From YouTube: IETF96-LUNCH-20160721-1300
Description
LUNCH meeting session at IETF96
2016/07/21 1300

A: So, first of all, I want to thank you for allowing me to spend some time with you and share some thoughts, some experiences, and I have some requests and suggestions, in that order. I hope I am... I'm an interloper. I'm not an IETF member. I have read RFCs, questioned RFCs and implemented RFCs, but that's the limit of my IETF exposure.

What I want to share with you is what I call a, you know, view from the field, report from the field. I've been a security practitioner for quite some time, but when I say security I mean traditional cybersecurity. But before that, then there wasn't... before that, I was deeply involved with several engineering disciplines, and, as many of us, especially those of us over 40, we fell into networking. We didn't design, we didn't desire to go into networking. So for the context...

Setting for this conversation, let me tell you a little bit about myself. I started to read Mark Twain when I was forced to in Jesuit high school, so I always take liberty with some of his quotes, and over the years, the more I've been involved with the internet, truly, the more I love my dog. And my dog does have an IP address, by the way. She is chipped, and that chip is more than just tracking; it has all of her health records.

IETF is 30 years old, and congratulations. Very few organizations of any type can last 30 years. 30 years ago, I had just completed my first major series of projects. Let me give a little bit of background. My first job out of university was at Argonne National Laboratories. Now, I didn't know anything about nuclear physics. I didn't know anything about national battery testing labs. I didn't know anything about much of anything, except I could write good real-time code, and by real-time it meant it was done.

It was not done in real time, but those were systems that ran in real time, and basically today we call these embedded systems. So I'm from Cleveland, Ohio, Midwest boy. Drove to Chicago, and I go to the labs, and big burly men with guns greet me, and I'm thinking, what am I doing? What am I getting into here? And as they escort me to my first building...

There are these very short, very albino deer, and I'm thinking, well, I know they have nuclear stuff here, and, you know, I'm thinking deer and seeing deer and something's not correlating, and I'm thinking, what am I getting myself into? And then I meet the lab director, who was very gracious and welcomed the newcomer, and said, I know you're thinking about the deer, aren't you? And honestly, yes, sir, it did cross my mind. He goes, don't worry, they were bred.

So my first job was writing code for one of the reactors that they had at the time, called the TREAT reactor, thermal test reactor, and I wrote code for folks who were far, far smarter than I am. In fact, several were up for the Nobel years later. But it was like a Disneyland for nerds. You know, you could do anything, everything you want, it was there. There was no... time was kind of an option, but delivery and accuracy was critical.

So I wrote code for the TREAT reactor to manage, to collect the collimator, which moved back and forth, and the physicists could do their physics stuff or whatever, and they wanted to make sure that the data gained was correct, and it was all that kind of nonsense. So I did that. They were happy, my boss was happy, and nothing glowed, so that was success. Good times, right?

So back in the day, you know, people played around in the middle of a nuke reactor. How quaint, yeah, yeah, I guess. Then they decided to put the signs up. So I cut my teeth on real-time systems, and part of that was making not only the analog-to-digital, digital-to-analog conversions all myself, which is easy, but making systems that weren't meant to talk to each other talk to each other. That was my introduction to networking.

Although we didn't call it networking then, we just called it control plane, not to be confused with today's control plane. So about 25 years after I left this program, I ran across one of the departmental directors that retired; I was invited to his retirement. He goes, you know, Kevin, they're still running the reactor with your code, 25 years later. Now this is in western Idaho.

So if you ever go to western Idaho, don't. I would fly all around it, to make sure that Kevin's 40-year-old code is still running there somewhere on the reactor. But what I did realize was that I liked the communications narrative. I liked that it was fun. In university, instead of taking a spoken language, I took Fortran and APL, and it qualified for a foreign language, which was hilarious. But I really enjoyed making things work that weren't meant to work together.

So after Argonne I ended up at a company who was subcontracted to do DDN, if you remember that, Defense Data Network, then the MILNET separation, and then I really got to understand and know networking the hard way, in a classified environment where time was a commitment, and the notion of security was now introduced to me as a very young engineer.

We had the Mac SE, remember that? But it was the first time that the Apple, that the Macintosh, gained credibility in business. So it was a big thing for some of us who were Apple devotees back in the day, and we had the internet looking something like this. And as I said, I was working on... I had just come off working on DDN, yep, done, and then I had moved to this little university on the East Bay of the San Francisco Bay Area. Some of you may have heard of it: Berkeley, yeah.

Well, if you know, all the universities to the right are all East Coast, and then they threw in a little carrot to Berkeley. But I was working on BSD and, among other things, some of the BSD stack came my way, my team's way, including BIND, and I always thought that was a terrible, terrible name, because it really put us in a bind everywhere, from where we were in a period who were making the transitions from proprietary networks to, of course, TCP/IP-based. But it was a learning experience.

It wasn't that we were so prescient that we foresaw the collapse of 32-bit address space, not even close, but we were already going from 2,000 networks to 30,000 networks in a very short period, and there were associations that we knew... we knew we needed a different model. So there were a group of us who kind of banded together.

Of course, if you've been to Berkeley, one of the great artifacts of the university is some of the best food in the world; we call it gourmet ghetto. I think there have been at least 20 companies started on either the Telegraph side or the other side of campus. But we would go and just collaborate and say: look, what can we do that's different? What can we do with the tools available? Oh, by the way, we know how to write code, so we can write new tools.

What could we do? And we got shot down. We got shot down quite simply by the moat-and-sandcastle folks, who simply said, put up big barriers and move on, we don't have time. So I share that with you because I look back now, as a practitioner, and wish that I had the temperament, the experience and the voice for that team then, to have stood up and said no, we need to do this the right way.

Now, fast forward. I'm going to close out a little bit about me, and that is, the last 18 years have been solely focused on cybersecurity, including multiple CISO roles and a few startups, successful startups. To which... it's a benefit to... excuse me. But what I want to share with you are some of the pitfalls, challenges that we all face: those who are designing the internets, I said plural intentionally, and those who are operating the internet.

1986 also was a time where things that weren't so pleasant happened: Chernobyl, by the way. Chernobyl wasn't the first runaway. We all know that, but it was one of the largest. In fact, for those who are interested, the first uncontrolled meltdown was actually at Argonne in '55, and of course we had the Challenger. Now keep these in mind as we go through this afternoon's discussion.

I had the situation where customers, 200 million customers, came to me already compromised but wanting to buy things. That's the real world. That's Amazon, that's us, I mean them, sorry, Freudian slip. That's the companies who have to take financial instruments with a username and a password, and then, oh, by the way, I don't care how strong your password is. It doesn't matter when the keystroke logger has been on your computer for the last two years.

I would get data dumps from the dark web purveyors, and it would start with a thousand credentials a week, then 2,000, until it hit a crescendo of 250,000 unique credentials in a week of my customers, and, oh, by the way, they have some great passwords in there, extremely good tech. I use one of them now, it's so good. But they were compromised, so it doesn't matter. So how do you actually conduct commerce when your customer's coming to you and you have to determine whether she's real or not?

Whether or not you change your shipping address is another hint. Whether you do the myriad of activities that the traditional SIEMs will do, those are the hints, not your user password and not your geolocation. So I'm just throwing it out there; it's just a little bit of a pet peeve of mine where people think, no, stronger passwords, throw in their passwords... I can give you all the strong passwords you want; it's irrelevant.

So after practicing this wonderful, fun and, you know, low-taxing occupation for 18 years, I figured, what can we do to change the internet? So I did what anyone with a modicum of intelligence would do, and I asked Siri. So I asked Siri how to improve the internet for security. You know, you can see some of her answers. It wasn't really that helpful.

