[15638] in cryptography@c2.net mail archive


Re: Is finding security holes a good idea?

daemon@ATHENA.MIT.EDU (Birger Tödtmann)
Thu Jun 17 14:26:01 2004

X-Original-To: cryptography@metzdowd.com
From: Birger Tödtmann <btoedtmann@exp-math.uni-essen.de>
Reply-To: btoedtmann@exp-math.uni-essen.de
To: EKR <ekr@rtfm.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <kj8yem9rsy.fsf@romeo.rtfm.com>
Date: Thu, 17 Jun 2004 18:14:46 +0200

On Thu, 17.06.2004 at 16:34, Eric Rescorla wrote:
[...]
> > even fixes available.  I would expect the "Intrusion Rate" curve to be
> > formed radically differently at this point.  This also affects the
> > discussion about social welfare lost / gained through disclosure quite a
> > lot.
> >
> > I don't see how applying Browne's vulnerability cycle concept to the
> > Black Hat Discovery case as it has been done in the paper can reflect
> > these threat scenarios correctly.
> 
> It's true that the Browne paper doesn't apply directly, but I don't
> actually agree that rapid spreading malware alters the reasoning in
> the paper much. None of the analysis in the paper depends on any
> particular C_BHD/C_WHD ratio. Rather, the intent is to provide
> boundaries for what one must believe about that ratio in order to
> think that finding bugs is a good idea.

So if we don't peg the C_BHD/C_WHD ratio to something happening in the
real world, it's "all depends on your threat model" again.  If I assume
a specific ratio that 'justifies' finding bugs in terms of economic
trade-off, you may disagree by believing in a different ratio.  It could
be of interest which threat model represents which ratio to see the
effects in economic trade-off - however, the discussion is simply
shifted towards "which threat model is more realistic".  What do we
gain?


Regards
-- 
Birger Tödtmann <btoedtmann@exp-math.uni-essen.de>
Computer Networks Working Group, Institute for Experimental Mathematics
University Duisburg-Essen, Germany

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
