update

Keith Medcalf kmedcalf at dessus.com
Sun Sep 28 07:19:42 UTC 2014


On Sunday, 28 September, 2014 00:39, William Herrin said:
>On Fri, Sep 26, 2014 at 11:11 PM, Keith Medcalf <kmedcalf at dessus.com>
>wrote:
>> On Friday, 26 September, 2014 08:37,Jim Gettys <jg at freedesktop.org>
>>said:
>>>http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys

>> ""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of
>> Legacy Code in Zero-Day Vulnerabilities",  by Clark, Fry, Blaze and 
>> Smith makes clear that ignoring these devices is foolhardy; 
>> unmaintained systems become more vulnerable, with time."

>> It is impossible for unchanged/unmaintained systems to develop more
>> vulnerabilities with time.  Perhaps what these folks mean is that
>> "vulnerabilities which existed from the time the system was first
>> developed become more well known over time".

>Keith,

>Any statement can be made foolish if you tweak the words a little.
>They said, "Unmaintained systems become more vulnerable with time," a
>reasonable and possibly correct claim. You paraphrased it as,
>"unmaintained systems develop more
>vulnerabilities with time," which is, of course, absurd.

>The vulnerabilities were there the whole time, but the progression of
>discovery and dissemination of knowledge about those vulnerabilities
>makes the systems more vulnerable. The systems are more vulnerable
>because the rest of the world has learned more about how those systems
>may be successfully attacked.

You are absolutely correct, Bill.  

The truly correct statement of affairs is that the pre-existing 
vulnerabilities, which have not been mitigated, become more 
likely to be exploited over time.

That premise would change the tenor of the paper entirely from 
crack addict encouragement to giving the useful advice that 
the issue stems not from the failure of the dealer to continue
providing more crack, but rather from the consumers failure
to realize that smoking crack is dangerous and may be deleterious
to one's health unless suitable precautions are taken before
engaging in the activity.

If one fully and correctly assess the avenues by which exploitation 
may occur and fully mitigates those avenues of attack, then the
system, although unmaintained, does not become subject to increased
likelihood of having vulnerabilities exploited over time.

>Regards,
>Bill Herrin






More information about the NANOG mailing list