[Dailydave] Strategic Keynote: Matt Tait

David Aitel dave at immunityinc.com
Wed May 2 14:25:30 UTC 2018 

Matt Tait's INFILTRATE 2018 keynote: here <https://vimeo.com/267445424>,
is really about the intersection of two different strategic risk
bubbles. It is about a misunderstood or mis-articulated security
dilemma. On one hand, vulnerabilities which get auto-silently-patched do
not get used by attackers as N-day. On the other hand,
auto-silent-update systems are themselves a strategic risk of massive
impact, and one we've seen used against us (c.f. NotPetya)! As Matt
says, cogently, "NotPetya and Wannacry were exact opposite ends of the
strategic risk spectrum - one was about patching TOO fast, and one was
about not patching fast enough".

This is one of those dimensions of the problem that we've always talked
around instead of directly about. It's the sort of thing where if you
are designing a VEP, the way people patch makes a big difference in how
valuable any kind of disclosure is. And a PATCH IS DISCLOSURE. I don't
know how to get that concept to the policy world which seems to think
patches can magically fix systems without somehow implicitly giving away
the information about the vulnerability they are removing. Not only do
they give up information about the one bug they are fixing, but often
about whole classes of bugs and attack paths and exposures and even
backend research capabilities.

In other words, the value of a patch to your security is not just how
FAST you are at getting to 100% installed, but how thorough your patch
is at fixing all related issues, which, if less than 100%, may
significantly */increase your risk/*. And we know the ceiling - the top
bar -  of this because of the open-world experiment that is Microsoft vs
Project Zero. 

In any case, watch the keynote, if for no reason than to laugh at the
ARM facts.

-dave


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20180502/6259a31d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20180502/6259a31d/attachment.sig>

More information about the Dailydave mailing list