Dailydave mailing list archives
Re: The Week of Oracle Database Bugs
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 27 Nov 2006 11:15:01 -0500
I don't think it is an angels-on-a-pin question. When it comes to valuing vulnerabilities you have to take into account the "obviousness" of a particular vulnerability. This goes directly into cost because it speaks to the lifespan of the vulnerability. Not only do you have to worry about automated technologies finding your vulnerability as they get slightly better over time, but you have to think about how many other people have the skill, the time, and the inclination to find that particular fish.

For example, bugs found with fuzzers are rarely worth a lot of money. As Sinan says, "Fish caught with a wide net go brown quickly". In other words, economically, releasing SPIKE as GPL was a way to clean out a lot of fish from the shallows quickly, so that the smaller fishing crews would go get jobs at a factory.

Finding a deep sea fish can take months, and exploiting it, more months. But at the end, it's something that lasts for years. A Leviathan, unseen.

Of course, it is impossible to place a metric on "obviousness" which is why patents are such a horrible tool for social manipulation and why valuing vulnerabilities is still mostly gut feel.

-dave

dan () geer org wrote:
> The nuance I was trying to get across is this: If and when I discover a vulnerability, it is prudent on my part (as a researcher) to assume that someone else has already discovered that vuln. Perhaps the most conservative position is that if I discover a vuln, I should not only assume that it has been previously discovered by persons unknown but that as well as being already discovered it is already in use.
>
> If I take such a conservative position, then it might be also a conservative position that the first activity should be to mitigate the attack vector the vuln represents and, only after that is done, turn one's attention to removing the vuln itself.
>
> This may, of course, be much like debating how many angels can fit on the head of a pin.
>
> --dan
Current thread:
- The Week of Oracle Database Bugs Cesar (Nov 20)
- Re: The Week of Oracle Database Bugs Evgeny Legerov (Nov 21)
- <Possible follow-ups>
- Re: The Week of Oracle Database Bugs ¯`· . _The Sun_ . ·´¯ (Nov 20)
- Re: The Week of Oracle Database Bugs Joel Eriksson (Nov 21)
- Re: The Week of Oracle Database Bugs dan (Nov 22)
- Re: The Week of Oracle Database Bugs Joanna Rutkowska (Nov 22)
- Re: The Week of Oracle Database Bugs dan (Nov 22)
- Re: The Week of Oracle Database Bugs pageexec (Nov 24)
- Re: The Week of Oracle Database Bugs Dave Aitel (Nov 27)
- Re: The Week of Oracle Database Bugs Jared DeMott (Nov 27)
- Re: The Week of Oracle Database Bugs sinan . eren (Nov 27)
- Re: The Week of Oracle Database Bugs Jared DeMott (Nov 27)
- Re: The Week of Oracle Database Bugs Dude VanWinkle (Nov 29)
- Re: The Week of Oracle Database Bugs Jeremiah Johnson (Nov 29)
- Re: The Week of Oracle Database Bugs Curt (Nov 29)
- Re: The Week of Oracle Database Bugs Olef Anderson (Nov 29)
- Re: The Week of Oracle Database Bugs Anthony_Lineberry (Nov 29)
- Re: The Week of Oracle Database Bugs L . M . H (Nov 29)
- Re: The Week of Oracle Database Bugs Joel Eriksson (Nov 21)
- Re: The Week of Oracle Database Bugs Jared DeMott (Nov 27)