Birger Toedtmann <[EMAIL PROTECTED]> writes:

> On Thu, 10.06.2004 at 20:37, Eric Rescorla wrote:
>> Cryptography readers who are also interested in systems security may be
>> interested in reading my paper from the Workshop on Economics
>> and Information Security '04:
>>
>> Is finding security holes a good idea?
> [...]
>
> The economic reasoning within the paper misses casualties that arise
> from automated, large-scale attacks.
>
> In figure 2, the graph indicating the "Black Hat Discovery Process"
> suggests we should expect a minor impact of "Private Exploitation" only,
> because the offending Black Hat group is small and exploits manually.
> However, one could also imagine Code Red, Slammer and the like. Apart
> from having a fix ready or not, when vulnerabilities of this kind are
> not known *at all* to the public (no problem description, no workaround
> like "remove file XYZ for a while" known), worms can hit the network far
> more severely than they already do with knowledge of the vulnerability and
> even fixes available. I would expect the "Intrusion Rate" curve to be
> formed radically differently at this point. This also affects the
> discussion about social welfare lost / gained through disclosure quite a
> lot.
>
> I don't see how applying Browne's vulnerability cycle concept to the
> Black Hat Discovery case as it has been done in the paper can reflect
> these threat scenarios correctly.
It's true that the Browne paper doesn't apply directly, but I don't
actually agree that rapidly spreading malware alters the reasoning in
the paper much. None of the analysis in the paper depends on any
particular C_BHD/C_WHD ratio. Rather, the intent is to provide
boundaries for what one must believe about that ratio in order to
think that finding bugs is a good idea.

That said, I don't think that the argument you present above is that
convincing. It's true that a zero-day worm would be bad, but given the
shape of the patching curve [0], a day-5 worm would be very nearly as
bad (and remember that it's the C_BHD/C_WHD ratio we care about).
Indeed, note that all of the major worms so far have been based on
known vulnerabilities.

-Ekr

[0] E. Rescorla, "Security Holes... Who Cares?", Proc. 12th USENIX
Security, 2003.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]