Dailydave mailing list archives

Re: The monetization of information insecurity


From: "Dennis Groves" <dennis.groves () gmail com>
Date: Tue, 9 Sep 2014 11:23:52 -0700

With all due respect, 

Any object of nontrivial complexity is non-optimum, in the sense that it
can be improved in some way (while still remaining non-optimum)
-- Donald Knuth from https://www.tug.org/TUGboat/tb35-1/tb109knut.pdf

Donald Knuth states perfectly why bug bounties do not work. And our industry
is filled with security people finding clever ways to *improve* non-optimal
solutions, while they still remain non-optimum! Do nothing and profit!!! I
believe that AV has already been mentioned, however, we all know they are
not the only security vendors who make their livings this way... 

I'll give you three additional reasons why bug bounties do not work:

* It assumes all security issues are software, which is just plain false.
Have you seen how devastating bump keys and social engineering and PSYOPS can
be?

* Entropy - software is of nontrivial complexity. Further, it does not remain
static, but rather it is always in a state of change: features are always
being added, bugs are patched, databases grow in size, etc. Bounded
rationality alone causes requirements to change during development! An
infinite problem space has infinite problems (e.g. Turing completeness,
Gödel, etc.). Software is used in ways the designers never imagined or
intended it to be used. There is no software utopia.

* It assumes we can patch all of the issues bug bounties identify; however,
we don't control the supply chain!
        - Systems are coming pre-manufactured with vulns by DESIGN.
        - Systems are compromised en route to deployment so three letter
agencies can do their intelligence work.

Bug bounties are simply the latest way for multi-national corporations to
get hundreds of security researchers to do work for free. Don't confuse
economic systems with security systems; they are not the same. Bug bounties
are about reducing the cost of security while maintaining the appearance
of doing something about it. It is the same old PR approach in new clothing.


You want to know what would work? Holding software producers legally liable
for their software bugs, because only if they have consequences for their
actions will they ever start taking things seriously!


Regards,
Dennis Groves, MSc


-----Original Message-----
From: dailydave-bounces () lists immunityinc com
[mailto:dailydave-bounces () lists immunityinc com] On Behalf Of Brad Spengler
Sent: Monday, September 8, 2014 3:12 PM
To: dave aitel
Cc: dailydave () lists immunityinc com
Subject: Re: [Dailydave] The monetization of information insecurity

[----8<----- ]

We need to change course.  Let's resolve to put the monetary focus of the
industry to where it really belongs: bug bounties.  Let's ensure fuzzers are
employed for the next decade while we reap the bountiful rewards of their
endless trickle of bugs.  If we make sure this strategy dominates, we can be
sure we don't hamstring the industry by focusing efforts on what produces
real improvement.
We know bug bounties work because their associated monetary offerings
continue to increase -- the market has spoken.

If we take our cues from such visionaries, I think we can avoid the
parasitic growth of the infosec industry and break the chain of strategies
that haven't worked for their entire reign.

Respectfully submitted for your consideration, -Brad

On Mon, Sep 08, 2014 at 10:07:02AM -0400, dave aitel wrote:
So I'm heading to a conference shortly and I was going to promote them 
in this email but they're apparently not a public conference.
I'm on a panel called "Identification of Emerging and Evolving 
Threats" with some non-US Government people who seem pretty nice.

Anyways, now that I've guaranteed myself an exciting visit from 
security services, I wanted to point out the one question everyone 
should be asking when they go to any conference and a new technology 
of any kind is proposed as any kind of forward movement for defense.
And that is this: "How can we avoid making the mistake of Anti-Virus" 
ever again?

Because much like the Internet has been hamstrung at birth by the 
parasitic growth of the advertising industry, the information security 
community has been devastated for almost its entire existence by the 
dominance of anti-virus companies and products which demonstrably 
haven't worked for almost their entire reign, and in theory never 
could have scaled. They are broken by design. And because they sucked 
all the money and research and people from the defensive community, no 
actual defenses were ever created for IT that had a hope of working.

So the only question any team of government executives working on 
defense needs to be thinking about is "How is this different from 
Anti-Virus in the long term? How can we avoid making that mistake ever 
again?" Because until you know how that mistake was made, and can 
avoid it for the next generation, "Emerging and Evolving"
threats will always be beyond your power to stop.

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave