Dailydave mailing list archives

Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology


From: "Berend-Jan Wever" <berendjanwever () gmail com>
Date: Wed, 22 Aug 2007 12:37:55 +0100

Hi Dave,

I liked point 5 best:
*Having a "target rich environment" overwhelms an attacker's analytical
capability.*

I'll tell the people I work with we need to put more bugs in our software to
stop people from exploiting them :)



I think point 6 applies to everybody: there is no data to back up either
side of the argument. However, we do have some data to back up claims around
the insecurity of software, so let's make an analogy with hard-to-model,
complex software products which get updated frequently and see what we
find:

*1. Hacking has an economy of scale.*
There are plenty of complex products that get hit by 0days from
"one-hit-wonders". If you have two smart pentesters looking at product X and
one dumb attacker, that does not guarantee your pentesters will find all bugs
in the product before the attacker finds one they have yet to discover.

*2. Product X is a hard system to model.*

One does not need to model the whole system, just the weak parts. I have not
a clue how SETI@HOME does what it does, but I'm sure it's pretty complex.
Regardless, I was able to write an exploit for it.



*3. Complexity breeds resilience.*

It also breeds issues. The more lines of code, the more potential bugs and
adding complexity often requires adding more lines of code.
Therefore, you'll find more bugs in more complex code.



*4. Technology is adopted quickly in product X, making it a fast-moving
target.*

New technology brings new issues: the technology has not been proven, new
classes of issues that affect only this new technology are yet to be
discovered.

Unfortunately, I have no data to back up that my analogy scales well. It
seems that only time may tell us who was right, let's hope it never gets to
that.

Cheers,

SkyLined

-- 
Berend-Jan "SkyLined" Wever
Email & Live messenger: berendjanwever () gmail com