Comments on: Proof Of Concept Code, Boon or Bane http://emergentchaos.com/archives/2005/02/proof-of-concept-code-boon-or-bane.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Mr. X http://emergentchaos.com/archives/2005/02/proof-of-concept-code-boon-or-bane.html/comment-page-1#comment-362 Mr. X Mon, 14 Feb 2005 13:44:50 +0000 http://emergentchaos.com/?p=452#comment-362 You make valid points as always, but I think that, as security practitioners, we tend to neglect the base rate when making these kinds of value judgments. Certainly, there are a lot of people (and vendors!) with IDS systems to test, vulnerability scanners to update, and so on. But the huge majority of businesses do not benefit from these activities, either because they simply don't own those security technologies, or because they end up feeling the effects of the worm (or attacker) which uses the exploit before they have a chance to patch their systems. Also, I may be misreading your post (and being pedantic to boot!), but MSFT have not "come out swinging" against researchers who "publish code". Rather, they have suggested that researchers who publish exploit code on the same day that the patches are released are not doing most businesses a favor. I think a factor here is that there seems to be a certain "macho factor" associated with having your code be the most well-known spl0it for a particular vulnerability. (route did very well off teardrop.c, if I remember correctly - just as one example). To accomplish this though, you have to publish your code before other people (even if you originally found the vulnerability), and it seems like the minimum delta which lets you retain the veneer of professionalism these days is "the day the patch is released + zero"... hardly altruistic. You make valid points as always, but I think that, as security practitioners, we tend to neglect the base rate when making these kinds of value judgments. Certainly, there are a lot of people (and vendors!) with IDS systems to test, vulnerability scanners to update, and so on. But the huge majority of businesses do not benefit from these activities, either because they simply don’t own those security technologies, or because they end up feeling the effects of the worm (or attacker) which uses the exploit before they have a chance to patch their systems.
Also, I may be misreading your post (and being pedantic to boot!), but MSFT have not “come out swinging” against researchers who “publish code”. Rather, they have suggested that researchers who publish exploit code on the same day that the patches are released are not doing most businesses a favor.
I think a factor here is that there seems to be a certain “macho factor” associated with having your code be the most well-known spl0it for a particular vulnerability. (route did very well off teardrop.c, if I remember correctly – just as one example). To accomplish this though, you have to publish your code before other people (even if you originally found the vulnerability), and it seems like the minimum delta which lets you retain the veneer of professionalism these days is “the day the patch is released + zero”… hardly altruistic.

]]> By: Iang http://emergentchaos.com/archives/2005/02/proof-of-concept-code-boon-or-bane.html/comment-page-1#comment-361 Iang Mon, 14 Feb 2005 07:59:26 +0000 http://emergentchaos.com/?p=452#comment-361 Comment on the Swire paper ... not having read the paper as yet, but that's a fascinating idea to apply the EMH (efficient markets hypothesis) to security. I would agree that the open source community takes the view that all information about the technology is public. That is, the source code. But this doesn't extend to the exploit. That's more akin to insider information. Now, in EMH, the question is, how does the insider information leak and then become public? As it happens, there are similarities between insider leakage and exploit leakage. But, there is one crucial difference: Once insider information leaks, it quickly gets factored in as public information. Within days or hours... But, exploit information while spread quickly, does not get factored in quickly. The vulnerability then has a very long tail whereby we wait for all the users out there to patch. There is no such effect in EMH, so I'd be careful in employing the lessons from there. Still, a great example of cross-discipline ideas. Comment on the Swire paper … not having read the paper as yet, but that’s a fascinating idea to apply the EMH (efficient markets hypothesis) to security. I would agree that the open source community takes the view that all information about the technology is public. That is, the source code.
But this doesn’t extend to the exploit. That’s more akin to insider information. Now, in EMH, the question is, how does the insider information leak and then become public? As it happens, there are similarities between insider leakage and exploit leakage.
But, there is one crucial difference: Once insider information leaks, it quickly gets factored in as public information. Within days or hours… But, exploit information while spread quickly, does not get factored in quickly. The vulnerability then has a very long tail whereby we wait for all the users out there to patch. There is no such effect in EMH, so I’d be careful in employing the lessons from there.
Still, a great example of cross-discipline ideas.

]]> By: Financial Cryptography http://emergentchaos.com/archives/2005/02/proof-of-concept-code-boon-or-bane.html/comment-page-1#comment-363 Financial Cryptography Mon, 14 Feb 2005 07:30:41 +0000 http://emergentchaos.com/?p=452#comment-363 <strong>Full disclosure: for and against</strong> How to address Internet security in an open source world is a simmering topic. Frank Hecker has documented his view of the Mozilla Full Disclosure debate that led to their current security policy. I haven't read it yet, but will.... Full disclosure: for and against

How to address Internet security in an open source world is a simmering topic. Frank Hecker has documented his view of the Mozilla Full Disclosure debate that led to their current security policy. I haven’t read it yet, but will….

]]>