Mass Surveillance: The Internet’s best engineers are fighting back

The Internet Engineering Task Force (IETF) has played down suggestions that the NSA is weakening the security of the Internet through its standardization processes, and has insisted that the nature of those processes will result in better online privacy for all.

d174ad2a-7500-4c80-b3d8-653c8a7ca9b5.jpgAfter the Snowden documents dropped in mid 2013, the IETF said it was going to do something about mass surveillance. After all, the Internet technology standards body is one of the groups that’s best placed to do so and a year and a half after the NSA contractor blew the lid on the activities of the NSA and its international partners, it looks like real progress is being made.

The IETF doesn’t have members as such, only participants from a huge variety of companies and other organizations that have an interest in the way the Internet develops. Adoption of its standards is voluntary and as a result sometimes patchy, but they are used. This is a key forum for the standardization of Web-RTC and the Internet of Things, for example, and the place where the IPv6 communications protocol was born. And security is now a very high priority across many of these disparate strands.

With trust in the Internet having been severely shaken by Snowden’s revelations, the battle is back on. In May last year, the IETF published a “best practice” document stating baldly that, “pervasive monitoring is an attack.” Stephen Farrell, one of the document’s co-authors and one of the two IETF Security Area Directors, explained that this new stance meant focusing on embedding security in a variety of different projects that the IETF is working on.

Recently Germany’s Der Spiegel published details of some of the efforts by the NSA and its partners, such as British signals intelligence agency GCHQ, to bypass Internet security mechanisms, in some cases by trying to weaken encryption standards. The piece stated that NSA agents go to IETF meetings “to gather information but presumably also to influence the discussions there,” referring in particular to a GCHQ Wiki page that included a write-up of an IETF gathering in San Diego some years ago.

Snowden’s revelations prompted a fundamental rethink within the IETF about what kind of security the Internet should be aiming for overall. Specifically, the IETF is in the process of formalizing a concept called “opportunistic security” whereby, even if full end-to-end security isn’t practical for whatever reason, some security is now officially recognized as being better than nothing.

Facebook and Google have stepped up mail-server-to-mail-server encryption in the wake of Snowden. Facebook sends a lot of emails to its users and, according to Farrell, 90 percent of those are now encrypted between servers. Google has also done a lot of work to send encrypted mail to more providers.

Meanwhile, a separate working group is trying to develop a new DNS Private Exchange (DPRIVE) mechanism to make DNS transactions – where someone enters a web address and a Domain Name System server translates it to a machine-friendly IP address – more private.   gigaom

« US Media Goes Into Overdrive Blaming North Korea for the Sony Hack: Is It Justified?
Google faces US privacy suit over user data policy »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSIRT Panama

CSIRT Panama

CSIRT Panama is the national Computer Incident Response Team for Panama.

Cyber Akademie (CAk)

Cyber Akademie (CAk)

Cyber Akademie is a training and education center providing high-quality training and information events on information security and data protection.

UL

UL

UL is a safety, security and compliance consulting and certification company. Areas covered include cyber security.

Apomatix

Apomatix

Apomatix is a platform that simplifies the complexity of cyber risk audit and management.

SafeBreach

SafeBreach

SafeBreach's platform simulates hacker breach methods across the entire kill chain to identify breach scenarios in your environment before an attacker does.

Fujitsu

Fujitsu

Fujitsu is the leading Japanese global information and communication technology company, offering a full range of products, solutions and services including Managed IT Services and Cyber Security.

Exein

Exein

Exein are on a mission to build the world’s first ecosystem for firmware security so that all different types of firmware are secure around the world.

Cyber Craft

Cyber Craft

CyberCraft is an innovative and dynamic software development, outsourcing and consulting company. Services offered include penetration testing.

IAmI Authentications

IAmI Authentications

IAmI is a first in Tokenization Cloud-based IAM Security Services, delivering the most advanced form of Two-Factor Authentication.

Granted Consultancy

Granted Consultancy

Granted Consultancy is a business consultancy that specialises in securing funding to support companies with the development and commercialisation of new and innovative products and technologies.

Aujus Cybersecurity

Aujus Cybersecurity

Aujas is a pure-play cyber security services company with deep expertise in Identity and Access Management, Managed Security and Security Testing services.

DataEndure

DataEndure

DataEndure helps companies build digital resilience so that their critical information assets are protected and available to the right people, at the right time.

Mitiga

Mitiga

Mitiga uniquily combines the top cybersecurity minds in Incident Readiness and Response with a cloud-based platform for cloud and hybrid environments.

Hexens

Hexens

Hexens introduces a whole new approach to cybersecurity solutions. Indisputable skills and a unique super-focused perspective on every single case are the values we create.

Darknone Global

Darknone Global

Darknone is a consortium of elite hackers and security leaders united by an unbridled passion for augmenting the security of the digital realm.

TetherView

TetherView

TetherView provides leading virtual desktop and email security technology to help businesses stand up and manage digital workspaces.