Dailydave mailing list archives

RE: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: john blumenthal <jblumen () xmission com>
Date: Thu, 09 Jun 2005 01:00:21 -0600

A few years back Greg Hoglund and I explored the use of an auction model
("0bay") that would be anonymized while using a verification and reputation
model much like eBay does today.  Some of the recent webmobs resemble this
model.  Our employer at the time had us tear down the site based on legal
advice.  ;-)  I'd love to put the system back online if some sharp Stanford
lawyer interested in pro bono work and a lot of publicity might donate their
time to building legal firewalls.

I like the idea of auctioning exploits.  I think it would shift the industry
pretty radically since the market's invisible hand should be capable of
driving demand for high value exploits.  Some economic forces to consider
given, say, a package of 0day remote exploits on Oracle:

-- would it be more economical for Oracle to QA these, sue you to avoid
disclosing, or simply purchase the exploits in an auction (effectively using
the 0bay site as an outsourced security QA service ;-) ) to take them off
the market?

-- would vendors purchase competitor vulnerabilities or would they form a
cartel to take down the site?  And if they did collaborate in this manner,
what would the press and customers say?

-- would the software vendor consider this blackmail with any legal
recourse?  What if the research is sold from a location beyond a legal
domain that does provide legal recourse?

-- doesn't the auction approach highlight the economic cost of not building
secure software to begin with?  Security cost is borne today in a business
model that defies fundamental economic laws -- in which the consumer bears
all the cost and risk and doesn't even own the product for which they incur
that exposure and expense!  With economics turned on its head in the
software industry, we end up with Microsoft selling security software in a
bizarre variation of demand generation.

-- vulnerability clubs kind of attempt the auction model but don't
constitute a market where demand is the inherent driver of the price for the
exploit.

Economics rules everything.  With security I say let the market decide.

johnb



-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Wednesday, June 08, 2005 6:28 AM
To: dailydave
Subject: [Dailydave] A single line drawn by Picasso, an Iraqi artist, and
a buffer overflow.


Thomas's posts are again genius. He needs to cross post them here, so I
stop doing so. :>
http://www.sockpuppet.org/tqbf/log/

Speaking of buying exploits, I've been toying with the idea recently
that exploit purchasing is done on the artwork principle, i.e. rather
than modeling it as a commodity or based on game theory, people should
model it the way they purchase paintings. People don't just purchase
paintings based on the colors and weight. They tend to think of a
certain historical context. Recently, a friend purchased a painting for
me in Tikrit. This painting, while worth a lot more, imo, cost around 15
dollars. Surely this concept comes into play with exploits as well. Was
the GOBBLES apache-nosejob.c exploit worth more because of the exciting
events that surrounded the disclosure?

I offer this humble offering to the economists of the vulnerability
disclosure debate future. :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
