Dailydave mailing list archives

Re: The Week of Oracle Database Bugs


From: Dave Aitel <dave () immunityinc com>
Date: Mon, 27 Nov 2006 11:15:01 -0500


I don't think it is an angels-on-a-pin question. When it comes to
valuing vulnerabilities you have to take into account the
"obviousness" of a particular vulnerability. This goes directly into
cost because it speaks to the lifespan of the vulnerability. Not only
do you have to worry about automated technologies finding your
vulnerability as they get slightly better over time, but you have to
think about how many other people have the skill, the time, and the
inclination to find that particular fish.

For example, bugs found with fuzzers are rarely worth a lot of money.
As Sinan says, "Fish caught with a wide net go brown quickly".

In other words, economically, releasing SPIKE as GPL was a way to
clean out a lot of fish from the shallows quickly, so that the smaller
fishing crews would go get jobs at a factory. Finding a deep sea fish
can take months, and exploiting it, more months. But at the end, it's
something that lasts for years. A Leviathan, unseen.

Of course, it is impossible to place a metric on "obviousness" which
is why patents are such a horrible tool for social manipulation and
why valuing vulnerabilities is still mostly gut feel.

-dave

dan () geer org wrote:
The nuance I was trying to get across is this: If and when I
discover a vulnerability, it is prudent on my part (as a researcher)
to assume that someone else has already discovered that vuln.
Perhaps the most conservative position is that if I discover a
vuln, I should not only assume that it has been previously
discovered by persons unknown but that as well as being already
discovered it is already in use.  If I take such a conservative
position, then it might be also a conservative position that the
first activity should be to mitigate the attack vector the vuln
represents and, only after that is done, turn one's attention to
removing the vuln itself.

This may, of course, be much like debating how many angels can fit
on the head of a pin.

--dan

