S Moonesamy | 6 Jun 08:39 2014

Logging Recommendations for Internet-Facing Servers

Hello,

BCP 162 contains logging recommendations for internet-facing 
servers.  Quoting the document:

   "Discussions about data-retention policies are out of scope for this
    document.  Server security and transport security are important for
    the protection of logs for Internet-facing systems.  The operator of
    the Internet-facing server must consider the risks, including the
    data and services on the server, to determine the appropriate
    measures.  The protection of logs is critical in incident
    investigations.  If logs are tampered with, evidence could be
    destroyed."

In other words, the BCP makes a recommendation without any discussion 
about privacy considerations.  The issue is traceability.  It has 
been the practice to log IP addresses.  Keeping the logs for years is 
not a good idea as it is difficult to argue that the information is necessary.

I suggest that the BCP be reconsidered given the lack of privacy 
considerations.

Regards,
S. Moonesamy 
David Singer | 28 May 00:03 2014

cursory PPM Review of RFC 4368

<http://tools.ietf.org/html/rfc4368>

This is about low-level access (SNMP) to low-level (multi-protocol switching) network information, and
has apparently well-developed security considerations. Privacy is only mentioned once:
"It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy)."

Since not even IP addresses are exposed, or traffic details, it's hard to see direct privacy implications
here. However, the whole area of being able to interrogate network equipment over protocols such as SNMP
might well have such implications (e.g. if it's possible to work out which addresses a given IP address is
communicating with). 

David Singer
Manager, Software Standards, Apple Inc.
=JeffH | 15 May 00:59 2014

Big Data Ethics (was: recent scholarship wrt privacy law, obligations, legal theories & frameworks)

And, building upon Solove's work, there's this...

Big Data Ethics
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2384174

Neil M. Richards
Jonathan H. King

January 23, 2014

Wake Forest Law Review, 2014

Abstract:

We are on the cusp of a "Big Data" Revolution, in which increasingly large 
datasets are mined for important predictions and often surprising insights. 
The predictions and decisions this revolution will enable will transform our 
society in ways comparable to the Industrial Revolution. We are now at a 
critical moment; big data uses today will be sticky and will settle both 
default norms and public notions of what is "no big deal" regarding big data 
predictions for years to come.

In this paper, we argue that big data, broadly defined, is producing 
increased powers of institutional awareness and power that require the 
development of a Big Data Ethics. We are building a new digital society, and 
the values we build or fail to build into our new digital structures will 
define us. Critically, if we fail to balance the human values that we care 
about, like privacy, confidentiality, transparency, identity and free choice 
with the compelling uses of big data, our Big Data Society risks abandoning 
these values for the sake of innovation and expediency.

=JeffH | 15 May 00:59 2014

recent scholarship wrt privacy law, obligations, legal theories & frameworks

Some interesting recent research/thinking around privacy law, obligations, 
legal theories & frameworks...

The FTC and the New Common Law of Privacy
by Daniel Solove * April 13, 2014
http://www.concurringopinions.com/archives/2014/04/the-ftc-and-the-new-common-law-of-privacy-2.html

10 Reasons Why Privacy Matters
by Daniel Solove * January 14, 2014
http://www.concurringopinions.com/archives/2014/01/10-reasons-why-privacy-matters.html

What Is Personally Identifiable Information (PII)? Finding Common Ground in 
the EU and US
by Daniel Solove * June 26, 2013
http://www.concurringopinions.com/archives/2013/06/what-is-personally-identifiable-information-pii-finding-common-ground-in-the-eu-and-us.html

Privacy Self-Management and the Consent Dilemma
by Daniel Solove * May 21, 2013
http://www.concurringopinions.com/archives/2013/05/privacy-self-management-and-the-consent-dilemma.html

Harvard Law Review Privacy Symposium Issue
http://www.concurringopinions.com/archives/2013/05/harvard-law-review-privacy-symposium-issue.html
May 21, 2013

The privacy symposium issue of the Harvard Law Review is hot off the 
presses.  Here are the articles:

SYMPOSIUM
PRIVACY AND TECHNOLOGY
Introduction: Privacy Self-Management and the Consent Dilemmas

Hannes Tschofenig | 5 May 19:43 2014

Status?

Hi all,

I was wondering what the status of the review activities is.
Various folks expressed interest to do some reviews at the last f2f
meeting in London.

Did anything happen already?

Ciao
Hannes

_______________________________________________
ietf-privacy mailing list
ietf-privacy <at> ietf.org
https://www.ietf.org/mailman/listinfo/ietf-privacy
S Moonesamy | 29 Apr 22:14 2014

Re: CFP: The 6th International Symposium on Cyberspace Safety and Security (off-topic)

Hello,

Was the message at 
http://www.ietf.org/mail-archive/web/ietf-privacy/current/msg00394.html 
approved by the ietf-privacy mailing list moderator?

Regards,
S. Moonesamy
Peter Mueller | 29 Apr 21:37 2014

CFP: The 6th International Symposium on Cyberspace Safety and Security

===============================================================
CALL FOR PAPERS CSS 2014
The 6th International Symposium on Cyberspace Safety and Security
August 20-22, 2014, Paris, France
http://www.computational-science.org/CSS2014/
===============================================================
*IMPORTANT DATES*
Paper submission: 28 April, 2014 -> Extended to 12 May, 2014
Notification of acceptance: 23 June, 2014
Camera-Ready due: 15 July, 2014

*SCOPE*
A large fraction of the population in the world now spends a great deal of time in cyberspace. Cyberspace has become a critical infrastructure that is embedded in almost all other critical infrastructures and enables every movement of human society. It is thus very much in the public interest to have a safe and secure cyberspace.
In the past several years, there have been a large number of attacks in cyberspace, such as attacks on the Internet, attacks on embedded/real-time computing and control systems, and attacks on dedicated computing facilities. Many research efforts have been made to achieve cyberspace safety and security, such as blocking and limiting the impact of compromise, enabling accountability, promoting deployment of defense systems, and deterring potential attackers and penalizing attackers.
In this context, we focus our program on Cyberspace Safety and Security, such as authentication, access control, availability, integrity, privacy, confidentiality, dependability and sustainability issues of cyberspace. The aim of this symposium is to provide a leading edge forum to foster interaction between researchers and developers with the cyberspace safety and security communities, and to give attendees an opportunity to network with experts in this area. The symposium will be a highly focused, professional, high quality, and social event.

Distinguished papers presented at the conference, after further revision, will be recommended for possible publication in special issues of the SCI Indexed Journals.
 
Topics of interest include, but are not limited to:

(1) Data and Applications Security
- Digital Rights Management
- Secure Information Integration and Transaction Processing
- Secure Semantic Web and Web Services
- Security in E-Commerce and M-Commerce
- Watermarking
- Privacy and Data Protection
- Emerging Technologies and Applications
- Database Security
- Data Mining Security

(2) Network and Communications Security
- Active Defense Techniques and Systems
- Distributed Intrusion Detection/Prevention Systems
- Denial-of-Service Attacks and Countermeasures
- Intelligent Defense Systems
- Internet and Network Forensics
- Secure Network Architectures
- Security for Ad-Hoc and Sensor Networks
- Spam Detection and Prevention
- 5G Mobile Networks Security and Trust
- Trust, Security and Privacy in Social Networks
- Privacy Enhancement Technologies
- Security issues in emerging networking technologies (e.g., SDN, CCN)

(3) Software and Systems Security
- Analysis, identification, prevention, and removal of vulnerabilities
- Audit and digital forensics
- Authorization and access control of software objects
- Dependable computing and fault tolerance
- Detection of, defense against, containment of, and recovery from attacks
- Operating system and mobile operating system security
- Risk modeling, assessment, and management in software engineering
- Security for large-scale systems and critical infrastructures
- Security in distributed systems and pervasive computing
- Viruses, worms, Trojans, and other malicious codes

(4) Cloud Security
- Cloud and mobile cloud computing data access control
- Privacy preservation and data privacy in cloud
- Trust management in cloud computing
- Big data trust in cloud
- Secure cloud data storage
- Verifiable cloud computing
- Security solutions based on cloud computing
- Trustworthy identity management in cloud
- Media cloud security and cloud security policy
- Security for personal cloud

(5) Cyberspace Safety
- Access Control and Trust Management
- Identity Management and Authentication
- Security and Usability
- Security in Pervasive and Embedded Systems
- Privacy Models, Privacy Enhancing Technologies
- Human Factors in Computer Security
- Risk Assessment in Cyber Security
- Cyber-Physical System Security
- Benchmark, Analysis and Evaluation of Cyber Security
- Implementation, Deployment and Management of Cyber Security

*PAST HISTORY*
Previously CSS has been held in Zhangjiajie, China (2013), Melbourne, Australia (2012), Milan, Italy (2011), Chengdu, China (2009), and Sydney, Australia (2008).

*SUBMISSION INSTRUCTIONS*
Submitted manuscripts should be written in English conforming to the IEEE conference proceedings format (8.5" x 11", Two-Column, template available at http://www.computer.org/portal/web/cscps/formatting). Manuscripts should not exceed 8 pages for full papers and 4 pages for short papers, including tables and figures. All paper submissions must represent original and unpublished work. Papers must be submitted electronically in PDF format through EasyChair:
https://www.easychair.org/conferences/?conf=css20140
For more information on submission please contact:
css2014-0 <at> easychair.org

*PUBLICATIONS*
The accepted papers from this conference will be submitted for publication in IEEE Xplore as well as other Abstracting and Indexing (A&I) databases (EI Compendex). Distinguished papers, after further revisions, will be considered for possible publication in several SCI & EI indexed special issues of prestigious international journals. By submitting a paper to the conference, authors assure that if the paper is accepted, at least one author will attend the conference and present the paper. Selected excellent papers of CSS2014 will be recommended to be published in reputable journal SIs after further extension and improvement.

*CONFERENCE COMMITTEES*
General Chairs
Julien Bourgeois, UFC/FEMTO-ST Institute, France
Frédéric Magoulès, Ecole Centrale Paris, France

Program Chairs
Zheng Yan, Xidian University, China / Aalto University, Finland
Peter Mueller, IBM Zurich Research, Switzerland
Robert H. Deng, Singapore Management University, Singapore

Steering Chairs
Yang Xiang, Deakin University, Australia
Laurence T. Yang, St. Francis Xavier University, Canada

Vice-program Chairs
(1) Data and Applications Security
Xinyi Huang, Fujian Normal University, China
Ioanna Dionysiou, University of Nicosia, Cyprus

(2) Network and Communications Security
Marinella Petrocchi, Istituto di Informatica e Telematica, CNR, Italy
Tanveer A Zia, Charles Sturt University, Australia

(3) Software and Systems Security
WenTao Zhu, Chinese Academy of Sciences, China
Jin Li, Guang Zhou University, China

(4) Cloud Security
Honggang Wang, University of Massachusetts Dartmouth, USA
Igor Kotenko, SPIIRAS, Russia

(5) Cyberspace Safety
Ming Li, Utah State University, USA
Shucheng Yu, University of Arkansas at Little Rock, USA

Program Committee
Track 1: Data and Applications Security

Man Ho Au, University of Wollongong, Australia
Xiaofeng Chen, Xidian University, China
Thoshitha Gamage, Washington State University, USA
Jinguang Han, Nanjing University of Finance & Economics, China
David Johnson, Imperial College London, UK
Daniel Conte de Leon, University of Idaho, USA
Jiguo Li, Hohai University, China
Joseph Liu, Institute for Infocomm Research, Singapore
Yuko Murayama, Iwate Prefectural University, Japan
Luca Spalazzi, Università Politecnica Delle Marche, Italy
Chunhua Su, JAIST, Japan
Ruben Trapero, TU Darmstadt, Germany
Raylin Tso, National Chengchi University, Taiwan
Wun-She Yap, University Tunku Abdul Rahman, Malaysia
Yong Yu, University of Wollongong, Australia

Track 2: Network and Communications Security

Marco Casassa Mont, Hewlett-Packard Labs Bristol, UK
David Chadwick, University of Kent, UK
Roberto Di Pietro, Bell Labs, France
Carmen Fernandez Gago, University of Malaga, Spain
Weili Han, Fudan University, China
Mohammed Kaosar, Charles Sturt University, Australia
Muhammad Khurram Khan, King Saud University, Saudi Arabia
Gabriele Lenzini, University of Luxembourg, Luxembourg
Fabio Martinelli, IIT-CNR Pisa, Italy
Paolo Mori, IIT-CNR Pisa, Italy
Federica Paci, University of Trento, Italy
Pierangela Samarati, Università degli Studi di Milano, Italy
Daniele Sgandurra, Imperial College, UK
Gianluca Stringhini, University of California at Santa Barbara, USA
Willy Susilo, University of Wollongong, Australia
Jianming Yong, University of Southern Queensland, Australia
Dajiang Zhang, Microsoft, China

Track 3: Software and Systems Security

Rafael Accorsi, University of Freiburg, Germany
Rose Gamble, University of Tulsa, USA
Dieter Gollmann, Hamburg University of Technology, Germany
Xiaoqi Jia, Chinese Academy of Sciences, China
Nan Jiang, East China Jiao Tong University, China
Muhammad Khurram Khan, King Saud University, Saudi Arabia
Junzuo Lai, Jinan University, China
Cheng-Chi Lee, Fu Jen Catholic University, Taiwan
Patrick P.C. Lee, The Chinese University of Hong Kong, Hong Kong
Chun-Ta Li, Tainan University of Technology, Taiwan
Jay Ligatti, University of South Florida, USA
Jingqiang Lin, Chinese Academy of Sciences, China
Jianxun Liu, Hunan University of Science and Technology, China
Joseph Liu, Institute for Infocomm Research, Singapore
Peng Liu, The Pennsylvania State University, USA
Zheli Liu, Nankai University, China
Gerardo Pelosi, Politecnico di Milano, Italy
Damien Sauveron, University of Limoges, France
Juan E. Tapiador, Universidad Carlos III de Madrid, Spain
Duncan Wong, City University of Hong Kong, Hong Kong
Shouhuai Xu, University of Texas at San Antonio, USA
Xianfeng Zhao, Chinese Academy of Sciences, China

Track 4: Cloud Security

Fabrizio Baiardi, University of Pisa, Italy
Miguel Correia, IST/INESC-ID, Portugal
Qian Duan, Penn State University, USA
Dennis Gamayunov, Moscow State University, Russia
Kun Hua, Lawrence Technological University, USA
Jun Huang, South Dakota School of Mines & Technology, USA
Hong Liu, University of Massachusetts Dartmouth, USA
Gregorio Martinez Perez, University of Murcia, Spain
Rongxing Lu, Nanyang Technological University, Singapore
Nuno Neves, University of Lisboa,L, Portugal
Vladimir Oleshchuk, University of Agder, Norway
Roland Rieke, Fraunhofer Institute for Secure Information Technology SIT, Germany
Joel Rodrigues, University of Beira Interior, Portugal
Houbing Song, West Virginia University, USA
Yun Tian, California State University, Fullerton, USA
Dalei Wu, Massachusetts Institute of Technology, USA
Shaoen Wu, Ball State University, USA
Yan Wu, National Institute of Standards and Technology, USA
Igor Saenko, St.Petersburg Institute for Information and Automation of RAS, Russia
Jianjun Yang, University of North Georgia, USA
Qing Yang, Montana State University, USA
Liang Zhou, Nanjing University of Post and Telecommunications, China

Track 5: Cyberspace Safety

Ryan Gerdes, Utah State University, USA
Hui Li, Xidian University, China
Xiaodong Lin, University of Ontario Institute of Technology, Canada
Yao Liu, University of South Florida, USA
Javier Lopez, University of Malaga, Spain
Aziz Mohaisen, Verisign Labs, USA
Chiu C. Tan, Temple University, USA
A. Selcuk Uluagac, Georgia Institute of Technology, USA
Cong Wang, City University of Hong Kong, China
Qian Wang, Wuhan University, China
Mengjun Xie, University of Arkansas at Little Rock, USA
Qing Yang, Montana State University, USA
Kai Zeng, University of Michigan - Dearborn, USA
Rui Zhang, University of Hawaii, USA
Horne, Rob | 24 Mar 13:31 2014

Re: [perpass] Wiki for managing PPM reviews of existing RFCs

Hi, I’m interested in reviewing RFCs so could someone tell me – or point me in the direction of – what the goals are, how to conduct a review and what exactly are we looking for?

Thanks,

Rob

From: ietf-privacy [mailto:ietf-privacy-bounces <at> ietf.org] On Behalf Of Scott Brim
Sent: 24 March 2014 12:23
To: yaojk
Cc: ietf-privacy <at> ietf.org; perpass
Subject: Re: [ietf-privacy] [perpass] Wiki for managing PPM reviews of existing RFCs

On Mar 23, 2014 10:49 PM, "Jiankang Yao" <yaojk <at> cnnic.cn> wrote:
> since there are thousands of RFCs, it is better that they can be reviewed by category.
> for example, based on the following category:
> http://www.faqs.org/rfcs/np.html
>  
> Jiankang Yao

We want to make sure the essential RFCs are reviewed, and categories are a good way to organize that if you know what categories to use. We don't have enough experience yet to know what good categories would be -- we don't know how many reviewers we will have or their interest areas. To start with let's just get everyone doing reviews. We can organize them later, once we get over a hundred.

Thanks... Scott

Scott Brim | 22 Mar 22:21 2014

Wiki for managing PPM reviews of existing RFCs

(I'm sending to both perpass and ietf-privacy for this announcement,
but follow-up should be only to ietf-privacy)

Greetings. At the London IETF we had a Monday lunch meeting to talk
about doing systematic reviews of existing RFCs. We finally have a
wiki page for tracking that activity. It is at
<https://trac.tools.ietf.org/group/ppm-legacy-review/>.

We are using the Trac ticket system. If you have used tickets for
working group issues, it's essentially the same but with a few
different parameters. There are instructions on how to fill out a
ticket on the web page.

If you were at the Monday lunch and announced an intention to work
on a particular set of RFCs, now there's a home for your reviews. If
you couldn't commit to doing reviews but want to do some, here is your
chance! (If you don't have a login on the wiki, it's easy to
register.) In both cases, please add a ticket when you _start_ your
review -- don't wait until you finish, people will want to know all
about it from the start.

Thanks,

Scott and Avri
Stephane Bortzmeyer | 20 Mar 15:49 2014

[ietf-secretariat <at> ietf.org: New Non-WG Mailing List: dns-privacy]

A new "official" effort in privacy at IETF. DNS privacy discussions
went out of the DNSOP working group, to this new mailing list.
From: IETF Secretariat <ietf-secretariat <at> ietf.org>
Subject: New Non-WG Mailing List: dns-privacy
Date: 2014-03-17 18:10:46 GMT
A new IETF non-working group email list has been created.

List address: dns-privacy <at> ietf.org
Archive: http://www.ietf.org/mail-archive/web/dns-privacy/
To subscribe: https://www.ietf.org/mailman/listinfo/dns-privacy

Purpose: This list is for the discussion of the problem statement surrounding the addition of privacy to
the DNS protocol.

For additional information, please contact the list administrators.
Christian Huitema | 16 Mar 07:46 2014

FW: New Version Notification for draft-huitema-perpass-dhcp-identifiers-00.txt

For what it is worth, the draft about DHCP, identifiers and privacy is now published on the IETF servers.

-----Original Message-----
From: internet-drafts <at> ietf.org [mailto:internet-drafts <at> ietf.org] 
Sent: Wednesday, March 12, 2014 10:40 PM
To: Christian Huitema; Christian Huitema
Subject: New Version Notification for draft-huitema-perpass-dhcp-identifiers-00.txt

A new version of I-D, draft-huitema-perpass-dhcp-identifiers-00.txt
has been successfully submitted by Christian Huitema and posted to the
IETF repository.

Name:		draft-huitema-perpass-dhcp-identifiers
Revision:	00
Title:		Unique Identifiers in DHCP options enable device tracking
Document date:	2014-03-13
Group:		Individual Submission
Pages:		9
URL:            http://www.ietf.org/internet-drafts/draft-huitema-perpass-dhcp-identifiers-00.txt
Status:         https://datatracker.ietf.org/doc/draft-huitema-perpass-dhcp-identifiers/
Htmlized:       http://tools.ietf.org/html/draft-huitema-perpass-dhcp-identifiers-00

Abstract:
   Some DHCP options carry unique identifiers.  These identifiers can
   enable device tracking even if the device administrator takes care of
   randomizing other potential identifications like link-layer addresses
   or IPv6 addresses.  This document reviews these options and proposes
   solutions for better management.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
