From: "Dick Roy"
To: "'Lee'", 'Network Neutrality is back! Let´s make the technical aspects heard this time!'
Date: Wed, 8 Nov 2023 22:21:31 -0800
Subject: Re: [NNagain] cybersecurity is not a talent problem

Your points are mostly if not all quite valid. And so is Paul's. AFAICT, you are speaking ex post facto, which is perfectly fine given that we all live "ex post facto". IMO, Paul's point is that going forward the thinking must change from "filling security holes when you find them" to "do your best to eliminate the ability to dig holes in the first place." Thus, your arguments have merit "ex post facto", and Paul's have merit "a priori". So ... you are both right!

RR

-----Original Message-----
From: Lee [mailto:ler762@gmail.com]
Sent: Wednesday, November 8, 2023 6:26 PM
To: dickroy@alum.mit.edu; Network Neutrality is back! Let´s make the technical aspects heard this time!
Subject: Re: [NNagain] cybersecurity is not a talent problem

On Wed, Nov 8, 2023 at 7:58 PM Dick Roy via Nnagain wrote:
>
> Yes, today one can argue that there is a shortage of talent, however Paul's point was that that is not the first problem to solve, in fact the problem that must be solved first is:
>
> " We're in a hole, here, folks. The first thing we should do is: stop digging.”
>
> ... and he is right IMHO!

If Katherine Archuleta had enough talent to heed the warnings from the IG there's a chance there wouldn't have been a breach. The organization should have been well past the "stop digging" phase when the breach occurred.

>
> https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
>
> Nothing that happened at OPM, or failed to happen at OPM, was the fault of its leadership team.

Wrong. At the very least, management should have been closing the holes that had been identified.

again, looking at
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

on page 6
How the Breach Happened. Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity and adequately secure high value data. The OPM Inspector General (IG) warned since at least 2005 that the information maintained by OPM was vulnerable to hackers.

The leadership team ***was warned***. Given that they "failed to ... adequately secure high value data", how is whatever did or didn't happen at OPM _NOT_ the fault of the leadership team?

I'll agree that
> Katherine Archuleta should not have had to ... be an expert on "cyber" security

But she _did_ need to listen to the experts that were warning her about how bad security was. And she needed enough talent to realize that she should heed the warnings from her cyber security experts.

> and also because she had a reasonable expectation that somebody, somewhere, knew how completely and ruinously bad all of the IT (Information Technology) in the world was, and would have told her that there was no safety anywhere except on paper, in filing cabinets, guarded by the U.S. Military.

Seriously? There is no absolute security so no matter how much leadership ignores warnings, or how bad the security is in the organization they're running, it's not their fault when a security breach happens?

Do you really buy that? Would you be OK with your bank or any other organization that has your PII thinking like that?

speaking of which.. How do you feel about Equifax? Oh well.. nothing that could have been done, they should have been put out of business or something in between?

Regards,
Lee

>
> RR
>
> -----Original Message-----
> From: Nnagain [mailto:nnagain-bounces@lists.bufferbloat.net] On Behalf Of Lee via Nnagain
> Sent: Wednesday, November 8, 2023 2:47 PM
> To: Network Neutrality is back! Let´s make the technical aspects heard this time!
> Cc: Lee
> Subject: Re: [NNagain] cybersecurity is not a talent problem
>
> On Wed, Nov 8, 2023 at 2:22 PM Dave Taht via Nnagain wrote:
> >
> > Paul Vixie reposted this old piece of his, even more relevant today, than 2015.
> >
> > https://www.linkedin.com/pulse/lack-talent-problem-cyber-paul-vixie/
>
> I disagree. With a lot, but let's just go with this
> > The "cyber" security problems that the US Government, and every other government, and every large and medium enterprise are all coping with today do not stem from lack of "cyber" talent.
>
> Take a look at
> https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
>
> on page 9:
> The bottom line. The longstanding failure of OPM's leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadershit, not technology.
>
> There is no substitute for talent.
>
> Regards,
> Lee
> _______________________________________________
> Nnagain mailing list
> Nnagain@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/nnagain