Dailydave mailing list archives
Re: Vista speach recognition
From: "Halvar Flake" <halvar () gmx de>
Date: Wed, 31 Jan 2007 17:51:13 +0100
A small comment on the NYT article: The article makes it seem as if in the past, bug-hunters were "doing it for the passion" and then disclosing the bugs for glory, and the bug hunters of today just "do it for the money". I think this is a fundamentally flawed claim that is not supported at all in the article.

My interpretation of the situation would be the following: In the past, bugs were plenty and trivial to find. It is really easy to give something away for free that took you two days to find and perhaps three to exploit. As software security improved and bugs got more difficult (both to find and to exploit), the economics of the game changed. With a time investment between weeks and months to find a good bug, and potentially even longer to reliably exploit it, the publicity gained from publishing just isn't worth the effort.

Let us have a look at the benefit function for a vulnerability researcher. I'd reckon that an attacker can derive different benefits from a vulnerability by (1) turning it into money on the black market where it will remain unpatched, (2) turning it into money on the open market where it will get fixed, (3) using it himself to access systems for pleasure, or (4) publishing it for a warm handshake.

Now, selling it on the black market yields cash AND the ability to keep the bug for his own use. Selling it on the open market yields (less) cash AND publicity as most of the open market guys (iDefense, ZDI) still credit authors (at least last time I checked). The open publication is really the only choice where he just gets credited AND loses the ability to keep the bug for his own use.

Cheers,
Halvar

PS: Concerning the speech recognition stuff: Even if my own computer knows that the audio it hears is played by itself, your cubicle neighbour's computer might not know, right? Nice idea!