Is finding security holes a good idea?
Birger Tödtmann
btoedtmann at exp-math.uni-essen.de
Thu Jun 17 12:14:46 EDT 2004
On Thu, 17.06.2004 at 16:34, Eric Rescorla wrote:
[...]
> > even fixes available. I would expect the "Intrusion Rate" curve to be
> > formed radically different at this point. This also affects the
> > discussion about social welfare lost / gained through disclosure quite a
> > lot.
> >
> > I don't see how applying Browne's vulnerability cycle concept to the
> > Black Hat Discovery case as it has been done in the paper can reflect
> > these threat scenarios correctly.
>
> It's true that the Browne paper doesn't apply directly, but I don't
> actually agree that rapid spreading malware alters the reasoning in
> the paper much. None of the analysis in the paper depends on any
> particular C_BHD/C_WHD ratio. Rather, the intent is to provide
> boundaries for what one must believe about that ratio in order to
> think that finding bugs is a good idea.
So if we don't peg the C_BHD/C_WHD ratio to something happening in the
real world, it's "all depends on your threat model" again. If I assume
a specific ratio that 'justifies' finding bugs in terms of economic
trade-off, you may disagree by believing in a different ratio. It could
be of interest which threat model represents which ratio, so as to see the
effects on the economic trade-off; however, the discussion is simply
shifted towards "which threat model is more realistic". What do we
gain?
Regards
--
Birger Tödtmann <btoedtmann at exp-math.uni-essen.de>
Computer Networks Working Group, Institute for Experimental Mathematics
University Duisburg-Essen, Germany
---------------------------------------------------------------------
The Cryptography Mailing List