Dailydave mailing list archives

Some quick notes on the CNAS report


From: Dave Aitel <dave () immunityinc com>
Date: Wed, 01 Jun 2011 16:35:02 -0400

1. Everyone likes to have more advisory boards as long as they are on them!

2. From the CNAS report (http://www.cnas.org/node/6405) volume 1 page 30:
"""
In addition to a favorable cost ratio, attackers also possess advantages
in the required levels of effort and complexity. According to the
Defense Advanced Research Project Agency (DARPA), the number of lines of
code included in security software increased from several thousand 20
years ago to nearly 10 million today. Over the same period, the number
of lines of code included in malware remained constant at approximately
125. In other words, cyber defenses have grown exponentially in effort
and complexity, but they continue to be defeated by offenses that
require far less investment by the attacker.
"""

That statistic is completely bogus, and so's the conclusion. It's
baffling how people refer to these things and draw these kinds of
results. WHAT KIND OF SOFTWARE IS 125 LINES?!? Surely someone read this
and was like "Hmm. That number seems suspiciously low! Last time I wrote
hello world it was > 125 lines of code. And I remember kernel trojans
being larger than that usually." Regina Dugan (who is quoted as the
DARPA person who gave this number in testimony to Congress) has a degree
from Virginia Tech, and she knows all this, and yet we still see this
figure bandied about for some reason. Time to annoy Mudge about it! :>

Obviously malware is harder to write than almost all other software for
one major reason: Testing. It's a LOT harder to test malware than it is
to test almost any other kind of software. Modern malware is a
networked, polymorphic beast that must be 100% reliable in almost any
network or host environment, against all past *and* *future* software
and network stacks, some of which are explicitly hostile to the
malware's presence.

This is expensive and difficult to do, as anyone who has tried has
learned on day 1.

You may say "This is just some small thing they got wrong, what does it
matter?" But what it points to is a widespread fundamental
misunderstanding of the game. And when you tie that to strategic
policymaking, you get what the underground would call "Lulz" but what
you and I would call billions of wasted dollars.

-dave