[71168] in North American Network Operators' Group


Re: AV/FW Adoption Studies

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Thu Jun 10 11:51:05 2004

To: Valdis.Kletnieks@vt.edu
Cc: Sean Donelan <sean@donelan.com>, "'Nanog'" <nanog@merit.edu>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 10 Jun 2004 08:50:18 -0700
In-Reply-To: <200406101528.i5AFSxNg018475@turing-police.cc.vt.edu> (Valdis
 Kletnieks's message of "Thu, 10 Jun 2004 11:28:59 -0400")
Errors-To: owner-nanog-outgoing@merit.edu


Valdis.Kletnieks@vt.edu writes:
> On Wed, 09 Jun 2004 18:45:55 EDT, Sean Donelan <sean@donelan.com>  said:
>
>> The numbers vary a little e.g. 38% or 42%, but the speed or severity or
>> publicity doesn't change them much.  If it is six months before the
>> exploit, about 40% will be patched (60% unpatched).  If it is 2 weeks,
>> about 40% will be patched (60% unpatched).  It's a strange "invisible hand"
>> effect, as the exploits show up sooner the people who were going to patch
>> anyway patch sooner.  The ones that don't, still don't.
>
> Remember that the black hats almost certainly had 0-days for the
> holes, and before the patch comes out, the 0-day is 100% effective.

What makes you think that black hats already know about your
average hole?


> Once the patch comes out and is widely deployed, the usefulness of
> the 0-day drops.
>
> Most probably, 40% is a common value for "I might as well release
> this one and get some recognition".  After that point, the residual
> value starts dropping quickly.

I don't think this assessment is likely to be correct. If you look, for
instance, at the patching curve on page 1 of "Security holes... Who
cares?" (http://www.rtfm.com/upgrade.pdf) there's a pretty clear flat
spot from about 25 days (roughly 60% patch adoption) to 45 days
(release of the Slapper worm). So, once that 2-3 week initial
period has passed, the value of an exploit is roughly constant
for a long period of time.

-Ekr
