Kenneth Finnegan kennethfinnegan2007 at gmail.com
Sun Sep 28 05:29:14 UTC 2014

> My original proposition still holds perfectly:
> (1) The vulnerability profile of a system is fixed at system commissioning.
> (2) Vulnerabilities do not get created nor destroyed except through implementation of change.
> (3) If there is no change to a system, then there can be no change in its vulnerabilities.

Your original proposition is pointlessly academic. Yes, given
absolutely no changes to the system, it's vulnerability profile does
not change. Does your "correct" system boundary include the file
system? So you're definition of an unchanging system only uses
read-only file systems. Does it include the system's load average?
Can't ever change the number of clients connected to it... Does it
include the system's uptime?  Etc.

So yes, you're right. The number of existing vulnerabilities in a
system never changes. It's just that you've also ruled out every
system I can imagine being even remotely useful in life, so your
argument seems to apply to _nothing_.

What does change for a system is the threat profile as exploits become
better known. Arguing that it is better to blissful march onward with
what is *known* to be a vulnerable system instead of rolling out
stable branch security updates that *generally* contain less bugs
demonstrates a lack of pragmatism.

I'm sorry that someone on the Internet hasn't precisely used your
made-up distinction between a "vulnerability profile" and the actual
threat level given the current state of the rest of the universe. We
really don't need to be splitting hairs about this on the NANOG

Kenneth Finnegan

More information about the NANOG mailing list