On Sun, 28 Sep 2014 15:06:18 -0600, "Keith Medcalf" said: > >Hopefully, Keith will admit that *THAT* qualifies as a "change" in his > >book as well. If attackers are coming at you with an updated copy > >of Metasploit, things have changed.... > > Sorry to disappoint, but those are not changes that make the system more > vulnerable. They are externalities that may change the likelihood of > exploitation of an existing vulnerability, but does not create any new > vulnerability. Again, if the new exploit were targeting a vulnerability > which was fully mitigated already and thus could not be exploited, there > has not even been a change in likelihood of exploit or risk.
So tell us Keith - since you said earlier that properly designed systems will already have 100% mitigations against these attackes _that you don't even know about yet_, how exactly did you design these mitigations? (Fred Fish's thesis paper, where he shows that malware detection is equivalent to the Turing Halting Problem, is actually relevant here). In particular, how did you mitigate attacks that are _in the data stream that you're charging customers to carry_? (And yes, there *have* been fragmentation attacks and the like - and I'm not aware of a formal proof that any currently shipping IP stack is totally correct, either, so there may still be unidentified attacks).
pgpzzz69NVC0o.pgp
Description: PGP signature
