Dailydave mailing list archives
RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow.
From: john blumenthal <jblumen () xmission com>
Date: Thu, 09 Jun 2005 01:00:21 -0600
A few years back Greg Hoglund and I explored the use of an auction model ("0bay") that would be anonymized while using a verification and reputation model much like eBay does today. Some of the recent webmobs resemble this model. Our employer at the time had us tear down the site based on legal advice. ;-) I'd love to put the system back online if some sharp Stanford lawyer interested in pro bono work and a lot of publicity might donate their time to building legal firewalls.

I like the idea of auctioning exploits. I think it would shift the industry pretty radically since the market's invisible hand should be capable of driving demand for high value exploits. Some economic forces to consider given, say, a package of 0day remote exploits on Oracle:

-- would it be more economical for Oracle to QA these, sue you to avoid disclosing, or simply purchase the exploits in an auction (effectively using the 0bay site as an outsourced security QA service ;-) ) to take them off the market?

-- would vendors purchase competitor vulnerabilities or would they form a cartel to take down the site? And if they did collaborate in this manner, what would the press and customers say?

-- would the software vendor consider this blackmail with any legal recourse? What if the research is sold from a location beyond a legal domain that does provide legal recourse?

-- doesn't the auction approach highlight the economic cost of not building secure software to begin with? Security cost is borne today in a business model that defies fundamental economic laws -- in which the consumer bears all the cost and risk and doesn't even own the product for which they incur that exposure and expense! With economics turned on its head in the software industry we end up with Microsoft selling security software in a bizarre variation of demand generation.

-- vulnerability clubs kind of attempt the auction model but don't constitute a market where demand is the inherent driver of the price for the exploit.

Economics rules everything. With security I say let the market decide.

johnb

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Wednesday, June 08, 2005 6:28 AM
To: dailydave
Subject: [Dailydave] A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.

Thomas's posts are again genius. He needs to cross post them here, so I stop doing so. :>
http://www.sockpuppet.org/tqbf/log/

Speaking of buying exploits, I've been toying with the idea recently that exploit purchasing is done on the artwork principle. I.E. rather than modeling it as a commodity or based on game theory, people should model it the way they purchase paintings. People don't just purchase paintings based on the colors and weight. They tend to think of a certain historical context. Recently, a friend purchased a painting for me in Tikrit. This painting, while worth a lot more, imo, cost around 15 dollars. Surely this concept comes into play with exploits as well. Was the GOBBLES apache-nosejob.c exploit worth more because of the exciting events that surrounded the disclosure?

I offer this humble offering to the economists of the vulnerability disclosure debate future. :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Dave Aitel (Jun 08)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 08)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Mike Tremoulet (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Chris Kuethe (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Pete Herzog (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. byte_jump (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Mike Tremoulet (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Chris Wysopal (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Chris Wysopal (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. dan (Jun 10)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 08)
- Re: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Matt Hargett (Jun 09)