update

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Sun Sep 28 21:50:53 UTC 2014


On Sun, 28 Sep 2014 15:06:18 -0600, "Keith Medcalf" said:

> >Hopefully, Keith will admit that *THAT* qualifies as a "change" in his
> >book as well.  If attackers are coming at you with an updated copy
> >of Metasploit, things have changed....
>
> Sorry to disappoint, but those are not changes that make the system more
> vulnerable.  They are externalities that may change the likelihood of
> exploitation of an existing vulnerability, but does not create any new
> vulnerability.  Again, if the new exploit were targeting a vulnerability
> which was fully mitigated already and thus could not be exploited, there
> has not even been a change in likelihood of exploit or risk.

So tell us Keith - since you said earlier that properly designed systems will
already have 100% mitigations against these attackes _that you don't even know
about yet_, how exactly did you design these mitigations?  (Fred Fish's thesis
paper, where he shows that malware detection is equivalent to the Turing Halting
Problem, is actually relevant here).

In particular, how did you mitigate attacks that are _in the data stream
that you're charging customers to carry_? (And yes, there *have* been
fragmentation attacks and the like - and I'm not aware of a formal proof
that any currently shipping IP stack is totally correct, either, so there
may still be unidentified attacks).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20140928/af791be6/attachment.pgp>


More information about the NANOG mailing list