Re: Faster, smashter. (fwd)

["Jon Passki" <jon.passki () hursk com>]

Yeah, but I would not be the one to figure out the value.  I would ask
Immunity Sec if they had an exploit on ManOS that gave me, for example,
local root access accessible from any user.  If Immunity Sec did confirm a
0day that met my criteria, the next question is then asking them what my
cost would be for the 0day.  I now have a ceiling cost, even though the cost
may be hugely inflated.  I may never care whatsoever on purchasing that 0day
from Immunity Sec.  Also, they might not like me and change me a higher cost
than someone else.  If I have more oracles to contact, then I can gauge a
better market value.

Yes, there are details, with whatever devils hiding in there.  There is also
some nice properties, but with risk..  Immunity Sec need not expose the
actual 0day.  There's risk they may lie to me, though.  The only exposure is
that a set of given properties on some exploit may be publicly disclosed.
> From Immutiy Sec's perspecitve, though, they now can analysis the number of
queries across vendors and applications and see what the "public" cares
about.  Maybe 13% of all queries relate to some version of WebSphere on AIX
5.4 (shudder). They now have market intellegence that may drive research and
development into platforms not perceived to be viable.  So, that
intelligence may definitely out weight the loss of size of their "market
cap" on exploits.  Other devils are in classifications.  But, seriously,
that's something I could see reasonably being taken care of overtime for
most general exploits.  Sure, some just won't be able to be classified.  So
what if a vast majority can.  Perfection, enemy, good, blah blah blah.


On Thu, Dec 11, 2008 at 4:42 PM, BEES INC <bees.inc () gmail com> wrote:

> we are not talking about an auction though, we are talking about
> derivatives.
>
> As the name implies the price of a derivate is derived from the price
> of some underlying asset. With commodities or equities you have a
> market where the last price something traded at is readily available.
> You take that price and a few other things, plug them into black
> scholes and you have your theoretical option price that may be above
> or below the market price for the option depending on sentiment and
> the usual supply/demand.
>
> Derivatives are also standardized, say an option on a share gets you 1
> share, it only works if every share is equal. Not all 0days are
> created equal. For instance take an 0day in ManOs, an experimental
> operating system used predominately by physicists. How do you value
> it? What did the last 0day for manos go for? Is that a reliable
> indicator of this 0days price? The last one could've been kinda lame
> and have lots of preconditions for it to be successful, but maybe this
> one has no such conditions, and consequently worth a lot more. The
> same contract wont fit.
>
> It's probably safe to assume there is 0day for manos or exchange or
> whatever, but pricing a derivative requires available access to the
> pricing of the underlying and standardization of the terms. You could
> classify the 0day in terms of severity and have different types for
> that (like there are different types of oil contracts), and in general
> I would agree an auction is probably the best way to gauge fair value,
> but until you can get a fair value you're in a bit of a pickle (or
> sausage)
>
> Liquidity would also be a big issue. You would need a reasonable
> number of players to make the market work, otherwise people would get
> stuck holding illiquid, tricky to value derivatives and you just have
> to take a look at the subprime debt market to see how well that works
> out.
>
> On Thu, Dec 11, 2008 at 12:43 AM, Jon Passki <jon.passki () hursk com> wrote:
> > I disagree.  Give me N number of oracles that state they know x, y, z
> issue
> > is exploitable (at some defined level of exploitability) and I'll give
> you
> > an auction.  The concept of an auction is from the perspective of the
> buyer,
> > not the seller...  If Oracle A, B, D, and F state that they have an
> exploit
> > for vuln Alpha, then I have a ceiling cost and a basement cost for the
> > exploit.  If I only have one Oracle, I still have a ceiling cost.  That's
> > still a good number for worst-case attack tree discussions.
> >
> >
> > On Wed, Dec 10, 2008 at 3:27 PM, BEES INC <bees.inc () gmail com> wrote:
> > > i have postgrad applied finance qualifications and this is not really
> > > practical. You need an open/free market on 0day before you could start
> > > writing futures/options contracts. to my knowledge this doesn't exist,
> > > and is unlikely to exist for a whole bunch of reasons. its more
> > > profitable for exploit writers and cheaper for buyers to keep the
> > > other side in the dark on going rates.
> > >
> > > i remember they tried something like this in fresno county with the
> > > sausage and spice prices there. though a little different from
> > > exploits its similar in that its a fairly small and niche market, and
> > > the supply was effectively controlled by a cartel, and pricing
> > > information was dubious at best. needless to say it didn't take off
> > >
> > > you would be better off writing insurance and collecting a premiums,
> > > and if something does happen the payout could go to covering costs of
> > > patching and recovery. i'm pretty sure ive read of something like this
> > > being already available.
> > >
> > > On Wed, Dec 10, 2008 at 1:19 PM,  <sinan.eren () immunitysec com> wrote:
> > > > (moderator: retry from subscribed account)
> > > >
> > > > I have been thinking about a potential futures market model to hedge
> the
> > > > risk
> > > > of software vulnerabilities. Perhaps a modified Black-Scholes-Merton
> > > > model that
> > > > could be tied into Microsoft's exploitability index to determine the
> > > > premium on
> > > > the future contract ? Hedgers (companies, govermantal institutions,
> > > > military
> > > > etc.) could than purchase these contracts from speculators (these
> could
> > > > be us)
> > > > to tie their risk into a dollar amount. On the other hand researchers
> > > > can sell
> > > > these contracts if they feel strongly about a software or inversely,
> buy
> > > > these
> > > > contracts to cash in their 0day when it hits the public domain. We
> need
> > > > a fair
> > > > market place for 0day (outside of the 2 known players whose model
> > > > benefits no
> > > > one) and I believe futures market model is the way to go. After all if
> > > > you can
> > > > hedge your exposure to weather, why can't you hedge it against 0day ?
> It
> > > > is not
> > > > as crazy as it sounds ....
> > > >
> > > > I would appreciate ideas to tie the value of a vulnerability to a
> > > > premium, any
> > > > quants who do security as well ?
> > > >
> > > > -sinan
> > > >
> > > > On Tue, 9 Dec 2008, Dave Aitel wrote:
> > > >
> > > > >  -----BEGIN PGP SIGNED MESSAGE-----
> > > > >  Hash: SHA1
> > > > >
> > > > >  One technique we're doing this week with a client is taking an
> attack
> > > > >  tree and marking it up with dollar values. I.E. if you wanted to buy
> > > > >  an 0day in X component, how much would it cost?
> > > > >
> > > > >  This then is a simple summation to produce a "how much is it to get
> > > > >  into the internal network from the internet" which the business can
> > > > >  use to help them decide yay/nay on the project as a whole depending
> on
> > > > >  their own view of the threat and the value of the information they
> are
> > > > >  protecting.
> > > > >
> > > > >  -dave
> > > > >
> > > > >
> > > > >  Halvar Flake wrote:
> > > > > >  Hey all,
> > > > > >
> > > > > >  It seems that discussions in ITsec are periodic -- the same
> > > > > >  discussions and same arguments come up again and again.
> > > > > >
> > > > > >  1. Of course attackers use new vulnerabilities. It is the nature
> of
> > > > > >  offense. Defense is done "to the maximum of current knowledge".
> > > > > >  Offense, by it's nature, has to expand on the status quo.
> > > > > >
> > > > > >  2. How do you simulate an attack with a new vulnerability if you
> > > > > >  don't have one ?
> > > > > >
> > > > > >  Well, military folks do wargames all the time without actually
> > > > > >  using up the arsenal they have on the shelves. Network attacks
> > > > > >  should probably be done in a similar manner -- have an umpire, and
> > > > > >  give the attacking team a few "0day cards". With these cards they
> > > > > >  get high-probability code execution for a piece of software of
> > > > > >  their choice.
> > > > > >
> > > > > >  The pentest then proceeds like a game, but can be conducted on the
> > > > > >  real network, too.
> > > > > >
> > > > > >  But I am repeating myself ...
> > > > > >
> > > > > >  Cheers, Halvar _______________________________________________
> > > > > >  Dailydave mailing list Dailydave () lists immunitysec com
> > > > > >  http://lists.immunitysec.com/mailman/listinfo/dailydave



-- 
Cheers,

Jon Passki, Partner
The Hursk Group, LLC

"Obvia conspicimus, nubem pellente Mathesi."

e: jon.passki () hursk com
ph: 651/222.3020
cal:
http://www.google.com/calendar/hosted/hursk.com/embed?src=jon.passki%40hursk.com
pgp: 1BB0 A946 927B 93C3 ED6A  0466 6692 6C2C 84BE 4122

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave