Total transparency in security matters works about as well as it would for law enforcement: fine for tactical concerns, but not so great for long-term strategic concerns.
-David Barak
On Fri Mar 19th, 2010 9:44 AM EDT William Pitcock wrote:
On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
An ongoing area of work is to build better closed, trusted communities without leaks.
Have you ever considered that public transparency might not be a bad thing? This seems to be the plight of many security people, that they have to be 100% secretive in everything they do, which is total bullshit.
Just saying.
William
IMHO, I think you have it backwards. I see strategic discussions (like new crypto algorithms, technologies, initiatives, etc) should be open to public debate, review, and scrutiny. But operational/tactical discussions (like new malware, software exploits, virus infected hosts, botnets, etc) don't need public review. Rather, those types of communications should be streamlined that would allow for quick resolution.
-----Original Message-----
From: David Barak [mailto:thegameiam@yahoo.com]
Sent: Friday, March 19, 2010 8:55 AM
To: nenolod@systeminplace.net; jtk@cymru.com
Cc: nanog@nanog.org
Subject: Re: NSP-SEC
Total transparency in security matters works about as well as it would for law enforcement: fine for tactical concerns, but not so great for long-term strategic concerns.
-David Barak
On Fri Mar 19th, 2010 9:44 AM EDT William Pitcock wrote:
On Fri, 2010-03-19 at 08:31 -0500, John Kristoff wrote:
An ongoing area of work is to build better closed, trusted communities without leaks.
Have you ever considered that public transparency might not be a bad thing? This seems to be the plight of many security people, that they have to be 100% secretive in everything they do, which is total bullshit.
Just saying.
William
On Fri, 19 Mar 2010 10:08:55 CDT, Adam Stasiniewicz said:
IMHO, I think you have it backwards. I see strategic discussions (like new crypto algorithms, technologies, initiatives, etc) should be open to public debate, review, and scrutiny. But operational/tactical discussions (like new malware, software exploits, virus infected hosts, botnets, etc) don't need public review.
Reductio ad absurdum: The police don't usually phone ahead to a suspect and say "We're planning to stop by around 4PM and execute a search warrant, so please don't destroy any evidence before then, ktxbai"
--- On Fri, 3/19/10, Adam Stasiniewicz <adam@adamstas.com> wrote:
IMHO, I think you have it backwards. I see strategic discussions (like new crypto algorithms, technologies, initiatives, etc) should be open to public debate, review, and scrutiny. But operational/tactical discussions (like new malware, software exploits, virus infected hosts, botnets, etc) don't need public review. Rather, those types of communications should be streamlined that would allow for quick resolution.
Fair point - I was using "strategic" in the law enforcement with things like "long-term undercover investigation" in mind, but your point is well taken. I think we agree that some things benefit from increased transparency and other things don't.
David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
participants (3)
- Adam Stasiniewicz
- David Barak
- Valdis.Kletnieks@vt.edu