
Firewall security: Problems with simple Samba file share 3609



No, perfectly true. You seem somewhat naive about probabilities and stats ..

Of course I do. Bayesian reasoning.

False deduction. Incorrect logic. I can know plenty of things about things that haven't occurred yet - the whole science of probability is devoted to just exactly that.

The probability of an exploit against me is as close to zero as one can get, because use of the vulnerability causes reports to be generated, which causes people to look for it, which causes the exploit to be trapped, analysed, and a fix put out, in hours. That's unique to open source. The resources dedicated to finding, trapping and fixing it are enormous.

Even way back when in the days of the Morris internet worm, which shut down about half the then net, the whole thing was seen, trapped and rebuffed in about 48h, using just the postmasters. Nowadays the response is a matter of about 4-8h and people all over the place contribute, as far as I can tell from the reports I have seen go past over about the last five years.

Firewall security: Problems with simple Samba file share 3611
It isn't the same situation - it's not a one off at all. Your use of the firewall is predicated on a continuous background of "experiments" dedicated at breaking in hence the laws of statistics apply...

(and you are probably confusing the terms "exploit" and "vulnerability" - a vulnerability may exist without ever being exploited).

So by Bayesian logic, the only still undefended vulnerabilities are the ones which are not being exploited. Which I am not likely to suffer from!

You stole it from me. But not from everybody. So say there are 100 million people on the internet. Then there is a 1:100000000 chance of suffering from your exploit. Thanks - but I am much more likely to be run over by a truck, or struck by a falling star.

If you were to use a technique that was generally applicable and rapidly effected in multiple places, it would quickly be noticed, analysed, and a defense concocted, transmitted to the distros, and passed on to users in updates.

The only vulnerabilities not closed are the ones not exploited. That means you don't have to worry about them - they are not likely to be applied to you.

Firewall security: Problems with simple Samba file share 3610
Peter T. Breuer Ahh, yes. The beginning of ad hominem attacks. I'm "naive" if I don't...

Great!

Good.

Insignificant. A single hacker working away can do maybe 10 breakins a day, working full speed. That's 1:10000000 per day. Not even that, since he has to locate targets very carefully and keep himself hidden. You are more likely to choke to death on your next meal. Worry about that instead.

And that's only WHEN he comes up with such a breakin, and applies only to those setups that are vulnerable to his approach. Say that 1 in 10 setups are vulnerable (unlikely - there are a dozen major distros, in lotsa different configs, not to mention different versions). Now you get to multiply by the odds of coming up with it.

Forget it. Bayes still applies.

No, it would be a couple of months at most (an analogy was the breakin at gnu - they took about a month to notice it, deduce the mechanism, fix it, etc - yes, it was an unknown kernel vulnerability or similar, and no, the exploit could not be widely used without advertising it, so it wasn't). And only a limited set of targets could be taken.

Firewall security: Problems with simple Samba file share 3615
Yes, you did. That's what's so strange, as there are of course attacks from China. I assume, that SSH (as any...

There's no point. Large odds are meaningless. There is no real sense in which 1:100000000 is better or worse than 1:1000000000. They are both "once in never" odds. If you want to cover yourself, bet $1 on it happening. Bookies also are beaten by long odds.

They're relatively high. About 90% of all software and hardware problems are admin-caused for a start!

Firewall security: Problems with simple Samba file share 3614
I said it is not. Then what do you think? That somebody in China has a secret method of breaking into ssh and they are going shortly to choose you to be the...

Why? You think they will try harder to get in or choose your car first? Reasonable - but try making the car refuse to work for anyone but you. Then you won't care.

Peter


