Dailydave mailing list archives
Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology
From: "Berend-Jan Wever" <berendjanwever () gmail com>
Date: Wed, 22 Aug 2007 12:37:55 +0100
Hi Dave,

I liked point 5 best: *Having a "target rich environment" overwhelms an attacker's analytical capability.* I'll tell the people I work with we need to put more bugs in our software to stop people from exploiting them :)

I think point 6 applies to everybody: there is no data to back up either side of the argument. However, we do have some data to back up claims around the insecurity of software, so let's make an analogy with hard-to-model, complex software products which get updated frequently and see what we find:

*1. Hacking has an economy of scale.*
There are plenty of complex products that get hit by 0days from "one-hit-wonders". If you have two smart pentesters looking at product X and one dumb attacker, that does not guarantee your pentesters will find all bugs in the product before the attacker finds one they have yet to discover.

*2. Product X is a hard system to model.*
One does not need to model the whole system, just the weak parts. I have not a clue how SETI@HOME does what it does, but I'm sure it's pretty complex. Regardless, I was able to write an exploit for it.

*3. Complexity breeds resilience.*
It also breeds issues. The more lines of code, the more potential bugs, and adding complexity often requires adding more lines of code. Therefore, you'll find more bugs in more complex code.

*4. Technology is adopted quickly in product X, making it a fast-moving target.*
New technology brings new issues: the technology has not been proven, and new classes of issues that affect only this new technology are yet to be discovered.

Unfortunately, I have no data to back up that my analogy scales well. It seems that only time may tell us who was right; let's hope it never gets to that.

Cheers,
SkyLined

--
Berend-Jan "SkyLined" Wever
Email & Live messenger: berendjanwever () gmail com