<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Matt Tait's INFILTRATE 2018 keynote: <a moz-do-not-send="true"
href="https://vimeo.com/267445424">here</a>, is really about the
intersection of two different strategic risk bubbles. It is about
a misunderstood or mis-articulated security dilemma. On one hand,
vulnerabilities which get auto-silently-patched do not get used by
attackers as N-day. On the other hand, auto-silent-update systems
are themselves a strategic risk of massive impact, and one we've
seen used against us (cf. NotPetya)! As Matt says, cogently,
"NotPetya and Wannacry were exact opposite ends of the strategic
risk spectrum - one was about patching TOO fast, and one was about
not patching fast enough".
</p>
<p>This is one of those dimensions of the problem that we've always
talked around instead of directly about. It's the sort of thing
where if you are designing a VEP, the way people patch makes a big
difference in how valuable any kind of disclosure is. And a PATCH
IS DISCLOSURE. I don't know how to get that concept to the policy
world which seems to think patches can magically fix systems
without somehow implicitly giving away the information about the
vulnerability they are removing. Not only do they give up
information about the one bug they are fixing, but often about
whole classes of bugs and attack paths and exposures and even
backend research capabilities.
</p>
<p>In other words, the value of a patch to your security is not just
how FAST you are at getting to 100% installed, but how thorough
your patch is at fixing all related issues, which, if less than
100%, may significantly <b><i>increase your risk</i></b>. And we
know the ceiling - the top bar - of this because of the
open-world experiment that is Microsoft vs Project Zero. </p>
<p>In any case, watch the keynote, if for no other reason than to
laugh at the ARM facts.</p>
<p>-dave</p>
</body>
</html>