Dailydave mailing list archives

Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: "Thomas H. Ptacek" <tqbf () sockpuppet org>
Date: Thu, 9 Jun 2005 15:14:24 -0400


On Jun 9, 2005, at 4:08 PM, john blumenthal wrote:

> on ownership and liability. At the very least there will be some sharp
> procurement negotiator out there dealing with a software vendor and
> evaluating the price of your exploit and whether owning the exploit improves
> their bargaining power. ;-)

I've reread this thread twice now, and I may be misunderstanding the idea, but if not, I'm uneasy about this for three basic reasons:

1. The overwhelming majority of exploits are truly valuable only when their underlying vulnerabilities are kept secret. But keeping vulnerabilities secret is unethical: even if the vendor won't patch, many operators can employ other effective stopgap solutions.

2. It places a premium on vulnerability research that produces readily-exploitable vulnerabilities in a small subset of vendors, regardless of the fact that those vendors might not be our most important targets. For every OS you find a remote in, I have an embedded printer card that would be even scarier to break. And so on. Not to mention the fact that the "current exploitability" factor is not necessarily a good predictor of the "long term value" of a vulnerability.

3. It marks a return to the "security-clique" mentality that characterized the early 90's; if full-disclosure people like me have an ideological enemy, it's the Infohax/CORE-list dynamic that kept a small group of "cool kids" in the know about holes and everyone else in the dark. 8lgm shattered that on Bugtraq, hundreds of people followed, and we are way, way better off for it. It's a subtly different point from #1: yes, it's bad to hamstring operators by keeping info secret, but it's even worse to retard progress by withholding research results.

Part of the issue is, I'm just not convinced that the current model we have isn't effective. Yeah, it undersells people who find vulnerabilities. But undervaluing research isn't what keeps people buying insecure products, so solving the "market value of exploits" problem doesn't address the "market acceptance of insecurity" problem. It seems clear to me, based on the past 10 years of vulnerability research, that there are other effective motivators for security researchers.

---
Thomas Ptacek
Matasano Security
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave