[PLUG] Joe Jobbed

Rich Shepard rshepard at appl-ecosys.com
Tue Oct 9 13:20:59 UTC 2007


On Mon, 8 Oct 2007, Ronald Chmara wrote:

> Because every vendor-driven package manager I've used lately is 1-24
> months behind the latest security and stability fixes for some (or in a
> few cases, many) of its packages. I understand the whole idea of "stable"
> or "tested" (QA'd, certified, whatever) packages, but somehow, I tend to
> think that "this is so stable that it reliably lets attackers exploit it
> every time, and we won't fix it right now in case somebody *depends* on
> that feature!".... is not exactly a desirable condition.

   Pardon me for jumping in, but I have a question because I'm a non-expert,
non-IT professional. I'd appreciate the insight your answer(s) will provide.

   When I read the notices that accompany the infrequent Slackware security
updates I'm struck by their pro-active nature. Every one I can recall said
that it was a potential vulnerability, but no actual exploitation of that
vulnerability was known. Some vulnerabilities are specific to local users,
others to network-external ones. They also seem rather remote to me,
depending on a combination of factors occurring simultaneously that would be
highly infrequent. I upgrade anyway even if they don't seem applicable to
our tiny local network.

   Wouldn't a better metric of security be related to exploitations rather
than vulnerabilities that are potential rather than actual? We all know that
there are still -- despite all sorts of laws and enforcement activities --
too many drunk (or drugged) drivers on the road, teenage drivers sending
text messages from behind the steering wheel, and folks who fall asleep and
drift across the road into oncoming traffic. Combined, quite high
vulnerabilities every time we're driving state and county highways. Yet the
actual incidence is low compared to the exposure. Isn't this also true in
network/system security?

Rich

-- 
Richard B. Shepard, Ph.D.               |    The Environmental Permitting
Applied Ecosystem Services, Inc.        |         Accelerators(TM)
<http://www.appl-ecosys.com>     Voice: 503-667-4517      Fax: 503-667-8863