nanog mailing list archives

Re: On another security note... (of sorts)


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Sat, 17 Jul 2010 03:17:14 +0000


On Jul 16, 2010, at 9:42 PM, Lamar Owen wrote:

> I'm sure the collective wisdom here is capable of pulling the task off at least in theory;

The thorniest issues aren't technology-related, per se; they're legal exposure (both real and imagined), regulatory 
concerns (both real and imagined), antitrust concerns (both real and imagined), management/marketing/PR concerns 
(largely imagined), skillset shortages/concerns (very real), customer perception concerns (both real and imagined), and 
so forth.

The second tier of barriers are those surrounding trust.  It's basically a sociological analogue of 'the PKI problem'.

Technology issues form the third set of barriers.  Yes, they're real and they're important, but if we could wiggle our 
noses a la Elizabeth Montgomery and make all the technology issues go away, the other sets of issues would still 
preclude any kind of universal solution, for some value of 'solution'.

There's a great deal of opsec coordination and work which takes place in a sub rosa fashion, via individual actions, 
closed, vetted mitigation communities, ad hoc personal relationships, etc.  In actuality, a very great deal of the 
useful opsec work that gets done is accomplished by folks who in some cases are going beyond their portfolios to do so, 
as their management, legal teams, PR/marketing teams, et al. would actively forbid them to do this work, were they to 
know about it.

That's one of the reasons why a lot of people who make sweeping generalizations and recommendations about 'cyber-this' 
and 'cyber-that' tend not to have a good grasp of even the fundamentals - they aren't the folks who do the actual work, 
they don't know who does the actual work, and they often don't know anybody who knows somebody who actually does the 
actual work.  They often don't even know that actual work is taking place, or what it entails, in the first place, 
because the actual work takes place out of the limelight.

> the hard part would be deciding whether to do it in hardware or software....


;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken




