic at many meetings/BoFs @ IETF-89 (July 2014)  Seeing results from IETF-90 (Nov 2014) onwards...  Unsurprisingly this is similar to the more broad technical community reaction stephen.farrell@cs.tcd.ie 9/30
IETF work related to PM  RFC 7258/BCP188 published after major IETF LC debate – sets the basis for further actions  RFC 7435 defines “Opportunistic Security” - less gold-plating, more deployment  IAB Statement on Internet Confidentiality: basically: encrypt everything!  New working groups established:  UTA: update BCPs on how to “Use TLS in Applications” - RFC7525  DPRIVE: “DNS Privacy”- unthinkable before snowdonia RFC7626  TCPINC: “TCP INCreased security”: tcpcrypt proposed two years earlier but rejected  Mistakenly, including by me, as ack'd at mic @ IETF-88, bummer  IAB re-factored security and privacy programme  Developing PM threat model document  Stuff not going so well  Old-RFC privacy/PM review team – go back and see what needs fixing: moribund  Endymail email list for discussion of ways IETF can help those working on new e2e interpersonal messaging solutions: hard problem stephen.farrell@cs.tcd.ie 10/30
PM is an Attack RFC 7258  RFC7258/BCP188 says that all IETF work will consider PM as an attack to be mitigated as part of our normal design processes for all protocol development  Note: this does not mean PM is always relevant nor that it's always practical to mitigate PM via protocol mechanisms, but if you can't, you need to be able to say why  Took ~1000 emails to get rough consensus on that since countering PM is not free  Impacts on network management  Some folks scared of unreasonable security/privacy nerd dominance stephen.farrell@cs.tcd.ie 11/30
Opportunistic Security RFC 7435  IETF modus operandi has (in practice) been to define mandatory to implement security that works for higher security environments • => often hard/expensive to deploy => often not used => cleartext often sent even when better options exist  Opportunistic Security (OS) aims to evaluate these trade-offs on a connection-by-connection basis, explicitly allowing for e.g. unauthenticated endpoints for confidentiality (open-channel key exchange) as an option that is better than cleartext  I (personally) hope that this concept is followed very often and is fleshed out to the point where we end up with a new security development approach that is based around OS  Not there yet: TLS deprecation of RC4 was interesting because of differing perspectives from web and mail folks about what conclusion to draw when following the OS approach stephen.farrell@cs.tcd.ie 12/30
OS example: Deprecating RC4  RC4 past sell-by date: agreed by all  For the web ~15% of https sites were using TLS/RC4 (FF 2014 measurement)  When RC4 zapped 99% of those just picked a better option (AES, 3DES)  SMTP+STARTTLS between MTAs  There is a widely deployed MTA that only does RC4, 3DES is buggy and won't work (so I'm told)  Zapping RC4 means emails will be sent in clear between MTAs when one is the buggy one  So – which is better: deprecate RC4 entirely or add this and possibly other caveats?  IETF rough consensus was to deprecate entirely, but some mail folks were in the rough  Interesting example implying conclusion from following OS protocol design pattern will depend on scope  OS requires us each to figure out some kind of utility or objective function and where those differ enough, different well meaning folks will reach different conclusions  It is OK that it is harder to figure out what to do when following the OS approach stephen.farrell@cs.tcd.ie 13/30
IAB Statement • “We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected. • The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.” • https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/ stephen.farrell@cs.tcd.ie 14/30
DNS Privacy  DNSSEC provides integrity and origin authentication but confidentiality/privacy was never considered a requirement  Since 2013 that has changed, IETF DPRIVE working group was formed to tackle this issue  Problem statement set out in RFC 7626  QNAME minimisation (in RFC editor queue)  TLS/TCP on port 853 between stub and recursive almost done, DTLS/UDP equivalent in the works  Work on recursive to authoritative starting stephen.farrell@cs.tcd.ie 15/30
Lurk – Limited Use of Remote Keys  All this lovely crypto changes how we can manage the network and who gets to see what – we need to recognise that improving security and privacy means changes to current n/w mgmt and operations  One outcome of MARNEW IAB/GSMA workshop on the topic of how to deal with much more crypto in mobile networks  One change is that CDNs are seeing much more use of TLS and supporting that  Would like to not have to give the CDN a private key (with a cert for your name) in doing that  LURK aims to see if we can keep the TLS server authentication private key at the content owner while still allowing a CDN to serve the content  Birds of a Feather (BoF) meeting at April 2016 IETF Meeting stephen.farrell@cs.tcd.ie 16/30
Other relevant IETF Things  TLS 1.3 aiming for better handshake encryption properties and learning from previous TLS problems in various ways  HTTP/2.0, [RFC7540] the major deployment model for which seems to be to run much much more HTTP traffic over TLS  Extension to HTTP/2.0 defining opportunistic security way of sending http URI schemed content over TLS  Negatively: deprecate RC4 [RFC7465] in TLS, SSL3 [RFC7568]  And since all this is IETF stuff, you can (and please do) join in and help if you're willing and able – that's how to make it better!  Even a small amount of good researcher input is hugely valuable (but you need to be able to deal with a noisy environment;-)  New Curves and deprecating old crypto (CURDLE WG)  OPENPGP WG updating crypto stephen.farrell@cs.tcd.ie 17/30
Non-IETF Things Relevant to IETF  Crypto Forum Research Group (CFRG) in Internet Research Task Force (IRTF)  Goal: provide venue bridging academic crypto and Internet technical community  Curve25519, Curve448 [RFC7748]  Chacha20/Poliy1305 AEAD construct [RFC7664]  IEEE 802 have started work on privacy and are considering e.g. MAC address randomisation  Collaborating with IETF  W3C TAG statement on “Securing the Web”  Builds on RFC7258 and IAB statement  https://www.w3.org/2001/tag/doc/web-https  … there are loads more stephen.farrell@cs.tcd.ie 18/30