So if you know Siri, you know that it is something like Google search. You have to ask the question in the right way, so I tried it again, and not that much help. So I figured, you know what? Better place to go to ask these questions than IETF? So here I am. So a little bit of quick, quick history. Many of us in the room have been there, but some of us have not, or may have intentionally forgotten. In 1986, the year the IETF was founded, there were zero known internet attacks.

Zero. It's easy, I mean, this is a trick question. Why? But I think we all know: it wasn't really there yet. It was kind of there, we're not quite there, and we all knew all 2,000 besides. But in '88 we had the first one. Of course, that's the Morris worm. I was at Cal still, at a research team, and we got slammed with the Morris worm. It was more like a slug, but our machines were slow, so the worm was fast enough. But what that did was raise the consciousness of...

Oh my god, we really have to do something, because I'm not in control of my assets. I was between the BSD team and the ACS, which is academic computing services, so the academic side. I had professors, and true Nobel laureates, screaming at me from Switzerland and from all parts of Europe, saying, I can't get to my system, I can't get to my system, giving a presentation or whatever. It's like, dude, chill, before we said dude, chill. I said, we don't know what's going on.

That was a wake-up moment for me and my team, especially the folks who were writing a lot of the code that people were relying on. We didn't know what was going on. We didn't have the wherewithal and the tools at the time to determine it. So if you read the Cuckoo's Nest, you know Cliff Stoll and all that kind of stuff.

You know, anybody who would spend as much time as Cliff to hit his way through his phone records probably needs a life, but we were trying to figure out what was going on in real time, and I'm going to tell you, this was an eye-opening experience and one I don't want to repeat, because no one knew, and I underscore that. The NSF folks didn't know. We had contacts at IBM.

They didn't know. Nobody really knew on the first day when it was started. But I bring this up because, since then, of course, the attacks have gotten far more sophisticated, far more targeted and far more effective. So 2016, don't even worry about counting; it's just insane. You can spend... there are companies built on trying to calculate how much of the impact there is on the internet from attacks.

Silly. It's specious, suspicious; those are the descriptors from my perspective, because it doesn't matter. The real number that matters is how many breaches of significance, and the best estimates are around about one a week of a significant breach, and I say this with authority. I used to also be the CISO at Symantec and ran one of the first research groups we had on breach detections, so the consensus around those who do this daily is about one a week. This was fifty-plus a year of successful breaches.

So, on the malware side, things are a little different because, frankly, if you pay me to break in, and, oh, by the way, I used to do that as well, we didn't use the term white-hat hacking, hated that term, but we were favorable hackers, and I almost always got in at layer seven. In fact, we never not got in.

There are a few times we got in through the plumbing, by virtue of looking at change control, for example, and in fact, through our reconnaissance we could tell most companies... we actually had a log. Now the bad guys in the dark net sell a list of when companies have their change control. JPMorgan Chase, for example, to throw a name out there, if not necessarily them: Tuesday at 7pm. We knew it, so Tuesday about 10pm is when we try our pens, because guess what?

Typically, through a change control window, mistakes are made, so that was just the right time for fishing, right. So we did that until later, layer seven. Now, having said that, when people make mistakes on changes and change controls, as usual it was either a deprecated or an older release, for example. Good one. Whose... always a person... everyone goes, right, go for SNMP and DNS. You just go right for that; it's easy.

It's like, you know, the slow gazelle, and when they made a mistake, BAM, wherein they don't know it, we're sitting there. It was just very, very common. Fast forward to today, it's a lot harder, because so much is also being done in the cloud. I'm going to talk about that later, but the cloud actually is a really great buffer from a security perspective, a very great buffer. Makes it a lot harder, not impossible.

So in 1986 there were six confirmed, well-known viruses, because what happened was the folks who were actually collecting the viruses, first of all, were doing sneakernet. That's the only way of really doing it. It was very difficult to transfer viruses other than physical media, and the virus writers were basically academics anyway, so it wasn't... [unintelligible]. You know, you had John McAfee and Peter Norton running around in their vans in San Jose, literally driving around in their vans, a pickup.

When you talk to the Trend Micros, Symantecs and the like, they'll tell you, and Sophos, they'll tell you that it's not a lot of uniqueness there, but it's enough of a spin just to cause a problem, and this is today's threat level: we're always at orange. I don't know why they even bother; it's always there. But we had a time when it was easy to identify and prevent malware. AV is dead.

It doesn't know it yet; it's dying under its own demise from having to maintain 20-30 years of history, because all I need as an attacker is to go back to an old problem, an old CVE, right, and that happens all the time, because we're all focused on the latest and greatest. But we forget about CVE one, which still exists, is there. So AV is dying, and it's dying a slow death.

It's no longer site defacement; it's been taken over, with some exception, especially around activism, political activism. But now we're talking about changing records, changing records in the financial community to put your thumb on the scale for euro-to-dollar transfer rates. It's talking about modifying health records to intentionally harm an individual or hospital. We're talking about taking over HVAC systems. We're talking about water filtration systems. We're talking about the things that can hurt people or kill people. This is reality. This is reality, [unintelligible], the financial impact, which we all hear about.

We hear about this all the time, about taking your credit cards. By the way, the credit card value has been dropping precipitously over the years. Your credentials are the coin of the realm right now in the dark net. So the financial impact is interesting. It's important, but those who want to cause harm by leveraging the internet itself can cause death and destruction.

Remember the Challenger, and remember Chernobyl. Well, the nuclear sites, of course, are air-gapped. I don't know, I'm not involved anymore, but what I hear is that there's a pause, and they said, yes, we're air-gapped, but still, they still use, of course, TCP/IP throughout, so somebody can jump the fence or enter or interject. Who knows? It's scary to me as a practitioner, as someone who's been involved. [unintelligible], it's a little scary to me on the side with, like, the... sorry, aviation, then it's a server, the Challenger, I'm very scared.

We hear these stories about people taking over aircraft. Nonsense, by the way; they basically did the maintenance mode that's on the ground, can do in the air. Yet Tesla had their first incident with their autonomous driving software; it's going to have problems. Unfortunately, someone did die. Now that person probably shouldn't have... should have been paying more attention, from what I understand, without throwing in on the details, but the fact of having cars being taken over has been demonstrated time and time and time again.

2010 was a pivotal year. A lot of things happened on the malware and the attack scene. Project Aurora: if you had not heard of it, that was a very widespread, very likely nation-state attack, but it doesn't matter who did it. It happened. Code was expunged, I mean, I'm sorry, was removed from a lot of companies, but the reason why I bring up Aurora in particular is because five years prior, that exact same attack happened to me and a couple of other companies, but we didn't share. We could have prevented it.

Had there been a mechanism to make some of these changes, it didn't happen. So it came back five years later, far more effective. We also had a couple of... we had Stuxnet, right. Well, Stuxnet forever changed the game. We also had Shamoon, if you don't remember, if you remember that... I'm sorry, if you remember that as well. Both were in around two thousand ten; the reason why they were so impactful is because now they're showing that I can do destruction on equipment.

Over the internet. Okay, okay, the genie's out of the bottle. Now it's not going back. Now, Shamoon was kind of cool because it just destroyed 30,000 PCs, which was interesting. I mean, there was a rumor that Dell did it, but it's just a rumor. But it forever changed the face of these attackers, because some are politically motivated, some are financially motivated, some are just motivated, but the fact is they can actually cause harm, shut down refineries, shut down hospitals. Things are changing.

On the network side, everybody can take deep breaths; not a lot going on there. Why? I think we all know the answer: we're fairly resilient, right. DDoS still does work, and the reason why it works is because it works. It's, you know... remember the first time I saw a 140-gig attack, I'm going, no, I don't have 141-gig pipes, I'm in trouble, right. And I talked to my peers. I said, how do you guys defend against DDoS attacks? Add more pipes. Well, things are changing. We have other mitigation strategies.

