Dailydave mailing list archives

Networked Computer Security Experiment with prizes: Call for Participants


From: Daniel Bilar <daniel.bilar () gmail com>
Date: Fri, 29 Apr 2011 13:10:05 -0500

Hello Daily Dave denizens

I hope this email finds you all well. I am part of a group organizing
a computer security experiment (a prediction market) you may find
interesting.
A more involved prediction market like this was run before in 2006 and
2008, and gave away $15k and $60k in prizes (see the FAQs at
rahvahulk.com). This year it is iPads and iPods as prizes.

Let me briefly describe why this experiment (for those who just like
to dive in: www.rahvahulk.com) and the follow-up experiments are
of some importance: It is not practical/possible to subject an actual live
mission network of 10,000s-100,000s of nodes to live penetration
testing/risk assessment to gauge confidentiality, integrity,
availability risk of various threats to the network's mission.

We are running a prediction market and the question we are
investigating is this: Are people who have actual
access to a networked system (through a user/superuser logon) more
accurate in their *time predictions* (viz. time to exploit
vulnerabilities, time to reach attack goals, estimate of zero days, etc.)
than people who just have a textual description (like given by nmap,
lsof -i -P and similar system 'inventory' textual output) of the
networked system? If not, this is good news since textual descriptions
are relatively easy to generate and can be assessed offline. But we do
not know, and we want to
figure this out for a small 'mesoscale' system and then investigate
how this could scale to networks with 1000s-100,000s of nodes.

One group of participants gets the mesoscale system in the form of two
VMs and the Abstract Specs (that is the textual description), and one
group gets simply the Abstract Specs.

The experiment consists of answering questions like: How long
do you estimate it would take a professional with 5 years of
experience to exploit vulnerability CVE-2009-xxxx of the webserver?
Exploiting the
'stepping stone' SUID program xyz? How long would it take to
breach the integrity of the database?

You place 'bets' (in essence you adjust a probability distribution)
over 7 answers per question. There are 48 questions. The site
http://www.rahvahulk.com gives additional details and explanations.

In any event, thanks for your help and/or interest. Please mail me if
you have questions.

daniel.bilar () gmail com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave