RESPONSIBLE - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment

2018-04-24: I'm doing some zmap measurements using this host as the source of probes. Any problems with that - please just contact me stephen.farrell@cs.tcd.ie. Details of that published so far are here.

We're a loose collective of folks in Ireland interested in security and privacy. We have a charter and we held a workshop (at which we took notes).

Charter, September 2017

It is in the interests of all stakeholders in the Internet (Fixed, Mobile, of Things) in Ireland that its security and privacy properties be well understood and improved. Perhaps the most important stakeholder is now the average citizen, whose privacy, safety and general well-being is being increasingly impacted by technological advances. We wish to address these issues by carrying out research, probing for weaknesses, and issuing occasional advisories and recommendations.

In the absence of a “Geneva Convention” around the issues of cyber-warfare, and the fact of being the subject of external threat, we feel it appropriate to work within the context of the island of Ireland, and our local laws. Therefore ours is a local organisation. However we will be happy to work with like-minded organisations in other jurisdictions.

Our group consists of academics, researchers, employees of big and small companies, those involved in Internet Infrastructure civil society, and from government. We believe that by pooling our resources we can form a “critical mass” in terms of expertise and thus be more likely to succeed in having useful local impact.

We particularly welcome members of the security services and law enforcement. We respect your valid interest in these matters. As a group we will always respect the rule of law, and will at all times operate within the existing law (while remaining free to lobby for changes in the law through the normal democratic processes).

We will at all times adhere to the principles of “responsible disclosure” - see https://en.wikipedia.org/wiki/Responsible_disclosure. Therefore although we may probe for vulnerabilities without prior notice, our intention is to help identify and fix them, not to exploit them for gain, notoriety, publicity, or just because we can.

We’re a “semi-open” group – we intend the results of our work to be public whenever possible, but we will do our work via a moderated mailing list. If you’re interested in participating, please feel free to contact mailto:stephen.farrell@cs.tcd.ie

RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment

201700907, v0.999, stephen.farrell@cs.tcd.ie

Many thanks to our generous sponsors:

If you're interested in this activity, feel free to send us an emailto

Slides used on the day of the w/s

Ireland has a thriving ICT environment, both commercial and academic, but yet lags many countries in terms of the availability of expertise in the security and privacy space. While the history that lead us to this point is understandable, and while that was not a hugely pressing problem in the past, given today's risk profile, the lack of local critical-mass collections of expertise could turn out to be hugely damaging for the people of Ireland, if it leads to our systems and networks being more vulnerable or privacy-unfriendly than others.

The RESPONSIBLE workshop is the next step in an effort to marshall the existing talents and efforts from Irish-based industry, government, civil society and academia in order to start to build a sustainable above-critical-mass collection of people interested in collaborating to improve the local (and global) security and privacy properties of the networks and systems on which we all depend more and more, both for the benefit of those operating such systems and networks, but also for the benefit of the people of Ireland and beyond.

Background/Overview:

Since April, one of the workshop organisers (SF) has had meetings about doing local work on Internet security and privacy with folks from a varied set of organisations (listed below). The main hypothesis being that Irish academia alone lacks critical mass to do significantly impactful and sustained work in this space, and that industry, government and civil society involvement is necessary in order to achieve that critical mass and have worthwhile impact locally and more broadly. Bringing together the varied interests and expertise of people in all those areas should also help to improve any work done and help towards sustainable efforts in this space. This workshop is aiming to take the output of that set of meetings to the next level where we identify sets of people and topics on which to work... and then start that work.

Organisations who've taken meetings so far (in alpha order): Cisco, Citibank, DCENR, Dell, DRI, Enterprise Ireland, Google, Heanet. IBM, IEDR, INEX, Intel, Miracl, NUIG, NUIM, Office of the Data Protection Commissioner, TCD, UCD. Note that nothing here claims to represent the opinions of those organisations, or the people in those meetings - everything here is just anonymised reporting of topics in which people expressed interest. If you're not on the above list, but would like to chat to figure out your level of interest in this please do feel free to contact the organisers, we'd be delighted to chat with more folks in advance of the workshop.

Meetings were held using so-called "Chatham House rule" so that we can report on the topics in which folks are interested but have agreed to not identify who is interested in which topics (nor more generally, who said what:-). People can feel free to be more open about things according to their tastes. The Chatham House rule makes it easier for some people to be more open, so is worthwhile at this stage in this effort. (Workshop participants can collectively decide to use this rule or not.)

