Now, what I did there was insulting, confrontational, and a general
thing to do.
Expected. Nothing that I wouldn't put past you.
It wasn't for your benefit; it was to hopefully prepare PMs for the ensuing
anal jihad they'll get from management if they present your idea without any
facts and the illustration of their naiveté in regard to what happens when
security analysts write checks that operations and management has to cash.
You cannot use the "if you don't like my driving then stay off the
Wow, you're still inferring a whole bunch of things there and even saying
things I didn't say. You are so taking this all out of context.
You said if one doesn't your emails, not to read them, and if we don't like
your idea, don't do it. The problem with this selfish logic is that when my
company applies standards, policies, and requirements to data management and
risk mitigation, but a vendor to whom I send data decides not to patch based
on your idea, then it affects me and my customers, and as such, I simply
asked for what are now tiny little shreds of any evidence you have outside
of a couple of servers and workstations. I think the scope of your
research has qualified the level of consideration it should receive.
I chose that example specifically because it represented an unpatched
Sorry you were dissatisfied with the examples. I'll try harder for you
You really should. Rather than providing a single suggestion on how your
model would have protected 100% of this known-yet-unpatched vulnerability,
you should have taken the opportunity to at least illustrate your assertion
by way of example. You have reduced the applicability of your model to
instances where, as far as the most basic of network controls, "there are
none." There is no need for a "new model" here, and in fact, there is
nothing new about it in the first place other than to think that when it has
been illustrated that people can't deploy an ACL, that they will be
successful in not patching.
Your stating that "you think that op-controls can't protect where
Of course your argument is your opinion. One that can be surely backed
by many stats from many companies making money off that particular
model. And those stats also show it doesn't work consistently. Why not
try something different? I am presenting a different model is all.
Sorry you don't like it. It works for others that have tried.
Yet again, this was the purpose of my example. What you consider
"brainwashing" I view as "insight," which I believe is evident by my use of
an example where I already calculated your responses beforehand.
The impact of Slammer proved the state of system security at the time in a
definitive manner. No theory, not "what would have happened if your model
was in place," and how basic principles of least privilege and security in
depth were not applied. While it doesn't take an Einstein to predict the
obvious (oh, btw, your relativity example was a complete fail) I would like
to point out statements of security in depth here:
- and where I not only predicted slammer and warned against it before
writing the article, but covered your "new" model about 8 years ago (even
though I'm "brainwashed") here:
You might offer models based on presumed benefits with inferred value
unsubstantiated by research or cost analysis, but I have illustrated a
real-life, what-actually-happened, non-theoretical, KNOWN vulnerability that
had a massive impact on the global internet. And to prevent it, all someone
had to do was to install the patch.
For what my position is worth, I totally support you and your research
organization pushing the age-old model of security in depth and least
privilege, but I would recommend that you do so with the "don't patch"
I'm more than happy to continue this exchange, but please excuse me if I
fail to reply to responses empty of substance.
So, "ttyl," or "thanks, it's been interesting."
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/