On another security note... (of sorts)

Dobbins, Roland rdobbins at arbor.net
Sat Jul 17 03:17:14 UTC 2010


On Jul 16, 2010, at 9:42 PM, Lamar Owen wrote:

> I'm sure the collective wisdom here is capable of pulling the task off at least in theory;

The thorniest issues aren't technology-related, per se; they're legal exposure (both real and imagined), regulatory concerns (both real and imagined), antitrust concerns (both real and imagined), management/marketing/PR concerns (largely imagined), skillset shortages/concerns (very real), customer perception concerns (both real and imagined), and so forth.

The second tier of barriers are those surrounding trust.  It's basically a sociological analogue of 'the PKI problem'.

Technology issues form the third set of barriers.  Yes, they're real and they're important, but if we could wiggle our noses a la Elizabeth Montgomery and make all the technology issues go away, the other sets of issues would still preclude any kind of universal solution, for some value of 'solution'.

There's a great deal of opsec coordination and work which takes place in a sub rosa fashion, via individual actions, closed, vetted mitigation communities, ad hoc personal relationships, etc.  In actuality, a very great deal of the useful opsec work that gets done is accomplished by folks who in some cases are going beyond their portfolios to do so, as their management, legal teams, PR/marketing teams, et al. would actively forbid them to do this work, were they to know about it.

That's one of the reasons why a lot of people who make sweeping generalizations and recommendations about 'cyber-this' and 'cyber-that' tend not to have a good grasp of even the fundamentals - they aren't the folks who do the actual work, they don't know who does the actual work, and they often don't know anybody who knows somebody who actually does the actual work.  They often don't even know that actual work is taking place, or what it entails, in the first place, because the actual work takes place out of the limelight.

> the hard part would be deciding whether to do it in hardware or software....


;>

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken







More information about the NANOG mailing list