RESPONSIBLE - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment

We're a loose collective of folks in Ireland interested in security and privacy. We have a charter and we held a workshop (at which we took notes).


Charter, September 2017

It is in the interests of all stakeholders in the Internet (Fixed, Mobile, of Things) in Ireland that its security and privacy properties be well understood and improved. Perhaps the most important stakeholder is now the average citizen, whose privacy, safety and general well-being are being increasingly impacted by technological advances. We wish to address these issues by carrying out research, probing for weaknesses, and issuing occasional advisories and recommendations.

In the absence of a “Geneva Convention” around the issues of cyber-warfare, and the fact of being the subject of external threat, we feel it appropriate to work within the context of the island of Ireland, and our local laws. Therefore ours is a local organisation. However we will be happy to work with like-minded organisations in other jurisdictions.

Our group consists of academics, researchers, employees of big and small companies, those involved in Internet Infrastructure, civil society, and from government. We believe that by pooling our resources we can form a “critical mass” in terms of expertise and thus be more likely to succeed in having useful local impact.

We particularly welcome members of the security services and law enforcement. We respect your valid interest in these matters. As a group we will always respect the rule of law, and will at all times operate within the existing law (while remaining free to lobby for changes in the law through the normal democratic processes).

We will at all times adhere to the principles of “responsible disclosure” - see https://en.wikipedia.org/wiki/Responsible_disclosure. Therefore although we may probe for vulnerabilities without prior notice, our intention is to help identify and fix them, not to exploit them for gain, notoriety, publicity, or just because we can.

We’re a “semi-open” group – we intend the results of our work to be public whenever possible, but we will do our work via a moderated mailing list. If you’re interested in participating, please feel free to contact info@responsible.ie


RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment

201700907, v0.999, stephen.farrell@cs.tcd.ie

Many thanks to our generous sponsors.

If you're interested in this activity, feel free to send us an email.

Slides used on the day of the w/s

Ireland has a thriving ICT environment, both commercial and academic, but yet lags many countries in terms of the availability of expertise in the security and privacy space. While the history that led us to this point is understandable, and while that was not a hugely pressing problem in the past, given today's risk profile, the lack of local critical-mass collections of expertise could turn out to be hugely damaging for the people of Ireland, if it leads to our systems and networks being more vulnerable or privacy-unfriendly than others.

The RESPONSIBLE workshop is the next step in an effort to marshal the existing talents and efforts from Irish-based industry, government, civil society and academia in order to start to build a sustainable above-critical-mass collection of people interested in collaborating to improve the local (and global) security and privacy properties of the networks and systems on which we all depend more and more, both for the benefit of those operating such systems and networks, but also for the benefit of the people of Ireland and beyond.

Background/Overview:

Since April, one of the workshop organisers (SF) has had meetings about doing local work on Internet security and privacy with folks from a varied set of organisations (listed below). The main hypothesis is that Irish academia alone lacks critical mass to do significantly impactful and sustained work in this space, and that industry, government and civil society involvement is necessary in order to achieve that critical mass and have worthwhile impact locally and more broadly. Bringing together the varied interests and expertise of people in all those areas should also help to improve any work done and help towards sustainable efforts in this space. This workshop is aiming to take the output of that set of meetings to the next level where we identify sets of people and topics on which to work... and then start that work.

Organisations who've taken meetings so far (in alpha order): Cisco, Citibank, DCENR, Dell, DRI, Enterprise Ireland, Google, Heanet, IBM, IEDR, INEX, Intel, Miracl, NUIG, NUIM, Office of the Data Protection Commissioner, TCD, UCD. Note that nothing here claims to represent the opinions of those organisations, or the people in those meetings - everything here is just anonymised reporting of topics in which people expressed interest. If you're not on the above list, but would like to chat to figure out your level of interest in this please do feel free to contact the organisers, we'd be delighted to chat with more folks in advance of the workshop.

Meetings were held using so-called "Chatham House rule" so that we can report on the topics in which folks are interested but have agreed to not identify who is interested in which topics (nor more generally, who said what:-). People can feel free to be more open about things according to their tastes. The Chatham House rule makes it easier for some people to be more open, so is worthwhile at this stage in this effort. (Workshop participants can collectively decide to use this rule or not.)

Most of the meetings so far have indicated interest in doing some local, co-operative work in the security and privacy space, though of course not everyone is interested in everything, and different people and organisations will need to work in different ways.

Discussions so far indicate three broad buckets into which specific topics seem to fit:

Some of the topics in each bucket can seem fairly mundane, but can also in fact lead to interesting research questions. And not all impactful work needs to, or ought to, require advancing on the state of the art. Note that the buckets above categorise problem spaces, so while a good few people were interested in e.g. IoT issues or cryptocurrencies/blockchain, technology-specific things like that are less visible at this point, even if they remain important.

Workshop Logistics

Scope:

The main criterion for possible work being interesting is that topics should be such that it is credible that work done in Ireland can move the needle locally in a useful manner, relating to Internet security and privacy. If topics are globally interesting too, that's great.

The results of work done are intended to be public - so this is not dealing with operational data and hopefully generally with less sensitive data (though there may be some sharing of sensitive data for research purposes of course). Rather than do operational work, the goal is more to develop e.g. proofs of concept that can later be used by ops folks.

Workshop Organisation:

The workshop is sponsored by the SFI-funded CONNECT centre and IEDR. There is no cost to attend, but attendance is by invite only. Additional sponsorship is welcome, if interested contact the organisers.

The way to structure further work is a topic for discussion at the workshop. For example, we may want to identify an existing organisation of some sort under whose umbrella we can locate ourselves, so as to avoid having to develop new IPR rules etc.

As stated, the workshop is invite only, there is no need for submissions or position papers, but position papers are welcome. Note that the agenda will not consist of a set of paper-presentations, but will be developed by the TPC to try to encourage attendees to reach the workshop goals. (IOW, more chat, less PPT:-) We are happy to discuss construction of the agenda on the workshop mailing list.

Our goal is that people who'd actually want to, and actually do, work on relevant topics attend - so not their bosses mostly:-)

If you'd like to attend please contact the organisers. A position paper would be welcome (1-2 pages of PDF or text ideally). Position papers received will be circulated to the mailing list. If you are happy for your position paper to be linked to the workshop web site, please indicate that when sending.

No formal proceedings will be produced, but attendees will be subscribed to the workshop mailing list by the TPC and (links to) all notes, presentations and position papers will be posted to that list. Materials received by September 1st will be sent to the mailing list ahead of the workshop.

We will follow Chatham House rule for the workshop, unless the attendees decide to be more open at the start of the event.

Workshop organisers/TPC:

Collective email for TPC: responsible-tpc@scss.tcd.ie

Potential work/discussion topics:

The list below is (a brief synopsis of) a subset of the specific problems identified during the meetings mentioned above on which people might like to work.

Identifying details have been elided and the lists are in alphabetical order. Clearly, addressing all of these topics in the near future would not be realistic, so progress will require that the workshop attendees are able to prioritise and hopefully agree on the set of next steps.

Bucket1 - Communications and systems security and privacy

Bucket2 - Patterns and measurement

Bucket3 - Advice and best current practices (BCPs)

Workshop goals:

Main goal1: Find 2-3 feasible projects on which attendees want to, and do, start work. ("Start" might mean write proposal, or just go do work, depending, with a preference for the latter.)

Main goal2: Figure out what structure might suit making progress on those identified topics, and longer-term.

Sub-goal: Connect people in Irish government, industry, academia and civil society interested in Internet and systems security and privacy to foster effective, impactful research and learning on topics with measurable benefit to Ireland and more generally.

Long-term goal: Build a sustainable collaboration on relevantly-scoped topics.

Short-term goal: Decide how to organise for the next while, if the workshop is a success.

Agenda

Day 1:

Day 1+:

Day 2:


RESPONSIBLE Workshop - Research and Engineering on Security and Privacy Of Networks and Systems for Ireland and a Better onLine Environment - Meeting Notes

Agenda


Day 1:
1100-1200: Lunch for those who asked!
1200-1300: gather/get laptop sorted/lunch
1300-1315: Opening/intro/scope/logistics (Stephen Farrell, TCD)
1315-1330: Attendee intros - ~1 minute per person, a few folks at a time
1330-1430: Overview of problem space presentation/discussion (Stephen Farrell, TCD)
1430-1500: Coffee
1500-1515: Attendee intros - ~1 minute per person, a few folks at a time
1515-1600: Technical pressie#1 - "A summary of security-related network measurements" (David Malone, NUIM)
1600-1615: Attendee intros - ~1 minute per person, a few folks at a time
1616-1700: Technical pressie#2 - "Selling Crypto - an experience of developing crypto in Ireland" (Mike Scott, MIRACL)
1700-1715: Bio-break/coffee
1715-1745: Unconference planning for day 2

Day 1+:
1800-late: Pub, Kennedy's for food/bev/chat

Day 2:
0900-0930: Day 2 plan review
0930-1030: Separate interest parties (maybe 3x)
1030-1100: Coffee
1100-1200: Summarise plans for work
1200-1230: Wrap-up/further actions/meetings
1230: End/lunch/maybe more pub

Notes - Day 1

Logistics, Stephen Farrell, TCD

Participant Intros (part 1)

Scoping, Stephen Farrell, TCD

Slides

Participant Intros (part 2)

A summary of security related network measurements - David Malone

Slides

Selling Crypto - an experience of developing crypto in Ireland, Mike Scott, MIRACL

No slides. (Thanks Mike!)

Notes - Day 2

Topics to pursue...

We discussed some and came up with a prioritised list of stuff we'll really do, starting this year:

  1. measurement campaign - web and mail servers, DNS
  2. mobile h/s traffic on-device VPN and off-device @ VPN or @ router/AP
  3. PII studies
  4. Building PoC of Personalised but more private services

And a list of other stuff we'd like to do (more aspirational, no hard actions for now)

How might we organise?

General agreement that the name is good and sends the right impression - Responsible - the name works! Let's use it.

Mike to update responsible site with paragraph/charter - to be sent to mailing list by 26/09/2017

No fancy website - If someone wants something there, mail Stephen

How do we want to operate in the future?

Open or Closed?

Future meetings? Twice per year?

Aspirations/"visions":

Consider folding ourselves into the local ISOC Ireland chapter?

Victory declared, meeting closed.