On Sunday, 28 September, 2014 00:39, William Herrin said:
On Fri, Sep 26, 2014 at 11:11 PM, Keith Medcalf <kmedcalf@dessus.com> wrote:
On Friday, 26 September, 2014 08:37,Jim Gettys <jg@freedesktop.org> said:
""Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities", by Clark, Fry, Blaze and Smith makes clear that ignoring these devices is foolhardy; unmaintained systems become more vulnerable, with time."
It is impossible for unchanged/unmaintained systems to develop more vulnerabilities with time. Perhaps what these folks mean is that "vulnerabilities which existed from the time the system was first developed become more well known over time".
Keith,
Any statement can be made foolish if you tweak the words a little. They said, "Unmaintained systems become more vulnerable with time," a reasonable and possibly correct claim. You paraphrased it as, "unmaintained systems develop more vulnerabilities with time," which is, of course, absurd.
The vulnerabilities were there the whole time, but the progression of discovery and dissemination of knowledge about those vulnerabilities makes the systems more vulnerable. The systems are more vulnerable because the rest of the world has learned more about how those systems may be successfully attacked.
You are absolutely correct, Bill. The truly correct statement of affairs is that the pre-existing vulnerabilities, which have not been mitigated, become more likely to be exploited over time. That premise would change the tenor of the paper entirely from crack addict encouragement to giving the useful advice that the issue stems not from the failure of the dealer to continue providing more crack, but rather from the consumers failure to realize that smoking crack is dangerous and may be deleterious to one's health unless suitable precautions are taken before engaging in the activity. If one fully and correctly assess the avenues by which exploitation may occur and fully mitigates those avenues of attack, then the system, although unmaintained, does not become subject to increased likelihood of having vulnerabilities exploited over time.
Regards, Bill Herrin