[PLUG] Joe Jobbed

Ronald Chmara ron at Opus1.COM
Wed Oct 10 05:29:39 UTC 2007


On Oct 9, 2007, at 6:20 AM, Rich Shepard wrote:

> On Mon, 8 Oct 2007, Ronald Chmara wrote:
>
>> Because every vendor-driven package manager I've used lately is 1-24
>> months behind the latest security and stability fixes for some (or in a
>> few cases, many) of its packages. I understand the whole idea of "stable"
>> or "tested" (QA'd, certified, whatever) packages, but somehow, I tend to
>> think that "this is so stable that it reliably lets attackers exploit it
>> every time, and we won't fix it right now in case somebody *depends* on
>> that feature!".... is not exactly a desirable condition.
>
>    Pardon me for jumping in, but I have a question because I'm a non-expert,
> non-IT professional. I'd appreciate the insight your answer(s) will provide.
>
>    When I read the notices that accompany the infrequent Slackware security
> updates I'm struck by their pro-active nature.

It's been a while since I've used Slack... but "infrequent" sets off
alarms in my head. :)

> Every one I can recall said
> that it was a potential vulnerability, but no actual exploitation of that
> vulnerability was known.

White hats often don't publish. For good reason (and often, that
reason is paycheck/NDA).

> Some vulnerabilities are specific to local users,
> others to network-external ones. They also seem rather remote to me,
> depending on a combination of factors occurring simultaneously that would be
> highly infrequent. I upgrade anyway even if they don't seem applicable to
> our tiny local network.

Ah, the "infrequent" problem (a *very real* issue when talking to
managers about budget and man hours). If something only can happen
one out of 30,000 times, it must not be an issue, right?

...Until a computer can run 60,000 attacks a minute. ;)

>    Wouldn't a better metric of security be related to exploitations rather
> than vulnerabilities that are potential rather than actual?

Nobody reliably publishes their exploit data, or for that matter
"successfully unknown" exploit data. It's just not in their interests
to do so.

> We all know that
> there are still -- despite all sorts of laws and enforcement activities --
> too many drunk (or drugged) drivers on the road, teenage drivers sending
> text messages from behind the steering wheel, and folks who fall asleep and
> drift across the road into on-coming traffic. Combined, quite high
> vulnerabilities every time we're driving state and county highways. Yet the
> actual incidence is low compared to the exposure. Isn't this also true in
> network/system security?

Define "low". ;)

I first saw this email hours ago, so I tried to count the driver
errors on my commute home. I saw 37 in my hour-long commute, which is
about half the attacks I see per hour on each of my servers.

-Bop