We have the cloud. Many organizations, especially Fortune 100 companies, are pushing, as you well know, they're pushing their endpoints into the cloud, and, you know, like Akamai with Kona and all that good stuff. It works. It's not the ideal, but it works. So 50 gigs are still fairly prevalent. There was a 620 claimed. We know of a 510 that was successful. We believe the 620 because it was claimed.

But the point, though, is a lot of times the DDoS attack is a ruse, and the reason why I brought this point up was because it actually, again, happened to me, where everyone is scrambling, the student body left to focus on the DDoS attack, when we realized we were actually already being just snarfed like crazy. So it does still occur, if the efficacy from the attacker's perspective is not there. If I'm an attacker, I want your content. Who cares? I'm going to take your site down? I don't care about that.

This is nothing that you can necessarily address from an IETF perspective. The masters... I believe there are some... I'll talk about some suggestions that I have, but the need for companies to do a better job is acute, and there are reasons why we don't. For example, if you ask a CIO how many applications she has in her portfolio: well over a thousand, some 20, 22 years old, and, you know, it's just not easy to refresh that, so there's a lot of their mitigating rationale.

For some of the hygiene, probably the hygiene problem is the biggest one, because, again, as an attacker, that's how I get in: poor designs, poor procedures and horrific coding. Again, that's how I get in. Automation is something we talk a lot about on the operations side and do very, very little about. But one of the reasons why we don't do a lot more automation is because it's hard, it's extremely hard, and we're doing automation on systems that weren't designed to be automated.

The complexity dialogue is one that we know we have to address, but I don't hear answers of how to address it. If you look at a typical organization, 45, 35 to 70,000 compute elements, physical, we've got to virtual, yet probably an order of... with several thousand routers and switches, right, and firewalls, several thousand, many, many thousand, and then, oh, by the way, that thousand-plus applications that the CIO is struggling with. Ask anyone what's going on.

The average Fortune 500 company has somewhere around 40 different products; count them, 40 different products. And so what I asked my last two teams to do was tell me where you're spending your time, not that I'm micromanaging, I just want to know, and we came up with forty-two percent of the time, in my last org, was managing the management plane. That's caring, feeding, patches, updates, tuning. That's insane, totally insane, but yet that's what so many organizations are doing.

It's a roller coaster ride that we've got to get off of, so one of the things I did was I picked an arbitrary number. I said, okay, I'll tell you why: we're going to go from X, which was 42, from 42 products to 10, and my team asked, why 10, Kevin? I said, well, because I can count to 10 easily. I can manage that; I can manage these companies. So that's where I often cite Phil Zimmermann and PGP: it's pretty good privacy.

It's not perfect privacy. So I had a lot of overlap in products in a portfolio and all that; we collapsed it down, and sure enough, it really helped us. I got time back in our pockets to actually do the hard work that we should be doing. But this is not sustainable, and, oh, by the way, I argue that even those ten that I came down to didn't make me tremendously safer, more secure I should say. We have a problem, and we have to be able to manage through this without being so tied to our own solutions.

We lack insights into the networking. As a consumer, as a practitioner, we lack insight into the network, and of course we all know the challenge would be like legacy problems. Everyone has that; that's universal. But it is made more acute when I'm spending forty-two percent of my time managing my management system. Oh yeah, complexity, so.

The consumers want ease, which is why I'm back to my, you know, username/password for buying lots of stuff online. They don't want to change it, they won't, they won't use OTPs or anything. This... okay, we'll work around it. The designers, the administrators and the attackers... hope to see a theme coming out here, and we're stuck with, okay, I'll tell you what, I'm going to help you: the certificate for this site... by the way, this is made up, it's not real, [unintelligible] is not trusted. Okay.

This is not going to go away from the user community. It's not! Let's understand that. We have to understand that someone decided to throw this up. It's a warning to the user that you may not want to do this, and there's going to... whatever, I've got to get over there. This is what we are dealing with, and we're dealing with it at a very, very large scale. We...

A paradigm: we really fundamentally change the paradigm, and this is the beginning of my ask of IETF. So we've been working in the world for almost 40 years now and have assumed trust, right. If you can shake my hand in the proper way, in a nice, secret way, we're good, come on in. Well, we have to start to change that. I think, you know, DNSSEC is in the right direction. Why the adoption isn't higher, I have no idea.

I just really don't understand that one. I scratch my head, like, all the time on this one. It's like, well, we know they have a really good solution. Why aren't we using it? Go ahead, please. I'm sorry, you read the slide exactly, and that's exactly the challenge we have. We have to get past that, we collectively, that's me on the user community and you on the design community. We have to do a better job, because this is not sustainable.

Who is the one that is inconvenienced: the designer, the implementer or the consumer, consumer being, in this case...? I'm sorry, no, wrong answer. All of us should be inconvenienced, because we're the ones who have to deal with it, right. We're the ones who have to implement it and, oh, by the way, add more stuff to circumvent the weaknesses, back to my 42 different security services. That is not sustainable.

We have to inconvenience everyone a little bit. We're all in this together, all three organizations, all three groups. So I think one of the things is to consider, in any new design, reputation. I am a tremendous believer in crowdsourcing. It works. It's hard with your thumb on the scale, and crowdsourcing... people may be wrong in a crowd, right. We see this all the time in elections, right. People can be wrong in a crowd, but that's okay, because you have a... now.

One of the things we don't do, as we all know, is that we don't associate firmly, with the exception of [unintelligible] example. I mean DNSSEC, so I like it. That's a great model to use. Yes, it's hard. Yes, certificates and PKI, it's hard, and clearly it's not a panacea.

One of the... that was at Symantec. We were going to, you know, we were in the PKI business, and, you know, we all know, if you've been to a signing ceremony with your hood and everything, right, kind of cool. It's difficult. It's difficult to manage; it's difficult to manage when individuals leave your company who are part of the signing, right. This is hard. This is very hard, but we have to stand up and take that challenge.

This is the one that troubles me the most. On the implementer side, I have three implementations of SNMP: one that meets the letter and the spirit of the RFC, one that meets the letter, one the spirit. Guess which two I'm going to attack, and guess which two I probably will get in? We have to reduce that ambiguity. Now.

But at the end, there was very little room for ambiguity. There was some, of course, because humans are still involved, but we need to address this problem because, as a practitioner, I see variations all over the place, and some variations are well-known weaknesses. Some are not; some are strong; some are subtle. But the bad guys can figure it out. They've got time and money on their side, and, oh, by the way, they have conferences like this. They share knowledge. They sell it. [unintelligible] to assume ill intent.

That's what's happening. This is not new news. I'm sorry, it's not breaking news! This is what's happening. If we design with the assumption of ill intent, we won't be perfect, but, as Phil Zimmermann said, we'll be pretty good. This is a change in paradigm. As a practitioner, I'm asking this consideration.

Automation is going to help us collectively in profound ways. I had a rule for a couple of my teams, that if you did any activity more than twice a week, it was subject to automation. Didn't mean you had to automate it, but consider it, and again, it was remarkable when folks took the time, the inconvenience, to write either the scripts or the tool to help them automate; it paid itself back time after time after time.

Federation is something that we don't talk about a lot. When I mean federation, I don't mean identity necessarily, which is federation in a sense that my domain, especially if I'm a large organization, I have the wherewithal to manage kind of what we're doing, right. Let us do that. It's so that we can do that for everything from authentication, authorization, lookups, caching; it could be a controlled and vetted caching. For example, let's assume that federation capabilities... it's not there for everybody, won't be, but for large organizations it certainly can be. And virtualization.

Of course, we all know this is nothing new, but assume that's the default. If I'm building anything today, it's starting with virtualization now, there, and the network itself has to be part of the solution. It does. So for all the network practitioners: we have to be part of the solution and not an innocent bystander. It's almost like the smart highway, and we have to be part of the solution.