Longer Term Factors at Play  Spooks will be spooks (whether govt. or private sector)  Privacy invasive commerce (legitimate and not)  Legal accountability mechanisms (courts of various kinds)  Small+good things can transition to (big+bad, dead or living-dead)  Badly-informed decision makers/commentators/twits  Government regulation of business (e.g. Data Protection Agencies)  Commercial reaction to user privacy requirements (even evil corporate behemoths have many good folks working for 'em)  NGOs working to enhance privacy (and get attention)  Constantly refreshed naivety of yet another generation of clean-slaters (producing occasional good ideas)  Guilt-by-association is a fallacy no matter who makes the error  Technical privacy enhancing/enforcement mechanisms (when those work) stephen.farrell@cs.tcd.ie 19/30
So what else?  We've outlined the problem  We've seen there's work ongoing  Most addressing relatively low-hanging fruit in a sense  Still hard to get agreed/done/finished/deployed  Esp. deployed, which is REQUIRED for this to be at all useful – Fantasy is of no use here  But almost are fairly obvious things to do  Encrypt more, do more/better security, yay!  So how about a hard problem or two? stephen.farrell@cs.tcd.ie 20/30
Hard Problem #1 Targeted Monitoring or so-called “LI”  Many people against PM, but ok with targeted monitoring (e.g. wiretap under warrant), sometimes called “lawful interception” (LI)  Requirements for LI from 19th century, (IMO)  LI deployments can be, and have been, used for PM  21st century Internet is not amenable to those requirements • => tension, tussle, cases like Apple/FBI  The “right thing”™ : openly evaluate requirements taking equal account of Internet-scale interoperability, security and privacy alongside law enforcement needs  I doubt it'll happen, for various reasons  More on this: “Requirements Analysis Required – otherwise Targeted Monitoring Enables Pervasive Monitoring,” March 2016 IEEE Computer Magazine  http://www.qmags.com/R/?i=3110a8&e=3193789&doi=60830608&uk=2FE1161B1640F7E013144D46111630BBC52FF1 4A391.htm  https://down.dsg.cs.tcd.ie/cpus/ (preprint/extended version of above) stephen.farrell@cs.tcd.ie 21/30
Hard Problem #2 Collaborative Corporate Collection  Advertising-driven or captured-user walled-gardens are inimical to privacy; always will be; ensnare even educated users; almost ubiquitous; lead corporations to “collect it all,” even more than TLAs  Non-solutions include: user education, FOSS, legislation, cleverer crypto  Someone has to pay to keep the lights on  We, the technical community, are bad actors here (along with advertisers)  How to balance toxicity of data vs. data-mining benefits?  How to convince browsers/web-sites to not enable ad-trackers?  I have no idea how to get to substantive improvement  But if we don't, PM will continue and accelerate  TLAs can convince or coerce companies into collaborating stephen.farrell@cs.tcd.ie 22/30
What to do? (1)  Discuss the issue openly in whatever fora are relevant for you, (it's not a secret:-)  Consider privacy issues in your networks and the data you make available  Avoid logging potentially sensitive data if you can  That means more work! But you should do it  Turn on crypto wherever you can  Consider the OS approach to make that easier stephen.farrell@cs.tcd.ie 23/30
What to do? (2)  When deploying stuff:  Turn on crypto – ciphertext should be base assumption for new things  Data minimisation – don't use new stuff without considering privacy implications  Help with better implementations  https://cryptech.is/ and similar  Encourage target diversity - Don't all use the same services all the time  Even if you're not a huge population, you can start trends stephen.farrell@cs.tcd.ie 24/30
What to do? (3)  Don't demand the impossible (and do nothing in the meantime)!  Encourage clean-slate work, but don't imagine it can all be deployed now – and only deployed things help  Agitate (if that's your kind of thing:-)  Consider privacy trade-offs when deploying e.g. IDS, anti-spam or malware detection technologies  Go and be responsible network operators and take the broader implications of your work into account before, while and after doing it stephen.farrell@cs.tcd.ie 25/30
Summary  IETF has consensus PM is an attack (RFC7258) and is working that problem, as are others  We all should consider how we can work to make PM harder, since those doing it will not just stop  When/if societies do decide that PM is as bad as it is, then the technical community should have in place the tools to effect that decision stephen.farrell@cs.tcd.ie 26/30
stephen.farrell@cs.tcd.ie 27/30 Thanks Offline questions welcome too stephen.farrell@cs.tcd.ie These slides: (W) https://down.dsg.cs.tcd.ie/ndss/
More References (1)  General IETF stuff:  https://www.ietf.org/  https://www.ietf.org/newcomers.html  Working group details for WG <foo>:  https://tools.ietf.org/wg/<foo> - links to charter, docs, mail archive etc  Suggested <foo> values:  tls, dprive, tcpinc, httpbis, uta stephen.farrell@cs.tcd.ie 28/30
References (2)  Relevant IETF non-wg lists:  All of them (loads): https://www.ietf.org/list/nonwg.html  Perpass – triage list for PM related stuff:  https://www.ietf.org/mailman/listinfo/perpass  Secruity area list (saag)  https://www.ietf.org/mailman/listinfo/perpass  Possible e2e interpersonal messaging discussion  https://www.ietf.org/mailman/listinfo/endymail  General privacy discussion  https://www.ietf.org/mailman/listinfo/ietf-privacy  IRTF:  https://www.irtf.org/  IRTF Crypto Research Forum Goup: https://irtf.org/cfrg stephen.farrell@cs.tcd.ie 29/30
References (3)  Videos (ISOC hint:-)  IETF youtube stuff in general  https://www.youtube.com/user/ietf/videos?sort=p&view=0&flow=gri d  Nov'13 IETF technical plenary video  https://www.youtube.com/watch?v=oV71hhEpQ20  Dan york videos 5 minute summaries of IETF meetings  There are loads but these are about PM  https://www.youtube.com/watch?v=HG54EsHYKr0  https://www.youtube.com/watch?v=fbjs_6Mz-6s  STRINT workshop (RFC7687)  Has all 66 position papers  https://www.w3.org/2014/strint/ stephen.farrell@cs.tcd.ie 30/30
References (4)  IEEE Internet Computing “soapbox” column on why PM is bad:  http://www.computer.org/csdl/mags/ic/2014/04/mic2014 040004.pdf  Some Internet drafts not referenced above:  PM Threat model  https://tools.ietf.org/html/draft-iab-privsec-confidentiality-threat  DNS Privacy problem statement`  RFC7626  “Modern” TLS best current practices  RFC7525 stephen.farrell@cs.tcd.ie 31/30
Thanks to all our sponsors and exhibitors

Recommended

Software defined networking - huawei - Networkshop44
Software defined networking - huawei - Networkshop44Software defined networking - huawei - Networkshop44
Software defined networking - huawei - Networkshop44Jisc
 
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44Jisc
 
Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Jisc
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewragibhasan
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECDeploy360 Programme (Internet Society)
 
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...APNIC
 
Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Jisc
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbersAPNIC
 

Recommended

Software defined networking - huawei - Networkshop44
Software defined networking - huawei - Networkshop44Software defined networking - huawei - Networkshop44
Software defined networking - huawei - Networkshop44Jisc
 
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44
The importance of Wi-Fi to students - Hewlett Packard Enterprise - Networkshop44Jisc
 
Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Development of Jisc security programme - Networkshop44
Development of Jisc security programme - Networkshop44Jisc
 
Security and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewSecurity and Privacy in Cloud Computing - a High-level view
Security and Privacy in Cloud Computing - a High-level viewragibhasan
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECDeploy360 Programme (Internet Society)
 
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...APNIC
 
Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Greenbone vulnerability assessment - Networkshop44
Greenbone vulnerability assessment - Networkshop44Jisc
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbersAPNIC
 
Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computingAhmed Nour
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSDeploy360 Programme (Internet Society)
 
Data Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactData Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactKingfin Enterprises Limited
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Netskope
 
Nas nie zaatakują!
Nas nie zaatakują!Nas nie zaatakują!
Nas nie zaatakują!Biznes to Rozmowy
 
Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1Richard Hudson
 
San Francisco Fog Computing Meetup
San Francisco Fog Computing MeetupSan Francisco Fog Computing Meetup
San Francisco Fog Computing MeetupBreaux Walker
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingAPNIC
 
Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...PRISMACLOUD Project
 
Ramin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updatedRamin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updatedHarshitParkar6677
 
Solution BluePrint v. Smart Parking
Solution BluePrint v. Smart ParkingSolution BluePrint v. Smart Parking
Solution BluePrint v. Smart ParkingJisc
 
Security Issues of IoT with Fog
Security Issues of IoT with FogSecurity Issues of IoT with Fog
Security Issues of IoT with FogAchu Anna
 
Cloud computing assignment
Cloud computing assignmentCloud computing assignment
Cloud computing assignmentACCA Global
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope
 
Cloud computing
Cloud computingCloud computing
Cloud computingUttam Kumar
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - MagnifierJisc
 
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...Cohesive Networks
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlNetskope
 
Next gen insight networkshop44
Next gen insight networkshop44Next gen insight networkshop44
Next gen insight networkshop44Jisc
 
Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44Jisc
 

More Related Content

What's hot

Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computingAhmed Nour
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Netskope
 
Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1Richard Hudson
 
San Francisco Fog Computing Meetup
San Francisco Fog Computing MeetupSan Francisco Fog Computing Meetup
San Francisco Fog Computing MeetupBreaux Walker
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingAPNIC
 
Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...PRISMACLOUD Project
 
Ramin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updatedRamin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updatedHarshitParkar6677
 
Solution BluePrint v. Smart Parking
Solution BluePrint v. Smart ParkingSolution BluePrint v. Smart Parking
Solution BluePrint v. Smart ParkingJisc
 
Security Issues of IoT with Fog
Security Issues of IoT with FogSecurity Issues of IoT with Fog
Security Issues of IoT with FogAchu Anna
 
Cloud computing assignment
Cloud computing assignmentCloud computing assignment
Cloud computing assignmentACCA Global
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRSAPNIC
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - MagnifierJisc
 
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...Cohesive Networks
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlNetskope
 

What's hot (20)

Privacy in cloud computing
Privacy in cloud computingPrivacy in cloud computing
Privacy in cloud computing
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
Data Center Trends And Network Security Impact
Data Center Trends And Network Security ImpactData Center Trends And Network Security Impact
Data Center Trends And Network Security Impact
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
Nas nie zaatakują!
Nas nie zaatakują!Nas nie zaatakują!
Nas nie zaatakują!
 
Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1Introduction to Operational Technology 0.1
Introduction to Operational Technology 0.1
 
San Francisco Fog Computing Meetup
San Francisco Fog Computing MeetupSan Francisco Fog Computing Meetup
San Francisco Fog Computing Meetup
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & Handling
 
Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...Privacy and security in the cloud Challenges and solutions for our future inf...
Privacy and security in the cloud Challenges and solutions for our future inf...
 
Ramin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updatedRamin elahi fog_computing_ecosystem_final_dec22_updated
Ramin elahi fog_computing_ecosystem_final_dec22_updated
 
Solution BluePrint v. Smart Parking
Solution BluePrint v. Smart ParkingSolution BluePrint v. Smart Parking
Solution BluePrint v. Smart Parking
 
Security Issues of IoT with Fog
Security Issues of IoT with FogSecurity Issues of IoT with Fog
Security Issues of IoT with Fog
 
Cloud computing assignment
Cloud computing assignmentCloud computing assignment
Cloud computing assignment
 
Two years of good MANRS
Two years of good MANRSTwo years of good MANRS
Two years of good MANRS
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
Palo Alto Networks - Magnifier
Palo Alto Networks - MagnifierPalo Alto Networks - Magnifier
Palo Alto Networks - Magnifier
 
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
Chris Purrington's talk from CLOUDSEC 2016 "Defense in depth: practical steps...
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and Control
 

Viewers also liked

Next gen insight networkshop44
Next gen insight networkshop44Next gen insight networkshop44
Next gen insight networkshop44Jisc
 
Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44Jisc
 
Managing and monitoring large scale data transfers - Networkshop44
Managing and monitoring large scale data transfers - Networkshop44Managing and monitoring large scale data transfers - Networkshop44
Managing and monitoring large scale data transfers - Networkshop44Jisc
 
Jisc and janet network updates from network operations, operational services ...
Jisc and janet network updates from network operations, operational services ...Jisc and janet network updates from network operations, operational services ...
Jisc and janet network updates from network operations, operational services ...Jisc
 
End to end performance - Networkshop44
End to end performance - Networkshop44End to end performance - Networkshop44
End to end performance - Networkshop44Jisc
 
Find out about Jisc - Networkshop44 2016
Find out about Jisc - Networkshop44 2016Find out about Jisc - Networkshop44 2016
Find out about Jisc - Networkshop44 2016Jisc
 
Edupert best practices in supporting end users - Networkshop44
Edupert best practices in supporting end users - Networkshop44Edupert best practices in supporting end users - Networkshop44
Edupert best practices in supporting end users - Networkshop44Jisc
 
Eduroam workshop nic mitev probes - networkshop44
Eduroam workshop nic mitev probes - networkshop44Eduroam workshop nic mitev probes - networkshop44
Eduroam workshop nic mitev probes - networkshop44Jisc
 
Jisc update janet6 upgrade networkshop44
Jisc update janet6 upgrade networkshop44Jisc update janet6 upgrade networkshop44
Jisc update janet6 upgrade networkshop44Jisc
 
Whats new in ict law - Networkshop44
Whats new in ict law - Networkshop44Whats new in ict law - Networkshop44
Whats new in ict law - Networkshop44Jisc
 
End to end performance networkshop44
End to end performance networkshop44End to end performance networkshop44
End to end performance networkshop44Jisc
 
Welcome to Networkshop44 - Networkshop44
Welcome to Networkshop44 - Networkshop44Welcome to Networkshop44 - Networkshop44
Welcome to Networkshop44 - Networkshop44Jisc
 
Eduroam seminar - Networkshop44 2016
Eduroam seminar - Networkshop44 2016Eduroam seminar - Networkshop44 2016
Eduroam seminar - Networkshop44 2016Jisc
 
Network performance lessons from the coal face - Networkshop44
Network performance lessons from the coal face - Networkshop44Network performance lessons from the coal face - Networkshop44
Network performance lessons from the coal face - Networkshop44Jisc
 
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44Jisc
 
Eduroam workshop nic mitev proactive learning - networkshop44
Eduroam workshop nic mitev proactive learning - networkshop44Eduroam workshop nic mitev proactive learning - networkshop44
Eduroam workshop nic mitev proactive learning - networkshop44Jisc
 
Hyper efficient data centres – key ingredient intelligence networkshop44
Hyper efficient data centres – key ingredient intelligence networkshop44Hyper efficient data centres – key ingredient intelligence networkshop44
Hyper efficient data centres – key ingredient intelligence networkshop44Jisc
 
Eduroam workshop nic mitev loughborough uni - networkshop44
Eduroam workshop nic mitev loughborough uni - networkshop44Eduroam workshop nic mitev loughborough uni - networkshop44
Eduroam workshop nic mitev loughborough uni - networkshop44Jisc
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Jisc
 
Dev ops, noops or hypeops - Networkshop44
Dev ops, noops or hypeops - Networkshop44Dev ops, noops or hypeops - Networkshop44
Dev ops, noops or hypeops - Networkshop44Jisc
 

Viewers also liked (20)

Next gen insight networkshop44
Next gen insight networkshop44Next gen insight networkshop44
Next gen insight networkshop44
 
Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44Eduroam in portsmouth's wireless city - Networkshop44
Eduroam in portsmouth's wireless city - Networkshop44
 
Managing and monitoring large scale data transfers - Networkshop44
Managing and monitoring large scale data transfers - Networkshop44Managing and monitoring large scale data transfers - Networkshop44
Managing and monitoring large scale data transfers - Networkshop44
 
Jisc and janet network updates from network operations, operational services ...
Jisc and janet network updates from network operations, operational services ...Jisc and janet network updates from network operations, operational services ...
Jisc and janet network updates from network operations, operational services ...
 
End to end performance - Networkshop44
End to end performance - Networkshop44End to end performance - Networkshop44
End to end performance - Networkshop44
 
Find out about Jisc - Networkshop44 2016
Find out about Jisc - Networkshop44 2016Find out about Jisc - Networkshop44 2016
Find out about Jisc - Networkshop44 2016
 
Edupert best practices in supporting end users - Networkshop44
Edupert best practices in supporting end users - Networkshop44Edupert best practices in supporting end users - Networkshop44
Edupert best practices in supporting end users - Networkshop44
 
Eduroam workshop nic mitev probes - networkshop44
Eduroam workshop nic mitev probes - networkshop44Eduroam workshop nic mitev probes - networkshop44
Eduroam workshop nic mitev probes - networkshop44
 
Jisc update janet6 upgrade networkshop44
Jisc update janet6 upgrade networkshop44Jisc update janet6 upgrade networkshop44
Jisc update janet6 upgrade networkshop44
 
Whats new in ict law - Networkshop44
Whats new in ict law - Networkshop44Whats new in ict law - Networkshop44
Whats new in ict law - Networkshop44
 
End to end performance networkshop44
End to end performance networkshop44End to end performance networkshop44
End to end performance networkshop44
 
Welcome to Networkshop44 - Networkshop44
Welcome to Networkshop44 - Networkshop44Welcome to Networkshop44 - Networkshop44
Welcome to Networkshop44 - Networkshop44
 
Eduroam seminar - Networkshop44 2016
Eduroam seminar - Networkshop44 2016Eduroam seminar - Networkshop44 2016
Eduroam seminar - Networkshop44 2016
 
Network performance lessons from the coal face - Networkshop44
Network performance lessons from the coal face - Networkshop44Network performance lessons from the coal face - Networkshop44
Network performance lessons from the coal face - Networkshop44
 
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44
Solving access for hybrid it Axians (introducing pulse secure) - Networkshop44
 
Eduroam workshop nic mitev proactive learning - networkshop44
Eduroam workshop nic mitev proactive learning - networkshop44Eduroam workshop nic mitev proactive learning - networkshop44
Eduroam workshop nic mitev proactive learning - networkshop44
 
Hyper efficient data centres – key ingredient intelligence networkshop44
Hyper efficient data centres – key ingredient intelligence networkshop44Hyper efficient data centres – key ingredient intelligence networkshop44
Hyper efficient data centres – key ingredient intelligence networkshop44
 
Eduroam workshop nic mitev loughborough uni - networkshop44
Eduroam workshop nic mitev loughborough uni - networkshop44Eduroam workshop nic mitev loughborough uni - networkshop44
Eduroam workshop nic mitev loughborough uni - networkshop44
 
Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44Multiprotocol label switching (mpls) - Networkshop44
Multiprotocol label switching (mpls) - Networkshop44
 
Dev ops, noops or hypeops - Networkshop44
Dev ops, noops or hypeops - Networkshop44Dev ops, noops or hypeops - Networkshop44
Dev ops, noops or hypeops - Networkshop44
 

Similar to Dealing with pervasive monitoring - Networkshop44

[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014Aaron Zauner
 
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)Open Mobile Alliance
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksDamaineFranklinMScBE
 
1.Architecture
1.Architecture1.Architecture
1.Architecturephanleson
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of ThingsPaul Fremantle
 
Improving Cloud Security Using Multi Level Encryption and Authentication
Improving Cloud Security Using Multi Level Encryption and AuthenticationImproving Cloud Security Using Multi Level Encryption and Authentication
Improving Cloud Security Using Multi Level Encryption and AuthenticationAM Publications,India
 
Analysis Of Internet Protocol ( IP ) Datagrams
Analysis Of Internet Protocol ( IP ) DatagramsAnalysis Of Internet Protocol ( IP ) Datagrams
Analysis Of Internet Protocol ( IP ) DatagramsEmily Jones
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyIRJET Journal
 
The Security Of Cloud Computing
The Security Of Cloud ComputingThe Security Of Cloud Computing
The Security Of Cloud ComputingJulie May
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSamantha Randall
 
Improving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudImproving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudIJTET Journal
 
Devcon2上海 参加報告
Devcon2上海 参加報告Devcon2上海 参加報告
Devcon2上海 参加報告Hiroyasu NOHATA
 
Network and cyber security module(15ec835, 17ec835)
Network and cyber security module(15ec835, 17ec835)Network and cyber security module(15ec835, 17ec835)
Network and cyber security module(15ec835, 17ec835)Jayanth Dwijesh H P
 
Global Transition Of Internet Protocol
Global Transition Of Internet ProtocolGlobal Transition Of Internet Protocol
Global Transition Of Internet ProtocolMiles Priar
 
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...IRJET Journal
 
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET Journal
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxJezer Arces
 
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...IRJET Journal
 

Similar to Dealing with pervasive monitoring - Networkshop44 (20)

[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
[IETF Part] BetterCrypto Workshop @ Hack.lu 2014
 
ION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network OperatorsION Santiago: Lock It Up: TLS for Network Operators
ION Santiago: Lock It Up: TLS for Network Operators
 
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)
IETF building block in the LwM2M Ecosystem (IoT World 2017 Workshop)
 
Formative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering AttacksFormative Task 3: Social Engineering Attacks
Formative Task 3: Social Engineering Attacks
 
1.Architecture
1.Architecture1.Architecture
1.Architecture
 
Securing the Internet of Things
Securing the Internet of ThingsSecuring the Internet of Things
Securing the Internet of Things
 
Improving Cloud Security Using Multi Level Encryption and Authentication
Improving Cloud Security Using Multi Level Encryption and AuthenticationImproving Cloud Security Using Multi Level Encryption and Authentication
Improving Cloud Security Using Multi Level Encryption and Authentication
 
Analysis Of Internet Protocol ( IP ) Datagrams
Analysis Of Internet Protocol ( IP ) DatagramsAnalysis Of Internet Protocol ( IP ) Datagrams
Analysis Of Internet Protocol ( IP ) Datagrams
 
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A SurveyTowards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
Towards Secure Data Distribution Systems in Mobile Cloud Computing: A Survey
 
The Security Of Cloud Computing
The Security Of Cloud ComputingThe Security Of Cloud Computing
The Security Of Cloud Computing
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of Iots
 
Improving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-CloudImproving Efficiency of Security in Multi-Cloud
Improving Efficiency of Security in Multi-Cloud
 
Kumar cscl final
Kumar cscl finalKumar cscl final
Kumar cscl final
 
Devcon2上海 参加報告
Devcon2上海 参加報告Devcon2上海 参加報告
Devcon2上海 参加報告
 
Network and cyber security module(15ec835, 17ec835)
Network and cyber security module(15ec835, 17ec835)Network and cyber security module(15ec835, 17ec835)
Network and cyber security module(15ec835, 17ec835)
 
Global Transition Of Internet Protocol
Global Transition Of Internet ProtocolGlobal Transition Of Internet Protocol
Global Transition Of Internet Protocol
 
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
 
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
 
Lesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptxLesson 1. General Introduction to IT and Cyber Security.pptx
Lesson 1. General Introduction to IT and Cyber Security.pptx
 
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...
Applications of RSA and AES256 in End-to-End encryption using Diffie- Hellman...
 

More from Jisc

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...Jisc
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxJisc
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxJisc
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Jisc
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...Jisc
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptxJisc
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxJisc
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxJisc
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxJisc
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJisc
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxJisc
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 
MarkChilds.pptx
MarkChilds.pptxMarkChilds.pptx
MarkChilds.pptxJisc
 
RStrachanOct23.pptx
RStrachanOct23.pptxRStrachanOct23.pptx
RStrachanOct23.pptxJisc
 
ISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxJisc
 
FerrellWalker.pptx
FerrellWalker.pptxFerrellWalker.pptx
FerrellWalker.pptxJisc
 

More from Jisc (20)

Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 
MarkChilds.pptx
MarkChilds.pptxMarkChilds.pptx
MarkChilds.pptx
 
RStrachanOct23.pptx
RStrachanOct23.pptxRStrachanOct23.pptx
RStrachanOct23.pptx
 
ISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptxISDX2 Oct 2023 .pptx
ISDX2 Oct 2023 .pptx
 
FerrellWalker.pptx
FerrellWalker.pptxFerrellWalker.pptx
FerrellWalker.pptx
 

Recently uploaded

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxHumphrey A Beña
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsPooky Knightsmith
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Projectjordimapav
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationdeepaannamalai16
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research DiscourseAnita GoswamiGiri
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQuiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxDhatriParmar
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1GloryAnnCastre1
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 

Recently uploaded (20)

INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptxINTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
INTRODUCTION TO CATHOLIC CHRISTOLOGY.pptx
 
Mental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young mindsMental Health Awareness - a toolkit for supporting young minds
Mental Health Awareness - a toolkit for supporting young minds
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
ClimART Action | eTwinning Project
ClimART Action | eTwinning ProjectClimART Action | eTwinning Project
ClimART Action | eTwinning Project
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
Scientific Writing :Research Discourse
Scientific Writing :Research DiscourseScientific Writing :Research Discourse
Scientific Writing :Research Discourse
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITWQ-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
Q-Factor HISPOL Quiz-6th April 2024, Quiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
 
Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1Reading and Writing Skills 11 quarter 4 melc 1
Reading and Writing Skills 11 quarter 4 melc 1
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 

