[71166] in North American Network Operators' Group
Re: AV/FW Adoption Studies
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Jun 10 11:35:32 2004
To: Sean Donelan <sean@donelan.com>
Cc: "'Nanog'" <nanog@merit.edu>
In-Reply-To: Your message of "Wed, 09 Jun 2004 18:45:55 EDT."
             <Pine.GSO.4.58.0406091815550.19694@clifden.donelan.com> 
From: Valdis.Kletnieks@vt.edu
Date: Thu, 10 Jun 2004 11:28:59 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean@donelan.com>  said:

> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
> publicity doesn't change them much.  If it is six months before the
> exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
> about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
> effect, as the exploits show up sooner the people who were going to patch
> anyway patch sooner.  The ones that don't, still don't.

Remember that the black hats almost certainly had 0-days for the holes, and
before the patch comes out, the 0-day is 100% effective.   Once the patch comes
out and is widely deployed, the usefulness of the 0-day drops.

Most probably, 40% is a common value for "I might as well release this one and
get some recognition".  After that point, the residual value starts dropping
quickly.

Dave Aucsmith of Microsoft seems to think there's a flurry of activity to
reverse engineer the patch:

http://news.bbc.co.uk/1/hi/technology/3485972.stm

In fact, half of them are just sitting there and playing "chicken" - you wait
too long, and somebody else gets the recognition as "best reverse engineer" by
Aucsmith, but if you wait too little, you lose your 0-day while it still has
some effectiveness.

Somebody else can turn the crank on the game-theory machine and figure out what
the mathematically optimum release point is....