de-peering for security sake

Owen DeLong owen at delong.com
Sun Dec 27 21:08:32 UTC 2015


> On Dec 27, 2015, at 11:26 , Christopher Morrow <morrowc.lists at gmail.com> wrote:
> 
> On Sun, Dec 27, 2015 at 1:59 PM,  <Valdis.Kletnieks at vt.edu> wrote:
>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>> 
>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>> yes it is in fact two factor.
>> 
>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>> of a money grab masquerading as security theater (not even real security).
> 
> is it that? or is it that once you click the checkboxes on /pci audit/
> 'no one' ever does the daily due-diligence required to keep their
> security processes updated/running/current/etc ?

You ask this as if those two were mutually exclusive. They are not. I believe
that both are actually true. The PCI-DSS checklist can be completed without
relatively weak security and involves a lot of theatrical requirements that have
nothing to do with actual security.

Beyond that, yes, most organizations survive the audit and then go back to
ignoring it until it’s time for the next audit.

> I'm not a fan of the compliance regimes, but their goal (in a utopian
> world where corporations are not people and such) is the equivalent of
> the little posterboard person 42" tall before the roller-coaster
> rides, right?
> 
> "You really, REALLY should have at least these protections/systems/etc
> in place before you attempt to process credit-card transactions…"

Right. And that’s a decent goal. Unfortunately, if you read the actual document,
the standards require lots of things that don’t actually improve (and in some
cases can actually degrade) security, such as NAT.

> In the utopian world this list would be sane, useful and would include
> daily/etc processes to monitor the security controls for issues... I
> don't think there's a process bit in PCI about: "And joey the firewall
> admin looks at his logs daily/hourly/everly for evidence of
> compromise" (and yes, ideally there's some adaptive/learning/AI-like
> system that does the 'joey the firewall admin' step... but let's walk
> before running, eh?)

Yeah, it doesn’t actually require anyone or anything to ever really look at
logs at all.

> so, it's not really a mystery why failures like this happen.

This is a bit of a tangent, really. The discussion was about authentication factor
counts, and Baldur tried to use PCI-DSS acceptance of password-encrypted
private key authentication as two-factor to bolster his claim that it was, in fact,
two-factor, when it clearly isn’t actually two-factor, as has been stated previously.

The comments about PCI-DSS being a non-credible standard were primarily
an additional note that his argument was built on thin air.

>> I remember seeing a story a while ago that stated that of companies hit
>> by a data breach on a system that was inside their PCI scope, something
>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>> are missing a lot of really crucial things for real security.  (And let's
>> not forget the competence level of the average PCI auditor, as the ones
>> I've encountered have all been very nice people, but more suited to checking
>> boxes based on buzzwords than actual in-depth security analysis).
> 
> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
> guilty of this i'm sure as well, but really ... if you put systems on
> the tubes and you don't take the same care you would for your
> brick/mortar places ... you're gonna have a bad day. 'cyber security'
> really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security.

Conceptually, sure. However, in actual implementation, there’s a plethora of
decent locksmiths and reasonably good security contractors out there to provide
good solutions for physical security.

In the cyber security world, the waters are a lot murkier. There are no good
standards to allow a lay person to identify a good capable contractor vs. a
charlatan with a flashy web site. Most of the widely known standards are
crap. I’ve met some really good CISSPs in my day, but I’ve also met a number
of people touting their CISSP certification who don’t realize that NAT is actually
detrimental to security and a few who even claimed that NAT was good.

Several couldn’t even get the concept of separating NAT from stateful inspection
after repeated attempts to explain it to them in kindergarten terms.

Cyber security is a lot harder to understand well and quite a bit more complicated
than physical security.

Owen
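Added illustration of the NAT-versus-stateful-inspection point made above (this is not part of Owen's message or the thread; the interface names lan0/wan0 and the single permitted inbound service are assumptions chosen for the example). The ruleset below is a plain stateful filter: the "unsolicited inbound connections are dropped, replies to outbound sessions are allowed" property that is often credited to NAT comes entirely from the conntrack state match, and the whole thing works unchanged with globally routable addresses on both sides. The NAT table at the end is optional and adds no filtering of its own.

```nftables
#!/usr/sbin/nft -f
# Stateful inspection WITHOUT NAT (added example, not from the original post).
# Works for IPv4 and IPv6 alike because the table family is "inet".
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: default deny.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # This one line is the "security" people attribute to NAT:
        # only packets belonging to a session we already know about get in.
        ct state established,related accept
        ct state invalid drop
        # Explicitly permitted inbound services only (assumed: SSH to the box).
        tcp dport 22 ct state new accept
    }

    chain forward {
        # Traffic routed through the firewall: default deny.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Inside hosts may open new sessions outward; nothing from wan0 may
        # open a new session inward. No address rewriting is involved.
        iifname "lan0" oifname "wan0" ct state new accept
    }
}

# Optional and entirely separate: address translation. Note that it contains
# no accept/drop decisions at all. Remove this table and the filtering above
# is unchanged; keep it and delete the filter table and you have NAT with no
# security policy whatsoever.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Loading it with `nft -f` on a lab box and watching `conntrack -L` while a LAN host browses out makes the separation concrete: the state table fills and replies flow back whether or not the nat table is present, and an unsolicited inbound SYN on wan0 is dropped either way.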
