[174738] in North American Network Operators' Group


Re: update

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sun Sep 28 17:51:30 2014

X-Original-To: nanog@nanog.org
To: "Keith Medcalf" <kmedcalf@dessus.com>
In-Reply-To: Your message of "Sun, 28 Sep 2014 15:06:18 -0600."
 <4f19b7f0d08345408906cb4bc7cbc736@mail.dessus.com>
From: Valdis.Kletnieks@vt.edu
Date: Sun, 28 Sep 2014 17:50:53 -0400
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Sun, 28 Sep 2014 15:06:18 -0600, "Keith Medcalf" said:

> >Hopefully, Keith will admit that *THAT* qualifies as a "change" in his
> >book as well.  If attackers are coming at you with an updated copy
> >of Metasploit, things have changed....
>
> Sorry to disappoint, but those are not changes that make the system more
> vulnerable.  They are externalities that may change the likelihood of
> exploitation of an existing vulnerability, but do not create any new
> vulnerability.  Again, if the new exploit were targeting a vulnerability
> which was fully mitigated already and thus could not be exploited, there
> has not even been a change in likelihood of exploit or risk.

So tell us Keith - since you said earlier that properly designed systems will
already have 100% mitigations against these attacks _that you don't even know
about yet_, how exactly did you design these mitigations?  (Fred Fish's thesis
paper, where he shows that malware detection is equivalent to the Turing Halting
Problem, is actually relevant here).

In particular, how did you mitigate attacks that are _in the data stream
that you're charging customers to carry_? (And yes, there *have* been
fragmentation attacks and the like - and I'm not aware of a formal proof
that any currently shipping IP stack is totally correct, either, so there
may still be unidentified attacks).


