Post

@speakjava Let me know when you have the correct answer :)

@speakjava You may explain how Israeli intelligence hacked the Iranian atomic power plant centrifuges that were not connected to the net.

@speakjava Remind them this: vulncat.fortify.com/en/detail?id=d…. A hacker can craft a request message with this specific double and hang their machine if they don't update.

@speakjava What about “I hope you have slightly different update policy of your firewall”? 😉

@speakjava How about changing the context to something everybody should understand, e.g. airport customs.

@speakjava Ask them if they have any firewall exceptions.

@speakjava It depends on your relationship with him. If he is your customer then the old saying applies: "The customer is not always right, but he always has the last word".

@speakjava Just ask them if they are also not using any Anti-Virus software just because they are behind a firewall.

@speakjava There's always some surface to attack. How about - - there's more concerning exposure than 2m old jdk? And time to retest that build which has "just" a security patch simply isn't worth it? :)

@speakjava Not updating is totally ok as long as the app is on a machine that is turned off, in a sealed high-security safe 10 m underground. :)

@speakjava Ask a friendly hacker to send them a screenshot of their desktop.

@speakjava There are some hackers using waterwalls, which make firewalls totally inoperable. There are ofc alternatives, one might use an airwall to make the firewall even stronger or combine it with an earthwall to stop the waterwall...1/2

@speakjava Showing an example of how it could be exploited even behind a firewall.

@speakjava Maybe with statistics.. the majority of attacks/breaches come from inside errors.

@speakjava Remember Germany, 1989? Walls aren't as impenetrable as some people might want you to believe. If there's a will, there is a way.

@speakjava The great irony of life is, good counsel given to someone whose tail is not on fire yet, is usually looked upon as BS. So it’s better, to focus energies elsewhere.

@speakjava Is there a danger from malicious users inside the organisation/firewall?

@speakjava Why would there be any irritation on your side (and indication of impoliteness)? Just keep the answer merit-based.

@speakjava Me: "Are you sure? OK, it is up to you: I'll write a document signed by you where all your decisions are documented together with my proposition..." - Be Correct + Pecunia non olet!😎🖖

@speakjava Tell them it is exactly similar to keeping an expired medicine on the shelf for emergency purposes.

@speakjava POC || GTFO w/ an example vuln. Doesn’t have to be the same language. Demonstrate knowledge and show how history repeats itself.

@speakjava Tell them they'd be better off doing something less technical :)

@speakjava You just respond normally with the prefix "With all due respect, Sir" and then you can say something like "you are a halfwit" or whatnot.

@speakjava «Defense in depth» is neither a galaxy name nor a novel title ;)










