Is finding security holes a good idea?

Eric Rescorla ekr at rtfm.com
Mon Jun 14 11:07:11 EDT 2004


Ben Laurie <ben at algroup.co.uk> writes:

> Eric Rescorla wrote:
>
>> Cryptography readers who are also interested in systems security may be
>> interested in reading my paper from the Workshop on Economics
>> and Information Security '04:
>>     Is finding security holes a good idea?
>>         Eric Rescorla
>>     RTFM, Inc.
>>     A large amount of effort is expended every year on finding and
>>     patching security holes. The underlying rationale for this activity
>>     is that it increases welfare by decreasing the number of bugs
>>     available for discovery and exploitation by bad guys, thus reducing
>>     the total cost of intrusions. Given the amount of effort expended,
>>     we would expect to see noticeable results in terms of improved
>>     software quality. However, our investigation does not support a
>>     substantial quality improvement--the data does not allow us to
>>     exclude the possibility that the rate of bug finding in any given
>>     piece of software is constant over long periods of time. If there is
>>     little or no quality improvement, then we have no reason to believe
>>     that the disclosure of bugs reduces the overall cost of
>>     intrusions.
>
> I don't see how that follows. If a bug is found but not disclosed,
> then it can be used for intrusion. If it is disclosed, then it cannot
> (assuming it gets fixed, of course). The fact that there are more bugs
> to be found which can _also_ be used for intrusions doesn't mean
> there's no point in fixing the hole, surely - at least the next bug
> has to be found before intrusions can occur again.

Well, this is just the abstract... The full argument is laid out
in the paper. 

Roughly speaking:
If I as a White Hat find a bug and then don't tell anyone, there's no
reason to believe it will result in any intrusions.  The bug has to
become known to Black Hats before it can be used to mount
intrusions. This can either happen by Black Hats re-finding it or some
White Hat disclosing it.  So, the question is, at least in part, what
the likelihood of these happening is...

-Ekr
