AV/FW Adoption Studies

Eric Rescorla ekr at rtfm.com
Thu Jun 10 18:37:47 UTC 2004


Valdis.Kletnieks at vt.edu writes:

> On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
>> Valdis.Kletnieks at vt.edu writes:
>
>> > Remember that the black hats almost certainly had 0-days for the
>> > holes, and before the patch comes out, the 0-day is 100% effective.
>> 
>> What makes you think that black hats already know about your
>> average hole?
>
> Because unlike a role playing game, in the real world the lawful-good white
> hats don't have any deity-granted magic ability to spot holes that remain
> hidden from the chaotic-neutral/evil dark hats.
>
> Explain to me why, given that MS03-039, MS03-041, MS03-043,
> MS03-044, and MS03-045 all affected systems going all the way back
> to NT/4, and that exploits surfaced quite quickly for all of them,
> there is *any* reason to think that only white hats who have been
> sprinkled with magic pixie dust were able to find any of those holes
> in all the intervening years?

Actually, I think that the persistence of vulnerabilities is an
argument against the theory that the black hats in general know about
vulnerabilities before they're released.  I.e., given that the white
hats put a substantial amount of effort into finding vulnerabilities
and yet many vulnerabilities persist in software for a long period of
time without being found and disclosed, that suggests that the
probability of white hats finding any particular vulnerability is
relatively small. If we assume that the black hats aren't vastly more
capable than the white hats, then it seems reasonable to believe that
the probability of the black hats having found any particular
vulnerability is also relatively small.

For more detail on this general line of argument, see my paper 
"Is finding security holes a good idea?" at WEIS '04.

Paper:   http://www.dtc.umn.edu/weis2004/rescorla.pdf
Slides:  http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf

WRT the relatively rapid appearance of exploits, I don't think
that's much of a signal one way or the other. As I understand it, once
one knows about a vulnerability it's often (though not always) quite
easy to write an exploit. And as you observe, the value of an
exploit is highest before people have had time to patch.
                                   
-Ekr
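As an added illustration of the argument above (this is not code from the post or from the WEIS paper), here is a constructed two-searcher model: white hats and black hats each find a given bug independently at an assumed per-year rate, and the code reports what fraction of the bugs disclosed within an assumed exposure window the black hats already knew about at disclosure. The rates, the 7-year window and the pool size are all assumed values chosen for the illustration.

```python
import math
import random


def simulate(n_vulns, white_rate, black_rate, horizon_years, seed=1):
    """Constructed toy model (not from the post or the WEIS paper).

    Each bug is hunted independently by white hats and by black hats; each
    side's time-to-discovery is exponential with the given per-year rate.
    Returns two fractions:
      * of bugs disclosed within the horizon, how many the black hats
        already knew at disclosure (the quantity the thread argues about);
      * of all bugs in the pool, how many the black hats know by the horizon.
    """
    rng = random.Random(seed)
    disclosed = knew_at_disclosure = known_by_horizon = 0
    for _ in range(n_vulns):
        t_white = rng.expovariate(white_rate)   # years until white hats find it
        t_black = rng.expovariate(black_rate)   # years until black hats find it
        if t_black <= horizon_years:
            known_by_horizon += 1
        if t_white <= horizon_years:            # found, patched and disclosed
            disclosed += 1
            if t_black < t_white:
                knew_at_disclosure += 1
    return (knew_at_disclosure / disclosed if disclosed else 0.0,
            known_by_horizon / n_vulns)


def closed_form(white_rate, black_rate, horizon_years):
    """Exact values of the same two fractions for the exponential model."""
    w, b, h = white_rate, black_rate, horizon_years
    p_disclosed = 1.0 - math.exp(-w * h)
    # P(black hats found it before the white hats, and white hats found it within h)
    p_black_first_and_disclosed = (
        p_disclosed - (w / (w + b)) * (1.0 - math.exp(-(w + b) * h)))
    return (p_black_first_and_disclosed / p_disclosed, 1.0 - math.exp(-b * h))


if __name__ == "__main__":
    # Assumed parameters: a 7-year exposure window and, for each side, the
    # per-year chance of finding any one particular bug.
    for w, b in [(0.10, 0.10), (0.02, 0.02), (0.02, 0.10)]:
        sim = simulate(100_000, w, b, 7.0)
        exact = closed_form(w, b, 7.0)
        print(f"white={w:.2f}/yr black={b:.2f}/yr  knew at disclosure: "
              f"sim {sim[0]:.3f} exact {exact[0]:.3f}  "
              f"pool known by year 7: {exact[1]:.3f}")
```

The output shows the quantity depends on both the per-bug discovery rate and the assumed capability ratio: with equal, low rates the black hats knew a small fraction of disclosed bugs at disclosure, and the fraction rises only if they are assumed to be several times more capable.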
More information about the NANOG mailing list