nanog mailing list archives
RE: update
From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Sun, 28 Sep 2014 01:19:42 -0600
On Sunday, 28 September, 2014 00:39, William Herrin said:
On Fri, Sep 26, 2014 at 11:11 PM, Keith Medcalf <kmedcalf () dessus com> wrote:On Friday, 26 September, 2014 08:37,Jim Gettys <jg () freedesktop org> said:http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys
""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time."
It is impossible for unchanged/unmaintained systems to develop more vulnerabilities with time. Perhaps what these folks mean is that "vulnerabilities which existed from the time the system was first developed become more well known over time".
Keith,
Any statement can be made foolish if you tweak the words a little. They said, "Unmaintained systems become more vulnerable with time," a reasonable and possibly correct claim. You paraphrased it as, "unmaintained systems develop more vulnerabilities with time," which is, of course, absurd.
The vulnerabilities were there the whole time, but the progression of discovery and dissemination of knowledge about those vulnerabilities makes the systems more vulnerable. The systems are more vulnerable because the rest of the world has learned more about how those systems may be successfully attacked.
You are absolutely correct, Bill. The truly correct statement of affairs is that the pre-existing vulnerabilities, which have not been mitigated, become more likely to be exploited over time. That premise would change the tenor of the paper entirely from crack addict encouragement to giving the useful advice that the issue stems not from the failure of the dealer to continue providing more crack, but rather from the consumers failure to realize that smoking crack is dangerous and may be deleterious to one's health unless suitable precautions are taken before engaging in the activity. If one fully and correctly assess the avenues by which exploitation may occur and fully mitigates those avenues of attack, then the system, although unmaintained, does not become subject to increased likelihood of having vulnerabilities exploited over time.
Regards, Bill Herrin
Current thread:
- RE: update, (continued)
- RE: update Keith Medcalf (Sep 27)
- Re: update Valdis . Kletnieks (Sep 27)
- RE: update Keith Medcalf (Sep 27)
- Re: update Jimmy Hess (Sep 28)
- RE: update Keith Medcalf (Sep 28)
- Re: update Jay Ashworth (Sep 28)
- Re: update Barry Shein (Sep 29)
- Re: update Valdis . Kletnieks (Sep 29)
- Re: update Jay Ashworth (Sep 28)
- Re: update William Herrin (Sep 27)
- RE: update Keith Medcalf (Sep 28)
- Re: update Valdis . Kletnieks (Sep 28)
- RE: update Keith Medcalf (Sep 28)
- Re: update Valdis . Kletnieks (Sep 28)
- Re: update Pete Carah (Sep 28)
- Re: update Valdis . Kletnieks (Sep 29)
- Message not available
- Re: update Larry Sheldon (Sep 28)
- Re: update George Michaelson (Sep 28)
- Re: update Merike Kaeo (Sep 29)
- Re: update Stephen Satchell (Sep 28)
- Re: update Pete Carah (Sep 29)