jra at baylink.com
Sun Sep 28 21:12:28 UTC 2014
----- Original Message -----
> From: "Valdis Kletnieks" <Valdis.Kletnieks at vt.edu>
> On Sun, 28 Sep 2014 02:39:15 -0400, William Herrin said:
> > The vulnerabilities were there the whole time, but the progression of
> > discovery and dissemination of knowledge about those vulnerabilities
> > makes the systems more vulnerable. The systems are more vulnerable
> > because the rest of the world has learned more about how those
> > systems may be successfully attacked.
> Hopefully, Keith will admit that *THAT* qualifies as a "change" in his
> book as well. If attackers are coming at you with an updated copy
> of Metasploit, things have changed....
I will actually grant to Keith this: the thing he's saying, actually is true.
If you change *anything* on a computer, its attack surface may change one
way or another.
The question is: which of those things can you be reliably be expected to
know about. And whom you are.
If you are the developer of Sendmail, you can't be expected to know that
*a change to the API of Linux* will make something attackable; there are
too many possible changes, which no one is positing at any given moment,
and that way lies madness.
Because that's true, you can't be expected to warn your users of it, either,
just as the manufacturer of concrete used to build a bridge could be expected
to warn people who build and use the bridge that "the creation of a
nanobot that likes to eat portland cement might cause your bridge to
It's true, but it's not especially helpful. To anyone.
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
More information about the NANOG