AV/FW Adoption Studies

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jun 10 15:28:59 UTC 2004


On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean at donelan.com>  said:

> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> publicity doesn't change them much.  If it is six months before the
> exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
> about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
> effect, as the exploits show up sooner the people who were going to patch
> anyway patch sooner.  The ones that don't, still don't.

Remember that the black hats almost certainly had 0-days for the holes, and
before the patch comes out, the 0-day is 100% effective.   Once the patch comes
out and is widely deployed, the usefulness of the 0-day drops.

Most probably, 40% is a common value for "I might as well release this one and
get some recognition".  After that point, the residual value starts dropping
quickly.

Dave Aucsmith of Microsoft seems to think there's a flurry of activity to
reverse engineer the patch:

http://news.bbc.co.uk/1/hi/technology/3485972.stm

In fact, half of them are just sitting there and playing "chicken" - you wait
too long, and somebody else gets the recognition as "best reverse engineer" by
Aucsmith, but if you wait too little, you lose your 0-day while it still has
some effectiveness.

Somebody else can turn the crank on the game-theory machine and figure out what
the mathematically optimum release point is....
