nanog mailing list archives

RE: update


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Sun, 28 Sep 2014 01:19:42 -0600


On Sunday, 28 September, 2014 00:39, William Herrin said:

> On Fri, Sep 26, 2014 at 11:11 PM, Keith Medcalf <kmedcalf () dessus com>
> wrote:
>
>> On Friday, 26 September, 2014 08:37, Jim Gettys <jg () freedesktop org>
>> said:
>>
>>> http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys
>>>
>>> ""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of
>>> Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and
>>> Smith makes clear that ignoring these devices is foolhardy;
>>> unmaintained systems become more vulnerable, with time."
>>
>> It is impossible for unchanged/unmaintained systems to develop more
>> vulnerabilities with time. Perhaps what these folks mean is that
>> "vulnerabilities which existed from the time the system was first
>> developed become more well known over time".
>
> Keith,
>
> Any statement can be made foolish if you tweak the words a little.
> They said, "Unmaintained systems become more vulnerable with time," a
> reasonable and possibly correct claim. You paraphrased it as,
> "unmaintained systems develop more vulnerabilities with time," which
> is, of course, absurd.
>
> The vulnerabilities were there the whole time, but the progression of
> discovery and dissemination of knowledge about those vulnerabilities
> makes the systems more vulnerable. The systems are more vulnerable
> because the rest of the world has learned more about how those systems
> may be successfully attacked.

You are absolutely correct, Bill.

The truly correct statement of affairs is that the pre-existing
vulnerabilities, which have not been mitigated, become more
likely to be exploited over time.

That premise would change the tenor of the paper entirely from
crack addict encouragement to giving the useful advice that
the issue stems not from the failure of the dealer to continue
providing more crack, but rather from the consumer's failure
to realize that smoking crack is dangerous and may be deleterious
to one's health unless suitable precautions are taken before
engaging in the activity.

If one fully and correctly assesses the avenues by which exploitation
may occur and fully mitigates those avenues of attack, then the
system, although unmaintained, does not become subject to increased
likelihood of having vulnerabilities exploited over time.

> Regards,
> Bill Herrin