So if we don't do this right, when that intelligent vehicle is a targeted attack and someone dies, we will see far more legislation, which gives us less flexibility to do the things that we believe are right. I'm not saying this as an observer. I've been very active on the Hill, been brought in many times to talk to both Congress and Senate in the US, and the EU in Brussels, about pending legislation and the impact. Oh, look, this is real. There are some terrible legislations that are already in place to date.

That's the next generation: they're going to tell us how to do our work, by laws, and, of course, that's something we don't want. But if we... Let me pause there for a quick second, because in the US there's an executive order in 2012, where the president said, [unintelligible], share intelligence with the private sector. Didn't happen. Four years later, three years later, a law came out, CISA, in the US.

Basically said the same thing, but who to share with was always the problem, because, if you're a vertical like the financial industries, fine, you've been doing it for years, but if you're not, who do you share with, right? So now there's a statute that says now you have to share, you have to consume it, and there's no vehicle to do it. So this is the artifact of poor... artifact of laws, I'm going to be careful with, and we... If we do our job right, we can help to circumvent some of this.

C: Lynn. In an earlier century, something like the launch of Sputnik really changed, you know, the education system in the United States, and a lot of us are sort of the product of that, at least those of us with gray hair. It seems to me that, you know, what you're sort of implying is we really need to do things a lot differently. We need to change the way we educate computer science students. Who exactly is going to make that clarion call, and who's going to set, you know, the agenda that...

A: Is a very, very good question. Even though I don't have gray hair yet, if I had a beard it would be. I was a student of the 60s, and we do need that clarion call. I don't know. I'm very involved in STEM; my company is very involved with them, but maybe it's an example where the IETF cannot reach... you know, I don't know, I don't.

I wish I had the answer to that, but that's the first step in a 12-step program: acknowledging we have a problem, and I intentionally try to scare people, and I don't usually do that with cybersecurity. But what I'm starting to see now, I'm starting to see things that people can die. I get nervous, and we collectively are part of that. So I suggest maybe the outreach from the IETF... I don't, again, I'm an interloper. I just happened to drop in and hopefully share...

Some words with you, but we have to do something. STEM is a very "in" thing right now; it might be the right vehicle. I will tell you, coming from academia, the teaching of computer science is woefully... it's just ridiculous. Still, people are focusing on pen testing and breaking things, not designing things to be resilient from a security attack. We have to change that as well. But I hear you loud and clear. Again, the IETF, and if I can help, I'm more than happy to help with that, sir.

D: ...[unintelligible] vulnerabilities. You guys have used Dual EC in your... in the ScreenOS devices, with the custom Q, so that when the Dual EC vulnerability was announced and made quite clear, I believe your response was, it's okay, we use our own Q. So my question for you was, well, I guess it's sort of a two-part thing, but why did you choose to use Dual EC DRBG when it was slower than the
other,
our
energies
in
the
first
place,
and
to
how
did
you
generate
your
own
cue?
A
A
You
can
debate
rewinding
the
art,
the
RNG
discussion
at
that
time.
I
wasn't
with
juniper,
but
I
was
implementing
ECC
and
we
were
debating,
looks
ourselves
how
to
do
it
right.
Nobody
knew
the
proper
way
then,
when
this
was
originally
done,
so
I'm
gonna
leave
it
with
that
and
and
kindly
ask
that
you
review
the
FAQ
I
believe
it
may
have
been
refreshed,
I'm,
not
so
sure,
but
ok.
D
A
I
hear
and
I
really
I
really
am
and
I'm
not
I'm,
not
saying
this
to
to
to
kind
of
shortcut.
The
answer
but
I
do
appreciate
the
question.
It's
a
valid
question,
but
I
believe
we've
answered
with
exception
of
the
source
control
access,
which
we
do
for
certain
parties
under
NDA
and
and
licensing
I.
Think
we've
and
I
think
we've
answered
that
be
remember.
This
was
also
screen.
Os
product,
which
yes,
people
are
still
using
I,
was
a
completely
different
part
of
a
model
than
we
do
for
just
completely
different.
Ok,
any
questions,
yes,.
E
Sir,
my
name
is
Jim
Galvin
and
I.
Something
just
occurred
to
me
and
listening
to
the
last
question
because
he
asked
you
about,
you
know:
how
did
you
the
presumption
was
that
trust
of
Juniper
on
gown
result
of
the
incident,
and
so
what
are
you
doing
to
bring
it
back
up
and
actually
I
want
to
want
to
challenge
the
assertion
that
that's
what
happened
because
I
think
what
would
you
say?
E
I
mean
I
get
out
of
a
lot
of
what
you
said
and
something
that
I've
always
felt
about
security
and
security
incidents
is
the
fundamental
problem.
Is
the
fact
that
people
really
don't
seem
to
care
I
mean
not
enough
people
or
not
the
right
people
care.
So
did
your
trusted
trusted
juniper
go
down?
Maybe
there
was
a
you
know,
tiny
little
blip
for
a
moment
among
people
who
are
practitioners
but
in
reality
is
a
practical
matter
who
noticed
and
who
really
cared.
E
A
I
hear
it's
not
so
much
a
mess.
Amor
complacency
I
think
it's
kind.
What
you're,
addressing
it
and
I
say
no
I,
think
the
practitioners
at
we
had
without
a
doubt
our
biggest
response
was.
You
were
quick
to
respond,
you're,
open
and
transparent
as
much
as
you
can
be
on
this
problem
anywhere
better
than
you
corrected
it
right.
So
if
there
was
a
blip,
I
think
was
restored.
In
fact,
to
a
customer
that
was,
there's
been
their
response
and
that's
because
they're
being
nice,
they
were
dishonest
because
it
does
happen.
It's
not.
A
This
is
not
unique
to
Jennifer.
We
all
know
this
this
particular,
but
the
complacency
issue,
I
think,
is
less
about
lack
of
interest.
Then
that's
the
way
of
the
world.
How
many?
How
many
updates
do
we
get
across
our
portfolio
each
week
used
to
be
a
lot?
You
know,
patch
tuesday
was
ok,
I'm
going
on
vacation,
Monday
night
right,
there's
nowhere
to
be
around
and
patch
tuesday,
it's
gotten
better,
but
we
also
have
a
lot
more
an
hour
and
are
in
our
inventory,
so
we're
always
constantly
patching.
F
A
Know
that
Tobias,
correct
I
appreciate
the
question
two
quick
answers.
1
is
my
expectation.
I
ask
not
expectation
for
my
asked
of
I
hf
and
the
by
the
centralized.
If
I
have
the
same
conversations
with
the
open
source
communities
to
is
think
differently
to
to
abuse
apple
right,
think
different
yeah
when
you
design
assuming
harm
as
a
starting
principle,
can
go
a
long
way
we'll
find
out.
It's
the
other
question
earlier
question
with
regard
to
what
do
we
do
with
training?
A
The
next
generation
is
that
age
if
they
come
out
of
school
thinking
this
way,
can
you
imagine
the
next
to
the
next
generation
of
protocols
completely
different
right?
That's
my
ask
of
idea
to
think
a
little
differently
right
and
I
was
somewhat
prescriptive
of
what
I'm
asking
for
as
a
practitioner,
but
at
the
end
of
the
day
we
have
what
we
have
you
know.
What
we
have
is
what
we
have
for
now.
What
the,
if
you
think
about
30
years,
is
a
long
time
think
about
a
car
in
1986
in
the
car
in
2016.
A
Think
about
the
Internet
in
two
thousand,
I'm
in
1986
and
2016.
The
big
difference
is
just
scale
frankly,
but
car
is
a
radically
different,
they're,
smarter,
they're,
quicker,
they're
safer.
We
have
to
think
different
and
oh
by
the
way,
when
you
talk
to
the
car
folks,
they
came
in
at
kicking
and
screaming.
They
did
not
because
why
what
they
were
building
was
fine,
they
sold
they
made
money,
but
when
people
start
dying
being
started
to
change,
so
I'm
asked
my
ask
of
ietf
us
to
think
different.