Re: update

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks () vt edu>

> On Sun, 28 Sep 2014 02:39:15 -0400, William Herrin said:
>
> > The vulnerabilities were there the whole time, but the progression of
> > discovery and dissemination of knowledge about those vulnerabilities
> > makes the systems more vulnerable. The systems are more vulnerable
> > because the rest of the world has learned more about how those
> > systems may be successfully attacked.
>
> Hopefully, Keith will admit that *THAT* qualifies as a "change" in his
> book as well. If attackers are coming at you with an updated copy
> of Metasploit, things have changed....

I will actually grant to Keith this: the thing he's saying, actually is true.

If you change *anything* on a computer, its attack surface may change one
way or another.

The question is: which of those things can you be reliably be expected to
know about.  And whom you are.

If you are the developer of Sendmail, you can't be expected to know that
*a change to the API of Linux* will make something attackable; there are
too many possible changes, which no one is positing at any given moment, 
and that way lies madness.

Because that's true, you can't be expected to warn your users of it, either,
just as the manufacturer of concrete used to build a bridge could be expected
to warn people who build and use the bridge that "the creation of a 
nanobot that likes to eat portland cement might cause your bridge to 
crumble".

It's true, but it's not especially helpful. To anyone.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274