Most of the meetings so far have indicated interest in doing some local, co-operative work in the security and privacy space, though of course not everyone is interested in everything, and different people and organistions will need to work in different ways.

Discussions so far indicate three broad buckets into which specific topics seem to fit:

• Bucket1 - Communications and systems security and privacy
• Bucket2 - Patterns and measurement
• Bucket3 - Advice and best current practices (BCPs)

Some of the topics in each bucket can seem fairly mundane, but can also in fact lead to interesting research questions. And not all impactful work needs to, or ought, require advancing on the state of the art. Note that the buckets above categorise problem spaces, so while a good few people were interested in e.g. IoT issues or cryptocurrencies/blockchain, technology-specific things like that are less visible at this point, even if they remain important.

Workshop Logistics

• Web site: https://down.dsg.cs.tcd.ie/responsible
• Mailing list: responsible@scss.tcd.ie (subscription via invite)
• Dates: Monday Sep 11/Tuesday Sep 12 2017
• Location: TCD, CONNECT seminar room, Oriel House,
  • map
  • where's the door?
  • what's the door look like?
• Times: Start at noon on the 11th, finish at 1pm on 12th.
• Evening event: Monday 11th, 6pm-late, venue (sent by email)

Scope:

The main criterion for possible work being interesting is that topics should be such that it is credible that work done in Ireland can move the needle locally in a useful manner, relating to Internet security and privacy. If topics are globally interesting too, that's great.

The results of work done are intended to be public - so this is not dealing with operational data and hopefully generally with less sensitive data (though there may be some sharing of sensitive data for research purposes of course). Rather than do operational work, the goal is more to develop e.g. proofs of concept that can later be used by ops folks.

Workshop Organisation:

The workshop is sponsored by the SFI-funded CONNECT centre and IEDR. There is no cost to attend, but attendance is by invite only. Additional sponsorship is welcome, if interested contact the organisers.

The way to structure further work is a topic for discussion at the workshop. For example, we may want to identify an existing organisation of some sort under whose umbrella we can locate ourselves, so as to avoid having to develop new IPR rules etc.

As stated, the workshop is invite only, there is no need for submissions or position papers, but position papers are welcome. Note that the agenda will not consist of a set of paper-presentations, but will be developed by the TPC to try encourage attendees to reach the workshop goals. (IOW, more chat, less PPT:-) We are happy to discuss construction of the agenda on the workshop mailing list.

Our goal is that people who'd actually want to, and actually do, work on relevant topics attend - so not their bosses mostly:-)

If you'd like to attend please contact the organisers. A position paper would be welcome (1-2 pages of PDF or text ideally). Position papers received will be circulated to the mailing list. If you are happy for your position paper to be linked to the workshop web site, please indicate that when sending.

No formal proceedings will be produced, but attendees will be subscribed to the workshop mailing list by the TPC and (links to) all notes, presentations and position papers will be posted to that list. Materials received by September 1st will be sent to the mailing list ahead of the workshop.

We will follow Chatham House rule for the workshop, unless the attendees decide to be more open at the start of the event.

Workshop organisers/TPC:

• Stephen Farrell, TCD, stephen.farrell@cs.tcd.ie
• Mike Scott, MIRACL, mike.scott@miracl.com

Collective email for TPC: responsible-tpc@scss.tcd.ie

Potential work/discussion topics:

The list below is (a brief synopsis of) a subset of the specific problems identified during the meetings mentioned above on which people might like to work.

Identifying details have been elided and the lists are in alphabetical order. Clearly, addressing all of these topics in the near future would not be realistic, so progress will require that the workshop attendees are able to prioritise and hopefully agree on the set of next steps.

Bucket1 - Communications and systems security and privacy

• Better local security in a BYOD world
• Carrying out example risk analyses of local systems/infrastructure
• Dealing with new security technologies in current and legacy systems (e.g. performance and network management impacts of increased encryption)
• Developing/piloting privacy-sensitive non-commercial local sharing for DDoS mitigation and malware detection
• Improving back-end transparency in a locally significant manner
• Low-cost forensics for SMEs and others
• Methods for integrating post-quantum cryptography into protocols/applications used locally
• Piloting local authentication infrastructure (PKI/2FA)
• Piloting new security and privacy technologies locally, e.g. DNS privacy
• Reproducible/curated builds/mirrors of open-source technologies for local use, possibly SME focused
• Securing local IoT testbeds/pilots/demonstrators
• What can replace outmoded concepts of "consent" locally?
• Whitehat hacking/testing of devices used/considered-for-use locally with responsible disclosure route back to vendors/users if appropriate/possible
• Privacy by design for data analytics

