Matt Tait's INFILTRATE 2018 keynote (here: <https://vimeo.com/267445424>) is really about the intersection of two different strategic risk bubbles. It is about a misunderstood or mis-articulated security dilemma. On one hand, vulnerabilities which get auto-silently-patched do not get used by attackers as N-day. On the other hand, auto-silent-update systems are themselves a strategic risk of massive impact, and one we've seen used against us (cf. NotPetya)! As Matt says, cogently, "NotPetya and WannaCry were exact opposite ends of the strategic risk spectrum - one was about patching TOO fast, and one was about not patching fast enough".
This is one of those dimensions of the problem that we've always talked around instead of directly about. It's the sort of thing where if you are designing a VEP, the way people patch makes a big difference in how valuable any kind of disclosure is. And a PATCH IS DISCLOSURE. I don't know how to get that concept to the policy world, which seems to think patches can magically fix systems without somehow implicitly giving away the information about the vulnerability they are removing. Not only do they give up information about the one bug they are fixing, but often about whole classes of bugs and attack paths and exposures and even backend research capabilities. In other words, the value of a patch to your security is not just how FAST you are at getting to 100% installed, but how thorough your patch is at fixing all related issues, which, if less than 100%, may significantly *increase your risk*. And we know the ceiling - the top bar - of this because of the open-world experiment that is Microsoft vs Project Zero. In any case, watch the keynote, if for no other reason than to laugh at the ARM facts. -dave
Dailydave mailing list: https://lists.immunityinc.com/mailman/listinfo/dailydave
