Dailydave mailing list archives
RE: A single line drawn by Picasso, an Iraqi artist,and a buffer overflow.
From: john blumenthal <jblumen () xmission com>
Date: Thu, 09 Jun 2005 14:47:48 -0600
Excellent response. Let me belabor this point one more time, then I'll shut up and get back to work. Inline:

-----Original Message-----
From: Thomas H. Ptacek [mailto:tqbf () sockpuppet org]
Sent: Thursday, June 09, 2005 1:14 PM
To: jblumen () xmission com
Cc: dailydave
Subject: Re: [Dailydave] A single line drawn by Picasso, an Iraqi artist,and a buffer overflow.

On Jun 9, 2005, at 4:08 PM, john blumenthal wrote:

on ownership and liability. At the very least there will be some sharp procurement negotiator out there dealing with a software vendor and evaluating the price of your exploit and whether owning the exploit improves their bargaining power. ;-)

I've reread this thread twice now, and I may be misunderstanding the idea, but if not, I'm uneasy about this for three basic reasons:

1. The overwhelming majority of exploits are truly valuable only when their underlying vulnerabilities are kept secret. But keeping vulnerabilities secret is unethical: even if the vendor won't patch, many operators can employ other effective stopgap solutions.

johnb: in the auction model I am proposing, the seller would need to describe the vulnerability in order for the buyer to make a qualified decision. This would be similar to the current disclosure model, in that the vendor could be notified that not only does the exploit exist, it's going up for auction on date X. In addition, the exploit would need to be verified by the independent auditor (0bay) prior to auction. Participants would get to rank the credibility of the seller and the value of the exploit based on the description and validation.

johnb: like eBay, there would be a range of high value and low value items of varying quality and credibility. Vendors would be able to log in and see what's considered high value and make a decision to buy the research, invest more into their own QA processes to prevent auctions (the ideal imho), or ignore it. I am not debating the ethics of this approach, only suggesting an economic model that uses natural market forces to move software vendors into changing their legacy QA approaches and licensing models that defy economics by transferring liability irrationally.

2. It places a premium on vulnerability research that produces readily-exploitable vulnerabilities in a small subset of vendors, regardless of the fact that those vendors might not be our most important targets. For every OS you find a remote in, I have an embedded printer card that would be even scarier to break. And so on. Not to mention the fact that the "current exploitability" factor is not necessarily a good predictor of the "long term value" of a vulnerability.

johnb: Good points. To your first, the "premium" is in fact the "price." A purchaser may elect to retain the "value" of the exploit by stopping distribution (and a key factor to make the auction work is that the seller would be contractually bound to guaranteeing the existence of 1 copy and liable for any "accidental" distribution; something that is debatable in its efficacy and may be the entire Achilles heel to this thing). The exploit probably does have a rate of decay, though, that would be interesting to understand.

3. It marks a return to the "security-clique" mentality that characterized the early 90's; if full-disclosure people like me have an ideological enemy, it's the Infohax/CORE-list dynamic that kept a small group of "cool kids" in the know about holes and everyone else in the dark. 8lgm shattered that on Bugtraq, hundreds of people followed, and we are way, way better off for it. It's a subtly different point from #1: yes, it's bad to hamstring operators by keeping info secret, but it's even worse to retard progress by withholding research results.

johnb: I disagree. The auction model is a free market approach to pricing research, open to anyone willing to pay the market-driven price. Full disclosure can continue to co-exist nicely with this approach. But to make any real money as a researcher, you'd have to be driven by market demands: pick the right target and make absolutely certain your research was unique and incisive.

Part of the issue is, I'm just not convinced that the current model we have isn't effective. Yeah, it undersells people who find vulnerabilities. But undervaluing research isn't what keeps people buying insecure products, so solving the "market value of exploits" problem doesn't address the "market acceptance of insecurity" problem. It seems clear to me, based on the past 10 years of vulnerability research, that there are other effective motivators for security researchers.

johnb: As long as license agreements continue to transfer all risk to the licensee, I believe we do not have a research model that works. I am researching not what motivates security researchers in reality; I am looking at what suspends basic economic principles in producer-consumer relationships when it comes to software.

---
Thomas Ptacek
Matasano Security

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave