Dailydave mailing list archives

Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 09 Jun 2005 14:01:13 -0700

john blumenthal wrote:
      johnb:  in the auction model I am proposing the seller would need to
      describe the vulnerability in order for the buyer to make a qualified
      decision.  This would be similar to the current disclosure model, in that
      the vendor could be notified that not only the exploit exists, it's going up
      for auction on date X.  In addition, the exploit would need to be verified
      by the independent auditor (0bay) prior to auction.  Participants would get
      to rank the credibility of the seller and the value of the exploit based on
      the description and validation.

I've observed that even a description of a vulnerability with no
technical details is often enough to put an experienced researcher on
the right track.  The second researcher refinds the bug described, or
finds a similar one in the same area that often devalues the original
one.  How do you propose to find the balance between the need to
describe one's awesome hole for marketing purposes, and the need to keep
it exclusive?

Note that in the 0bay scenario, the public (I assume) gets to watch the
auctions, and so can observe that, say, 10 Oracle exploits were sold
last week, and factor that into any planning.  Not that the general
public seems to make much of a buying decision based on track record,
but to the small degree that it does... I imagine knowing that there are
N 0day for a product you use has to accelerate that a little.

      johnb:  As long as license agreements continue to transfer all risk to the
      licensee I believe we do not have a research model that works.  I am
      researching not what motivates security researchers in reality; I am looking
      at what suspends basic economic principles in producer-consumer
      relationships when it comes to software.

Why don't the attempts by software vendors to license away your right to
find holes work?  It's been tried numerous times now.  Each time, the
vendor with deep pockets has backed off.  Is it really just the outcry
that is making them back off?  Are they afraid to take EULAs to court?

                                        BB
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