Bucket2 - Patterns and measurement

• Audit tools to help detect local instances of PII
• Audits of data using current BCP security mechanisms that could be vulnerable in the presence of a quantum computer
• Automating production of locally useful evidence as part of incident handling
• Developing meta-data guidelines so holders of (large) data-sets can share (or interface with one another) in a more privacy sensitive manner respecting the wishes of data holders/subjects and in accordance with local regulation
• Local co-operative network intrusion detection
• Local detection of unwanted surveillance devices (IMSI catchers, MitM boxen)
• Local impact of analog sensing (video,audio etc.) on security and privacy
• Local surveys (e.g. zmap of HTTP/TLS,SMTP/STARTTLS, AS112 etc.) with some kind of responsible disclosure route back to asset holders with detected issues
• Mechanisms e.g. public ledgers/blockchain to support governance of the large-data meta-data just mentioned
• Measurements (e.g. of data set) aiming to provide empirical evidence of (non)compliance with local laws
• Measuring local IoT deployments, e.g. to scan for vulnerabilities
• Uses of, or acquisition of, passive DNS locally

Bucket3 - Advice and best current practices (BCPs)

• Advice and training for local law enforcement
• BCPs for local SMEs on dealing with privacy and security
• Locally, what do we consider provides "consent"
• Minimising impedence mismatch between technology deployments and regulation
• Personal infosec/privacy training for legislators
• Provide advice on policy and appliation impacts of current and near-future cryptographic mechanisms
• Providing advice to help avoid common damagine attacks, e.g. ransomware and Wordpress hacks and measuring the efficacy of such advice when offered
• Technical aspects of dealing locally with current and upcoming EU directives, helping gov.ie and similar folks understand the consequences of possible regulatory actions,
• What does (not) constitute local critical infrastructure?

Workshop goals:

Main goal1: Find 2-3 feasible projects on which attendees want to, and do, start work. ("Start" might mean write proposal, or just go do work, depending, with a preference for the latter.)

Main goal2: Figure out what structure might suit making progress on those identified topics, and longer-term.

Sub-goal: Connect people in Irish government, industry, academia and civil society interested in Internet and systems security and privacy to foster effective, impactful research and learning on topics with measurable benefit to Ireland and more generally.

Long-term goal: Build a sustainable collaboration on relevantly-scoped topics.

Short-term goal: Decide how to organise for the next while, if the workshop is a success.

Agenda

Day 1:

• 1100-1200: Lunch for those who asked!
• 1200-1300: gather/get laptop sorted/lunch
• 1300-1315: Opening/intro/scope/logistics (Stephen Farrell, TCD)
• 1315-1330: Attendee intros - ~1 minute per person, a few folks at a time
• 1330-1430: Overview of problem space presentation/discussion (Stephen Farrell, TCD)
• 1430-1500: Coffee
• 1500-1515: Attendee intros - ~1 minute per person, a few folks at a time
• 1515-1600: Technical pressie#1 - "A summary of security-related network measurements" (David Malone, NUIM)
• 1600-1615: Attendee intros - ~1 minute per person, a few folks at a time
• 1616-1700: Technical pressie#2 - "Selling Crypto - an experience of developing crypto in Ireland. (Mike Scott, MIRACL)
• 1700-1715: Bio-break/coffee
• 1715-1745: Unconference planning for day 2

Day 1+:

• 1800-late: Pub, Kennedy's for food/bev/chat

Day 2:

• 0900-0930: Day 2 plan review
• 0930-1030: Separate interest parties (maybe 3x)
• 1030-1100: Coffee
• 1100-1200: Summarise plans for work
• 1200-1230: Wrap-up/further actions/meetings
• 1230: End/lunch/maybe more pub

RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment - Meeting Notes

Agenda

Day 1:
1100-1200: Lunch for those who asked!
1200-1300: gather/get laptop sorted/lunch
1300-1315: Opening/intro/scope/logistics  (Stephen Farrell, TCD)
1315-1330: Attendee intros - ~1 minute per person, a few folks at a time
1330-1430: Overview of problem space presentation/discussion (Stephen Farrell, TCD)
1430-1500: Coffee
1500-1515: Attendee intros - ~1 minute per person, a few folks at a time
1515-1600: Technical pressie#1 - "A summary of security-related network measurements" (David Malone, NUIM)
1600-1615: Attendee intros - ~1 minute per person, a few folks at a time
1616-1700: Technical pressie#2 - "Selling Crypto - an experience of developing crypto in Ireland. (Mike Scott, MIRACL)
1700-1715: Bio-break/coffee
1715-1745: Unconference planning for day 2
Day 1+:
1800-late: Pub, Kennedy's for food/bev/chat
Day 2:
0900-0930: Day 2 plan review
0930-1030: Separate interest parties (maybe 3x)
1030-1100: Coffee
1100-1200: Summarise plans for work
1200-1230: Wrap-up/further actions/meetings
1230: End/lunch/maybe more pub

