Dailydave mailing list archives
Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.
From: "Thomas H. Ptacek" <tqbf () sockpuppet org>
Date: Thu, 9 Jun 2005 15:14:24 -0400
On Jun 9, 2005, at 4:08 PM, john blumenthal wrote:
> on ownership and liability. At the very least there will be some sharp procurement negotiator out there dealing with a software vendor and evaluating the price of your exploit and whether owning the exploit improves their bargaining power. ;-)
I've reread this thread twice now, and I may be misunderstanding the idea, but if not, I'm uneasy about this for three basic reasons:
1. The overwhelming majority of exploits are truly valuable only when their underlying vulnerabilities are kept secret. But keeping vulnerabilities secret is unethical: even if the vendor won't patch, many operators can employ other effective stopgap solutions.
2. It places a premium on vulnerability research that produces readily-exploitable vulnerabilities in a small subset of vendors, regardless of the fact that those vendors might not be our most important targets. For every OS you find a remote in, I have an embedded printer card that would be even scarier to break. And so on. Not to mention the fact that the "current exploitability" factor is not necessarily a good predictor of the "long term value" of a vulnerability.
3. It marks a return to the "security-clique" mentality that characterized the early 90's; if full-disclosure people like me have an ideological enemy, it's the Infohax/CORE-list dynamic that kept a small group of "cool kids" in the know about holes and everyone else in the dark. 8lgm shattered that on Bugtraq, hundreds of people followed, and we are way, way better off for it. It's a subtly different point from #1: yes, it's bad to hamstring operators by keeping info secret, but it's even worse to retard progress by withholding research results.
Part of the issue is, I'm just not convinced that the current model we have isn't effective. Yeah, it undersells people who find vulnerabilities. But undervaluing research isn't what keeps people buying insecure products, so solving the "market value of exploits" problem doesn't address the "market acceptance of insecurity" problem. It seems clear to me, based on the past 10 years of vulnerability research, that there are other effective motivators for security researchers.
---
Thomas Ptacek
Matasano Security

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow., (continued)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Chris Kuethe (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Pete Herzog (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. byte_jump (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Chris Wysopal (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Chris Wysopal (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. dan (Jun 10)
- Re: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Matt Hargett (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Thomas H. Ptacek (Jun 09)
- RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. john blumenthal (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow. Blue Boar (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. byte_jump (Jun 09)
- Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow. Matt Hargett (Jun 09)