On Thu, 10 Jun 2004 at 20:37, Eric Rescorla wrote:
> Cryptography readers who are also interested in systems security may be
> interested in reading my paper from the Workshop on Economics
> and Information Security '04:
>
> Is finding security holes a good idea?
[...]
The economic reasoning within the paper misses casualties that arise from automated, large-scale attacks. In figure 2, the graph indicating the "Black Hat Discovery Process" suggests we should expect a minor impact of "Private Exploitation" only, because the offending Black Hat group is small and exploits manually. However, one could also imagine Code Red, Slammer and the like. Apart from having a fix ready or not, when vulnerabilities of this kind are not known *at all* to the public (no problem description, no workaround like "remove file XYZ for a while" known), worms can hit the network far more severely than they already do with knowledge of the vulnerability and even fixes available. I would expect the "Intrusion Rate" curve to be formed radically differently at this point. This also affects the discussion about social welfare lost / gained through disclosure quite a lot. I don't see how applying Browne's vulnerability cycle concept to the Black Hat Discovery case as it has been done in the paper can reflect these threat scenarios correctly.

Regards,
--
Birger Tödtmann <[EMAIL PROTECTED]>
Computer Networks Working Group, Institute for Experimental Mathematics
University Duisburg-Essen, Germany

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
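The contrast the post draws, between a small group exploiting a hole by hand and an automated worm spreading through an unpatched population, can be made concrete with a toy model of the cumulative intrusion curve. The following is an added illustration, not code from the post, from Rescorla's paper, or from Browne's vulnerability cycle work: it assumes a linear model for manual exploitation (a fixed number of attackers, each compromising a bounded number of hosts per day) and a discrete-time susceptible/infected (SI) model for worm propagation, in which a public fix, once available, removes a fraction of the remaining susceptible hosts each day. All host counts and rates are constructed.

```python
"""Toy intrusion-rate model (constructed illustration, not the paper's model).

Compares the cumulative intrusion curve for manual exploitation by a small
group against an automated worm, with and without a public fix available.
"""


def manual_exploitation(hosts, attackers, per_attacker_rate, days):
    """Cumulative compromised hosts per day for a small group working by hand.

    Each attacker compromises at most `per_attacker_rate` hosts per day, so the
    curve grows linearly until the population is exhausted.
    """
    compromised = 0
    curve = []
    for _ in range(days):
        compromised = min(hosts, compromised + attackers * per_attacker_rate)
        curve.append(compromised)
    return curve


def worm_propagation(hosts, initial_infected, contact_rate, days,
                     patch_day=None, patch_rate=0.0):
    """Cumulative infected hosts per day under a discrete SI worm model.

    New infections per day are contact_rate * I * S / N (mass-action mixing).
    From `patch_day` onward, a fraction `patch_rate` of the still-susceptible
    hosts is patched each day and leaves the susceptible pool; with
    patch_day=None no fix is ever published (the "not known at all" case).
    """
    susceptible = float(hosts - initial_infected)
    infected = float(initial_infected)
    curve = []
    for day in range(days):
        if patch_day is not None and day >= patch_day:
            # Defenders patch before the worm's next propagation round.
            susceptible -= susceptible * patch_rate
        new_infections = contact_rate * infected * susceptible / hosts
        new_infections = min(new_infections, susceptible)  # cannot exceed pool
        infected += new_infections
        susceptible -= new_infections
        curve.append(infected)
    return curve


def daily_rate(cumulative):
    """Turn a cumulative curve into the per-day intrusion rate."""
    rates = []
    previous = 0.0
    for value in cumulative:
        rates.append(value - previous)
        previous = value
    return rates


def compare_scenarios(hosts=1000, days=30):
    """Summarise final compromise count and peak daily rate for each scenario."""
    scenarios = {
        "manual_small_group": manual_exploitation(hosts, attackers=3,
                                                  per_attacker_rate=5, days=days),
        "worm_no_fix_known": worm_propagation(hosts, initial_infected=1,
                                              contact_rate=2.0, days=days),
        "worm_fix_on_day_2": worm_propagation(hosts, initial_infected=1,
                                              contact_rate=2.0, days=days,
                                              patch_day=2, patch_rate=0.5),
    }
    return {
        name: {"final": curve[-1], "peak_daily_rate": max(daily_rate(curve))}
        for name, curve in scenarios.items()
    }


if __name__ == "__main__":
    for name, summary in compare_scenarios().items():
        print(f"{name:20s} final={summary['final']:7.1f} "
              f"peak/day={summary['peak_daily_rate']:6.1f}")
```

With these constructed parameters the manual curve stays linear at 15 intrusions a day, the worm with no fix known saturates the whole population within a week with a daily peak of several hundred hosts, and the same worm with a fix published on day 2 stalls at a few dozen hosts. The point of the model is only the shape of the curves: it is the exponential phase, and how much susceptible population is left when it starts, that the linear "private exploitation" picture does not capture.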