Dailydave mailing list archives
Some quick notes on the CNAS report
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 01 Jun 2011 16:35:02 -0400
1. Everyone likes to have more advisory boards as long as they are on them!

2. From the CNAS report (http://www.cnas.org/node/6405) volume 1 page 30:

"""
In addition to a favorable cost ratio, attackers also possess advantages in the required levels of effort and complexity. According to the Defense Advanced Research Project Agency (DARPA), the number of lines of code included in security software increased from several thousand 20 years ago to nearly 10 million today. Over the same period, the number of lines of code included in malware remained constant at approximately 125. In other words, cyber defenses have grown exponentially in effort and complexity, but they continue to be defeated by offenses that require far less investment by the attacker.
"""

That statistic is completely bogus, and so's the conclusion. It's baffling how people refer to these things and draw these kinds of results. WHAT KIND OF SOFTWARE IS 125 LINES?!? Surely someone read this and was like "Hmm. That number seems suspiciously low! Last time I wrote hello world it was > 125 lines of code. And I remember kernel trojans being larger than that usually."

Regina Dugan (who is quoted as the DARPA person who gave this number in testimony to Congress) has a degree from Virginia Tech, and she knows all this, and yet we still see this figure bandied about for some reason. Time to annoy Mudge about it! :>

Obviously malware is harder to write than almost all other software for one major reason: testing. It's a LOT harder to test malware than it is to test almost any other kind of software. Modern malware is a networked, polymorphic beast that must be 100% reliable in almost any network or host environment, against all past *and* *future* software and network stacks, some of which are explicitly hostile to the malware's presence. This is expensive and difficult to do, as anyone who has tried has learned on day 1.

You may say "This is just some small thing they got wrong, what does it matter?" But what it points to is a widespread fundamental misunderstanding of the game. And when you tie that to strategic policymaking, you get what the underground would call "Lulz" but what you and I would call billions of wasted dollars.

-dave