Notes - Day 1

Logistics, Stephen Farrell, TCD

• Kicking off about 13:00
• Introduction
• Thanks for coming, sponsors,
• Will be at Kennedy's this evening
• WiFi - check the wall
• Web page at responsible.ie - we have a mailing list
• Chatham House Rules
• Please interrupt!
• Prizes will be given in pub (18:00-late).

Participant Intros (part 1)

Scoping, Stephen Farrell, TCD

Slides

• Overview of Problems
• IoT, Data Leaks,
• Do you have data?
• GDPR requirements - do people delete?
• Implementation Issues
• buffer overflows,
• Post-quantum cryptography
• What data might be vulnerable if we had quantum computer in 10yrs?
• Regulation
• GDPR, NIS directive (see UCD),
• need to define reportable incidents,
• need to define critical infrastructure,
• Regulation of AI and Algorithms,
• Counter terrorism vs. privacy tension,
• Would be good to have discussion on requirements.
• Pervasive Monitoring is an attack (RFC 7258).
• Old dependable (buffer overflows, SQL injection, no wordpress updates, ...)
• Local way to help people with this?
• Agree that?
• Internet and systems security worth improving.
• There is expertise in Ireland to work on this, but without critical mass
• Can we work on problems of local significance to make ourselves more effective? E.g. could we look at TLS upgrading?
• Loads of expertise - how do you get people talking? Getting groups together good. Want to get people doing things and not just talking.
• We want to find common interests today, where we can make progress and have a local impact.
• What would Information Systems angle be?
• A lot of standards and people turning them into marketable products.
• List of three buckets (see w/s page)
• Quick intro to passive DNS
• Advice or BCPs?
• Mismatch between what technology does and regulation requires.
• Could we define any student projects that might be helpful.
• Willing to give it a go.

Participant Intros (part 2)

A summary of security related network measurements - David Malone

Slides

• Picked out things gaining on around measurement which people may be interested in
• Conferences for network measurement results: IMC PAM TMA SIGCOMM, USenix Sec, IEEE SS&P, NDSS
• Tried to pick out things people doing across these
• Packet Processing Frameworks
• BPF - in kernel monitoring, do we want to analyse
• PF_RING - ket packets out of kernel faster, allow data to be split over several processors for analysis
• DPDK/netmap - higher level at network cards rather than kernel,
• Others, tcpdump, shark, radiator for WiFi, usbdump
• People in Connect writing code to get data of base stations but not in common use
• Scanning
• nmap nc zmap - scan the whole network pretty quickly, knows how to spread packet out
• scanned 65536 hosts in 10s
• somoone buit a search engine - https://censys.io
• All the tools are there to do meaningful analysis
• How many people are using TLS
• You can add yourself to a blacklist not to be scanneRIPE Atlas
• Scamper - more sophisticated
• Measurment Infrastructure
• Looking glasses - trace route,
• Moved on - the ring - a group of engineers from RIPE, you donate a VM and get SSH access etc,.
• Passive Network Telescopes - monitor DDOD events,
• if you do a random scan it appears as attack from address block
• Your see swathes of traffic when there is an attack
• RIPE Atlas
• series of RIPE atlas probes -10,000 small computer which they provide and use to take measurments e.g., Response times from different parts of Europe
• Measurment conferences
• If you run a node to get credits
• CAIDA ARC
• Topology measurments
• Raspberry Pi based
• Facebook adds
• Place a Facebook add and see how many users look at your page e.g. DNSSec
• Mechanical Turk
• IPv6
• goole sees 20%
• Ireland 10%
• Eircom IPv6 by default
• Getting logfiles HEANET to see who was using IPv6
• Google supporting with services - perhaps provides them cutomer profiling data
• Routing
• Problem for measurment
• If you send out packets who can get them from you
• source addresses of an attacker often spoofed
• Spammers hijack an AS to some spamming and vanish and none knows what to do.
• DNSSEC
• Significant interest
• Server/client side.. who signs, what algo, who verifies.?
• deployment challenges - EDNS0 for large responses
• Someone asked what XXX but it doesn't exist - NSEC
• Other - anycast
• TLS/SSL
• Who is issuing what CERT
• COMODO - who is issuing for my domain https://crt.sh/
• Attacks n keys - data available - really interesting analysis can be done
• New devices, not much entropy,First thing when turned on is generate prime which is likely to overlap - 1 in 32k
• Network Censorship
• Understand the Great wall of China
• What parts of the internet are dropped in which order
• What key words are being stopped and correlating
• ToR deanonymisation
• Modern Mobile /App /Web infrastructure
• Compare the query you get to the query expected
• What are mobile operators middle boxes doing
• how to find PII
• how to apps behave
• Sites which you can use to look other sites e.g. cross scripting attacks
• Interesting high level measurments
• Deanonymisation of bitcoin transactions
• Injections to see where money is being spent
• Analysis of fake news - corellation of sources e.g. blogger at Russia time
• Doxing - personal attack to get your PII and provide
• Who gets email. what happens to stolen email addresses
• https://www.w3.org/WAI/ER/tools/ maybe another project
• SF Summary : There is lots of technology / capability already to get started. We could look at government sites and analyse characteristics

