> More likely, the software actually leaks like a sieve, and NEITHER group
> has even scratched the surface.
How many leaks did the OpenBSD team find when they proactively audited
their entire codebase for the first time a few years ago? This would
be an indication of just how leaky an O/S might
On Thu, 10 Jun 2004 13:50:47 PDT, Eric Rescorla said:
> I'm asking the question:
> If you find some bug in the normal course of your operations
> (i.e. nobody told you where to look) how likely is it that
> someone else has already found it?
>
> And you're asking a question more like:
> Given tha
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 13:30:41 PDT, Eric Rescorla said:
>
>> [0] Note that this doesn't require that the chance of finding
>> any particular bug upon inspection of the code be very low
>> high, but merely that there not be very deep coverage of
>> any particular code sec
On Thu, 10 Jun 2004 13:30:41 PDT, Eric Rescorla said:
> [0] Note that this doesn't require that the chance of finding
> any particular bug upon inspection of the code be very low
> high, but merely that there not be very deep coverage of
> any particular code section.
Right. However, if you hand
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 12:23:42 PDT, Eric Rescorla said:
>
>> I'm not sure we disagree. All I was saying was that I don't
>> think we have a good reason to believe that the average bug
>> found independently by a white hat is already known to a
>> black hat. Do you disagr
On Thu, 10 Jun 2004 12:23:42 PDT, Eric Rescorla said:
> I'm not sure we disagree. All I was saying was that I don't
> think we have a good reason to believe that the average bug
> found independently by a white hat is already known to a
> black hat. Do you disagree?
Actually, yes.
Non-obvious bu
In message <[EMAIL PROTECTED]>, Valdis.Kletni
[EMAIL PROTECTED] writes:
Actually, it was Morris, not me, who first pointed it out.
>
>Data point: When did Steve Bellovin point out the issues with non-random
>TCP ISNs? When did Mitnick use an exploit for this against Shimomura?
>
>And now ask y
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
>
>> My hypothesis is that the sets of bugs independently found by white
>> hats and black hats are basically disjoint. So, you'd definitely
>> expect that there were bugs found by the black hats and then used as
>>
On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
> My hypothesis is that the sets of bugs independently found by white
> hats and black hats are basically disjoint. So, you'd definitely
> expect that there were bugs found by the black hats and then used as
> zero-days and eventually leaked to
- Original Message -
From: "Eric Rescorla" <[EMAIL PROTECTED]>
> Paul G <[EMAIL PROTECTED]> wrote:
>
> > - Original Message -
> > From: "Eric Rescorla" <[EMAIL PROTECTED]>
> >
> > -- snip ---
> >
> > > If we assume that the black hats aren't vastly more
> > > capable than the
Paul G <[EMAIL PROTECTED]> wrote:
> - Original Message -
> From: "Eric Rescorla" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Sean Donelan" <[EMAIL PROTECTED]>; "'Nanog'" <[EMAIL PROTECTED
- Original Message -
From: "Eric Rescorla" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Sean Donelan" <[EMAIL PROTECTED]>; "'Nanog'" <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 2:37 PM
Subject: Re: AV/FW Adoptio
[EMAIL PROTECTED] writes:
> On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
>> [EMAIL PROTECTED] writes:
>
>> > Remember that the black hats almost certainly had 0-days for the
>> > holes, and before the patch comes out, the 0-day is 100% effective.
>>
>> What makes you think that black ha
On Thu, 10 Jun 2004 08:50:18 PDT, Eric Rescorla said:
> [EMAIL PROTECTED] writes:
> > Remember that the black hats almost certainly had 0-days for the
> > holes, and before the patch comes out, the 0-day is 100% effective.
>
> What makes you think that black hats already know about your
> average
[EMAIL PROTECTED] writes:
> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[EMAIL PROTECTED]> said:
>
>> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
>> publicity doesn't change them much. If it is six months before the
>> exploit, about 40% will be patched (60% unpat
On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <[EMAIL PROTECTED]> said:
> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> publicity doesn't change them much. If it is six months before the
> exploit, about 40% will be patched (60% unpatched). If it is 2 weeks,
> about
On Wed, 9 Jun 2004 [EMAIL PROTECTED] wrote:
> A writeup on the OpenSSL holes, the Slapper worm, and when/why users
> patched their systems. 17 pages, PDF.
>
> http://www.rtfm.com/upgrade.pdf
>
> Lots of interesting conclusions about user behavior, which we probably
> need to consider when plannin
On Tue, 08 Jun 2004 17:29:51 CDT, Dennis Dayman <[EMAIL PROTECTED]> said:
>
> Does anyone know of any studies on user adoption of security s/w (AV and FW
> products), including how often people update and how regularly?
Two papers that might help:
A writeup on the OpenSSL holes, the Slapper wor
Does anyone know of any studies on user adoption of security s/w (AV and FW
products), including how often people update and how regularly?
-Dennis