nanog mailing list archives
Re: update
From: Jay Ashworth <jra () baylink com>
Date: Sat, 27 Sep 2014 21:10:28 -0400 (EDT)
----- Original Message -----
From: "Keith Medcalf" <kmedcalf () dessus com>
Unfortunately, that page contains near the top the ludicrous and impossible assertion: ""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time." It is impossible for unchanged/unmaintained systems to develop more vulnerabilities with time. Perhaps what these folks mean is that "vulnerabilities which existed from the time the system was first developed become more well known over time".
That's not actually true. A running process, instantiated from a file of object code, derives its behavior from a number of interfaces; to the kernel, the libc, the filesystem of the machine it's run on, and even network interfaces off the machine. While the device itself may be -- or seem to be -- immutable, unless you're certain that *nothing around it changed either*, then you cannot assume that things became vulnerabilities *as deployed* which were not so previously. Ok, yes, that's partially equivalent to what you said, at least in the case of, say, consumer routers, booting from flash. But for code running on real OSs, it's possible for a vulnerability to "appear" because something under or beside the code got updated, turning something which could not be attacked into something which could. I haven't an example case, but it is theoretically possible. Cheers, -- jra -- Jay R. Ashworth Baylink jra () baylink com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Current thread:
- Re: update, (continued)
- Re: update Jim Popovitch (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Mikael Abrahamsson (Sep 24)
- Re: update Will Yardley (Sep 24)
- Re: update Jimmy Hess (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jimmy Hess (Sep 24)
- Re: update Jim Gettys (Sep 26)
- RE: update Keith Medcalf (Sep 26)
- Re: update Jay Ashworth (Sep 27)
- Re: update Jimmy Hess (Sep 27)
- RE: update Keith Medcalf (Sep 27)
- Re: update Kenneth Finnegan (Sep 28)
- RE: update Keith Medcalf (Sep 27)
- Re: update Valdis . Kletnieks (Sep 28)
- RE: update Keith Medcalf (Sep 27)
- Re: update Valdis . Kletnieks (Sep 27)
- RE: update Keith Medcalf (Sep 27)
- Re: update Jimmy Hess (Sep 28)
- RE: update Keith Medcalf (Sep 28)