My original proposition still holds perfectly:
(1) The vulnerability profile of a system is fixed at system commissioning. (2) Vulnerabilities do not get created nor destroyed except through implementation of change. (3) If there is no change to a system, then there can be no change in its vulnerabilities.

Your original proposition is pointlessly academic. Yes, given absolutely no changes to the system, its vulnerability profile does not change. Does your "correct" system boundary include the file system? So your definition of an unchanging system only uses read-only file systems. Does it include the system's load average? Can't ever change the number of clients connected to it... Does it include the system's uptime? Etc.

So yes, you're right. The number of existing vulnerabilities in a system never changes. It's just that you've also ruled out every system I can imagine being even remotely useful in life, so your argument seems to apply to _nothing_.

What does change for a system is the threat profile as exploits become better known. Arguing that it is better to blissfully march onward with what is *known* to be a vulnerable system instead of rolling out stable branch security updates that *generally* contain fewer bugs demonstrates a lack of pragmatism.

I'm sorry that someone on the Internet hasn't precisely used your made-up distinction between a "vulnerability profile" and the actual threat level given the current state of the rest of the universe. We really don't need to be splitting hairs about this on the NANOG list...

--
Kenneth Finnegan
http://blog.thelifeofkenneth.com/