----- Original Message -----
From: "Keith Medcalf" <kmedcalf@dessus.com>
Unfortunately, that page contains near the top the ludicrous and impossible assertion:
""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time."
It is impossible for unchanged/unmaintained systems to develop more vulnerabilities with time. Perhaps what these folks mean is that "vulnerabilities which existed from the time the system was first developed become more well known over time".
That's not actually true. A running process, instantiated from a file of object code, derives its behavior from a number of interfaces; to the kernel, the libc, the filesystem of the machine it's run on, and even network interfaces off the machine. While the device itself may be -- or seem to be -- immutable, unless you're certain that *nothing around it changed either*, then you cannot assume that things became vulnerabilities *as deployed* which were not so previously. Ok, yes, that's partially equivalent to what you said, at least in the case of, say, consumer routers, booting from flash. But for code running on real OSs, it's possible for a vulnerability to "appear" because something under or beside the code got updated, turning something which could not be attacked into something which could. I haven't an example case, but it is theoretically possible. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274