Dailydave mailing list archives

Re: The L Word & Fish


From: Halvar Flake <halvar () gmx de>
Date: Thu, 22 Jan 2004 19:02:24 +0100

Hey all,

DA> I think the best arguments against the paper are:
DA> 1. It's got a lot of bullshit equations in it. They add nothing.
DA> 2. The graphs are also completely made up.
DA> 3. "The bottom line, then, is that based on the evidence we cannot
DA> conclude that bug finding and disclosure provides an increase in
DA> software security sufficient to offset the effort being invested"
DA> <---makes no sense.

The paper is quite obviously written by somebody peddling in
economics. A smart man (and economics PhD) told me that many
economics papers suffer from a heavy ideological influence -- that means
instead of starting with the analysis of a problem, the paper is
written by first deciding what result one would like and then arguing
for it. And there's the joke that if an economist has good karma, he's
reborn as a scientist, and if he has bad karma, he's reborn as a
politician.

Anyone who wants to make the case that finding reliably exploitable
remote code execution bugs in core OpenSSH now is of the same difficulty as
it was 2-3 years ago has very little idea of what he is talking about
(or is such a natural born code auditor that it doesn't matter to
him).

Again, the bug <=> fish analogy provides quite a bit of insight:

A fisherman is hungry and decides he will go out fishing to find
himself a nice meal. Catching a big fish takes quite a bit of time and
effort, and there are many people fishing in his lake nowadays. It has
become harder recently to catch nice fish, so he decides that instead of
just using a stick, string and a worm, he'll build himself a net to
catch fish more easily. And he can't go hungry (he's quite obsessed
with eating high-protein food) so he will invest the time to build
himself a net to fish, and then use it. The other fishermen think
similarly, and start building nets. Some decide to go fishing further
up north, where it is a lot colder and less fun to fish (the surface
is frozen and the water is pitch dark). All suffer from the fact that
they can't catch fish they used to (sitting leisurely in the sun with
a stick and a string), but they can't help it: They crave fish. As
they are a fairly creative people, they invent more and more clever
ideas to find fish even though the stocks are clearly being depleted.
Fishing has become harder, but those that have lived near the lake for
a long time have the experience and resources to still locate enough
to eat - nobody knows though for how long.
In a few years they'll have drifting nets, echolots and satellite
navigation systems to catch their fish (if any are left). Or they'll
all be starved to death (except a small number) so that the fish
stocks can recover.

We all remember the time when every Oracle product
died after 2 minutes of (manual) fuzzing. Now it takes a lot longer.
Probably days, perhaps a week.

Productivity gains in locating fish can lead to rising yields even
though the underlying stocks are deteriorating.

Interestingly, the fishers in our example are all subsistence workers.
You can only digest so much fish at once. And if there's no way
to sell your fish, it makes no sense to catch more than you can eat.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave