Dailydave mailing list archives

Re: Faster, smashter. (fwd)

From: "Jon Passki" <jon.passki () hursk com>
Date: Wed, 10 Dec 2008 22:43:19 +0900

I disagree.  Give me N number of oracles that state they know x, y, z issue
is exploitable (at some defined level of exploitability) and I'll give you
an auction.  The concept of an auction is from the perspective of the buyer,
not the seller...  If Oracle A, B, D, and F state that they have an exploit
for vuln Alpha, then I have a ceiling cost and a basement cost for the
exploit.  If I only have one Oracle, I still have a ceiling cost.  That's
still a good number for worst-case attack tree discussions.


On Wed, Dec 10, 2008 at 3:27 PM, BEES INC <bees.inc () gmail com> wrote:

i have postgrad applied finance qualifications and this is not really
practical. You need an open/free market on 0day before you could start
writing futures/options contracts. to my knowledge this doesn't exist,
and is unlikely to exist for a whole bunch of reasons. its more
profitable for exploit writers and cheaper for buyers to keep the
other side in the dark on going rates.

i remember they tried something like this in fresno county with the
sausage and spice prices there. though a little different from
exploits its similar in that its a fairly small and niche market, and
the supply was effectively controlled by a cartel, and pricing
information was dubious at best. needless to say it didn't take off

you would be better off writing insurance and collecting a premiums,
and if something does happen the payout could go to covering costs of
patching and recovery. i'm pretty sure ive read of something like this
being already available.

On Wed, Dec 10, 2008 at 1:19 PM,  <sinan.eren () immunitysec com> wrote:


(moderator: retry from subscribed account)

I have been thinking about a potential futures market model to hedge the

risk

of software vulnerabilities. Perhaps a modified Black-Scholes-Merton

model that

could be tied into Microsoft's exploitability index to determine the

premium on

the future contract ? Hedgers (companies, govermantal institutions,

military

etc.) could than purchase these contracts from speculators (these could

be us)

to tie their risk into a dollar amount. On the other hand researchers can

sell

these contracts if they feel strongly about a software or inversely, buy

these

contracts to cash in their 0day when it hits the public domain. We need a

fair

market place for 0day (outside of the 2 known players whose model

benefits no

one) and I believe futures market model is the way to go. After all if

you can

hedge your exposure to weather, why can't you hedge it against 0day ? It

is not

as crazy as it sounds ....

I would appreciate ideas to tie the value of a vulnerability to a

premium, any

quants who do security as well ?

-sinan

On Tue, 9 Dec 2008, Dave Aitel wrote:

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 One technique we're doing this week with a client is taking an attack
 tree and marking it up with dollar values. I.E. if you wanted to buy
 an 0day in X component, how much would it cost?

 This then is a simple summation to produce a "how much is it to get
 into the internal network from the internet" which the business can
 use to help them decide yay/nay on the project as a whole depending on
 their own view of the threat and the value of the information they are
 protecting.

 -dave


 Halvar Flake wrote:

 Hey all,

 It seems that discussions in ITsec are periodic -- the same
 discussions and same arguments come up again and again.

 1. Of course attackers use new vulnerabilities. It is the nature of
 offense. Defense is done "to the maximum of current knowledge".
 Offense, by it's nature, has to expand on the status quo.

 2. How do you simulate an attack with a new vulnerability if you
 don't have one ?

 Well, military folks do wargames all the time without actually
 using up the arsenal they have on the shelves. Network attacks
 should probably be done in a similar manner -- have an umpire, and
 give the attacking team a few "0day cards". With these cards they
 get high-probability code execution for a piece of software of
 their choice.

 The pentest then proceeds like a game, but can be conducted on the
 real network, too.

 But I am repeating myself ...

 Cheers, Halvar _______________________________________________
 Dailydave mailing list Dailydave () lists immunitysec com
 http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: Faster, smashter. (fwd) sinan . eren (Dec 09)
- Re: Faster, smashter. (fwd) security curmudgeon (Dec 09)
- Re: Faster, smashter. (fwd) BEES INC (Dec 10)
  - Re: Faster, smashter. (fwd) Jon Passki (Dec 10)
    - Re: Faster, smashter. (fwd) BEES INC (Dec 11)
    - Re: Faster, smashter. (fwd) Jon Passki (Dec 11)
    - Robert Seacord on the CERT C Secure Coding Standard Robert Seacord (Dec 16)
    - Message not available
    - Re: Robert Seacord on the CERT C Secure Coding Standard Robert Seacord (Dec 17)
  - Re: Faster, smashter. (fwd) sinan . eren (Dec 10)
    - Re: Faster, smashter. (fwd) Matthew Wollenweber (Dec 11)
  - Re: Faster, smashter. (fwd) Robert Lemos (Dec 11)
- Re: Faster, smashter. (fwd) Thorsten Holz (Dec 10)
  - Re: Faster, smashter. (fwd) Charles Miller (Dec 11)