https://www.internetsociety.org/node/199377/feed
en
-
'Security Fatigue' Complicates the Battle Against Data Breaches
https://www.internetsociety.org/blog/tech-matters/2016/12/security-fatigue-complicates-battle-against-data-breaches
<p class="p1">With the news of a second, even bigger hack of Yahoo user data, common sense might conclude that consumers would be scurrying to batten down their Internet hatches. But a new study indicates otherwise, concluding that “security fatigue” has made many of us numb to the dangers lurking in cyberspace.</p>
<p class="p1">“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” a team from the U.S. National Institute of Standards and Technology concluded in an article for <a href="https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly">IT Professional</a>, which is published by the IEEE Computer Society. “All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”</p>
<p class="p1">The study, by Brian Stanton, Mary F. Theofanos and Susanne Furman, all of NIST, along with independent consultant Sandra Spickard Prettyman, finds that many users have indeed reached this saturation point.</p>
<p class="p1">So, the announcement in December by Yahoo that it has identified another security breach, from 2013, that compromised passwords, birthdays and other personal information from more than 1 billion accounts, will likely do little to bolster Internet security – at least among average users.</p>
<p class="p1">In fact, with the rise of mobile, the Internet of Things and the continued linking of just about everything in our personal and professional lives to global networks, the study underscores what many have long warned: a growing number of ever-larger security breaches, from distributed denial of service (DDoS) attacks to hacks of the retail, banking, healthcare and other sites with which we freely share our personal information on a daily basis.</p>
<p class="p1">The report is based on the authors’ analysis of a larger 2011 study of average computer users in Washington, D.C., and Central Pennsylvania.</p>
<p class="p1">Although that original study did not specifically address security fatigue, the authors say they began to notice “many indicators in which fatigue surfaced as participants discussed their perceptions and beliefs about online privacy and security.”</p>
<p class="p2">After recoding the data, they said, security fatigue surfaced in 25 of 40 interviews, and was one of the most consistent codes in the dataset.</p>
<p class="p1">“I think I am desensitized to it,” one respondent is quoted as saying. “I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay attention to those anymore because it’s in the past. People get weary of being bombarded by ‘watch out for this or watch out for that.’”</p>
<p class="p1">The authors said the data shows participants often don’t feel personally at risk, or assume they are not important enough for anyone to care about stealing their information. They highlight several comments in which, they say, the “frustrated tone, minimization of risk and devaluing of information is evident.”</p>
<p class="p1">“It doesn’t appear to me that it poses such a huge security risk,” one wrote. “I don’t work for the state department, and I am not sending sensitive information in an email. So, if you want to steal the message about (how) I made blueberry muffins over the week, then go ahead and steal that.”</p>
<p class="p2">Another wrote: “If someone needs to hack into my emails to read stuff, they have problems. They need more important things to do.”</p>
<p class="p1">What many of the respondents apparently don’t realize, is that while their personal communications and information may be of little value to hackers and cyber thieves on its face, their lax security practices enable the bad guys to hijack their computers and networks and use them in broader attacks, such as DDoS attacks that can cause huge crashes across the Internet.</p>
<p class="p1">So what can the IT community do? The researchers said it’s time to “rethink the way we currently conceptualize the public’s relationship to cybersecurity.”</p>
<p class="p1">They make three specific recommendations: <br><br>(i) limit the decisions users have to make related to security, <br>(ii) make it easier for them to do the right thing and <br>(iii) provide consistency whenever possible.</p>
<p class="p1">For example, in the workplace, they suggest offering different ways for users to log into the system, including an option between a traditional user name and password or the use of a personal identification and verification card.</p>
<p class="p1">“As IT professionals, it is our responsibility to take up this challenge and work to alleviate the security fatigue users experience,” they write.</p>
<p class="p1">“…We must also continue to investigate users’ beliefs, knowledge, and use of cybersecurity advice and the factors, such as security fatigue, that inform them, so we can ultimately provide more benefit and less cost for adopting cybersecurity advice that will keep users safe online.”</p>
<p class="p1">In other words, improving online security is going to require a concerted effort to not only educate computer users about the need to follow security guidelines, but also provide them much easier ways to keep their data safe on an ongoing basis.</p>
<hr>
<p><em>Editor's note: For more on data breaches and their impact, please see the <a href="https://www.internetsociety.org/globalinternetreport/2016/">Internet Society's 2016 Global Internet Report</a>.</em></p>
Wed, 21 Dec 2016 13:06:35 +0000
Jeri Clausing
512591
-
Dan Geer Revisits 2014 BlackHat Recommendations: More Industry Recognition of the Problem, Much Left To Do
https://www.internetsociety.org/blog/tech-matters/2016/12/dan-geer-revisits-2014-blackhat-recommendations-more-industry-recognition
<p>Computer security analyst and risk management specialist Dan Geer used his keynote at the Black Hat conference in 2014 to make <a href="https://geer.tinho.net/geer.blackhat.6viii14.txt">10 policy recommendations</a> for improving the state of cybersecurity. Among his suggestions: mandatory reporting of cybersecurity failures, product liability for Internet service providers and software companies, and off-the-grid alternative control mechanisms for increasingly Internet-reliant networks like utility grids and government databases.</p>
<p>I caught up with Geer for an update on his proposals, and his views on the current state of cybersecurity.</p>
<p><strong>First, let’s talk about your policy recommendations for making the digital world safer. Have you seen any progress on any of these fronts?</strong></p>
<p>Not in the concrete sense of here’s a law, or here’s a dollar or here’s a new organization, but in the sense there is broader recognition that we actually have to do something. This isn’t just a bunch of ninnies complaining. We have to do something.</p>
<p>The sensitivity to all of this is getting higher. I hope that doesn’t result in panic or doing something silly, which could happen. I hope instead that the reaction is more, “you’re right, we really have to do something substantial.”</p>
<p><strong>Can you point to some examples of this broader recognition?</strong></p>
<p>If you look at the topics that are discussed at meetings that are not academic meetings, more and more of them have a policy flavor, and only a small number still that “here’s a technological nicety that’s really cool.” Again, I take that as a marker in time, as a change in opinion, as to whether the threats are real or not.</p>
<p>Also, just as we thought that some banks were too big to fail, I think we have to think about things on the Internet that are too connected to fail. That idea is beginning to get a little play. For instance, there is a bill in the U.S. Senate, The Securing Energy Infrastructure Act (S.B. 3018), that argues that electric systems need to have, at least in part, analog not digital controls. Like a fire line or firebreak, where a failure can’t jump from this point to that. I think the very idea that a sitting senator would introduce something talking about the need for non-digital controls on the grounds of resilience is indicative of minds coming around.</p>
<p><strong>You also call for mandatory reporting of security breaches. Is there any progress being made on that front and why do you think that is important?</strong></p>
<p>It’s going to happen and I think it’s going to happen for public companies first. The Securities and Exchange Commission has been ramping up its rule-making in this area for a couple of years now. The issue goes to materiality and what do I have to tell my stockholders. Cyber failure has clearly become material. And things related to it that are secondary, like loss of trade secrets and customer data, have become material.</p>
<p><strong>Most of your recommendations focus on organizations and companies. Where do consumers fit into this and the liability issues of cyber failures?</strong></p>
<p>It’s getting harder for consumers to avoid being recruited into problems. There was a recent example of closed-circuit televisions that were recruited for a giant distributed denial of service attack. Consumers are not in a position to prevent what they own being used as a weapon against someone else. If my car is stolen and is used in a bank robbery, I probably won’t face any repercussions. If my handgun is stolen and used in a bank robbery, I might, especially if I left it on the front porch. Where is the line for computers? Probably closer to the automobile. But on the other hand, Internet service providers have to take some responsibility. If they want dumb clients then it’s their problem.</p>
<p><strong>We have seen some big companies report massive breaches recently, albeit quite a while after the fact. Do you think more are stepping up on their own to announce security breaches, or are they only coming out when they are forced to?</strong></p>
<p>According to the <a href="https://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/">Data Breach Investigations Report</a> from Verizon, 80 percent of data breaches are discovered not by the victims but by someone else. That is important, and it hasn’t changed. If people don’t report cyber failures then you are encouraging silent failure – silent in the sense that you discover there has been a cyber invasion and you repair it but don’t tell anyone. I am sympathetic, but I’m afraid you’re going to have to tell. It’s like driving off the end of a bridge and not telling anyone. And silent failure is the problem we have more of than anything else. Silent failures often are gateways or stair steps to other failures.</p>
<p>So it is essential that we get a handle on this kind of thing. In the medical world, you have medical privacy unless you have a disease that is too important. If you show up with the plague, that’s a big deal. Sorry about your medical privacy, but we have to notify all sorts of people.</p>
<p>Some people may object to that, and they may have an argument of principle, but they don’t have an argument of logic.</p>
<p>That same logic should apply in cyber space. As the definition of a material event changes, like you lost all your client data or accidentally shipped something that had malware in it, those things all have to be reported.</p>
<p>I am not sure how to make that pleasing for all concerned. It’s one of those things that it’s a bad solution but I don’t have a better one.</p>
<p><strong>You run the <a href="http://cybersecurityindex.org">Index of Cyber Security</a>, which regularly polls those on the front line about the state of cybersecurity. What are some of the trends you are seeing?</strong></p>
<p>A steady increase in risk more than anything else, but other things as well. Three years ago, we asked what fraction of the security tools that the respondents are using now would they install again if starting from scratch. Three years ago, they expressed buyer’s remorse for about a third. This year buyer’s remorse had grown to half. So, my reading between the lines is “I am buying one of everything and my unhappiness is growing.”</p>
<p>Another thing that I think is quite fascinating is that the size of data breaches seems to be on a curve known as a power law, an interesting kind of curve that says in effect the biggest one you’ve ever seen to date will be eclipsed by a bigger one, but bigger in a certain substantial kind of way. That is what is happening and while we are talking, just such a report (from Yahoo) has appeared.</p>
<p>To quote Nassim Taleb, “We are undergoing a switch between continuous low grade volatility to the process moving by jumps, with less and less variations outside of jumps.” Using a forest fire analogy, if there are no little forest fires, then eventually you will get a whopper. In the woods, that is due to a buildup of combustible timber. On the Internet, that is due to a buildup of unwarranted trust and dependence.</p>
<hr>
<p><em>Editor's note: For more on data breaches and their impact, please see the <a href="https://www.internetsociety.org/globalinternetreport/2016/">Internet Society's 2016 Global Internet Report</a>.</em></p>
Wed, 21 Dec 2016 13:19:53 +0000
Jeri Clausing
512595
-
Princeton's "War of The Lights" - The Pitfalls of Enterprise-Level IoT Projects
https://www.internetsociety.org/blog/tech-matters/2016/12/princetons-war-lights-pitfalls-enterprise-level-iot-projects
<p class="p1">The stadium lights ripped the darkness over an empty field.</p>
<p class="p1">They weren’t supposed to be on. The lights at Princeton University’s stadium, recently upgraded, should have followed an automated cycle, reducing the need for human oversight.</p>
<p class="p1">Instead, the lights went to war.</p>
<p class="p1">That’s how Jay Dominick, the vice president for information technology and the chief information officer for the Office of the Vice President for Information Technology at Princeton University, described to me what happened when I followed up with him after he spoke at the <a href="https://citp.princeton.edu/event/conference-internet-of-things/">Conference on Security and Privacy for the Internet of Things</a>, held Oct. 16, 2016 at Princeton University.</a></p>
<p class="p1">The lights weren’t entirely replaced, and therein lies the problem — and the lessons for any larger enterprise-level project that brings analog projects into the age of the Internet of Things.</p>
<p class="p1">The lights flipped on well after midnight because, as Dominick explains, the technology behind the bulbs couldn’t communicate. It’s not something anyone could have predicted or tested for, like they might a software upgrade, before going live.</p>
<p class="p1">“The network guys run out there and run disparate packets and say, ‘Yep, the network works, the lights tested and work’,” he says. “And at 3 a.m. the lights go on, and they start the whole process again.</p>
<p class="p1">“Eventually, through a rigorous process of elimination, you wind up figuring out what you think might have happened, and then it’s the argument about who’s going to fix it.</p>
<p class="p1">“We wound up creating a new network for the new lights,” he says. “The new lights liked to talk to each other quite a bit. They were very chatty. And when they would get to talking, the old lights couldn’t process the packets fast enough, so they failed into some obscure state, and that failure would put the old lights in a failure which turned them on.”</p>
<p class="p1">“It was essentially a DDOS [Distributed Denial of Service] attack,” he says — just within the same system.</p>
<p class="p1">The broader lesson here, he says, is that you can’t upgrade an enterprise Internet of Things system as if it were an iPhone, expecting all the parts to run perfectly, out of the box.</p>
<p class="p1">“When the next generation comes out as an upgrade to the operating system, now we have a change management process that might not have been familiar to the operational tech world — how does the new software interact with the old software, how do the new lights interact with the old lights?</p>
<p class="p1">“There’s just a lot of friction where we’re seeing with these large-scale electromechanical, formerly analog systems now all automated, on a network, and suddenly there are IT people and operations technology people trying to figure out how it all works together, and sometimes it just doesn’t.”</p>
<p class="p1">Princeton faced a second problem with a fire alarm system that failed across campus. Today, campus fire alarms have panels that report their status via fiber optic connections to a central controller. The buildings are supposed to ping the central system frequently — if they don’t, the system assumes that building alarm is broken.</p>
<p class="p1">Every time communication failed, the university would have to send a person with a walkie talkie to monitor the building while the staff figured out why communication halted, Dominick says.</p>
<p class="p1">Dominick cites four key lessons from the light war:</p>
<p class="p1"><strong>1. Change management has to change.</strong> Take the fire alarm example, Dominick says. “In the analog world, if you have continuity on the table, you’re good. Things were largely electromechanical devices that either worked or didn’t work… Now, as we begin to put processors with software and communication stacks at both ends, you tend to get into typical IT problems, which is how you engage in change management. How do you do version control between different parts of the software stack that are going in at different parts, and how do you manage that change?”</p>
<p class="p1"><strong>2. IT leaders and operational experts need to talk.</strong> A lot. “For us, it was taking some recognition by our operational technology friends that they’ve become dependent on IT to get their work done, which unfortunately usually comes up when something goes wrong.</p>
<p class="p1">“Now our facility colleagues, our public safety colleagues and IT realize how totally interdependent we are. It would have been nice if that had been a self-realization without having to have been pushed to that realization [when something went wrong] but that’s how it works — you respond to stimuli in the environment.”</p>
<p class="p1"><strong>3. Talk to vendors.</strong> “The intersection of operational technology and information technology is full of friction. This shows up in things like lighting systems that were installed a dozen years ago or so that have a certain set of performance characteristics getting upgraded, and the IT change control not being well understood, either by the vendor or the operational technology folks,” Dominick says.</p>
<p class="p1">The light issue was resolved, in part, thanks to “very complex discussions with the vendor.” Much of the technology involved in enterprise-level IoT projects likely started as a consumer product or consumer-based technology, Dominick says. Talking to vendors about processes, testing, upgrades and security can help head off issues, Dominick says.</p>
<p class="p1"><strong>4. The Internet of Things needs a roadmap.</strong> There are no guidelines or universally accepted best practices for IoT, Dominick says.</p>
<p class="p1">“Whether it's IEEE (Institute of Electrical and Electronics Engineers) or NIST (National Institute of Standards and Technology), they have got to come together for the rules of the road for how the different products are going to inter-operate. End-to-end security, trust standards, operations — there are some out there working on that,” he says. [Ed. note: NIST released cybersecurity guidance in mid-November, but it is not wholesale IoT guidance: <a href="https://www.federaltimes.com/articles/nist-unveils-internet-of-things-cybersecurity-guidance">https://www.federaltimes.com/articles/nist-unveils-internet-of-things-cybersecurity-guidance</a>]</p>
<p class="p1">So far, technology has quickly outpaced many enterprise agencies’ ability to ensure reliability. Enterprise leadership must serve as their own watchdogs — and ensure the lights don’t go to war.</p>
<hr>
<p><em>Editor's note: For more information, see our report "<a href="https://www.internetsociety.org/doc/iot-overview"><strong>The Internet of Things (IoT): An Overview - Understanding the Issues and Challenges of a More Connected World</strong></a>".</em></p>
Wed, 21 Dec 2016 13:09:03 +0000
Ann Miller
512592
-
What India's Banking Industry Breach Can Teach Us About the Importance of Collaboration
https://www.internetsociety.org/blog/tech-matters/2016/12/what-indias-banking-industry-breach-can-teach-us-about-importance
<p>Towards the end of October 2016, several Indian banks announced they would be recalling millions of debit cards in the wake of a data breach that affected the backend of software that powered an ATM network there.</p>
<p>It was a situation that could have been better mitigated; a government-sponsored organization tasked with sharing information about data breaches completely missed the warning signs that a breach was taking place. As a result, no one connected the dots until millions of fraud cases had been detected.</p>
<p>Raj Singh, Regional Bureau Director for the Asia-Pacific region, Internet Society, recently gave me his insights into the lessons that organizations in all industries can learn about mitigation from this incident, as well as how to overcome barriers that prevent collaboration, which is vital to mitigation efforts.</p>
<p><strong>Information Sharing and Collaboration: The Keys to Successful Mitigation</strong></p>
<p>Data breaches are all too prevalent nowadays. “Hackers will always try to find a weakness in the system,” Singh asserted. While organizations should continue their efforts to prevent such breaches, they must also have a mitigation strategy in place to offset the disastrous effects of cyber crime.</p>
<p>In the case of the Indian ATM data breach, the Information Sharing and Analysis Centre (ISAC) established by the Indian government failed to detect the breach in time because each compromised debit card was flagged as a case of fraud rather than the result of a cyber attack. Before this incident, banks bore the responsibility of tracking and handling fraud cases. No one raised an alarm until millions of debit card customers complained of fraudulent charges.</p>
<p>Singh pointed out that the situation could have been managed much better “if people had realized that hacks and breaches have multiple dimensions.” If ISAC had treated each case of debit card fraud as a cyber crime, a pattern would have emerged much sooner. When the Indian government founded ISAC, no one considered the possibility that credit and debit cards were so vulnerable to hackers. “People are focused on the door when the hacker is coming in through the window,” Singh added.</p>
<p>In general, the finance industry has some strong information sharing mechanisms in place that have a good reputation for mitigating the impact of data breaches. Singh noted that Singapore’s Association of Banks (SAB) and the global Financial Services - Information Sharing and Analysis Center (FS-ISAC) are two examples of organizations that enable members to share news of threats so that others can attempt to prevent or at least mitigate attacks.</p>
<p>It’s becoming abundantly clear that information sharing and collaboration must take place outside of the finance industry, too. The EU’s Agency for Network and Information Security (ENISA) published a <a href="https://www.enisa.europa.eu/publications/cybersecurity-information-sharing/at_download/fullReport">report</a> at the end of December 2015 about the importance of information sharing and collaboration in prevention and mitigation of cyber attacks for all industries. In the Obama administration’s final cybersecurity report, released at the beginning of December 2016, researchers stressed how crucial it is that the private sector and the public sector share information to prevent mass cyber attacks from taking place.</p>
<p><strong>Easier Said than Done: Barriers to Information Sharing and Collaboration</strong></p>
<p>Making recommendations and even being a member of an information sharing network still isn’t enough to keep incidents such as the one in India from unfolding. Singh observed that barriers hamper vital collaboration between firms and organizations that would otherwise counter or at least mitigate the consequences of a cyber attack.</p>
<p>For a start, SAB and FS-ISAC only share information with members. So, if your company doesn’t operate within the finance industry, you don’t have access to details of threats submitted by SAB or FS-ISAC members.</p>
<p>Secondly, Singh observed that businesses tend to be quite competitive and hesitant to share information about any possible weakness. <a href="https://uk.reuters.com/article/uk-yahoo-cyber-data-idUKKCN11T2DD?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=%20Largest-breach-internet-history-concerns-dat">Yahoo</a> is a recent example of just such a company. In 2014, hackers stole encrypted passwords and personal data from over 500 million accounts. It took Yahoo over two years to uncover the breach and disclose it. Users responded by threatening to shut down their accounts. American senators expressed their dismay at Yahoo’s slow detection and response to the attack. After disclosing the breach, the value of Yahoo’s stock fell three percent.</p>
<p>Another barrier to information sharing and collaboration is the “it can’t happen here” mindset. “There’s a lack of empathy and understanding,” Singh explained. Businesses might say, “Oh, a data breach hit a bank. We’re not in the banking sector, so we don’t need to worry about something like that affecting us.” While some businesses in industries outside of finance might pay attention, others won’t because they haven’t been hit by hackers yet, or they’re unaware that they’ve been attacked. Of course, that mindset leads to firms falling prey to hackers. “A data breach can happen anywhere, anytime,” Singh emphasized.</p>
<p><strong>Overcoming the Hurdles to Improve Breach Mitigation</strong></p>
<p>Singh doesn’t view these burdens as insurmountable. He believes that organizations can improve collaboration and information-sharing efforts in order to mitigate breaches.</p>
<p>One of the first steps is stronger regulations and enforcement of existing rules on data breach disclosure and data sharing. “From what I hear, everyone says that they’re talking to each other and working with each other,” Singh remarked. “But that’s taking place at conferences. What’s happening on the ground?” He added that self-regulation is unreliable, because of the competitive nature of business and the desire to be seen as strong and invulnerable. Although many countries have enacted personal data protection laws, they don’t seem to be powerful enough to force companies to collaborate so that incidents such as the one in India don’t take place again.</p>
<p>As consumers share more information with organizations, and those organizations rely on interconnected digital systems that are prone to breaches, the risk for hacks will only continue to rise. When businesses work together and treat information on data breaches as something to be disclosed rather than a closely guarded secret, they have the power to better protect their customers and keep their reputations (and profits) intact.</p>
<hr>
<p><em>Editor's note: For more on data breaches and their impact, please see the <a href="https://www.internetsociety.org/globalinternetreport/2016/">Internet Society's 2016 Global Internet Report</a>.</em></p>
Wed, 21 Dec 2016 13:21:56 +0000
Rachel Levy-Sarfin
512596
-
New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information
https://www.internetsociety.org/blog/tech-matters/2016/12/new-study-reveals-more-200-mobile-sitesapps-are-exposing-sensitive
<div id="file-16470" class="file file-image file-image-jpeg">
<h2 class="element-invisible"><a href="/file/stocksnapc7ufjexev4jpg-0">StockSnap_C7UFJEXEV4.jpg</a></h2>
<div class="content">
<span id="styles-4-0" class="styles file-styles large"> <img id="4" src="https://www.internetsociety.org/sites/default/files/styles/618width/public/StockSnap_C7UFJEXEV4_0.jpg?itok=FXx0t_ac" alt="" title="" /></span> </div>
</div>
<p>The <a href="https://go.wandera.com/MobileLeakReport2017.html">Wandera 2017 Mobile Leak Report</a>, a global analysis of almost 4 billion requests across hundreds of thousands of corporate devices, found more than 200 mobile websites and apps leaking personally identifiable information across a range of categories - including those that are essential for work.</p>
<p>Most notably, the study revealed:</p>
<ul>
<li>More than 59 percent of all the leaks identified were from just three categories: news and sports; business and industry; and shopping.</li>
<li>Among the leaking mobile sites and apps were well-known names such as ESPN Fantasy Rugby, Fox Sports and Royal Mail.</li>
<li>The vast majority of leaks included sensitive information such as email/username (90 percent) and password/hash (86 percent).</li>
<li>80 percent of the top 50 adult sites were leaking some form of PII.</li>
</ul>
<p>I spoke with Michael Covington, vice president of Product at Wandera, about the report and what it means for both businesses and consumers.</p>
<p><strong>What is the Mobile Leak Report?</strong></p>
<p>The Mobile Leak Report is a summary of research that uncovered more than 200 well-known and reputable digital services responsible for exposing sensitive consumer and enterprise information. These “data leaks” are particularly relevant to mobile users because the primary culprits were apps and mobile-tailored websites that failed to protect the sensitive information as it was in transit.</p>
<p><strong>In your opinion, what was the biggest “take away” from this report?</strong></p>
<p>For me, the biggest take away from the report is a realization of how critical end-to-end visibility can be when assessing security risk. Most organizations have no visibility at the data level of how a corporate mobile device is being used. Simply understanding the risks is an essential first step to plugging the holes.</p>
<p>I’m fairly confident that most users assume mobile apps and websites will protect their sensitive information; sadly, this report shows that those assumptions are flat out wrong. We found that these 200+ leaks were coming from devices in more than 20 countries that were using apps, websites and mobile websites – it seemed that no one was spared.</p>
<p>The information at risk included credit card details, dates of birth, addresses, home phone numbers and passport information. Overall, it was a staggering amount of detailed information that was being exposed.</p>
<p>Without some end-to-end visibility that could expose these leaks, most organizations are flying blind and have no idea how much they, or their employees, are exposed.</p>
<p><strong>What was the most shocking discovery within this report?</strong></p>
<p>In my opinion, the biggest shock contained within this report was the fact that so many mainstream apps were leaking the private information of the users and organizations that trusted them with this data in the first place.</p>
<p>Our research shows that this problem is not isolated to a particular category or service domain. The fact that the data leaks are so broad and span geographies is what I found most disturbing.</p>
<p><strong>With data leaks being so broad, what can be done to mitigate these risks?</strong></p>
<p>First, companies that publish apps and maintain online services should have a security development lifecycle practice that considers security and privacy requirements early in the development process. These same organizations should also be undergoing thorough security audits on a regular basis to ensure that their security requirements continue to be met.</p>
<p>Secondly, companies with mobile users who utilize apps to handle sensitive data need to have tools in place to manage security risk. We have seen several instances where even the official app stores have been plagued by malicious apps, fake apps and apps that simply fail to protect the privacy of sensitive information.</p>
<p>Companies that are embracing mobility must have a plan in place to deal with security issues when—not if—they occur.</p>
<p><strong>What is your advice to consumers on reducing leaks or protecting themselves from these mobile leaks when using their favorite apps?</strong></p>
<p>Enterprise security teams are usually the most organized when it comes to assessing their overall risk exposure, largely due to investment in third-party tools and services to help manage that risk.</p>
<p>For consumers, however, it is difficult because there is no visual cue on an app that indicates when a connection is secured.</p>
<p>Consumers can take some basic steps to help protect themselves. I recommend that mobile end users spend time reviewing app store comments and at least limit their downloads to the official app stores so they can minimize their overall risk exposure.</p>
<p><strong>What other steps need to be taken to address data leaks?</strong></p>
<p>When it comes to data leaks, the biggest change that’s needed is with the publishers and owners of content. Whether you are a major sports news website or a train operator or an online streaming music service, you absolutely must consider security and privacy as part of the transaction with your users.</p>
<p>Time-to-market is important, but rushing an app through the review process or launching a mobile website before it’s been tested is a mistake because it could put your users—not to mention your brand—at risk.</p>
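<p>The leaks described in the interview come from apps and mobile sites that send credentials and personal data in the clear. The following is an added example (not part of the interview, and not Wandera's tooling) of the kind of check a security team with gateway-level visibility can run: it scans a constructed, hypothetical request log (one request per line, <code>METHOD URL [body=&lt;form&gt;]</code>) and reports every plaintext HTTP request whose query string or form body carries a sensitive field. The field names in <code>SENSITIVE_KEYS</code> and the sample log are assumptions chosen for the example.</p>

```python
"""Flag mobile-app requests that send sensitive fields over plaintext HTTP.

Added example, not from the original post or from Wandera. The log format
is a constructed, hypothetical gateway log: one request per line, written
as "METHOD URL" with an optional "body=<urlencoded form>" third field.
"""
from urllib.parse import urlsplit, parse_qs

# Parameter names that indicate leaked credentials or PII when they appear in
# a plaintext request. Hypothetical list, chosen to match the sample below.
SENSITIVE_KEYS = {
    "email", "username", "user", "password", "passwd", "pwd", "hash",
    "dob", "birthdate", "card", "cardnumber", "cvv", "passport", "phone",
}


def parse_line(line):
    """Split 'METHOD URL [body=...]' into (method, url, body_string)."""
    parts = line.strip().split(" ", 2)
    method, url = parts[0], parts[1]
    body = ""
    if len(parts) == 3 and parts[2].startswith("body="):
        body = parts[2][len("body="):]
    return method, url, body


def sensitive_fields(url, body):
    """Return the sorted sensitive parameter names found in the query string
    or in the form body."""
    found = set()
    for source in (urlsplit(url).query, body):
        for key in parse_qs(source, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                found.add(key.lower())
    return sorted(found)


def find_leaks(lines):
    """Return one dict per request that sends sensitive fields without TLS.

    Only the URL scheme is inspected: an https:// request can still be weak
    (for instance through poor certificate validation), but that is not
    visible in a URL log, so this detector reports only the clear-cut
    plaintext case and never produces false positives on HTTPS traffic.
    """
    leaks = []
    for line in lines:
        if not line.strip():
            continue
        method, url, body = parse_line(line)
        if urlsplit(url).scheme.lower() != "http":
            continue
        fields = sensitive_fields(url, body)
        if fields:
            leaks.append({"host": urlsplit(url).hostname,
                          "method": method, "fields": fields})
    return leaks


# Constructed sample: six requests from one device, two of which leak.
SAMPLE_LOG = """\
GET https://news.example/api/headlines?section=sport
POST http://fantasy.example/login body=username=alice%40example.org&password=hunter2
GET http://shop.example/track?order=1234
POST https://mail.example/login body=username=alice&password=hunter2
GET http://sports.example/profile?email=alice%40example.org&dob=1980-01-01
GET http://cdn.example/img/logo.png
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak['method']} {leak['host']}: {', '.join(leak['fields'])}")
```

<p>Run against the sample, the detector reports the fantasy-sports login (username and password) and the sports profile request (date of birth and email) and stays silent on the two HTTPS logins and the harmless plaintext image and tracking requests.</p>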
<hr>
<p><em>Editor's note: For more on data breaches and their impact, please see the <a href="https://www.internetsociety.org/globalinternetreport/2016/">Internet Society's 2016 Global Internet Report</a>.</em></p>
Wed, 21 Dec 2016 12:53:12 +0000
Heidi Brandes
512588
-
Is Your Reputation Safe on the Blockchain?
https://www.internetsociety.org/blog/tech-matters/2016/12/your-reputation-safe-blockchain
<div id="file-16265" class="file file-image file-image-jpeg">
<h2 class="element-invisible"><a href="/file/reputationjpg">reputation.jpg</a></h2>
<div class="content">
<span id="styles-5-0" class="styles file-styles large"> <img id="5" src="https://www.internetsociety.org/sites/default/files/styles/618width/public/reputation.jpg?itok=NRFXPqp8" alt="" title="" /></span> </div>
</div>
<p>Over on the Consult Hyperion blog, Dave Birch has written a characteristically lucid and engaging piece about <a href="https://www.chyp.com/mutable-and-immutable-blockchains/" target="_blank">hyperbole around the idea of the mutable blockchain</a>.</p>
<p>One of the use cases Dave cites (not his, I hasten to add) is the use of mutable blockchains to implement the so-called "right to be forgotten" (RTBF) - or "droit à l'oubli", as I should perhaps call it while I am still allowed to. That prompted two thoughts which I felt deserved a blog post.</p>
<p>First, a quick swipe at RTBF, a label which has caused more trouble than it deserves, given the merits of the underlying principle. The Google v Spain ruling interpreted RTBF as a requirement for search engines to "de-list" search results that linked Mr Costeja González, by name, to data about one aspect of his past. The ruling also does not affect search results outside the EU.</p>
<p>That's a very qualified constraint on people's ability to find out about what happened. If you search for "Spanish guy bankrupt Google", you should get the details faster than you can say Streisand Effect. So, as a "right to be forgotten", this seems somewhat flimsy. And yet, it is the basis of a robust legal judgment - so what did the judges and lawmakers really intend?</p>
<p>One thing the Google v Spain ruling definitely doesn't try and do is stamp out all the original instances of the data in question: one of the characteristics of the Internet is the ease and speed with which new copies of data can be published and disseminated globally. In that sense, the Internet has made such publication and dissemination almost entirely frictionless. However, readers still need to get to the information in order to read it -- and, of course, it follows from the above that there is an ever-increasing mass of information out there to search through.</p>
<p>Seen from that perspective, the Spanish court's qualified constraints on access to data are best explained as a re-introduction of just some of the friction which the Internet as a whole, and search engines in particular, have removed. RTBF is really "the right to have some information made slightly more inconvenient to retrieve". Which is so catchy, I can't really understand why "the right to be forgotten" ever caught on in the first place.</p>
<p>All that said, what I think this shows is that the technical "fix" (redacting the results of some online searches) is a rather clumsy and only partially effective way to achieve the desired social result, which is that the individual's reputation should not be inappropriately sullied by inaccurate or irrelevant data which happens to be easy to retrieve.</p>
<p>Clumsy or not, I can't see any sensible way of applying blockchain technology to this problem that makes it any better. In fact, the idea that your Internet search results are based on a cumulatively-signed consensus among, say, the major search engines and the libel courts is mind-boggling, to put it mildly.</p>
<p>Now, on to my second thought.</p>
<p>When I've talked about identity and privacy over the past decade or so, I have noted that they are a function of social interaction. Almost exactly three years ago, <a href="https://www.cnet.com/news/vint-cerf-privacy-may-be-an-anomaly/" target="_blank">Vint Cerf observed that he thought privacy was probably an anomaly</a>. I disagreed, and set out some of the reasons why in a blog post which, I think, remains relevant. I don't think an expectation of privacy is an anomaly, because I don't think social interaction is an anomaly.</p>
<p>However, to recap briefly from that post: social interaction has some characteristics which it is proving hard to replicate in our technically mediated online lives. If you live and work in a small village, you might have less expectation of privacy, but since people have to get along with each other in the long term, past indiscretions might be forgiven and forgotten, especially if the individual concerned demonstrates remorse and better behaviour.</p>
<p>Over time, in other words, people develop a reputation, based on one's past experience of them, the narratives constructed by others, information in the public domain, and so on. And this, I think, is where we come to the point of intersection with the example that Dave Birch cited (and rightly dismissed), about using a mutable blockchain to implement the "right to be forgotten".</p>
<p>First, I absolutely agree with Dave's argument that, in the ledger use-case, the way to deal with an incorrect ledger entry is to leave it exactly as it is, and append a corresponding correcting entry when the error is discovered. That way, you balance the books.</p>
<p>But what does "balancing the books" mean, if the blockchain is being used, not for a ledger of accounts, but to record information that contributes (positively or negatively) to an individual's reputation? What is the right way to correct an entry that is recognised as being wrong? Let's make it a bit less abstract.</p>
<p>Suppose that the blockchain in question is a record of someone's ratings as a Seller on an auction site. Most of them are 100% positive, but then there's one which is dreadful: <em>"Terrible service; goods arrived late, I was wrongly charged, and the product fell apart. I will never buy from this seller again, and neither should you. 0/5"</em> Then it turns out that this review was actually meant for another seller.</p>
<p>What's the right way to make a correction? Is it to go back and delete the entry, or to leave it in place but ensure that it can only be viewed in conjunction with a full retraction and an explanation that it was a review of someone else?</p>
<p>Either way, what do you do about the Seller's cumulative reputation score? In the ledger example, a correcting entry balances the books - but in this case, a simple correcting entry of 5/5 can't restore the Seller's perfect record of 100% satisfaction scores, and 10/5 isn't a realistic option.</p>
<p>So, the accounting ledger isn't a useful design template in this case. We're not looking for a technical solution that balances the books, we're trying to manage the effect on someone's reputation of the data that is recorded about them.</p>
<p>Like trust, reputation is something which is hard to accrue and easy to forfeit. There's an asymmetry there, which explains why the "balancing" entry to a reputation-damaging assertion cannot simply be a statement of the opposite.</p>
<p>Is the answer, then, to delete the original entry? Well, that might work in the hypothetical I've constructed (where the original entry was simply mistaken); but suppose the original entry was true, and the seller not only rectified the error, but did it so graciously that the customer was delighted. Deleting the truthful original entry, in that case, seems wrong - but neither do we want to leave the possibility that it might be seen and taken as definitive. Is the correct action to ensure that the original review can only be viewed in tandem with updates that explain the subsequent outcome? Here, a "balancing" entry might be part of the answer, but doesn't seem to be enough on its own.</p>
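<p>To make the two options concrete, here is an added example (mine, not from the original post) of an append-only, hash-chained reputation log in the style of a ledger. Nothing is ever deleted: a correction is appended as a new entry that points at the entry it corrects, and it is the <em>view</em> that decides how the pair is presented and scored. The example runs the post's hypothetical seller through two policies: a "balancing" score that averages every rating, as an accounting ledger would, and a "retraction-aware" score that keeps the retracted review in the log, shows it only alongside its retraction, and leaves it out of the score. Class and method names and the sample reviews are all constructed for the example.</p>

```python
"""Append-only reputation log with correcting entries (added example).

Entries are hash-chained as in a ledger and never modified after append.
A retraction is itself an appended entry referring to the hash of the
review it withdraws. Two scoring policies are compared on the post's
hypothetical seller. Names and sample data are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64


class ReputationLog:
    def __init__(self):
        self.entries = []  # dicts, never altered after being appended

    def _append(self, record):
        record["prev"] = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = json.dumps(record, sort_keys=True).encode()
        record["hash"] = hashlib.sha256(payload).hexdigest()
        self.entries.append(record)
        return record["hash"]

    def add_review(self, author, rating, text):
        return self._append({"type": "review", "author": author,
                             "rating": rating, "text": text})

    def add_retraction(self, target_hash, reason):
        """Append a correction pointing at an earlier entry; nothing is deleted."""
        return self._append({"type": "retraction", "target": target_hash,
                             "reason": reason})

    def verify(self):
        """Re-derive every hash; False if any entry was edited in place."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def retracted(self):
        """Map of review hash -> retraction entry, for reviews withdrawn later."""
        return {e["target"]: e for e in self.entries if e["type"] == "retraction"}

    def balancing_score(self):
        """Ledger-style: every rating counts; a correction is just one more rating."""
        ratings = [e["rating"] for e in self.entries if e["type"] == "review"]
        return sum(ratings) / len(ratings)

    def retraction_aware_score(self):
        """Retracted reviews stay in the log but are excluded from the score."""
        gone = self.retracted()
        ratings = [e["rating"] for e in self.entries
                   if e["type"] == "review" and e["hash"] not in gone]
        return sum(ratings) / len(ratings)

    def view(self):
        """Render reviews; a retracted one is only ever shown with its retraction."""
        gone = self.retracted()
        lines = []
        for e in self.entries:
            if e["type"] != "review":
                continue
            line = f"{e['rating']}/5 {e['author']}: {e['text']}"
            if e["hash"] in gone:
                line += f"  [RETRACTED: {gone[e['hash']]['reason']}]"
            lines.append(line)
        return lines


def demo():
    """The post's scenario: nine perfect reviews, one misdirected 0/5, then a
    'balancing' 5/5 and finally a proper retraction of the misdirected review."""
    log = ReputationLog()
    for i in range(9):
        log.add_review(f"buyer{i}", 5, "Great seller.")
    bad = log.add_review("buyer9", 0, "Terrible service; goods arrived late ... 0/5")
    log.add_review("buyer9", 5, "Correction: my previous review was for another seller.")
    log.add_retraction(bad, "Review was submitted against the wrong seller.")
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify())
    print("balancing score:", round(log.balancing_score(), 2))
    print("retraction-aware score:", round(log.retraction_aware_score(), 2))
    for line in log.view():
        print(line)
```

<p>The numbers make the asymmetry in the text visible: with a 5/5 "balancing" entry appended, the averaged score is still about 4.55, not the 100% the seller had before the mistaken review, whereas the retraction-aware view restores 5.0 while keeping the original entry (and its retraction) readable. Editing the bad rating in place, by contrast, makes <code>verify()</code> fail, which is the ledger property the post wants to preserve.</p>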
<p>In other words, just as in the RTBF case, we are trying to replicate several nuanced features of social interaction (reputation, forgiveness, restitution...) using clumsy technical tools which simply don't fit.</p>
<p>Blockchain might be the best possible technology for implementing crypto-currencies, but be a lousy way to try and build a reputation management system. Blockchain may be a perfectly good hammer, but I wish its fans would stop trying to re-cast every online trust problem as a nail.</p>
Mon, 05 Dec 2016 16:21:22 +0000
Robin Wilton
512488
-
WhatsApp with the UK's new Information Commissioner?
https://www.internetsociety.org/blog/tech-matters/2016/11/whatsapp-uks-new-information-commissioner
<div id="file-11583" class="file file-image file-image-jpeg">
<h2 class="element-invisible"><a href="/file/privacy1jpg">privacy1.jpg</a></h2>
<div class="content">
<span id="styles-6-0" class="styles file-styles large"> <img id="6" src="https://www.internetsociety.org/sites/default/files/styles/618width/public/field/homepage_highlight/privacy1.jpg?itok=O6q1TvA9" alt="" title="" /></span> </div>
</div>
<p>The UK’s Information Commissioner, Elizabeth Denham, has been in post just under four months, but already the differences between her approach and those of her two most recent predecessors (Richard Thomas and Christopher Graham) are starting to become clear. This may be due partly to the fact that she comes to the role with six years’ experience as the Information and Privacy Commissioner for British Columbia, whereas Thomas and Graham came, respectively, from legal practice and the BBC.</p>
<p>Recently, Denham posted an update on the first eight weeks of her team’s investigation into personal data sharing between WhatsApp and Facebook. The bottom line is this: she thinks consumers and their data are not being properly protected, and she offers the prospect of enforcement action if Facebook uses consumers’ data without consent. Here’s how she thinks Facebook is falling short of the legal requirements:</p>
<ul>
<li>Subscribers are not properly protected, or properly informed about uses of data about them;</li>
<li>Facebook does not have valid consent for sharing personal data;</li>
<li>Users are not given sufficient control over data about them.</li>
</ul>
<p>The Commissioner also highlights risk in a number of other areas:</p>
<ul>
<li>“Free” services are not a licence for the service provider to do as they please with users’ data;</li>
<li>Vague terms of service don’t adequately protect the intimacy revealed by our online data;</li>
<li>Company mergers, and aggregation of the resulting data, create privacy risks that go beyond simple data protection.</li>
</ul>
<p>The tone of the Commissioner’s post is firm but understated. It focuses on basic steps: inform users, get meaningful consent, give users proper control, and be transparent about terms and conditions. The Commissioner’s concerns echo those expressed by the wider group of European information commissioners, the Article 29 Working Group. The head of that group, Isabelle Falcque-Pierrotin, has expressed its concern that, following WhatsApp’s acquisition by Facebook, personal data is being used for purposes that were not included in the terms users signed up to.</p>
<p>Some may point out that, in strict legal terms, consent is just one of a number of valid grounds for the processing of personal data. My personal view is that there is no need for equivocation here. I don’t care (and neither should consumers) if consent isn’t the only basis for legal processing: if the end result is not what I signed up for, and it increases privacy risk, I should be made aware of that and given the option to say no.</p>
<p>The Commissioner has set out her position, simply and clearly. It will be interesting to see what the next eight weeks bring.</p>
Wed, 30 Nov 2016 16:46:17 +0000
Robin Wilton
512456
-
Paul Vixie: Market Pressure to Churn Out IoT Products Key Cause of Compromised Safety, Security
https://www.internetsociety.org/blog/tech-matters/2016/11/paul-vixie-market-pressure-churn-out-iot-products-key-cause-compromised
<div id="file-16171" class="file file-image file-image-jpeg">
<h2 class="element-invisible"><a href="/file/paul-vixie-grey-976jpg">paul-vixie-grey-976.jpg</a></h2>
<div class="content">
<span id="styles-7-0" class="styles file-styles large"> <img id="7" src="https://www.internetsociety.org/sites/default/files/styles/618width/public/paul-vixie-grey-976.jpg?itok=O-p_6Jhm" alt="" title="" /></span> </div>
</div>
<p>"Humanity has been building and programming general purpose computers for about six decades now, with spectacular results, mostly good. As we contemplate the ‘Internet of Things’ in light of our collective experience, there are some disturbing conclusions to be drawn. Can we as a species safely place our economy and culture into a global distributed network of computers, if those computers are programmed by humans using commodity programming languages and tools?" </p>
<p>That’s the question renowned Internet security expert Paul Vixie, co-founder and CEO of Farsight Security and <a href="https://internethalloffame.org/inductees/paul-vixie">an Internet Hall of Fame inductee</a>, recently posed in his keynote address for the Security BSides gathering in Raleigh, N.C.</p>
<p>I talked to Vixie following the address, to get his thoughts—and his advice—on the state of Internet security.</p>
<p><strong>That’s a pretty complex question you posed in Raleigh. Were you also able to provide an answer?</strong></p>
<p><strong>PV</strong>: No. That was rhetorical. What I explained is that there is economic pressure to create more software companies or products that include software…and what we have seen is that the talent pool we have is already inadequate for the task. The reason is margin and time-to-market pressure. Everything that succeeds gets competition much faster than ever before in history. The first product in a category can dine well; latecomers sometimes get the table scraps.</p>
<p>And not all companies know how to be software companies. If you come up with an Internet-enabled light bulb, you have to know how to test your product. You have to know how to report it if this lightbulb turns out to have critical software bugs. You have to know who your customers are so you can notify them.</p>
<p>So ultimately, what I showed, is that by all indications, the Internet of Things is going to take everything that looks flaky and behaves badly about Internet-enabled devices today, and multiply it by about a million times.</p>
<p><strong>How can these risks be mitigated?</strong></p>
<p><strong>PV:</strong> I’m short on solutions. The thing I saw recently is that Underwriters Laboratories is going to begin doing cybersecurity certifications. It used to be that if you were going to buy a toaster for your kitchen, you would make sure it was on the UL list, to make sure it wasn’t going to start a fire in your house. So, we need to get there with Internet-enabled devices. I am glad UL is going to do that. And I am glad that the Obama White House hired Peiter Zatko, a hacker and Internet security expert also known as “Mudge,” to investigate starting a cyber security program. Regulation isn’t always the right answer, but I think that in this case, the only way we’re going to get widespread improvement of software quality is if being a little later to market or costing a little more doesn’t make your product uncompetitive – because your competitors have to meet the same quality standards as you do.</p>
<p><strong>What other steps need to be taken?</strong></p>
<p><strong>PV:</strong> If <a href="https://en.wikipedia.org/wiki/Moore%27s_law">Moore’s Law</a> gives us more transistors, and those transistors are switching faster, year by year, we are getting more computing horsepower. What we have been doing with that computing horsepower is using it to develop glitzier products with more features. But it turns out you could also use some of that new computing horsepower for safety. We’ve been writing everything in C since the early 1980s. It’s time to stop, to think if there are alternatives we might use, that would do additional run-time safety checks. But we are not using any of that new largesse in computing horsepower to make anything safer. The reason, frankly, is there is no market pressure to do so.</p>
<p>That’s the transition that we have to go through or else the ‘Internet of Things’ is going to be the thing that stops the world, even sooner than climate change.</p>
<p><strong>Email hacks have made headlines recently, and there have been several high-profile breaches involving email and credit card databases of large companies. But we just recently saw the first widespread <a href="https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/">reporting</a> in quite a while about a distributed denial-of-service (DDoS) attack. Does that mean the number of DDoS attacks has declined?</strong></p>
<p><strong>PV:</strong> They are not in the news as much anymore because we have them every week. What we have is a new normal, and it’s damn depressing. The problem is that nobody cares.</p>
<p>It’s very hard to think accurately about the actual amount of unsafety that is in the world right now. It is stunning.</p>
<p>Let’s talk about my special pet peeve. The thing that makes DDoS possible is the lack of source address validation at the edge of the Internet. That means [someone else’s] computer can send my computer a request pretending to be your computer, and my computer will answer yours. The source never used to matter because the Internet was born in an academic world where everybody knew and trusted everybody else. We took the same technology and gave it to 3 billion people, and they are not all trustworthy and sometimes they hate each other and they abuse this. And Internet service providers have no incentive to spend money to fix this.</p>
<p><strong>What can companies and consumers do to help thwart these different types of hacks and attacks?</strong></p>
<p><strong>PV</strong>: I think that eventually people are going to realize that everything that is digital can be surveilled while it is in motion or it can be stolen, copied or damaged while it is at rest. We will probably start with these two things, both rightly headed, but they are probably going to end badly.</p>
<p>There is encryption. You might invest in it. But your correspondents might not. So, you are keeping your files safe, but your text is running naked through the world.</p>
<p>Also, I don’t think we should have access to all of our old email on a daily basis. We should have the equivalent of having to walk to another room by typing in a password, solving a puzzle. Because that email repository is so much more dangerous than when your files were locked in a filing cabinet. I think people probably won’t stop sending email, but they can use encryption, or digital shredding, or store that e-mail in some kind of one-way repository, where we won’t have a bunch of folders sticking out of our Outlook panel. But as you know, crowds move slowly. It’s going to take another 20 years. In the meantime, it’s just open season on all of us.</p>
<p><strong>What immediate steps can the average computer and smartphone user take to protect themselves and others?</strong></p>
<p><strong>PV:</strong> Never turn down a software update from your vendor. It’s something the rest of us really need you to do. Accept that update to Windows 10, even if it looks like it is going to spy on you more. Because if you run an older version of Windows, your computer is a clear and present danger to the rest of us—and we hate that. You need to give vendors a chance to fix their products. All software has bugs, the problem is you don’t know what they are at ship-time. That’s why everyone needs to keep their stuff up to date all the time.</p>
<p>If you are buying a new gadget, say a thermostat that is connected to a smart phone, give some thought as to whether that company is going to be in business 10 years from now. It may not be getting software updates anymore. You really want to think about the long-term impacts instead of just buying the cheapest thing at the hardware store. It used to be that the worst thing was that the cheap hammer you bought would just break. With the massive adoption of IoT-enabled devices, you now are inviting potential security risk into your home, next to your family photos and your bank records. </p>
<p>If there is a camera on your laptop, do you really need it to be open all the time? Or should you put a post-it note over it? </p>
<p>Upgrade everything. Throw it away if the company goes out of business.</p>
<p>And be suspicious as heck of anything that wants to connect to your network.</p>
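<p>Vixie's "pet peeve" above is the absence of source address validation at the edge of the network. The following is an added example (not from the interview) that models what that check looks like on an access router: the operator knows which prefixes were delegated to each customer port, so a packet arriving on a port with a source address outside those prefixes cannot be legitimate and is dropped and counted instead of forwarded. It also fails closed for a port with no assignment and for an unparseable address. The port names, prefixes and sample packets are constructed for the example, using documentation address ranges.</p>

```python
"""Source address validation at the network edge (added example).

Models ingress filtering on an access router: each customer port has a set
of delegated prefixes, and a packet whose source address is outside them is
spoofed by definition and must not be forwarded. The assignment table and
the traffic sample are constructed; the addresses come from documentation
ranges, not from any real network.
"""
import ipaddress
from collections import Counter

# Constructed assignment table: customer port -> prefixes delegated to it.
PORT_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:1::/48"],
}


def build_filter(table):
    """Pre-parse the assignment table into ip_network objects per port."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


def source_is_valid(filt, port, src):
    """True only if src lies inside a prefix assigned to port.

    Fails closed: an unknown port has nothing assigned, so nothing is valid,
    and a malformed address is treated as invalid rather than raising.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in filt.get(port, []))


def apply_ingress_filter(filt, packets):
    """Run the check over (port, src, dst) tuples.

    Returns (forwarded, dropped_by_port). The per-port drop count is the
    operationally useful output: a customer port that suddenly emits many
    packets with foreign source addresses is what an operator alerts on.
    """
    forwarded = []
    dropped = Counter()
    for port, src, dst in packets:
        if source_is_valid(filt, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
    return forwarded, dropped


# Constructed traffic sample. Packets 3, 5 and 6 claim a source address that
# was never assigned to the port they arrived on.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.53"),
    ("ge-0/0/2", "203.0.113.9", "192.0.2.53"),
    ("ge-0/0/2", "198.51.100.7", "192.0.2.53"),         # port 1's prefix, seen on port 2
    ("ge-0/0/2", "2001:db8:1::42", "2001:db8:ffff::53"),
    ("ge-0/0/1", "192.0.2.200", "192.0.2.53"),          # assigned to no customer
    ("ge-0/0/2", "203.0.113.200", "192.0.2.53"),        # outside the /25 (.0-.127)
]

if __name__ == "__main__":
    filt = build_filter(PORT_PREFIXES)
    ok, bad = apply_ingress_filter(filt, SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {sum(bad.values())}: {dict(bad)}")
```

<p>On the sample, three packets are forwarded and three are dropped (two on the second port, one on the first). The point of the per-port counter is detection as much as mitigation: the filter stops the spoofed traffic, and the counter tells the operator which customer attachment is producing it.</p>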
<hr />
<p>For more information about the security challenges of the Internet of Things (IoT), please see our Internet Society white paper: <a href="https://www.internetsociety.org/iot/"><strong>The Internet of Things: An Overview - Understanding the Issues and Challenges of a More Connected World</strong></a></p>
<hr />
<p><em>Image credit: Farsight Security.</em></p>
Mon, 21 Nov 2016 16:35:47 +0000
Jeri Clausing
512441
-
Data Breaches and You - our Global Internet Report 2016 explains the critical steps you need to take now
https://www.internetsociety.org/blog/tech-matters/2016/11/data-breaches-and-you-our-global-internet-report-2016-explains-critical
<div id="file-16143" class="file file-image file-image-jpeg">
<h2 class="element-invisible"><a href="/file/gir2016jpg">gir2016.jpg</a></h2>
<div class="content">
<span id="styles-8-0" class="styles file-styles large"> <img id="8" src="https://www.internetsociety.org/sites/default/files/styles/618width/public/gir2016.jpg?itok=BF1SB4iG" alt="" title="" /></span> </div>
</div>
<p>Data breaches are the oil spills of the digital economy. Over 429 million people were affected by reported data breaches in 2015 – and that number is certain to grow even higher in 2016.</p>
<p>These large-scale data breaches along with uncertainties about the use of our data, cybercrime, surveillance and other online threats are eroding trust on the Internet. </p>
<p>This is why <a href="https://www.internetsociety.org/globalinternetreport/2016/">the 2016 edition of our Global Internet Report</a> is dedicated to exploring data breaches, their impact on user trust and their consequences for the global digital economy.</p>
<p>These consequences, not surprisingly, can be serious. The purpose of the report is not to emphasize the problem, but to offer solutions and to emphasize the important role that companies and organizations play in building a more trusted Internet. </p>
<p>A key question raised by the report is:</p>
<ul>
<li><b>why are organisations not taking all available steps to protect the personal information they collect from each of us?</b> </li>
</ul>
<p>The report examines the issues and walks through a number of case studies that highlight the concerns. It ends with a series of five concrete recommendations for actions we need to take.</p>
<p>This video provides a preview: </p>
<p><iframe width="560" height="315" src="https://www.youtube.com/embed/FxPRGDF-9iY" frameborder="0" allowfullscreen=""></iframe></p>
<p>We ask you to <a href="https://www.internetsociety.org/globalinternetreport/2016/">please read the 2016 GIR</a>, to share the report widely, and to take whatever actions <i>you</i> can to bring about a more trusted Internet.</p>
<p>This issue of trust is so serious that we risk undoing all of the progress we have made over the past three decades. It is time we act together to solve it.</p>
Tue, 22 Nov 2016 23:23:03 +0000
Mr. Olaf Kolkman
512447
-
Rough Guide to IETF 97: DNSSEC, DANE and DNS Privacy and Security
https://www.internetsociety.org/blog/tech-matters/2016/10/rough-guide-ietf-97-dnssec-dane-and-dns-privacy-and-security
<p><img src="https://www.internetsociety.org/sites/default/files/styles/618width/public/DNSSEC%20for%20Tech%20Matters.png?itok=SK1wKcpb" alt="DNSSEC for Tech Matters" /></p>
<p>DNS privacy will get a good bit of focus at the <a href="https://www.ietf.org/meeting/97/">IETF 97 meeting in Seoul</a>, with a special tutorial, a meeting of the DPRIVE working group and activity in the IETF 97 Hackathon. DNS privacy will also come up in the DNSSD group this time. The DNS Operations working group will meet, and a new DNS BOF will take place. In contrast to the past few meetings, the Using TLS in Applications (UTA) working group, where DANE has been discussed, will <em>not</em> meet, as its work is moving along on the mailing lists. Similarly, the DANE working group felt that its work was moving along and no physical meeting was needed.</p>
<h3>DNS Privacy Tutorial - Streamed Live On YouTube</h3>
<p>On Sunday, November 13, one of the education tutorials will focus on DNS privacy and the work emerging out of the DPRIVE Working Group related to protecting the confidentiality of your DNS queries. Sara Dickinson will be leading this session and I expect it will be quite good. The session will be from 13:45-14:45 KST (UTC+9). The good news for anyone remote is that <a href="https://www.youtube.com/watch?v=2JeYIecfwdc">it will be streamed live on YouTube</a> - it will also be available at that URL as a recording for those who can't tune in live.</p>
<h3>IETF 97 Hackathon</h3>
<p>Over the weekend (12-13 Nov) we'll have a good-sized "DNS team" in the IETF 97 Hackathon working on various projects around DNSSEC, DANE, DNS Privacy, using DNS over TLS and much more. You can also get more info in <a href="https://www.ietf.org/registration/MeetingWiki/wiki/97hackathon">the IETF 97 Hackathon wiki</a>. Anyone is welcome to join us for part or all of that event.</p>
<h3>DNS Operations (DNSOP)</h3>
<p>The DNS Operations (DNSOP) Working Group meets on Tuesday afternoon from 13:30-15:30. Unfortunately, at the time I am writing this post, <a href="https://datatracker.ietf.org/meeting/97/agenda/dnsop/">the DNSOP agenda</a> does not have many details. There are a <a href="https://datatracker.ietf.org/wg/dnsop/">significant number of documents under discussion</a> on the mailing list and I expect a busy session.</p>
<p>I am not sure if there will be discussion of <a href="https://datatracker.ietf.org/doc/draft-york-dnsop-deploying-dnssec-crypto-algs/">the Internet Draft on DNSSEC cryptographic algorithm agility</a> in the meeting, but I do intend to meet with the other authors to plan our next steps.</p>
<h3>DNSBUNDLED Birds of a Feather (BOF) session</h3>
<p>On Wednesday morning from 9:30-11:00 there will be a BOF about "bundled domains". It's an interesting issue:</p>
<p><em>Bundled Domain will work on a DNS solution for fully mapping one domain name to another domain name. With the emergence of internationalized domain names and new TLDs, it is often useful to redirect one domain name tree fully to another domain name tree. Current DNS protocols have not provided such ability to satisfy these requirements.</em></p>
<p>These documents - <a href="https://datatracker.ietf.org/doc/draft-yao-bundled-name-problem-statement/">draft-yao-bundled-name-problem-statement</a> and <a href="https://tools.ietf.org/html/draft-yao-dnsext-identical-resolution">draft-yao-dnsext-identical-resolution</a> - go into more detail. The security question is how any such solution would work in a world of DNSSEC, where the mapping from one name tree to the other would itself have to be signed and validated rather than taken on trust from whichever server answers.</p>
<p>This BOF is <em>not</em> looking to form a working group but rather to identify work to be done by the IETF in general.</p>
<h3>DNS Service Discovery (DNSSD)</h3>
<p>On Thursday, the Extensions for Scalable DNS Service Discovery (DNSSD) Working Group meets in the morning from 9:30-11:00am. DNSSD is not one of the groups we regularly mention as its focus is around how DNS can be used to discover services available on a network (for example, a printer or file server). But this time <a href="https://datatracker.ietf.org/meeting/97/agenda/dnssd/">the DNSSD agenda</a> includes specific discussion around the privacy of DNS queries when used in this context.</p>
<h3>DNS Privacy (DPRIVE)</h3>
<p>The DNS Privacy (DPRIVE) Working Group drew the short straw this IETF meeting and wound up in the last session block on Friday, from 11:50-13:20. Regardless of how many people are still around by then, discussion should be lively as the group looks at expanding its efforts in a "Step 2" block of work. </p>
<p>To date, DNS privacy work has focused on using DNS over TLS <strong>from the stub resolver on a computer or device to the recursive resolver.</strong> This is defined in <a href="https://tools.ietf.org/html/rfc7858">RFC 7858</a>, published in May 2016, and several other related documents are on the path to publication (including one on DNS over DTLS). That first step hides queries from anyone watching the local network, but the recursive resolver itself still sees every query in the clear, and so does the path from it to the authoritative servers.</p>
<p>But back when the DPRIVE BoF first took place, there was recognition that the next step would be to protect the privacy of queries <strong>between the recursive resolver and the authoritative servers</strong>. The group decided to tackle the stub-to-recursive case first; now that that work is finishing up, Stephane Bortzmeyer will lead a discussion about moving on to the recursive-to-authoritative space. He has <a href="https://datatracker.ietf.org/doc/draft-bortzmeyer-dprive-step-2/">written a draft that explores this issue</a>. The outcome of the discussion will guide the future work of DPRIVE.</p>
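<p>As an added example (not code from this Rough Guide, from RFC 7858 or from any DPRIVE document), here is the stub-to-recursive exchange described above done by hand in Python: the DNS query is built in RFC 1035 wire format, framed with the two-byte length prefix that DNS over TCP and DNS over TLS share, sent over TLS on port 853, and the answer parsed back out with name compression handled. The resolver address and hostname are assumptions supplied by the caller (pick a DoT resolver you trust), and the sample response at the bottom is constructed so the parser can be exercised offline. The two TLS contexts show the difference between an authenticated profile (certificate chain and hostname verified) and an opportunistic one that merely encrypts.</p>

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS over TLS by RFC 7858
TYPE_A, CLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """"example.com" -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """RFC 1035 header (RD=1, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)

def frame_for_tls(msg: bytes) -> bytes:
    """TCP and TLS transports carry each DNS message behind a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = offset + 2 if end is None else end
            hops += 1
            if hops > 32:  # a hostile server could loop pointers forever
                raise ValueError("compression pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (offset if end is None else end)

def parse_response(msg: bytes, expected_id: int):
    """Check the header, skip the echoed question, return answer RRs as dicts."""
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if txid != expected_id or not flags & 0x8000 or flags & 0x000F:
        raise ValueError(f"bad response: id={txid:#x} flags={flags:#x}")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        rdata, off = msg[off:off + rdlen], off + rdlen
        data = ".".join(map(str, rdata)) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return answers

def tls_context(authenticated: bool = True) -> ssl.SSLContext:
    """Authenticated profile verifies chain and hostname; opportunistic only encrypts."""
    ctx = ssl.create_default_context()
    if not authenticated:
        # Still hides queries from passive observers on the path, but an active
        # attacker can impersonate the resolver. Prefer the authenticated profile.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def _recv_exact(sock, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return bytes(buf)

def query_over_tls(server_ip: str, server_name: str, qname: str,
                   qtype: int = TYPE_A, authenticated: bool = True):
    """One DoT query to <server_ip>:853 (a resolver of your choosing); returns parsed answers."""
    txid = secrets.randbelow(1 << 16)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5.0) as raw:
        with tls_context(authenticated).wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tls(build_query(qname, txid, qtype)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)

# Constructed sample response for example.com/A (192.0.2.1 is documentation space, not the real address).
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"             # id, flags QR|RD|RA, 1 question, 1 answer
    "07 6578616d706c65 03 636f6d 00 0001 0001"  # question: example.com A IN
    "c00c 0001 0001 0000012c 0004 c0000201"     # name ptr->12, A, IN, TTL 300, 192.0.2.1
)
```

<p>Two things worth keeping in mind when running this against a real resolver: the resolver operator still sees every query in the clear, which is exactly the gap the recursive-to-authoritative "Step 2" discussion is about, and with <code>authenticated=False</code> anyone on the path who intercepts port 853 can answer as the resolver, so the opportunistic mode is a fallback when no trust anchor for the resolver exists, not a configuration to settle on.</p>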
<h3>DNSSEC Coordination informal breakfast meeting</h3>
<p>Finally, on Friday morning before the sessions start we are planning an informal gathering of people involved with DNSSEC. We've done this at many of the IETF meetings over the past few years and it's been a good way to connect and talk about various projects. True to the "informal" nature, we're not sure of the location and time yet (and we are not sure if it will involve food or just be a meeting). If you would like to join us, please <a href="mailto:york@isoc.org">drop me an email</a> or <a href="https://elists.isoc.org/mailman/listinfo/dnssec-coord">join the dnssec-coord mailing list</a>.</p>
<h3>Other Working Groups</h3>
<p>We will be monitoring <a href="https://datatracker.ietf.org/meeting/97/agenda/tls/">the TLS WG</a>, particularly given the focus on TLS 1.3, the <a href="https://datatracker.ietf.org/meeting/97/agenda/saag/">Security Area open meeting</a> and other similar sessions.</p>
<p>It will be a busy week!</p>
<p>P.S. For more information about DNSSEC and DANE and how <em>you</em> can get them deployed for your networks and domains, please see our Deploy360 site:</p>
<ul>
<li><a href="https://www.internetsociety.org/deploy360/dnssec/">https://www.internetsociety.org/deploy360/dnssec/</a></li>
<li><a href="https://www.internetsociety.org/deploy360/resources/dane/">https://www.internetsociety.org/deploy360/resources/dane/</a></li>
</ul>
<h3><strong>Relevant Working Groups at IETF 97:</strong></h3>
<p><strong>DNSOP (DNS Operations) WG</strong> <br /><em>Tuesday, 15 November 2016, 1330-1530 KST (UTC+9), Grand Ballroom 1</em><br />Agenda: <a href="https://datatracker.ietf.org/meeting/97/agenda/dnsop/">https://datatracker.ietf.org/meeting/97/agenda/dnsop/</a> <br />Documents: <a href="https://datatracker.ietf.org/wg/dnsop/">https://datatracker.ietf.org/wg/dnsop/</a><br />Charter: <a href="https://datatracker.ietf.org/wg/dnsop/charters/">https://datatracker.ietf.org/wg/dnsop/charters/</a></p>
<p><strong>DNSBUNDLED (Bundled Domains) BOF</strong> <br /><em>Wednesday, 16 November 2016, 0930-1100 KST (UTC+9), Grand Ballroom 1</em><br />Problem statement: <a href="https://datatracker.ietf.org/doc/draft-yao-bundled-name-problem-statement/">draft-yao-bundled-name-problem-statement</a> <br />Charter: <a href="https://datatracker.ietf.org/wg/dnsbundled/charters/">https://datatracker.ietf.org/wg/dnsbundled/charters/</a></p>
<p><strong>DNSSD (Extensions for Scalable DNS Service Discovery) WG</strong> <br /><em>Thursday, 17 November 2016, 0930-1100 KST (UTC+9), Studio 4</em><br />Agenda: <a href="https://datatracker.ietf.org/meeting/97/agenda/dnssd/">https://datatracker.ietf.org/meeting/97/agenda/dnssd/</a> <br />Documents: <a href="https://datatracker.ietf.org/wg/dnssd/">https://datatracker.ietf.org/wg/dnssd/</a><br />Charter: <a href="https://datatracker.ietf.org/wg/dnssd/charters/">https://datatracker.ietf.org/wg/dnssd/charters/</a></p>
<p><strong>DPRIVE (DNS Privacy) WG</strong> <br /><em>Friday, 18 November 2016, 1150-1320 KST (UTC+9), Grand Ballroom 1</em><br />Agenda: <a href="https://datatracker.ietf.org/meeting/97/agenda/dprive/">https://datatracker.ietf.org/meeting/97/agenda/dprive/</a> <br />Documents: <a href="https://datatracker.ietf.org/wg/dprive/">https://datatracker.ietf.org/wg/dprive/</a><br />Charter: <a href="https://datatracker.ietf.org/wg/dprive/charters/">https://datatracker.ietf.org/wg/dprive/charters/</a></p>
<h3><strong>Follow Us</strong></h3>
<p>There’s a lot going on in Seoul, and whether you plan to be there or <a href="https://www.ietf.org/meeting/97/remote-participation.html">join remotely</a>, there's much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the <a href="https://www.internetsociety.org/blog/tech-matters">Internet Technology Matters blog</a>, <a href="https://twitter.com/isoctech">Twitter</a>, <a href="https://www.facebook.com/InternetTechnologyMatters">Facebook</a>, <a href="https://plus.google.com/u/0/b/107990296884882883268/107990296884882883268/posts">Google+</a>, via <a href="https://www.internetsociety.org/node/199377/feed">RSS</a>, or see <a href="https://www.internetsociety.org/rough-guide-ietf97">https://www.internetsociety.org/rough-guide-ietf97</a>.</p>
Tue, 11 Oct 2016 09:14:41 +0100
Dan York