Dailydave mailing list archives

RE: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: john blumenthal <jblumen () xmission com>
Date: Thu, 09 Jun 2005 14:47:48 -0600

Excellent response.  Let me belabor this point one more time, then I'll shut
up and get back to work.  Inline:

-----Original Message-----
From: Thomas H. Ptacek [mailto:tqbf () sockpuppet org]
Sent: Thursday, June 09, 2005 1:14 PM
To: jblumen () xmission com
Cc: dailydave
Subject: Re: [Dailydave] A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.



On Jun 9, 2005, at 4:08 PM, john blumenthal wrote:

on ownership and liability.  At the very least there will be some sharp
procurement negotiator out there dealing with a software vendor and
evaluating the price of your exploit and whether owning the exploit
improves their bargaining power. ;-)

I've reread this thread twice now, and I may be misunderstanding the
idea, but if not, I'm uneasy about this for three basic reasons:

1.    The overwhelming majority of exploits are truly valuable only when
their underlying vulnerabilities are kept secret. But keeping
vulnerabilities secret is unethical: even if the vendor won't patch,
many operators can employ other effective stopgap solutions.

        johnb:  in the auction model I am proposing the seller would need to
describe the vulnerability in order for the buyer to make a qualified
decision.  This would be similar to the current disclosure model, in that
the vendor could be notified not only that the exploit exists but that it's
going up for auction on date X.  In addition, the exploit would need to be verified
by the independent auditor (0bay) prior to auction.  Participants would get
to rank the credibility of the seller and the value of the exploit based on
the description and validation.

        johnb:  like eBay there would be a range of high value and low value items
of varying quality and credibility.  Vendors would be able to log in and see
what's considered high value and make a decision to buy the research, invest
more into their own QA processes to prevent auctions (the ideal imho), or
ignore it.  I am not debating the ethics of this approach, only suggesting
an economic model that uses natural market forces to move software vendors
into changing their legacy QA approaches and licensing models that defy
economics by transferring liability irrationally.

2.    It places a premium on vulnerability research that produces
readily-exploitable vulnerabilities in a small subset of vendors,
regardless of the fact that those vendors might not be our most
important targets. For every OS you find a remote in, I have an
embedded printer card that would be even scarier to break. And so on.
Not to mention the fact that the "current exploitability" factor is
not necessarily a good predictor of the "long term value" of a
vulnerability.

        johnb:  Good points.  To your first, the "premium" is in fact the "price."
A purchaser may elect to retain the "value" of the exploit by stopping
distribution (and a key factor to make the auction work is that the seller
would be contractually bound to guarantee the existence of 1 copy and be
liable for any "accidental" distribution; something that is debatable in its
efficacy and may be the entire Achilles heel of this thing).  The exploit
probably does have a rate of decay, though, that would be interesting to
understand.

3.    It marks a return to the "security-clique" mentality that
characterized the early 90's; if full-disclosure people like me have
an ideological enemy, it's the Infohax/CORE-list dynamic that kept a
small group of "cool kids" in the know about holes and everyone else
in the dark. 8lgm shattered that on Bugtraq, hundreds of people
followed, and we are way, way better off for it. It's a subtly
different point from #1: yes, it's bad to hamstring operators by
keeping info secret, but it's even worse to retard progress by
withholding research results.

        johnb: I disagree.  The auction model is a free market approach to pricing
research, open to anyone willing to pay the market-driven price.  Full
disclosure can continue to co-exist nicely with this approach.  But to make
any real money as a researcher, you'd have to be driven by market demands:
pick the right target and make absolutely certain your research was unique
and incisive.

Part of the issue is, I'm just not convinced that the current
model we have isn't effective. Yeah, it undersells people who find
vulnerabilities. But undervaluing research isn't what keeps people
buying insecure products, so solving the "market value of exploits"
problem doesn't address the "market acceptance of insecurity"
problem. It seems clear to me, based on the past 10 years of
vulnerability research, that there are other effective motivators for
security researchers.

        johnb:  As long as license agreements continue to transfer all risk to the
licensee I believe we do not have a research model that works.  I am
researching not what motivates security researchers in reality; I am looking
at what suspends basic economic principles in producer-consumer
relationships when it comes to software.

---
Thomas Ptacek
Matasano Security


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

