Is finding security holes a good idea?

Birger Tödtmann btoedtmann at exp-math.uni-essen.de
Thu Jun 17 06:47:14 EDT 2004


On Thu, 10.06.2004 at 20:37, Eric Rescorla wrote:
> Cryptography readers who are also interested in systems security may be
> interested in reading my paper from the Workshop on Economics
> and Information Security '04:
> 
>     Is finding security holes a good idea?
[...]

The economic reasoning within the paper misses casualties that arise
from automated, large scale attacks.

In figure 2, the graph indicating the "Black Hat Discovery Process"
suggests we should expect a minor impact of "Private Exploitation" only,
because the offending Black Hat group is small and exploits manually.
However, one could also imagine Code Red, Slammer and the like.  Apart
from having a fix ready or not, when vulnerabilities of this kind are
not known *at all* to the public (no problem description, no workaround
like "remove file XYZ for a while" known), worms can hit the network far
more severely than they already do with knowledge of the vulnerability and
even fixes available.  I would expect the "Intrusion Rate" curve to be
formed radically differently at this point.  This also affects the
discussion about social welfare lost / gained through disclosure quite a
lot.

I don't see how applying Browne's vulnerability cycle concept to the
Black Hat Discovery case as it has been done in the paper can reflect
these threat scenarios correctly.


Regards,
-- 
Birger Tödtmann <btoedtmann at exp-math.uni-essen.de>
Computer Networks Working Group, Institute for Experimental Mathematics
University Duisburg-Essen, Germany
