[98853] in North American Network Operators' Group
Re: For want of a single ethernet card, an airport was lost ...
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Mon Aug 20 23:59:52 2007
From: "Paul Ferguson" <fergdawg@netzero.net>
Date: Tue, 21 Aug 2007 03:48:13 GMT
To: stephen@sprunk.org
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- "Stephen Sprunk" <stephen@sprunk.org> wrote:
>Such secondary procedures are okay in the banking world, where you can
>back out transactions that an audit reveals are fraudulent after the fact. The
>same does not apply to letting persons across a border where you can't
>retroactively deny them entry after they've killed a bunch of people (and,
>most likely, martyred themselves). It's the same problem with voting
>systems, actually: the anonymity requirements mean all security hinges on
>making sure only authorized people vote, and only once at that; you can't
>back out fraudulent votes after they're cast, which is why all of the
>attacks are on the authorization system and being undetected in an audit
>doesn't matter.
It does matter.
Unfortunately, we find ourselves in a position where easy business
decisions allow people to make very bad technical decisions, and
put the integrity of their network security directly in the path of
"test".
"Test" is not a good business decision, because if there is
a possibility where things can be compromised, generally they will be.
We (collectively) have done a very fine job of delivering
functionality first, and security secondly.
That puts most of us in the position of the 'Little Dutch Boy',
with our finger in the security dike.
So, having said all that, it's pretty difficult to figure out
where the problems and solutions actually meet.
We're actually at a very difficult cross-roads right now.
Cheers,
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFGymB3q1pz9mNUZTMRAssqAJ4+J5jhtDoFWO81cjSvZ9JXArTMqgCguyzL
R3oyka3IzcgVPtiFaYNOUUo=
=2oUE
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/