nanog mailing list archives

Re: AV/FW Adoption Studies


From: Valdis.Kletnieks () vt edu
Date: Thu, 10 Jun 2004 15:19:31 -0400

On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:

> My hypothesis is that the sets of bugs independently found by white
> hats and black hats are basically disjoint. So, you'd definitely
> expect that there were bugs found by the black hats and then used as
> zero-days and eventually leaked to the white hats. So, what you
> describe above is pretty much what one would expect.

Well.. for THAT scenario to happen, two things have to be true:

1) Black hats are able to find bugs too

2) The white hats aren't as good at finding bugs as we might think,
because some of their finds are leaked 0-days rather than their own work,
inflating their numbers.

Remember what you said:

> relatively small. If we assume that the black hats aren't vastly more
> capable than the white hats, then it seems reasonable to believe that
> the probability of the black hats having found any particular
> vulnerability is also relatively small.

More likely, the software actually leaks like a sieve, and NEITHER group
has even scratched the surface..

Remember - every single 0-day that surfaces was something the black hats
found first. The only thing you're really measuring by looking at the
0-day rate is the speed at which an original black exploit gets leaked from
a black hat to a very dark grey hat to a medium grey hat and so on, until
it gets to somebody whose hat is close enough to white to publish openly.

Data point:  When did Steve Bellovin point out the issues with non-random
TCP ISNs?   When did Mitnick use an exploit for this against Shimomura?

And now ask yourself - when did we *first* start seeing SYN flood attacks (which
were *originally* used to shut the flooded machine up and prevent it from
talking while you spoofed its address to some OTHER machine?)
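The ISN data point above is about predictability, which is something a defender can measure on their own hosts rather than take on faith. The following is an added example, not part of this thread or any poster's code: it takes a short run of consecutive ISNs sampled from one host and scores how well the next ISN can be guessed from the previous increment. The function names (`isn_deltas`, `assess`), the guess window, and all three sample sequences are constructed for illustration; the "legacy" sequence mimics a fixed 64000-per-step counter, the "jittered" one a counter with small noise, and the "spread" one a generator whose successive values share no obvious relationship.

```python
"""Score how predictable a TCP ISN generator looks from a sample of
consecutive ISNs it produced (collected from a host you administer).

Hypothetical helper written for this archive page; not from the thread.
All sample sequences below are constructed, not captured traffic."""
from statistics import pstdev

MOD = 1 << 32  # ISNs are 32-bit, so differences wrap modulo 2^32


def isn_deltas(isns):
    """Wrapping increments between consecutive ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def _wrapped_distance(a, b):
    """Shortest distance between two 32-bit values on the wrap-around ring."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def assess(isns, window=65536):
    """Predict each ISN as (previous ISN + previous increment) and count how
    often the real ISN falls within +/- window of that guess.

    Returns a dict with the fraction of successful guesses ('hit_rate'),
    the population standard deviation of the increments ('delta_stdev'),
    and a coarse verdict. A constant or nearly constant increment gives a
    hit rate near 1.0; a generator with no exploitable structure in this
    simple model gives a hit rate near 0.0 and a very large delta spread.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to test predictability")
    deltas = isn_deltas(isns)
    hits = 0
    # Guess isns[i+1] from isns[i] and the increment observed just before it.
    for i in range(1, len(isns) - 1):
        guess = (isns[i] + deltas[i - 1]) % MOD
        if _wrapped_distance(isns[i + 1], guess) <= window:
            hits += 1
    hit_rate = hits / (len(isns) - 2)
    spread = pstdev(deltas)
    if hit_rate >= 0.5:
        verdict = "predictable from the previous increment"
    else:
        verdict = "no simple increment structure (small sample; not proof of randomness)"
    return {"hit_rate": hit_rate, "delta_stdev": spread, "verdict": verdict}


# Constructed sample 1: fixed +64000 per step, in the style of old BSD stacks.
LEGACY_CONSTANT_INCREMENT = [1000 + 64000 * i for i in range(20)]

# Constructed sample 2: same counter with a little noise added to each value;
# the noise is far smaller than the guess window, so guesses still land.
JITTERED_INCREMENT = [1000 + 64000 * i + (i * 37) % 200 for i in range(20)]

# Constructed sample 3: hand-picked 32-bit values with no shared increment.
SPREAD_VALUES = [
    0x1A2B3C4D, 0xE4F5A6B7, 0x0C0D0E0F, 0x9F8E7D6C, 0x5A5A5A5A, 0xC3C3C3C3,
    0x12345678, 0x87654321, 0xDEADBEEF, 0x0BADF00D, 0x7FFFFFFF, 0xA5A5A5A5,
]

if __name__ == "__main__":
    for name, sample in [("legacy", LEGACY_CONSTANT_INCREMENT),
                         ("jittered", JITTERED_INCREMENT),
                         ("spread", SPREAD_VALUES)]:
        r = assess(sample)
        print(f"{name:9s} hit_rate={r['hit_rate']:.2f} "
              f"delta_stdev={r['delta_stdev']:.3g} -> {r['verdict']}")
```

The guess window is deliberately generous: a generator whose increment drifts by a few hundred per step is still trivially guessable, which is why the jittered sample scores the same as the pure counter. A low hit rate from a dozen samples only says this one naive model failed; it is not evidence that the generator is cryptographically sound, so treat the verdict as a screening result, not a certification.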