Dealing with pervasive monitoring - Networkshop44

  • 1. Pervasive Monitoring - 2.5 years in Stephen Farrell
  • 2. stephen.farrell@cs.tcd.ie 2/30 Pervasive Monitoring 2.5 years in stephen.farrell@cs.tcd.ie Networkshop44 March 22nd 2016
  • 3. Talk Outline  Me: Trinity College Dublin, topics: security/privacy/DTN;  IETF security area director (but not speaking for IETF)  Expecting wisdom? Vision? Apologies:-)  A quick reminder of how we got here...  Good stuff people are doing or have done  Some harder questions arising  What should we all be doing about this?  These slides https://down.dsg.cs.tcd.ie/n44/  More refs at end stephen.farrell@cs.tcd.ie 3/30
  • 4. It's an attack  The actions of NSA and their partners (nation-state or corporate, coerced or not) are a multi-faceted form of attack, or are indistinguishable from that  Not unique, others are likely doing the same... or will  The scale arguably makes this an example of a new pervasive monitoring threat model that is neither purely passive nor a classic Man-in-the-Middle and that we have not normally considered in protocol design, implementation or deployment  A purely technical response will not “solve the problem” but we should treat an attack as we usually do and try mitigate it stephen.farrell@cs.tcd.ie 4/30 Nov 2013 IETF Technical Plenary (W) https://www.ietf.org/proceedings/88/technical-plenary.html
  • 5. What have we learned?  We've mostly learned the unexpectedly broad scope and scale of Intelligence agency snooping  If there is a way to get at data or meta-data, then they are trying or doing it, including “offensively”  “Offensive” weapon foot-gun offends common sense  Send the bytes of your “offensive” weapon out and they will be used against your customers  If there is >1 way, they'll try/do them all  “Collection” fallacy (and others) happily trotted out stephen.farrell@cs.tcd.ie 5/30
  • 6. What else have we learned?  Partial timelines:  https://en.wikipedia.org/wiki/Global_surveillance_disclosure  https://www.theguardian.com/us-news/nsa  My favourite:  https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images- internet-yahoo  My most interesting (politically):  http://www.scmagazineuk.com/gchq-faces-new-belgacom-hack- allegations/article/388531/  My most interesting (technically):  The short-range radar thing  https://en.wikipedia.org/wiki/NSA_ANT_catalog  Recent (March 2016) survey (US focused)  https://www.brennancenter.org/sites/default/files/publications/Overseas_Surveilla nce_in_an_Interconnected_World.pdf stephen.farrell@cs.tcd.ie 6/30
  • 7. A Definition • Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol meta-data such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large-scale, rather than by introducing new types of technical compromise. stephen.farrell@cs.tcd.ie 7/30 From RFC7258/BCP188: “Pervasive Monitoring is an Attack”
  • 8. PM is not everything  PM is far from the only security or privacy issue on which we need to work  Spam, malware, DDoS, …  But mitigations for PM can also help a lot with other problems  Hypothesis: If we work to address PM, and prioritise services and mechanisms that mitigate PM and that are also effective against other attacks then we will be doing the “right thing” stephen.farrell@cs.tcd.ie 8/30
  • 9. IETF (Re)Action  Overall: snowdonia has re-energised folks to do better on security and privacy in general (and not solely in response to PM)  Side meeting in Berlin @ IETF-87 (July 2013)  Tech plenary, major discussion @ IETF-88 (Nov 2013)  STRINT workshop before IETF-89 (Feb 2014) [RFC7687]  Topic at many meetings/BoFs @ IETF-89 (July 2014)  Seeing results from IETF-90 (Nov 2014) onwards...  Unsurprisingly this is similar to the more broad technical community reaction stephen.farrell@cs.tcd.ie 9/30
  • 10. IETF work related to PM  RFC 7258/BCP188 published after major IETF LC debate – sets the basis for further actions  RFC 7435 defines “Opportunistic Security” - less gold-plating, more deployment  IAB Statement on Internet Confidentiality: basically: encrypt everything!  New working groups established:  UTA: update BCPs on how to “Use TLS in Applications” - RFC7525  DPRIVE: “DNS Privacy”- unthinkable before snowdonia RFC7626  TCPINC: “TCP INCreased security”: tcpcrypt proposed two years earlier but rejected  Mistakenly, including by me, as ack'd at mic @ IETF-88, bummer  IAB re-factored security and privacy programme  Developing PM threat model document  Stuff not going so well  Old-RFC privacy/PM review team – go back and see what needs fixing: moribund  Endymail email list for discussion of ways IETF can help those working on new e2e interpersonal messaging solutions: hard problem stephen.farrell@cs.tcd.ie 10/30
  • 11. PM is an Attack RFC 7258  RFC7258/BCP188 says that all IETF work will consider PM as an attack to be mitigated as part of our normal design processes for all protocol development  Note: this does not mean PM is always relevant nor that it's always practical to mitigate PM via protocol mechanisms, but if you can't, you need to be able to say why  Took ~1000 emails to get rough consensus on that since countering PM is not free  Impacts on network management  Some folks scared of unreasonable security/privacy nerd dominance stephen.farrell@cs.tcd.ie 11/30
  • 12. Opportunistic Security RFC 7435  IETF modus operandi has (in practice) been to define mandatory to implement security that works for higher security environments • => often hard/expensive to deploy => often not used => cleartext often sent even when better options exist  Opportunistic Security (OS) aims to evaluate these trade-offs on a connection-by-connection basis, explicitly allowing for e.g. unauthenticated endpoints for confidentiality (open-channel key exchange) as an option that is better than cleartext  I (personally) hope that this concept is followed very often and is fleshed out to the point where we end up with a new security development approach that is based around OS  Not there yet: TLS deprecation of RC4 was interesting because of differing perspectives from web and mail folks about what conclusion to draw when following the OS approach stephen.farrell@cs.tcd.ie 12/30
  • 13. OS example: Deprecating RC4  RC4 past sell-by date: agreed by all  For the web ~15% of https sites were using TLS/RC4 (FF 2014 measurement)  When RC4 zapped 99% of those just picked a better option (AES, 3DES)  SMTP+STARTTLS between MTAs  There is a widely deployed MTA that only does RC4, 3DES is buggy and won't work (so I'm told)  Zapping RC4 means emails will be sent in clear between MTAs when one is the buggy one  So – which is better: deprecate RC4 entirely or add this and possibly other caveats?  IETF rough consensus was to deprecate entirely, but some mail folks were in the rough  Interesting example implying conclusion from following OS protocol design pattern will depend on scope  OS requires us each to figure out some kind of utility or objective function and where those differ enough, different well meaning folks will reach different conclusions  It is OK that it is harder to figure out what to do when following the OS approach stephen.farrell@cs.tcd.ie 13/30
  • 14. IAB Statement • “We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected. • The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic.” • https://www.iab.org/2014/11/14/iab-statement-on-internet-confidentiality/ stephen.farrell@cs.tcd.ie 14/30
  • 15. DNS Privacy  DNSSEC provides integrity and origin authentication but confidentiality/privacy was never considered a requirement  Since 2013 that has changed, IETF DPRIVE working group was formed to tackle this issue  Problem statement set out in RFC 7626  QNAME minimisation (in RFC editor queue)  TLS/TCP on port 853 between stub and recursive almost done, DTLS/UDP equivalent in the works  Work on recursive to authoritative starting stephen.farrell@cs.tcd.ie 15/30
  • 16. Lurk – Limited Use of Remote Keys  All this lovely crypto changes how we can manage the network and who gets to see what – we need to recognise that improving security and privacy means changes to current n/w mgmt and operations  One outcome of MARNEW IAB/GSMA workshop on the topic of how to deal with much more crypto in mobile networks  One change is that CDNs are seeing much more use of TLS and supporting that  Would like to not have to give the CDN a private key (with a cert for your name) in doing that  LURK aims to see if we can keep the TLS server authentication private key at the content owner while still allowing a CDN to serve the content  Birds of a Feather (BoF) meeting at April 2016 IETF Meeting stephen.farrell@cs.tcd.ie 16/30