Selling Crypto - an experience of developing crypto in Ireland, Mike Scott, MIRACL

No slides. (Thanks Mike!)

• Developed crypto library Miracl MIRACL Crypto Library (Multiprecision Integer and Rational Arithmetic C ..
• How was i going to sell it
• Shareware was the medium of the day
• Packets to postoffice
• Fr. Software
• how do I price it? 50 punts
• how to advertise?
• Sold as a disk, turbo pascal - 1 page licence
• Bull? wanted to buy it but not happy with licence -new contract
• Why Crypto?
• Save the world - phone tapping etc
• many driven by libertarian ideals
• High assurance crytography software - conference every year
• Recruited to CertiVox, startup
• Excited to sell crypto
• Thought crypto industry was ripe for disruption
• old tech - ver primative in comparison to state-of-the-art zero knowledge proofs etc,
• Target: develop authentication to replace username/password.....how do you sell it?
• I was naive here - boss was no. 1 sales person for RSA
• crypto (a pdf) -> M.M -> Sales team (-> C.F.O) -> P.D (a ppt deck Yikes!)
• P.D would produce a memorandum of understanding
• lots of nonsense
• Patents - academics hate them, commercial insitiutions love them ... how do you square the circle?
• ..so how do you break out of cycle? sell to Estonia
• organised to meet the GCHQ, they kicked the tyres and like and then we went after Public services co.
• Cycle was broken as evryone asked GCHQ was crypto product ok who confirmed
• IRTF, crypto research group - anyone can join so a varied mix bullies, brats, libertarians, clever folks
• RFC -> Internet Draft, Mike did like this process much
• Robert H - counting number of points on binary EC in realtime
• Japanese liked our crypto products?
• Students issued with ID card which must swipe on attending lectures -surly privacy issues? but the student didn't seem to mind. so Just how important is security to people?
• What can we do in Ireland?
• Let's look back - Mike involved in electronic voting part of a group asked to write a report on accuracy
• Went to leinster house and received a machine
• central (hardened) computer and satellite nodes
• Booted node of USB and replaced business logic..Security was non existent- had not occured to 'em
• Nationwide - Eircodes
• Mike likes it!
• Irish public service cards - where is the biometric data? India?
• Post Quantum Crypto in 5 mins

  Prime number: 12289 
  generate polynomial
  A= 1274 + 8629x + 10102x^2......x^1023
  S = 6 + 7x + 3x^2.....
  B = A.s + e
  
  Hard mathematical problem
  
  Alice -> B -> Bob
  Bob -> u.c -> Alice
  
  Alice
  B = As +e
  
  Bob
  u = At + f
  C = Bt + g + K
  
  C - Us = et + g +K -fs
  
  Noise in peaks and troughs of binary  
  New Hope Algorithm
  

Notes - Day 2

Topics to pursue...

