The Center for Education and Research in Information Assurance and Security (CERIAS)

CERIAS Blog

Patching is Not Security

I have long argued that the ability to patch something is not a security “feature” — whatever caused the need to patch is a failure. The only proper path to better security is to build the item so it doesn’t need patching — so the failure doesn’t occur, or has some built-in alternative protection.

This is, by the way, one of the reasons that open source is not “more secure” simply because the source is available for patching — the flaws are still there, and often the systems don’t get patched because they aren’t connected to any official patching and support regime. Others may be in locations or circumstances where they simply cannot be patched quickly — or perhaps not patched at all. That is also an argument against disclosure of some vulnerabilities unless they are known to be in play — if the vulnerability is disclosed but cannot be patched on critical systems, it simply endangers those systems. Heartbleed is an example of this, especially as it is being found in embedded systems that may not be easily patched.

But there is another problem with relying on patching — when the responsible parties are unable or unwilling to provide a patch, and that is especially the case when the vulnerability is being actively exploited.

In late January, a network worm was discovered that was exploiting a vulnerability in Linksys routers. The worm was reported to the vendor and some CERT teams. A group at the Internet Storm Center analyzed the worm, and named it TheMoon. They identified vulnerabilities in scripts associated with Linksys E-series and N-series routers that allowed the worm to propagate, and for the devices to be misused.

Linksys published instructions on their website to reduce the threat, but it is not a fix, according to reports from affected users — especially for those who want to use remote administration. At the time, a posting at Linksys claimed a firmware fix would be published “in the coming weeks.”

Fast forward to today, three months later, and a fix has yet to be published, according to Brett Glass, the discoverer of the original worm.

Complicating the fix may be the fact that Belkin acquired Linksys. Belkin does not have a spotless reputation for customer relations; this certainly doesn’t help. I have been copied on several emails from Mr. Glass to personnel at Belkin, and none have received replies. It may well be that they have decided that it is not worth the cost of building, testing, and distributing a fix.

I have heard that some users are replacing their vulnerable systems with those by vendors who have greater responsiveness to their customers’ security concerns. However, this requires capital expenses, and not all customers are in a position to do this. Smaller users may prefer to continue to use their equipment despite the compromise (it doesn’t obviously endanger them — as yet), and naive users simply may not know about the problem (or believe it has been fixed).

At this point we have vulnerable systems, the vendor is not providing a fix, the vulnerability is being exploited and is widely known, and the system involved is in widespread use. Of what use is patching in such a circumstance? How is patching better than having properly designed and tested the product in the first place?

Of course, that isn’t the only question that comes to mind. For instance, who is responsible for fixing the situation — either by getting a patch out and installed, or replacing the vulnerable infrastructure? And who pays? Fixing problems is not free.

Ultimately, we all pay because we do not appropriately value security from the start. That conclusion can be drawn from incidents small (individual machine) to medium (e.g., the Target thefts) to very large (government-sponsored thefts). One wonders what it will take to change that. How do we patch people’s bad attitudes about security — or better yet, how do we build in a better attitude?

In Memoriam: Wyatt Starnes

William Wyatt Starnes passed away unexpectedly on May 10th, 2014 at the age of 59. Wyatt was a serial entrepreneur, known for his work in computing — and especially cyber protection — as well as for his mentorship and public service.

Wyatt graduated from Ygnacio Valley High School in Concord, CA, in 1972, and then obtained an Associate’s Degree from the Control Data Institute. His first full-time job was at Data General, and he went on to hold technical positions with Monolithic Memories, Maruman Integrated Circuits, and then Megatest Corporation. While at Megatest, Wyatt moved into management, where he showed significant expertise, and was eventually promoted to VP of Sales and Marketing. He subsequently moved to Tokyo for several years as the President of Megatest Japan. Although the remainder of his career was in management positions, he continued to work in technology, and was named as inventor or co-inventor of a number of patents in later years.

Upon leaving Megatest, Wyatt moved to Portland, Oregon, where he lived for the rest of his life. In Portland, he worked for several firms before founding his own company, Eclipse Technologies, Inc., and then Infinite Pictures. During that time, he met Gene Kim (one of my former students). Wyatt then founded Visual Computing, Inc., with Gene. They had originally planned on producing an immersive MMORPG named “Piggyland.” (I still have some of the marketing literature for this!) It used some novel technology and a great deal of humor, but before it had progressed very far, a series of coincidences led them to start Tripwire Security Services as a subsidiary, to produce software to secure MMORPGs and similar games. In short order, it became clear that Tripwire was the real path to success, and they transformed Infinite Pictures and TSS into Tripwire, Inc.

Wyatt was the CEO of Tripwire from 1997 to 2004 (Gene was CTO). In 2004, after a bout with cancer weakened him and forced him to step down from managing Tripwire, Wyatt founded the first version of the company SignaCert, and served as its CEO for the next six years. In 2010, SignaCert was acquired by Harris Corporation, and Wyatt served as the VP of Advanced Concepts and CTO for Cyber until 2012, when he retired. (NB. SignaCert has since begun a “second life” after being sold by Harris.) Over his career, Wyatt also served on the boards of Swan Island Networks of Portland, Oregon; Comprehensive Intelligence Technology Training Corporation of Annapolis, Maryland; and Symbium Software of Ottawa, Ontario.

During his 15-year career as a leading executive in cyber security, Wyatt was a driven and passionate advocate for better security and better design. He spoke at industry and community events, and was asked to join several high-level government and industry advisory boards, including TechAmerica Foundation’s CLOUD2 Commission, NIST’s Visiting Committee on Advanced Technologies (VCAT), and the Oregon Executive Council of the American Electronics Association (AeA), among others. In Portland, he was cofounder of the innovative RAINS network (Regional Alliances for Infrastructure and Network Security), a nonprofit public/private alliance (now defunct) formed to accelerate development, deployment and adoption of innovative technology for homeland security.

Wyatt was known for business acumen with a human touch — he cared about the people who worked for him, his customers, and the world around him. He made time for others when they needed it, and that is a rare quality in someone serving as a CEO. Although highly focused on his business duties, Wyatt was seemingly always willing to lend a smile, and listen to what others had to say. He was also known for his fondness for good wine and good humor.

As the designer of the original Tripwire and SignaCert offerings, I have known and worked with Wyatt for nearly 20 years. When he was undergoing treatment for his life-threatening condition in the mid-2000s, we had many conversations about the nature of existence and the future. Then, and throughout the time I knew him, Wyatt expressed a strong commitment to living in the present — to not put off things (including people) that might then be forgotten…and regretted.

Some people believe that exiting life with the largest bank account is success. Wyatt believed that making the world a better place was true success. He wrote in his LinkedIn profile under “Awards and Honors”:

My reward comes from the special opportunity to do something important that (hopefully) leaves the world a better place.
And it is an honor to share what I have learned with others that aspire to create lasting contributions with their lives.

By those measures, he clearly was a huge success — his companies, his advocacy, his mentoring, and his friendship changed the lives of many, many people for the better. Wyatt Starnes will be greatly missed.

Some other media accounts of Wyatt’s passing: