Skip to main content
  • IETF Administration LLC 2025 Budget

    A draft budget was shared previously for community consultation and the IETF Administration LLC now has finalised its budget for 2025.

    22 Jan 2025
  • RFC Production Center management transition

    After an extensive review of recent developments in the RFC Editor function, the IETF Administration LLC (IETF LLC) and Association Management Solutions LLC (AMS) have agreed that the IETF LLC will assume management of existing RFC Production Center (RPC) staff, under an Employer of Record arrangement with AMS, the employer of the RPC team.

    5 Jan 2025
  • Workshop on the Decentralization of the Internet at ACM CoNEXT 2024

    The recent Decentralization of the Internet (DIN) workshop at ACM CoNEXT-2024 brought together network researchers, law and policy experts, and digital right activists to discuss the consolidation and centralization of the existing Internet applications, services, and infrastructure observed in recent years.

    19 Dec 2024
  • Launch of the IETF Community Survey 2024

    The IETF Community survey is our major annual survey of the whole of the IETF community and is used to inform the actions of IETF leadership throughout the year. The 2024 IETF Community Survey is live and we want to hear from you!

    19 Dec 2024
  • Second IASA2 Retrospective Report

    The IETF Administration LLC (IETF LLC) has now completed the second IETF Administrative Support Activity (IASA 2.0) retrospective. The report was developed with community input and review, and is now available online.

    18 Dec 2024

Filter by topic and date

Filter by topic and date

Observations on the CIA Revelations

10 Mar 2017

Recent news stories, and some IETF list discussion, have related to the release of (claimed) CIA materials relating to surveillance, hacking and information warfare.

Aerial imagery of Hungary
Photo credits: Image of the toxic leak in a reservoir in Ajka, Hungary affecting the villages of Kolontar and Devecsar, photo by DigitalGlobe, sourced from Wikimedia (CC BY 3.0)

There has been quite a bit of discussion about the details of the various attacks contained in this leak, such as those relating to surveillance through smart TVs, or hacking vehicles. But are there more general conclusions that we can draw from release of this information?

First, we think the content of leaks is not particularly surprising, especially given knowledge of other leaks in recent years, such as those from Edward Snowden. Malware is another tool in the same toolbox that is already known to include many other efforts that attempt to compromise security, such as pervasive surveillance.

But the release of the current tranche of documents does seem to nicely support a number of things that we knew already and that are arguably more worthy of consideration:

  1. Security is not a single feature, rather the level of security one experiences needs to be thought of as an emergent property of the whole system. Communications security, for instance, is necessary but not sufficient. You also have to worry about the security of your devices, platforms, operating systems, and components. And the reliability of your communication partners.
  2. There is no such thing as privileged access for the good guys once there are more than a very small number of people involved. Sooner or later the privileged way to access information or hacks will either leak, be re-discovered independently by others, or be shared to parties that do not have your best interest in mind. In addition, systems built to take advantage of the privileged access will get broken and misused.
  3. All malware is just that, malicious software designed to disrupt or compromise other systems. And all will eventually leak. Secretly held knowledge of vulnerabilities makes us all less safe. The vulnerabilities will be exploited, perhaps traded or shared, instead of being reported and fixed. And when they leak out, they do damage to your friends as well as your supposed enemies.
  4. The security of our communications and applications matters a lot. Lives are at stake, not just your browsing history. Our entire societies run on top of our technical infrastructure, from hospitals and power plants to political processes and our economy. We cannot afford to compromise the security of these systems.

As noted, we think these are matters that are already known, but reminding ourselves of the big picture now and then can be useful.

From the IETF perspective we are of course committed to continuing our effort to provide the best possible technical tools for the Internet and the users. One technical observation that may be of use is that focusing on protecting data and not merely links or transport needs better support, make it easier to achieve in practise and at scale.


Share this page