mailing list archives
Re: Getting Off the Patch
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Mon, 17 Jan 2011 20:38:39 +0000
Now, what I did there was insulting, confrontational, and a general shitty
thing to do.
Expected. Nothing that I wouldn't put past you.
It wasn't for your benefit; it was to hopefully prepare PMs for the ensuing anal jihad they'll get from management if
they present your idea without any facts and the illustration of their naiveté in regard to what happens when security
analysts write checks that operations and management has to cash.
You cannot use the "if you don't like my driving then stay off the
Wow, you're still inferring a whole bunch of things there and even saying
things I didn't say. You are so taking this all out of context.
You said if one doesn't your emails, not to read them, and if we don't like your idea, don't do it. The problem with
this selfish logic is that when my company applies standards, policies, and requirements to data management and risk
mitigation, but a vendor to whom I send data decides not to patch based on your idea, then it affects me and my
customers, and as such, I simply asked for what are now tiny little shreds of any evidence you have outside of a couple
of servers and workstations. I think the scope of your research has qualified the level of consideration it should
I chose that example specifically because it represented an unpatched
Sorry you were dissatisfied with the examples. I'll try harder for you
You really should. Rather than providing a single suggestion on how your model would have protected 100% of this
known-yet-unpatched vulnerability, you should have taken the opportunity to at least illustrate your assertion by way
of example. You have reduced the applicability of your model to instances where, as far as the most basic of network
controls, "there are none." There is no need for a "new model" here, and in fact, there is nothing new about it in the
first place other than to think that when it has been illustrated that people can't deploy an ACL, that they will be
successful in not patching.
Your stating that "you think that op-controls can't protect where patches
Of course your argument is your opinion. One that can be surely backed
by many stats from many companies making money off that particular
model. And those stats also show it doesn't work consistently. Why not
try something different? I am presenting a different model is all.
Sorry you don't like it. It works for others that have tried.
Yet again, this was the purpose of my example. What you consider "brainwashing" I view as "insight," which I believe
is evident by my use of an example where I already calculated your responses beforehand.
The impact of Slammer proved the state of system security at the time in a definitive manner. No theory, not "what
would have happened if your model was in place," and how basic principles of least privilege and security in depth were
not applied. While it doesn't take an Einstein to predict the obvious (oh, btw, your relativity example was a
complete fail) I would like to point out statements of security in depth here:
- and where I not only predicted slammer and warned against it before writing the article, but covered your "new" model
about 8 years ago (even though I'm "brainwashed") here:
You might offer models based on presumed benefits with inferred value unsubstantiated by research or cost analysis, but
I have illustrated a real-life, what-actually-happened, non-theoretical, KNOWN vulnerability that had a massive impact
on the global internet. And to prevent it, all someone had to do was to install the patch.
For what my position is worth, I totally support you and your research organization pushing the age-old model of
security in depth and least privilege, but I would recommend that you do so with the "don't patch" nonsense removed.
I'm more than happy to continue this exchange, but please excuse me if I fail to reply to responses empty of substance.
So, "ttyl," or "thanks, it's been interesting."
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Re: Getting Off the Patch, (continued)