Dailydave mailing list archives

Re: Vista speech recognition


From: "Halvar Flake" <halvar () gmx de>
Date: Wed, 31 Jan 2007 17:51:13 +0100

A small comment on the NYT article:

The article makes it seem as if in the past, bug-hunters were "doing it for the passion" and then
disclosing the bugs for glory, and the bug hunters of today just "do it for the money". I think this
is a fundamentally flawed claim that is not supported at all in the article.

My interpretation of the situation would be the following: In the past, bugs were plenty and trivial
to find. It is really easy to give something away for free that took you two days to find and perhaps
three to exploit. As software security improved and bugs got more difficult (both to find and to exploit),
the economics of the game changed. With a time investment between weeks and months to find
a good bug, and potentially even longer to reliably exploit it, the publicity gained from publishing just
isn't worth the effort.

Let us have a look at the benefit function for a vulnerability researcher. I'd reckon that an attacker
can derive different benefits from a vulnerability by (1) turning it into money on the black market where
it will remain unpatched, (2) turning it into money on the open market where it will get fixed, (3) using it
himself to access systems for pleasure, or (4) publishing it for a warm handshake.

Now, selling it on the black market yields cash AND the ability to keep the bug for his own use. 
Selling it on the open market yields (less) cash AND publicity as most of the open market guys 
(iDefense, ZDI) still credit authors (at least last time I checked). The open publication is really the
only choice where he just gets credited AND loses the ability to keep the bug for his own use.

Cheers,
Halvar
PS: Concerning the speech recognition stuff: Even if my own computer knows that the audio it
hears is played by itself, your cubicle neighbour's computer might not know, right? Nice idea!
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
