<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, May 30, 2013 at 7:27 AM, spike <span dir="ltr"><<a href="mailto:spike@rainier66.com" target="_blank">spike@rainier66.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-US"><div><p class="MsoNormal">WOW what a GREAT article!<u></u><u></u></p><p class="MsoNormal">
<u></u> <u></u></p><p class="MsoNormal"><a href="http://queue.acm.org/detail.cfm?id=2479677" target="_blank">http://queue.acm.org/detail.cfm?id=2479677</a><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">
Do check out the summary:<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal" style="background:white"><b><span style="font-size:13.0pt;font-family:"Arial","sans-serif";color:#222222;text-transform:uppercase">SUMMING UP<u></u><u></u></span></b></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:11.25pt;background:white"><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#333333">Risk is a consequence of dependence. Because of shared dependence, aggregate societal dependence on the Internet is not estimable. If dependencies are not estimable, then they will be underestimated. If they are underestimated, then they will not be made secure over the long run, only over the short. As the risks become increasingly unlikely to appear, the interval between events will grow longer. As the latency between events grows, the assumption that safety has been achieved will also grow, fueling increased dependence in what is now a positive feedback loop…<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt;line-height:11.25pt;background:white"><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#333333"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-bottom:12.0pt;line-height:11.25pt;background:white">
<span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#333333">Spike comment: Any phenomenon described in terms of feedback loops will resonate with all controls engineers everywhere. {8-] What Geer is describing sure as heck looks to me like simultaneously suppressing negative feedback and creating positive feedback, a sure path to eventual instability and catastrophic failure.</span></p>
</div></div></blockquote><div><br></div><div>Unfortunately, the logic does not hold.<br><br>For "the Internet", you could substitute "the weather", "gravity",<br></div><div>"physical security of the US" (9-11 was a classic case of such<br>
an event, when the risk was underestimated), or any of a long<br>list of things where safety is mostly assumed. Note that the<br>above logic dismisses any possibility of an analysis proving<br>things secure, and instead assumes that if we depend on it,<br>
it's insecure, with logic that does not care which "it" it applies<br>to.<br><br></div><div>Seriously. How do we "know" the sky won't be blanketed with<br>ash by a supervolcano tomorrow? Because there has been a<br>
long latency since the last such event. According to the above<br>analysis, no other factor is relevant.<br> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><div><span style="font-size:9.0pt;font-family:"Verdana","sans-serif";color:#333333">Is centralizing authority the answer, or is avoiding further dependence the better strategy?</span></div>
</div></blockquote><div> <br></div><div>No. That is to say, the optimal strategy is neither of the above.<br></div></div></div></div>