10 tweets, 2 min read
1/ This comment by Kim and Josh is extremely bad, reflecting the authoritarian nature of today's infosec. The vast majority of WinXP systems have RDP disabled and thus don't need to be patched, for example.
2/ There are many ways of mitigating bugs like this RDP vuln, through microsegmentation of the network, firewalling, hardening the system, disabling features, adding features, and so on. As others have pointed out, this RDP vuln can be mitigated with a simple configuration change.
3/ Only a vanishingly tiny percentage of vulns are "wormable" like this RDP vuln. We are talking a couple vulns a year out of the tens of thousands that are assigned CVE identifiers.
4/ In other words, the better health care analogy is how you people don't diet and exercise, not that you refuse vaccines.
5/ I mention this because infosec is full of people who do not themselves maintain systems in operation/production, but instead is full of buttinskies telling people who do maintain these systems how to do their jobs, totally ignorant of the real problems involved.
6/ Infosec isn't even good at doing its own job. They don't really understand what happened with Heartbleed. They don't understand what really happened with worms like Mirai and notPetya.
7/ The biggest factor in the notPetya spread was the reuse of Windows credentials to spread to other machines, and getting domain admin credentials in particular. A network of 10,000 computers may have only one unpatched system, but be taken down by credential reuse.
8/ But after notPetya, infosec isn't warning people about how Windows credentials spread ransomware, but how the Eternalblue exploited unpatched systems. They ignore the real threats in favor of the political thing of protecting public health by keeping patches up-to-date.
9/ Infosec, when done properly, isn't about avoiding risks, it's about risk management, quantifying risks. Different vulns/patches have different risks. This WinXP/Win7 RDP bug has a critically high risk profile. Other vulns/patches have a lot less risk.
10/ Josh's original comment ignores this, pretending that those resisting patches for small threats would likewise resist patches to protect against critical threats.
Thread by Robᵇᵉᵗᵒ Graham
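Tweets 7 and 8 describe the spread mechanism the author says gets ignored: reuse of Windows credentials, domain admin credentials in particular, carrying the worm from one foothold across a network of mostly patched machines. The block below is an added example, not code from the thread or its author. It runs a detection pass over constructed Windows Security event 4624 (successful logon) records and flags an account that authenticates over the network to many distinct hosts inside a short window, which is the credential-reuse pattern the tweets are pointing at. The records, host and account names, the 10-minute window, the host-count thresholds and the membership of the privileged set are all assumptions made for the example.

```python
"""Flag accounts whose network logons fan out to many distinct hosts in a short
window: the credential-reuse pattern behind worm-style lateral movement."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 4624 LogonType values that mean the session came in over the network
# (3 = network/SMB-style, 10 = RemoteInteractive/RDP). Assumed scope for this check.
NETWORK_LOGON_TYPES = {3, 10}

# Constructed sample of Security event 4624 records, reduced to the five fields
# this check uses. Accounts, hosts and timestamps are made up for the example.
SAMPLE_4624 = [
    # (TimeCreated UTC, TargetDomainName\TargetUserName, LogonType,
    #  WorkstationName of the source, Computer that logged the event)
    ("2019-05-20T09:58:40", "CORP\\jdoe",       2, "WS001", "WS001"),   # console logon, ignored
    ("2019-05-20T10:01:12", "CORP\\jdoe",       3, "WS001", "FS01"),
    ("2019-05-20T10:03:05", "CORP\\jdoe",       3, "WS001", "FS01"),    # same host again, counts once
    ("2019-05-20T10:05:50", "CORP\\jdoe",       3, "WS001", "PRINT01"),
    ("2019-05-20T10:00:01", "CORP\\svc_backup", 3, "BKP01", "FS01"),    # backup service, 3 hosts in window
    ("2019-05-20T10:02:30", "CORP\\svc_backup", 3, "BKP01", "FS02"),
    ("2019-05-20T10:04:10", "CORP\\svc_backup", 3, "BKP01", "FS03"),
    ("2019-05-20T10:30:00", "CORP\\svc_backup", 3, "BKP01", "FS04"),    # outside the window, starts fresh
    ("2019-05-20T10:12:01", "CORP\\da-admin",   3, "WS017", "WS023"),   # DA account fanning out from one box
    ("2019-05-20T10:12:03", "CORP\\da-admin",   3, "WS017", "WS031"),
    ("2019-05-20T10:12:04", "CORP\\da-admin",   3, "WS017", "WS044"),
    ("2019-05-20T10:12:06", "CORP\\da-admin",   3, "WS017", "FS02"),
    ("2019-05-20T10:12:07", "CORP\\da-admin",   3, "WS017", "DC01"),
    ("2019-05-20T10:12:09", "CORP\\da-admin",   3, "WS017", "SQL01"),
    ("2019-05-20T10:15:00", "CORP\\wsadmin",    3, "WS023", "WS050"),   # second hop, non-DA account
    ("2019-05-20T10:15:20", "CORP\\wsadmin",    3, "WS023", "WS051"),
    ("2019-05-20T10:16:05", "CORP\\wsadmin",    3, "WS023", "WS052"),
    ("2019-05-20T10:17:11", "CORP\\wsadmin",    3, "WS023", "WS053"),
    ("2019-05-20T10:18:00", "CORP\\wsadmin",    3, "WS023", "WS054"),
]


def find_credential_reuse(events, window=timedelta(minutes=10), min_hosts=4,
                          privileged=frozenset(), privileged_min_hosts=2):
    """Return {account: alert} for accounts whose network logons reach at least
    `min_hosts` distinct destination hosts inside any sliding `window`.

    Accounts in `privileged` (assumed to be the domain admin tier, fed from your
    own group membership) use the lower `privileged_min_hosts` bar: one such
    account touching even a couple of machines it does not normally reach is
    the pattern that matters. Thresholds are assumptions for the example."""
    by_account = defaultdict(list)
    for ts, account, logon_type, source, dest in events:
        if logon_type in NETWORK_LOGON_TYPES:
            by_account[account].append((datetime.fromisoformat(ts), source, dest))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        threshold = privileged_min_hosts if account in privileged else min_hosts
        recent = deque()  # (time, dest) pairs that fall inside the sliding window
        for ts, source, dest in logons:
            recent.append((ts, dest))
            while ts - recent[0][0] > window:  # expire logons older than the window
                recent.popleft()
            hosts = {d for _, d in recent}
            if len(hosts) < threshold:
                continue
            current = alerts.get(account)
            if current is None or len(hosts) > len(current["hosts"]):
                alerts[account] = {
                    "hosts": sorted(hosts),
                    "first": recent[0][0],
                    "last": ts,
                    "source": source,
                    "privileged": account in privileged,
                }
    return alerts


if __name__ == "__main__":
    privileged_accounts = frozenset({"CORP\\da-admin"})  # assumed DA tier for the sample
    for account, alert in find_credential_reuse(SAMPLE_4624, privileged=privileged_accounts).items():
        tag = "PRIVILEGED " if alert["privileged"] else ""
        print(f"{tag}{account} from {alert['source']} reached {len(alert['hosts'])} hosts "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: "
              f"{', '.join(alert['hosts'])}")
```

On a real estate the tuples come from the 4624 fields TargetDomainName, TargetUserName, LogonType and WorkstationName plus the Computer that logged the event, collected centrally; the backup service in the sample is there to show why a bare host-count threshold needs either a per-account baseline or an allowlist before it becomes an alert you page on, while the domain admin account fanning out from a single workstation is the case the thread says deserves the attention that patch-status reporting usually gets.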