----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
On Sun, 28 Sep 2014 02:39:15 -0400, William Herrin said:
The vulnerabilities were there the whole time, but the progression of discovery and dissemination of knowledge about those vulnerabilities makes the systems more vulnerable. The systems are more vulnerable because the rest of the world has learned more about how those systems may be successfully attacked.
Hopefully, Keith will admit that *THAT* qualifies as a "change" in his book as well. If attackers are coming at you with an updated copy of Metasploit, things have changed....
I will actually grant to Keith this: the thing he's saying, actually is true. If you change *anything* on a computer, its attack surface may change one way or another. The question is: which of those things can you be reliably be expected to know about. And whom you are. If you are the developer of Sendmail, you can't be expected to know that *a change to the API of Linux* will make something attackable; there are too many possible changes, which no one is positing at any given moment, and that way lies madness. Because that's true, you can't be expected to warn your users of it, either, just as the manufacturer of concrete used to build a bridge could be expected to warn people who build and use the bridge that "the creation of a nanobot that likes to eat portland cement might cause your bridge to crumble". It's true, but it's not especially helpful. To anyone. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274