Re: Comments on draft-cooper-privacy-policy-01.txt
That started when Jeff Schiller was security AD. Though I can't remember who actually did the code. Though at the time the issue was not so much the carelessness of the users as the fact that the IETF password protocols were broken.

i am not confident of either of those statements

randy

___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
Re: Comments on draft-cooper-privacy-policy-01.txt
Hannes,

On 7/9/2010 4:32 AM, Hannes Tschofenig wrote:

The Fair Information Practices are a set of principles most of us are quite likely to believe in, such as (copied from Alissa's draft):

Likely, yes. But do any of us know how to translate those principles into particular behaviors? Is it likely that any two of us will make the same translation? What about enough of us to constitute rough consensus?

Note, for example, my earlier comment that the draft's use of the IETF treats it as an entity when in fact it has little legal standing and even less cohesiveness in its behaviors. Who does the term refer to?

Principles need to be accompanied with very concrete behavioral prescriptions and proscriptions, for the principles to have real meaning.

That's what the remaining sections of the draft seek to do.

The draft currently gives too little introduction to IETF-specific precepts, concepts and motivation. All presented more simply, as Bob Hinden suggests.

As an example, imagine some researchers doing some interesting network testing and collecting data that travels over the IETF network; then these principles say that you should be transparent in what you do, you should tell people what you collect and why, etc. I think that this is something we want people to do. And yes we have researchers looking into the traffic, people storing all sorts of data, etc.

This issue of measuring the network for research raises a deeper and more serious problem: informed consent. Telling people about the work after the fact violates this requirement.

As soon as the word privacy becomes relevant, an implication for research is that we are in the realm of human subjects ethics, and the research world has produced some fairly strict rules concerning this. For example:

http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.htm

especially section 46.116

Has the IETF been authorizing people to conduct human subjects research without the informed consent of the subjects?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: Comments on draft-cooper-privacy-policy-01.txt
The sniffed passwords were sometimes displayed in real time on a monitor facing the audience from the front of the room. This activity was never called research that I can recall. I think the majority reaction was that this was a fine thing to motivate improvements in security practice. Only one person was upset, that I remember. And several people, seeing that this was going on, wrote little network apps to give the appearance to sniffers that plaintext passwords were being sent so they could display messages on said monitor, like "this is not my real password", etc.

Thanks,
Donald

On Fri, Jul 9, 2010 at 1:24 PM, Fred Baker f...@cisco.com wrote:

Randy, we have had at least one researcher sniffing passwords in plenary WiFi traffic and posting them, to embarrass people into using more secure technology. I believe he was an Ops AD at the time :-)

Agreed that personal net hygiene is the solution there.

On Jul 9, 2010, at 5:04 AM, Randy Bush wrote:

[ fwiw, i am not bothered if some folk well-versed in such things develop and put forth a policy about how the ietf treats data about members, attendees, network, ... ]

And yes we have researchers looking into the traffic, people storing all sorts of data, etc.

we do? about our traffic on the ietf meeting network? stuff other than the _ephemeral_ data the noc ops use to manage the network?

as far as i know

o data collection has been done very rarely. and when it has been, it has been widely announced.

o there is no plan known by the net ops to do so in maastricht or beijing at either of those meetings.

o aside from issues in the wireless deployment, the data about net use at ietf meetings seems pretty boring to me from a research view

o but i am sure there are wifi spies snooping and playing. and i suspect that they will not be very respectful of any policy put in place.

given the latter, i focus more on prudent personal net hygiene and less on prose.
randy