interesting paper on the economics of security

pgut001 pgut001 at cs.auckland.ac.nz
Thu Aug 23 01:00:44 EDT 2007


Florian Weimer <fw at deneb.enyo.de> writes:

>The tests I've seen are mostly worthless because they do not weigh their
>results based on the actual threats a typical user faces.

A topic very similar to this came up recently on the hcisec list.  My comments
there were:

We already have really, really good metrics for this.  It's called the
commercial malware industry (blatant ad: see my Defcon talk from last week for
examples of exploit sales and pricing models).  To find out how secure
something is, look at how much exploits for it are selling for on the black
market.  I've been thinking of doing a maverick paper for next year's MetriCon
about this [0]; for example, although OS X is a veritable smorgasbord of 0days,
the market value of these is close to zero because everyone's targeting
Windows instead.  A prime example of this is Safari: it was 0dayed within two
hours of the Windows version appearing, yet the same flaws had lain dormant in
the OS X version (presumably) for years because there's little to no
commercial interest in exploiting Macs.  So it could be argued that the best
real-world metric that we have for security comes from the attackers, not the
defenders.

(Incidentally, this powerful real-world metric is telling us that the
existing browser security model is indistinguishable from placebo :-).

Peter.

[0] This should not be construed as a promise of a paper appearing.  I'm not
    sure whether I could get enough material to make an interesting paper.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com