Jimmy Hess mysidia at gmail.com
Sun Sep 28 12:38:33 UTC 2014

On Sat, Sep 27, 2014 at 11:57 PM, Keith Medcalf <kmedcalf at dessus.com>
wrote:> This is another case where a change was made.
> If the change had not been made (implement the new kernel) then the vulnerability would not have been introduced.
> The more examples people think they find, the more it proves my proposition.  Vulnerabilities can only be introduced or removed through change.  If there is no change, then the vulnerability profile is fixed.

I see what you did there... you expanded the boundaries of the
"system" to include not just the application code but more and more of
the environment, CPU, Kernel, ....

The problem is, before it is an entirely correct statement to assert
that a zero entropy system never develops new vulnerabilities, you
have to expand the boundaries of the "system"  to include the entire

Suppose you have a vulnerability that can only be exposed if port 1234
is open.   That's no problem,  you blocked port 1234 on the external
firewall, therefore the application cannot be considered to be
vulnerable during testing.

A few years later you replace the firewall with a NAT router that
doesn't block port 1234.

Oops!  Now you have to consider the entire network and the Firewall to
be part of the application  / internal part of the system.

And it doesn't end there.   Eventually for the statement to remain
true, the boundaries of the system which 'cannot develop a
vulnerability unless it changes' have to expand  in order to include
the attackers' brains.

"If the attacker discovers a new trick or kind of attack they did not
know before"   then a change to the system has occured.


More information about the NANOG mailing list