[127862] in North American Network Operators' Group
Re: On another security note... (of sorts)
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Jul 16 23:18:03 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Sat, 17 Jul 2010 03:17:14 +0000
In-Reply-To: <201007161042.40853.lowen@pari.edu>
On Jul 16, 2010, at 9:42 PM, Lamar Owen wrote:
> I'm sure the collective wisdom here is capable of pulling the task off at least in theory;
The thorniest issues aren't technology-related, per se; they're legal exposure (both real and imagined), regulatory concerns (both real and imagined), antitrust concerns (both real and imagined), management/marketing/PR concerns (largely imagined), skillset shortages/concerns (very real), customer perception concerns (both real and imagined), and so forth.
The second tier of barriers are those surrounding trust. It's basically a sociological analogue of 'the PKI problem'.
Technology issues form the third set of barriers. Yes, they're real and they're important, but if we could wiggle our noses a la Elizabeth Montgomery and make all the technology issues go away, the other sets of issues would still preclude any kind of universal solution, for some value of 'solution'.
There's a great deal of opsec coordination and work which takes place in a sub rosa fashion, via individual actions, closed, vetted mitigation communities, ad hoc personal relationships, etc. In actuality, a very great deal of the useful opsec work that gets done is accomplished by folks who in some cases are going beyond their portfolios to do so, as their management, legal teams, PR/marketing teams, et al. would actively forbid them to do this work, were they to know about it.
That's one of the reasons why a lot of people who make sweeping generalizations and recommendations about 'cyber-this' and 'cyber-that' tend not to have a good grasp of even the fundamentals - they aren't the folks who do the actual work, they don't know who does the actual work, and they often don't know anybody who knows somebody who actually does the actual work. They often don't even know that actual work is taking place, or what it entails, in the first place, because the actual work takes place out of the limelight.
> the hard part would be deciding whether to do it in hardware or software....
;>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken