[71187] in North American Network Operators' Group
Re: AV/FW Adoption Studies
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Jun 10 15:19:46 2004
To: EKR <ekr@rtfm.com>
Cc: Paul G <paul@rusko.us>, "'Nanog'" <nanog@merit.edu>
In-Reply-To: Your message of "Thu, 10 Jun 2004 11:54:31 PDT." <kju0xjs0pk.fsf@romeo.rtfm.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 10 Jun 2004 15:19:31 -0400
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
> My hypothesis is that the sets of bugs independently found by white
> hats and black hats are basically disjoint. So, you'd definitely
> expect that there were bugs found by the black hats and then used as
> zero-days and eventually leaked to the white hats. So, what you
> describe above is pretty much what one would expect.
Well.. for THAT scenario to happen, two things have to be true:
1) Black hats are able to find bugs too
2) The white hats aren't as good at finding bugs as we might think,
because some of their finds are leaked 0-days rather than their own work,
inflating their numbers.
Remember what you said:
> relatively small. If we assume that the black hats aren't vastly more
> capable than the white hats, then it seems reasonable to believe that
> the probability of the black hats having found any particular
> vulnerability is also relatively small.
More likely, the software actually leaks like a sieve, and NEITHER group
has even scratched the surface..
Remember - every single 0-day that surfaces was something the black hats
found first. The only thing you're really measuring by looking at the
0-day rate is the speed at which an original black exploit gets leaked from
a black hat to a very dark grey hat to a medium grey hat and so on, until
it gets to somebody whose hat is close enough to white to publish openly.
Data point: When did Steve Bellovin point out the issues with non-random
TCP ISNs? When did Mitnick use an exploit for this against Shimomura?
And now ask yourself - when did we *first* start seeing SYN flood attacks (which
were *originally* used to shut the flooded machine up and prevent it
from talking while you spoofed its address to some OTHER machine)?