[54350] in North American Network Operators' Group
Re: Acceptable Losses (was Re: Whoops! (re: WH network monitoring plan response))
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Dec 24 20:08:02 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Date: Tue, 24 Dec 2002 20:07:27 -0500
Errors-To: owner-nanog-outgoing@merit.edu
In message <Pine.GSO.4.44.0212241538270.9020-100000@clifden.donelan.com>, Sean
Donelan writes:
>
>On Tue, 24 Dec 2002, Richard Forno wrote:
>> In my last post when I said this:
>> > If something's deemed 'critical' to a large segment of the population, then
>> > security must NEVER outweigh convenience. Period. Non-negotiable.
>>
>> I meant to say that security must ALWAYS outweigh convenience.
>
>Sigh, people are playing games with words to force false choices. Of
>course it's negotiable because the act of defining something "critical"
>is a negotiation.
>
>
Not only that -- security is not 0/1, all or nothing. It is possible
to be more or less secure; building a security system -- like a
firewall -- that has only the two states of "wide open" and "absolutely
impenetrable" is a bad idea.
Security is about risk management -- see Schneier's book "Secrets and
Lies".
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)