nanog mailing list archives
Re: Technology risk without safeguards
From: William Herrin <bill () herrin us>
Date: Thu, 5 Nov 2020 09:05:34 -0800
On Thu, Nov 5, 2020 at 5:59 AM Tom Beecher <beecher () beecher cc> wrote:
> Let's say roughly half of the science says the hypothesis is false, and half says it is true. It is absolutely fair in this case to state "We don't know enough."
Hi Tom,

Strictly speaking, if a hypothesis is disproven by even one repeatable experiment then the hypothesis is disproven. It doesn't rule out that a similar hypothesis could be true but that particular one is false.

Suresh's case can also be dismissed with Security 101: never spend more protecting an asset than the value of the asset. Practically speaking this means you assign a risk cost to a particular kind of attack and then consider whether there are any protections from the attack which cost less than the risk. That's Vulnerability * Threat * Incident Cost.

The vulnerability to someone tunnelling under your data center to set up an RF generator is not high. The logistics of such an effort are very complicated and the inverse square law dictates that the power in an RF signal deteriorates quickly with distance even in free air, let alone with ground between you and the recipient. It is, in a nutshell, impractical.

The threat for someone tunnelling under your data center to set up an RF generator is basically zero. There are examples of tunnelling in crime and war but both involve clandestinely overcoming a superior force, such as breaking someone out of prison, evading detection by authorities when smuggling or destroying a fortified military position with explosives. There is no superior force guarding a data center. Following staff home and picking them off with a rifle is so much cheaper and carries a better probability of success.

Nearly zero times zero times some possibly high incident cost still equals zero. The risk-cost from Suresh's scenario is zero. Hence the security efforts it justifies are zero.

Regards,
Bill Herrin

--
Hire me! https://bill.herrin.us/resume/