Dailydave mailing list archives

RE: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: john blumenthal <jblumen () xmission com>
Date: Thu, 09 Jun 2005 14:08:04 -0600

This was indeed part of that conversation ;-).  fwiw I'm working on an op-ed
piece on this that I'd like anyone interested on this list to review prior
to publication.  Email if you want me to send it to you.

I personally think there is more money in exploit auctions for many of the
people on this list -- you are literally selling yourselves short.  The
business model you should be adopting is not Gartner research re-selling but
eBay.  Let the market and its invisible hand determine not only the price
for your research but also the re-structuring of software license agreements
on ownership and liability.  At the very least there will be some sharp
procurement negotiator out there dealing with a software vendor and
evaluating the price of your exploit and whether owning the exploit improves
their bargaining power. ;-)

The auction model surfaces and disturbs a lot of market dynamics in the
security industry imho.

-----Original Message-----
From: Matt Hargett [mailto:matt () use net]
Sent: Thursday, June 09, 2005 5:44 AM
To: jblumen () xmission com
Cc: Dave Aitel; dailydave
Subject: Re: [Dailydave] A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


john blumenthal wrote:
A few years back Greg Hoglund and I explored the use of an auction model
("0bay") that would be anonymized while using a verification and reputation
model much like eBay does today.  Some of the recent webmobs resemble this
model.  Our employer at the time had us tear down the site based on legal
advice.  ;-)  I'd love to put the system back online if some sharp Stanford
lawyer interested in pro bono work and a lot of publicity might donate their
time to building legal firewalls.

I like the idea of auctioning exploits.  I think it would shift the industry
pretty radically since the market's invisible hand should be capable of
driving demand for high value exploits.  Some economic forces to consider
given, say, a package of 0day remote exploits on Oracle:

      -- would it be more economical for Oracle to QA these, sue you to avoid
disclosing, or simply purchase the exploits in an auction (effectively using
the 0bay site as an outsourced security QA service ;-) ) to take them off
the market?

I particularly liked this idea, and still do. Was this part of the
ironing we did at Red Rock coffee shop in downtown Mt. View? The look on
people's faces around us as we discussed was very amusing :)

Also, nice vendor shout-out ;>


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
