de-peering for security sake

Mike Hale at
Sun Dec 27 20:32:14 UTC 2015

"done right the cost shouldn't be super much more."
I disagree.  Done wrong, it's not super much more.

Done right, it's massively more.

Like Randy said, compare salaries alone.  A good security employee
will run you, what, 100k or more in the major job markets?  And how
many do you need, full time, to provide acceptable coverage for your

The costs add up really fast without a corresponding return.

On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
<morrowc.lists at> wrote:
> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale < at> wrote:
>> "really isn't a whole lot different from 'lock your damned doors and
>> windows' brick/mortar security."
>> Except it's *massively* more expensive.
> is it? how much does a datacenter pay for people + locks + card-key +
> pin-pad + ...
> vs
>  the requisite bits for security their customer portal/backoffice/etc ?
> done right the cost shouldn't be super much more.
> -chris
>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>> <morrowc.lists at> wrote:
>>> On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks at> wrote:
>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>> yes it is in fact two factor.
>>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>>> of a money grab masquerading as security theater (not even real security).
>>> is it that? or is it that once you click the checkboxes on /pci audit/
>>> 'no one' ever does the daily due-diligence required to keep their
>>> security processes updated/running/current/etc ?
>>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>>> world where corporations are not people and such) is the equivalent of
>>> the little posterboard person 42" tall before the roller-coaster
>>> rides, right?
>>> "You really, REALLY should have at least these protections/systems/etc
>>> in place before you attempt to process credit-card transactions..."
>>> In the utopian world this list would be sane, useful and would include
>>> daily/etc processes to monitor the security controls for issues... I
>>> don't think there's a process bit in PCI about: "And joey the firewall
>>> admin looks at his logs daily/hourly/everly for evidence of
>>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>>> system that does the 'joey the firewall admin' step... but let's walk
>>> before running, eh?)
>>> so, it's not really a mystery why failures like this happen.
>>>> I remember seeing a story a while ago that stated that of companies hit
>>>> by a data breach on a system that was inside their PCI scope, something
>>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>>> are missing a lot of really crucial things for real security.  (And let's
>>>> not forget the competence level of the average PCI auditor, as the ones
>>>> I've encountered have all been very nice people, but more suited to checking
>>>> boxes based on buzzwords than actual in-deopth security analysis).
>>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>>> guilty of this i'm sure as well, but really ... if you put systems on
>>> the tubes and you don't take the same care you would for your
>>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>>> really isn't a whole lot different from 'lock your damned doors and
>>> windows' brick/mortar security.
>>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>>> a claim of strong actual security.
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

More information about the NANOG mailing list