Off-topic: Workstation vulnerability — FUD at its best

Reading an interestingly-titled article on InformIT, I’ve stumbled across the following text:

The survival time is an estimate of how long an un-patched computer will remain uncompromised once it’s connected to the Internet. While the actual time varies, historically it tends to run between 4 and 20 minutes.

This is such an obvious nonsense that I had to check the source, which is also full of alarming messages, but admits at the end that the problems described largely disappeared with XP SP2. Just to put things in perspective: XP SP2 was released in August 2004 and the graph in the alarming blog post displays data from 2008.

Next step: investigate the source of the graph. The »average survival time« is defined as the time between probes on numerous TCP or UDP ports, regardless of whether the port was actually enabled in the workstation and whether the probe was successful or not.

My personal conclusion: as most workstations include some sort of rudimentary firewall these days, the whole approach is bogus. More precisely, it measures an important parameter (average time between probes), but claims it represents something completely different (average survival time). Would you agree with my conclusion?

Lesson learned: Never trust alarming over-simplifying statements based on misunderstood data.


  1. This proves my premise that many security people have lost their marbles.
    Some moons ago, I decided to enable the windows firewall via a GPO on all desktops. The vulnerability reports immediately improved to nothing outstanding. Instead of being satisfied the Chief Lost Marble Person insisted that the firewalls on all the desktops be disabled so he can have a "true reflection of vulnerability."
  2. As always, people working with preemptive protection of any kind are hard at work churning out risk assessment figures to justify their existences to the bean counters.
Add comment