[174713] in North American Network Operators' Group
RE: update
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Sep 27 01:15:00 2014
X-Original-To: nanog@nanog.org
Date: Fri, 26 Sep 2014 21:11:54 -0600
In-Reply-To: <CAGhGL2BLs0jhjGOU1DSqjt369pFNf_=+R_uStvBRVe8WikWXtA@mail.gmail.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Friday, 26 September, 2014 08:37, Jim Gettys <jg@freedesktop.org> said:
>For those of you who want to understand more about the situation we're
>all in, go look at my talk at the Berkman Center, and read the articles
>linked from there by Bruce Schneier and Dan Geer.
>http://cyber.law.harvard.edu/events/luncheon/2014/06/gettys
Unfortunately, that page contains near the top the ludicrous and impossible assertion:
""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time."
It is impossible for unchanged/unmaintained systems to develop more vulnerabilities with time. Perhaps what these folks mean is that "vulnerabilities which existed from the time the system was first developed become more well known over time".
The fact that the folks in the next building can peep at your privates through the bedroom window on which you did not install blinds does not mean that the vulnerability only exists from the time it is published in the local tabloid -- it existed all along -- it did not "magically" come into existence at some point after the building was built, the window installed, and you moved in without putting up window blinds.
The fact that you did not become aware of it until you saw a photograph of yourself doing unmentionable things only serves as the point in time at which you became aware of your failure to properly assess the posture of the system in the first place.
>Jim Gettys