We discussed some and came up with a prioritised list of stuff we'll really do, starting this year:

1. measurement campaign - web and mail servers, DNS
   • Alex, Stephen, Tom, Dave,Tony, AIT/Brian Lee?
   • easy start: censys a/c, geoip list(s)
   • Stephen to start mail thread
2. mobile h/s traffic on-device VPN and off-device @ VPN or @ router/AP
   • Doug, Tony (eduroam or other), Maria
   • https://www.icsi.berkeley.edu/icsi/projects/networking/haystack
   • Doug to send mail
3. PII studies
   • Caroline, Maria (Stephen as an ignorant helper) Michael M, - test for "privacy paradox" over time longitudinal study
   • Designing such a study is a project in itself -
   • Maybe talk to Tilda http://www.tilda.ie ,
   • Growing Up in Ireland http://www.esri.ie/growing-up-in-ireland/
   • http://oxis.oii.ox.ac.uk/research/methodology/
   • Maria to send mail
4. Building PoC of Personalised but more private services
   • Doug, Maria to chat
   • Doug to send mail

And a list of other stuff we'd like to do (more aspirational, no hard actions for now)

• device investigation

  • Card survey - NFC cards Dave (NFC reader HOWTO) NFCTools/Android, mag stripe
  • Android NFC tag reader: NFC tools
  • Dave & Caroline may write project paragraph (Peter also interested in this, i.e. NFC and smartcard investigation))
  • https://plus.google.com/+DavidMalone/posts/9y6uL4U8dBZ
  • Caroline
    • Dispatched from and sold by Amazon. Gift-wrap available.
    • Standalone NFC reader/writer accessory
    • Owners of the original Nintendo 3DS, Nintendo 3DS XL and Nintendo 2DS can use the NFC reader/writer accessory to enjoy amiibo functionality
    • Tap an amiibo figure or card to the NFC Reader/Writer (while playing compatible software) and you will uncover surprising new features

• "smart" meters

  • Water meters
  • Bob Shorten/UCD, has car charging kit

• medical devices - need more/other people in room?

• "smart" home (ikea,nest, phillps hue...) as used for assisted living

  • what traffic emerges? there exists data in Dundalk, casala Rob Boyd?
  • https://www.dkit.ie/tags/casala
  • Caroline, Peter, Maria

How might we organise?

General agreement that the name is good and sends the right impression - Responsible - the name works! lets use it Mike to update responsible site with paragraph/charter - to be sent to mailing list by 26/09/2017

No fancy website - If someone wants something there mail Stephen

How do we want to operate in the future?

• Be public with mailing list vs semi-open? Semi-open more likely to fit with private sector mindset?
• Work to be carried out on Mailing list
• Mailing list closed and access managed by Stephen/Mike
• Stephen will moderate the mailing list in the short-term and police non-member incoming emails.
• On joining the group or mailing list, by invitation at the moment.
• We're interested in consumers of outputs, genuinely interested parties and possible contributers.
• Meeting minutes to be distributed and agreed upon.
• Setup alias for info-at-responsible.ie that goes to Stephen/David
  • Note: that mail a/c switched off 2022-08-11, see below for new contact point.

Open or Closed?

• We would like our work to be more open than less open?
• Proceed for now as semi-open until work is produced.
• Work should tend towards being open rather than closed.
• Agree to make findings public on the website.
• Also need to be 'responsible' with findings, i.e. try let asset-owner know first, etc.
• General tone of output should be one of responsibility, doing something good/useful. Something that an interested party could approach easily.
• Look for a standard/good protocol for releasing findings. (Can't find a standard, but wikipedia outlines principles https://en.wikipedia.org/wiki/Responsible_disclosure)
• People yell if they dont want something to be shared
• Talk on mailing list.
• Getting more involvement from commercial folks.

Future meetings? Twice per year?

• Next meeting provionally hosted by HEANET early next year (Tony Gray offered to host, maybe half-day meeting.)

Aspirations/"visions":

• In distant future maybe we'd evolvee into something like chaos computer club (CCC) https://www.google.ie/search?client=safari&rls=en&q=chaos+computer+club&ie=UTF-8&oe=UTF-8&gws_rd=cr&dcr=0&ei=Gbe3Wf3nG6SbgAblvrOQBQ. - a white-hat organisation that entities consult from time to time on security.
• Also, look at ways to get money, from any sources, private compaines, SFI, Enterprise Ireland.
• Private funding - help each other to get money to do work
• If we find a vulnerability, we will be responsible - bring to attention of vulnerable party to fix first..
• Getting more operator/commercial input would be good- how to we become more friendly. How do we appear 'friendly' towards compainies/commercial.
• Vision to be translatable to ....co.uk. .fr, .de. The internet soc may be a route to something like that.

Consider folding ourseleves into the local ISOC Ireland chapter?

• ISOC as an umbrella under which we continue? Folks were explicitly happy with that.

Victory declared, meeting closed.