<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-4088979.post7715189493619431093..comments</id><updated>2008-08-08T15:42:00.077-04:00</updated><title type='text'>Comments on TaoSecurity: Vulnerabilities in Perspective</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://taosecurity.blogspot.com/feeds/7715189493619431093/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html'/><author><name>Richard Bejtlich</name><uri>http://www.blogger.com/profile/13512184196416665417</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>6</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4088979.post-110762265273493100</id><published>2008-08-08T15:42:00.000-04:00</published><updated>2008-08-08T15:42:00.000-04:00</updated><title type='text'>Along with the question of a "T" being unknown, if...</title><content type='html'>Along with the question of a "T" being unknown, if intruders are smart and unpredictable( see Tao ) how can one ever assign "T" a value of 0 ? 
&lt;BR/&gt;&lt;BR/&gt;Is "Evidence-based decision-making" related to your discussion of Indicators and Warnings in the Tao, Richard?</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/110762265273493100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/110762265273493100'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1218224520000#c110762265273493100' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5881404116690222259</id><published>2008-07-22T14:34:00.000-04:00</published><updated>2008-07-22T14:34:00.000-04:00</updated><title type='text'>In reference to R = V * T * A, how does one assess...</title><content type='html'>In reference to R = V * T * A, how does one assess the 'Threat' of a 0day exploit, or this DNS bug? How does one take a proactive approach? The equation breaks down if T is an unknown. 
So I believe that some sensationalism is required when V and A are large values with T as an unknown.&lt;BR/&gt;&lt;BR/&gt;Also, some organizations' executives, especially government types, need some magic dust thrown at them to get things approved and moving along.&lt;BR/&gt;&lt;BR/&gt;Like with Y2K, sensationalism helped push things to the point where on that day in history, nobody noticed even a blip or pause.&lt;BR/&gt;&lt;BR/&gt;So yes, within the community it should be a level-headed discussion, but getting it public enough for people to take action is something that the straight facts can't always accomplish.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5881404116690222259'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5881404116690222259'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1216751640000#c5881404116690222259' title=''/><author><name>Mubix</name><uri>http://www.blogger.com/profile/08706151795678283675</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1862689660786738973</id><published>2008-07-22T13:41:00.000-04:00</published><updated>2008-07-22T13:41:00.000-04:00</updated><title type='text'>"Evidence-based decision-making is superior to rea...</title><content type='html'>"Evidence-based decision-making is superior to reacting to the latest sensationalist news story."&lt;BR/&gt;&lt;BR/&gt;You have hit the home run on this one. Many 
people forget the issue at hand and get carried away by the sensational stories which may or may not be affecting them.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/1862689660786738973'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/1862689660786738973'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1216748460000#c1862689660786738973' title=''/><author><name>JJJJ</name><uri>http://www.blogger.com/profile/01506547900654823557</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5152700192302996439</id><published>2008-07-21T11:18:00.000-04:00</published><updated>2008-07-21T11:18:00.000-04:00</updated><title type='text'>While I agree with a large portion of this post, an ...</title><content type='html'>While I agree with a large portion of this post, an issue was not addressed.  It&amp;#39;s not the low-level malware writers that keep me up at night.  It is the &amp;quot;low &amp;amp; slow&amp;quot; professional hacker that worries me. &lt;BR/&gt;&lt;BR/&gt;I look at the disclosures two ways: &lt;BR/&gt;1) An &amp;quot;unknown&amp;quot; tool of a professional hacker has been discovered (even though they may already have been using it), giving the vendor a chance to fix it, no matter how long it takes them. 
This gives me a chance to take a foothold away from the attacker.&lt;BR/&gt;2) The released information just gave a professional hacker another tool with which to whittle away at my defenses.  Full disclosure or not, if they are good, they are probably smart enough to develop an attack from what information they get. (albeit, I&amp;#39;m not against most forms of disclosure) Again, the vendor can come up with a fix allowing me to take away a foothold for the attacker.&lt;BR/&gt;&lt;BR/&gt;Again, it&amp;#39;s not the malware writer or script kiddie I lose sleep over. The guys that have the talent to utilize such information are what keep me up at night.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5152700192302996439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5152700192302996439'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1216653480000#c5152700192302996439' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-5371381833460801094</id><published>2008-07-20T23:01:00.000-04:00</published><updated>2008-07-20T23:01:00.000-04:00</updated><title type='text'>And when a patch hurts and disrupts a network as in...</title><content type='html'>And when a patch hurts and disrupts a network as in the case of 
http://blogs.technet.com/sbs/archive/2008/07/17/some-services-may-fail-to-start-or-may-not-work-properly-after-installing-ms08-037-951746-and-951748.aspx one has to balance the risk of the threat of the vulnerability, with the risk of the threat of patch disruption.&lt;BR/&gt;&lt;BR/&gt;Patches bring change to a network and should not be blindly applied as well.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5371381833460801094'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/5371381833460801094'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1216609260000#c5371381833460801094' title=''/><author><name>Anonymous</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-4088979.post-1108956262942045737</id><published>2008-07-19T04:45:00.000-04:00</published><updated>2008-07-19T04:45:00.000-04:00</updated><title type='text'>You are right where you say "At the end of the day,...</title><content type='html'>You are right where you say "At the end of the day, those of us working in production networks have to make choices about how we prioritize our actions."&lt;BR&gt;&lt;BR/&gt;Sometimes that security bug is not so important compared to a normal bug in the application that prevents customers from using it for say, 4 hours. 
Those 4 hours can really be hell, the customers keep calling on the telephone, your boss behind your shoulders putting pressure on solving the issue (and typically something worse is happening)&lt;BR&gt;&lt;BR/&gt;Anyway, I believe it is a good thing when security bugs are spread across websites, blogs and so on. In this way you can say, "ok, today I have no time, but patching the system is tomorrow's job". Pushing so much importance on a security bug makes you feel like "If I don't patch it as soon as possible, I will have my dns cache poisoned" (or my ssh server in the hand of some attacker, etc.), then you patch it!&lt;BR&gt;&lt;BR/&gt;An attacker must have skill to write an exploit and you say that often he has not! Besides, an attacker has to know what to exploit. If the bug is big almost every dns admin would have it patched in some days; who did not patch? how can I find that dns? what is behind that dns? what can I poison and how many people are going to be affected?&lt;BR/&gt;I believe it is easier to send email around the globe, with some malware and blue pills inside, but please continue research on security and keep saying that there is a new "worst in the history" security bug.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/1108956262942045737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4088979/7715189493619431093/comments/default/1108956262942045737'/><link rel='alternate' type='text/html' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html?showComment=1216457100000#c1108956262942045737' title=''/><author><name>Fulvio</name><uri>http://www.blogger.com/profile/17224298147753986874</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://taosecurity.blogspot.com/2008/07/vulnerabilities-in-perspective.html' 
ref='tag:blogger.com,1999:blog-4088979.post-7715189493619431093' source='http://www.blogger.com/feeds/4088979/posts/default/7715189493619431093' type='text/html'/></entry></feed>