  • 17. Other relevant IETF Things  TLS 1.3 aiming for better handshake encryption properties and learning from previous TLS problems in various ways  HTTP/2.0, [RFC7540] the major deployment model for which seems to be to run much much more HTTP traffic over TLS  Extension to HTTP/2.0 defining opportunistic security way of sending http URI schemed content over TLS  Negatively: deprecate RC4 [RFC7465] in TLS, SSL3 [RFC7568]  And since all this is IETF stuff, you can (and please do) join in and help if you're willing and able – that's how to make it better!  Even a small amount of good researcher input is hugely valuable (but you need to be able to deal with a noisy environment;-)  New Curves and deprecating old crypto (CURDLE WG)  OPENPGP WG updating crypto stephen.farrell@cs.tcd.ie 17/30
  • 18. Non-IETF Things Relevant to IETF  Crypto Forum Research Group (CFRG) in Internet Research Task Force (IRTF)  Goal: provide venue bridging academic crypto and Internet technical community  Curve25519, Curve448 [RFC7748]  Chacha20/Poliy1305 AEAD construct [RFC7664]  IEEE 802 have started work on privacy and are considering e.g. MAC address randomisation  Collaborating with IETF  W3C TAG statement on “Securing the Web”  Builds on RFC7258 and IAB statement  https://www.w3.org/2001/tag/doc/web-https  … there are loads more stephen.farrell@cs.tcd.ie 18/30
  • 19. Longer Term Factors at Play  Spooks will be spooks (whether govt. or private sector)  Privacy invasive commerce (legitimate and not)  Legal accountability mechanisms (courts of various kinds)  Small+good things can transition to (big+bad, dead or living-dead)  Badly-informed decision makers/commentators/twits  Government regulation of business (e.g. Data Protection Agencies)  Commercial reaction to user privacy requirements (even evil corporate behemoths have many good folks working for 'em)  NGOs working to enhance privacy (and get attention)  Constantly refreshed naivety of yet another generation of clean-slaters (producing occasional good ideas)  Guilt-by-association is a fallacy no matter who makes the error  Technical privacy enhancing/enforcement mechanisms (when those work) stephen.farrell@cs.tcd.ie 19/30
  • 20. So what else?  We've outlined the problem  We've seen there's work ongoing  Most addressing relatively low-hanging fruit in a sense  Still hard to get agreed/done/finished/deployed  Esp. deployed, which is REQUIRED for this to be at all useful – Fantasy is of no use here  But almost are fairly obvious things to do  Encrypt more, do more/better security, yay!  So how about a hard problem or two? stephen.farrell@cs.tcd.ie 20/30
  • 21. Hard Problem #1 Targeted Monitoring or so-called “LI”  Many people against PM, but ok with targeted monitoring (e.g. wiretap under warrant), sometimes called “lawful interception” (LI)  Requirements for LI from 19th century, (IMO)  LI deployments can be, and have been, used for PM  21st century Internet is not amenable to those requirements • => tension, tussle, cases like Apple/FBI  The “right thing”™ : openly evaluate requirements taking equal account of Internet-scale interoperability, security and privacy alongside law enforcement needs  I doubt it'll happen, for various reasons  More on this: “Requirements Analysis Required – otherwise Targeted Monitoring Enables Pervasive Monitoring,” March 2016 IEEE Computer Magazine  http://www.qmags.com/R/?i=3110a8&e=3193789&doi=60830608&uk=2FE1161B1640F7E013144D46111630BBC52FF1 4A391.htm  https://down.dsg.cs.tcd.ie/cpus/ (preprint/extended version of above) stephen.farrell@cs.tcd.ie 21/30
  • 22. Hard Problem #2 Collaborative Corporate Collection  Advertising-driven or captured-user walled-gardens are inimical to privacy; always will be; ensnare even educated users; almost ubiquitous; lead corporations to “collect it all,” even more than TLAs  Non-solutions include: user education, FOSS, legislation, cleverer crypto  Someone has to pay to keep the lights on  We, the technical community, are bad actors here (along with advertisers)  How to balance toxicity of data vs. data-mining benefits?  How to convince browsers/web-sites to not enable ad-trackers?  I have no idea how to get to substantive improvement  But if we don't, PM will continue and accelerate  TLAs can convince or coerce companies into collaborating stephen.farrell@cs.tcd.ie 22/30
  • 23. What to do? (1)  Discuss the issue openly in whatever fora are relevant for you, (it's not a secret:-)  Consider privacy issues in your networks and the data you make available  Avoid logging potentially sensitive data if you can  That means more work! But you should do it  Turn on crypto wherever you can  Consider the OS approach to make that easier stephen.farrell@cs.tcd.ie 23/30
  • 24. What to do? (2)  When deploying stuff:  Turn on crypto – ciphertext should be base assumption for new things  Data minimisation – don't use new stuff without considering privacy implications  Help with better implementations  https://cryptech.is/ and similar  Encourage target diversity - Don't all use the same services all the time  Even if you're not a huge population, you can start trends stephen.farrell@cs.tcd.ie 24/30
  • 25. What to do? (3)  Don't demand the impossible (and do nothing in the meantime)!  Encourage clean-slate work, but don't imagine it can all be deployed now – and only deployed things help  Agitate (if that's your kind of thing:-)  Consider privacy trade-offs when deploying e.g. IDS, anti-spam or malware detection technologies  Go and be responsible network operators and take the broader implications of your work into account before, while and after doing it stephen.farrell@cs.tcd.ie 25/30
  • 26. Summary  IETF has consensus PM is an attack (RFC7258) and is working that problem, as are others  We all should consider how we can work to make PM harder, since those doing it will not just stop  When/if societies do decide that PM is as bad as it is, then the technical community should have in place the tools to effect that decision stephen.farrell@cs.tcd.ie 26/30
  • 27. stephen.farrell@cs.tcd.ie 27/30 Thanks Offline questions welcome too stephen.farrell@cs.tcd.ie These slides: (W) https://down.dsg.cs.tcd.ie/ndss/
  • 28. More References (1)  General IETF stuff:  https://www.ietf.org/  https://www.ietf.org/newcomers.html  Working group details for WG <foo>:  https://tools.ietf.org/wg/<foo> - links to charter, docs, mail archive etc  Suggested <foo> values:  tls, dprive, tcpinc, httpbis, uta stephen.farrell@cs.tcd.ie 28/30
  • 29. References (2)  Relevant IETF non-wg lists:  All of them (loads): https://www.ietf.org/list/nonwg.html  Perpass – triage list for PM related stuff:  https://www.ietf.org/mailman/listinfo/perpass  Secruity area list (saag)  https://www.ietf.org/mailman/listinfo/perpass  Possible e2e interpersonal messaging discussion  https://www.ietf.org/mailman/listinfo/endymail  General privacy discussion  https://www.ietf.org/mailman/listinfo/ietf-privacy  IRTF:  https://www.irtf.org/  IRTF Crypto Research Forum Goup: https://irtf.org/cfrg stephen.farrell@cs.tcd.ie 29/30
  • 30. References (3)  Videos (ISOC hint:-)  IETF youtube stuff in general  https://www.youtube.com/user/ietf/videos?sort=p&view=0&flow=gri d  Nov'13 IETF technical plenary video  https://www.youtube.com/watch?v=oV71hhEpQ20  Dan york videos 5 minute summaries of IETF meetings  There are loads but these are about PM  https://www.youtube.com/watch?v=HG54EsHYKr0  https://www.youtube.com/watch?v=fbjs_6Mz-6s  STRINT workshop (RFC7687)  Has all 66 position papers  https://www.w3.org/2014/strint/ stephen.farrell@cs.tcd.ie 30/30
  • 31. References (4)  IEEE Internet Computing “soapbox” column on why PM is bad:  http://www.computer.org/csdl/mags/ic/2014/04/mic2014 040004.pdf  Some Internet drafts not referenced above:  PM Threat model  https://tools.ietf.org/html/draft-iab-privsec-confidentiality-threat  DNS Privacy problem statement`  RFC7626  “Modern” TLS best current practices  RFC7525 stephen.farrell@cs.tcd.ie 31/30
  • 32. Thanks to all our sponsors and exhibitors