Bugtraq mailing list archives
Re: Paper announcement: Is finding security holes a good idea?
From: "Kurt Seifried" <bt () seifried org>
Date: Wed, 21 Jan 2004 18:11:59 -0700
Bugtraq readers might be interested in this paper:

Is finding security holes a good idea?
Eric Rescorla
RTFM, Inc. <http://www.rtfm.com/>

The paper can be downloaded from:
http://www.rtfm.com/bugrate.pdf
http://www.rtfm.com/bugrate.ps
This is a very interesting read. However there is one main problem: it doesn't matter whether or not finding security holes is a "good idea" or cost effective, since there are a number of groups for which finding bugs is a vested interest:

1) "Blackhats" and their sponsors - you want to break into a system, you need to either find a system with known issues that are unaddressed or find new issues to exploit. Seeing as how Blackhats are now sometimes in the employ of spammers and other groups for which the discovery and exploitation of security flaws directly allows them to make money, we have a powerful group with money and a vested interest in finding flaws and exploiting them.

2) "Penetration testers" and their sponsors - you want to break into a system, you need to either find a system with known issues that are unaddressed or find new issues to exploit. Seeing as how Penetration testers are often hired by companies in order to run assessments for which the discovery and exploitation of security flaws directly allows them to make money, we have a powerful group with money and a vested interest in finding flaws and exploiting them.

3) "Security vendors" and their sponsors - if you want to sell a third party product that prevents exploitation of buffer overflows, for example, there needs to be a serious and identifiable problem with buffer overflows being exploited in products and systems people want to secure. Same goes for firewalls, viruses, etc. Imagine if people stopped writing viruses and stopped spreading them. Significant amounts of money would be saved in corporate IT budgets (typically anywhere from $10 to $100 per user for the software alone).

So with these three large groups (and numerous other classes of people and organizations with a vested interest in finding flaws) it doesn't matter whether or not it's a good idea. The simple fact of the matter is that it will continue.
Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/
Current thread:
- Paper announcement: Is finding security holes a good idea? Eric Rescorla (Jan 21)
- Re: Paper announcement: Is finding security holes a good idea? Oliver Friedrichs (Jan 22)
- Re: Paper announcement: Is finding security holes a good idea? Benjamin Franz (Jan 22)
- Re: Paper announcement: Is finding security holes a good idea? Kurt Seifried (Jan 22)
- Re: Paper announcement: Is finding security holes a good idea? Robert Lemos (Jan 22)
- Re: Paper announcement: Is finding security holes a good idea? Christopher E. Cramer (Jan 22)
- <Possible follow-ups>
- RE: Paper announcement: Is finding security holes a good idea? Daniel Whelan (Jan 22)