Dailydave mailing list archives
Networked Computer Security Experiment with prizes: Call for Participants
From: Daniel Bilar <daniel.bilar () gmail com>
Date: Fri, 29 Apr 2011 13:10:05 -0500
Hello Daily Dave denizens, I hope this email finds you all well. I am part of a group organizing a computer security experiment (a prediction market) you may find interesting. A more involved prediction market like this was run before in 2006 and 2008, and gave away $15k and $60k in prizes (see the FAQs at rahvahulk.com). This year it is iPads and iPods as prizes.

Let me briefly describe why this experiment (for those who just like to dive in: www.rahvahulk.com) and the follow-up experiments are of some importance: It is not practical/possible to subject an actual live mission network of 10,000s-100,000s of nodes to live penetration testing/risk assessment to gauge the confidentiality, integrity, availability risk of various threats to the network's mission.

We are running a prediction market and the question we are investigating is this: Are people who have actual access to a networked system (through a user/superuser logon) more accurate in their *time predictions* (viz. time to exploit vulnerabilities, time to reach attack goals, estimate of zero days, etc.) than people who just have a textual description (like that given by nmap, lsof -i -P and similar system 'inventory' textual output) of the networked system? If not, this is good news, since textual descriptions are relatively easy to generate and can be assessed offline. But we do not know, and we want to figure this out for a small 'mesoscale' system and then investigate how this could scale to networks with 1000s-100,000s of nodes.

One group of participants gets the mesoscale system in the form of two VMs and the Abstract Specs (that is, the textual description), and one group gets simply the Abstract Specs. The experiment consists of answering questions like: How long do you estimate it would take a professional with 5 years of experience to exploit vulnerability CVE-2009-xxxx of the webserver? Exploiting the 'stepping stone' SUID program xyz? How long would it take to breach the integrity of the database?
You place 'bets' (in essence you adjust a probability distribution) over 7 answers per question. There are 48 questions. The site http://www.rahvahulk.com gives additional details and explanations.

In any event, thanks for your help and/or interest. Please mail me if you have questions.

daniel.bilar () gmail com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
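The message says a bet is a probability distribution over 7 answers per question, and that the point of the market is to compare the accuracy of the two groups (VM access versus Abstract Specs only). It does not say how bets are scored. The following is an added example, not code from rahvahulk.com or the experiment's organizers: it represents each bet as a 7-bin distribution, scores it against the resolved answer with the multi-category Brier score (a strictly proper scoring rule, chosen here as an assumption), and averages per participant and per group. The 48 outcomes and the participants in `demo()` are constructed for illustration, not real data.

```python
"""Scoring probabilistic 'bets' in a 7-answer, 48-question prediction market.

Added example, not the market's own code. The Brier score is an assumed
scoring rule; the call does not name the one the site uses. All data in
demo() is constructed.
"""
from statistics import mean

N_ANSWERS = 7      # answers offered per question (from the call)
N_QUESTIONS = 48   # questions in the market (from the call)


def validate_bet(bet):
    """A bet must be a non-negative distribution over the 7 answers."""
    if len(bet) != N_ANSWERS:
        raise ValueError(f"bet must have {N_ANSWERS} entries, got {len(bet)}")
    if any(p < 0.0 for p in bet):
        raise ValueError("probabilities must be non-negative")
    if abs(sum(bet) - 1.0) > 1e-9:
        raise ValueError(f"probabilities must sum to 1, got {sum(bet):.6f}")


def make_bet(peak, confidence):
    """Put `confidence` on answer `peak`, spread the remainder evenly over the other six."""
    rest = (1.0 - confidence) / (N_ANSWERS - 1)
    bet = [rest] * N_ANSWERS
    bet[peak] = confidence
    return bet


def brier_score(bet, outcome):
    """Multi-category Brier score: sum_i (p_i - [i == outcome])^2.

    0.0 is a perfect bet, 2.0 is all mass on a wrong answer; lower is better.
    The rule is strictly proper, so a participant maximises expected score by
    betting their true belief rather than hedging or overstating it.
    """
    validate_bet(bet)
    return sum((p - (1.0 if i == outcome else 0.0)) ** 2 for i, p in enumerate(bet))


def participant_score(bets, outcomes):
    """Mean Brier score of one participant over all resolved questions."""
    if len(bets) != len(outcomes):
        raise ValueError("one bet per question required")
    return mean(brier_score(b, o) for b, o in zip(bets, outcomes))


def group_score(group, outcomes):
    """Mean of the participants' scores: the number to compare between the two groups."""
    return mean(participant_score(bets, outcomes) for bets in group)


def demo():
    """Constructed scenario (not real data): 48 resolved questions, two groups."""
    # Assumed true answer index per question.
    outcomes = [q % N_ANSWERS for q in range(N_QUESTIONS)]
    # Group with VM access: two participants who put 0.7 on the right answer.
    with_access = [
        [make_bet(o, 0.7) for o in outcomes],
        [make_bet(o, 0.7) for o in outcomes],
    ]
    # Specs-only group: one hedges uniformly (1/7 everywhere), one is as sharp
    # as the first group.
    specs_only = [
        [make_bet(0, 1.0 / N_ANSWERS) for _ in outcomes],
        [make_bet(o, 0.7) for o in outcomes],
    ]
    return {
        "with_access": group_score(with_access, outcomes),
        "specs_only": group_score(specs_only, outcomes),
    }


if __name__ == "__main__":
    for group, score in demo().items():
        print(f"{group:12s} mean Brier = {score:.4f} (lower is better)")
```

A uniform bet scores 6/7 regardless of the outcome, 0.7 on the right answer scores 0.105, and 0.7 on a wrong answer scores 1.405, so the rule penalises confident error far more than hedging. With a proper scoring rule the group comparison the call describes reduces to comparing these means (with the usual caveat that a few participants per group give a noisy estimate).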