Comments on anti-virus rants: availability > confidentiality + integrity?

Anonymous, 2008-02-28T19:15:00.000-05:00

"that's great that we're able to agree on where availability-centric thinking comes from... can we also agree that the one-sided process that creates it is wrong-headed?"

Sure. I never said that I endorsed this approach, I merely presented the case that it exists -- a lot -- and that in certain cases and from certain perspectives, one might be moved to consider *why* these thoughts exist.

/Hoff

kurt wismer, 2008-02-27T11:02:00.000-05:00

"I'm simply presenting the case that offers the oft proffered opinion by those OUTSIDE security that C and I aren't always looked at in a balanced approach."

sorry if i mischaracterized your post, but i went back and reread it and i still don't come away with the above after reading it...

"2) Did you miss the entire paragraph from the Renesys blog that was in the middle of the post that clearly demonstrated that the Pakistani ISP announced a more specific route to YouTube's address space?"

did you miss the part where it was demonstrably an **invalid** route to youtube?

"BTW, that's *NOT* corruption at ALL...it's a perfectly allowable action given the way BGP functions -- without authentication."

just because it's *allowable* (which is a bit of a misnomer as most seem to agree that what happened **shouldn't** be allowed) doesn't mean it isn't corruption... there are no controls preventing me from drawing new highways on a map but that doesn't mean i'm not corrupting the map by doing so...

"This underscores the issue with systems and protocols designed for A with little or no regard for C and I."

and by extension the issue with over-focusing on A...

"At the end of your post after disagreeing with what you interpret as my point you basically say the same thing...and very well, I may add:"

that's great that we're able to agree on where availability-centric thinking comes from... can we also agree that the one-sided process that creates it is wrong-headed?

Anonymous, 2008-02-27T06:15:00.000-05:00

Kurt, I think you missed reading about 1/2 my post:

1) I'm not endorsing the position regarding availability as an "argument" suggesting it's more important at all.

I'm simply presenting the case that offers the oft proffered opinion by those OUTSIDE security that C and I aren't always looked at in a balanced approach.

2) Did you miss the entire paragraph from the Renesys blog that was in the middle of the post that clearly demonstrated that the Pakistani ISP announced a more specific route to YouTube's address space?

BTW, that's *NOT* corruption at ALL...it's a perfectly allowable action given the way BGP functions -- without authentication. This underscores the issue with systems and protocols designed for A with little or no regard for C and I.

At the end of your post after disagreeing with what you interpret as my point you basically say the same thing...and very well, I may add:

ultimately i think the notion that availability trumps other aspects of security comes from the notion of aligning security with business... the alignment is often one-sided (security changes but management doesn't) and availability (and its effect on the bottom line) is the thing that management understands best so that's what business-aligned security focuses on most... i wonder what it would be like if aligning security and business was a 2-way street...

That's exactly right. You're not disagreeing with me at all.

/Hoff