Jay Ashworth jra at baylink.com
Sun Sep 28 01:10:28 UTC 2014

----- Original Message -----
> From: "Keith Medcalf" <kmedcalf at dessus.com>

> Unfortunately, that page contains near the top the ludicrous and
> impossible assertion:
> ""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of
> Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and
> Smith makes clear that ignoring these devices is foolhardy;
> unmaintained systems become more vulnerable, with time."
> It is impossible for unchanged/unmaintained systems to develop more
> vulnerabilities with time. Perhaps what these folks mean is that
> "vulnerabilities which existed from the time the system was first
> developed become more well known over time".

That's not actually true.  A running process, instantiated from a file
of object code, derives its behavior from a number of interfaces; to the
kernel, the libc, the filesystem of the machine it's run on, and even 
network interfaces off the machine.

While the device itself may be -- or seem to be -- immutable, unless you're
certain that *nothing around it changed either*, then you cannot assume
that things became vulnerabilities *as deployed* which were not so previously.

Ok, yes, that's partially equivalent to what you said, at least in the
case of, say, consumer routers, booting from flash.  But for code running
on real OSs, it's possible for a vulnerability to "appear" because something
under or beside the code got updated, turning something which could not
be attacked into something which could.

I haven't an example case, but it is theoretically possible.

-- jra
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates       http://www.bcp38.info          2000 Land Rover DII
St Petersburg FL USA      BCP38: Ask For It By Name!           +1 727 647 1274

More information about the NANOG mailing list