Skip to main content
  • IETF 116 Yokohama registration now open

    Registration is now open for IETF 116 Yokohama

    • Jay DaleyIETF Executive Director
    24 Nov 2022
  • IETF 115 post-meeting survey

    IETF 115 London was held 5-11 November 2022

    • Jay DaleyIETF Executive Director
    22 Nov 2022
  • Catching up on IETF 115

    Recordings are now available for sessions held during the IETF 115 meeting and the IETF Hackathon, where more than 1500 participants gathered in London and online 5-11 November 2022.

      13 Nov 2022
    • Opportunities for university researchers and students during IETF 115

      The upcoming IETF 115 meeting in London on 5-11 November 2022 is a unique opportunity for networking researchers to learn how RFCs are written, to engage with the Internet standards community to begin to develop research impact, and to meet more than 1,000 leading technologists from around the world currently working in industry, academia, and other organizations.

        1 Nov 2022
      • Suggested IETF 115 Sessions for Getting Familiar with New Topics

        These IETF 115 meeting sessions are likely to include discussions and new proposals that are accessible to a broad range of Internet technologists whether they are new to the IETF or long-time participants.

          24 Oct 2022

        Filter by topic and date

        Filter by topic and date

        Observations on the CIA Revelations

        • Jari ArkkoIETF Chair
        • Stephen FarrellSecurity Area Director

        10 Mar 2017

        Recent news stories, and some IETF list discussion, have related to the release of (claimed) CIA materials relating to surveillance, hacking and information warfare.

        Aerial imagery of Hungary
        Photo credits: Image of the toxic leak in a reservoir in Ajka, Hungary affecting the villages of Kolontar and Devecsar, photo by DigitalGlobe, sourced from Wikimedia (CC BY 3.0)

        There has been quite a bit of discussion about the details of the various attacks contained in this leak, such as those relating to surveillance through smart TVs, or hacking vehicles. But are there more general conclusions that we can draw from release of this information?

        First, we think the content of leaks is not particularly surprising, especially given knowledge of other leaks in recent years, such as those from Edward Snowden. Malware is another tool in the same toolbox that is already known to include many other efforts that attempt to compromise security, such as pervasive surveillance.

        But the release of the current tranche of documents does seem to nicely support a number of things that we knew already and that are arguably more worthy of consideration:

        1. Security is not a single feature, rather the level of security one experiences needs to be thought of as an emergent property of the whole system. Communications security, for instance, is necessary but not sufficient. You also have to worry about the security of your devices, platforms, operating systems, and components. And the reliability of your communication partners.
        2. There is no such thing as privileged access for the good guys once there are more than a very small number of people involved. Sooner or later the privileged way to access information or hacks will either leak, be re-discovered independently by others, or be shared to parties that do not have your best interest in mind. In addition, systems built to take advantage of the privileged access will get broken and misused.
        3. All malware is just that, malicious software designed to disrupt or compromise other systems. And all will eventually leak. Secretly held knowledge of vulnerabilities makes us all less safe. The vulnerabilities will be exploited, perhaps traded or shared, instead of being reported and fixed. And when they leak out, they do damage to your friends as well as your supposed enemies.
        4. The security of our communications and applications matters a lot. Lives are at stake, not just your browsing history. Our entire societies run on top of our technical infrastructure, from hospitals and power plants to political processes and our economy. We cannot afford to compromise the security of these systems.

        As noted, we think these are matters that are already known, but reminding ourselves of the big picture now and then can be useful.

        From the IETF perspective we are of course committed to continuing our effort to provide the best possible technical tools for the Internet and the users. One technical observation that may be of use is that focusing on protecting data and not merely links or transport needs better support, make it easier to achieve in practise and at scale.


        Share this page