List: dailydave
Subject: [Dailydave] Dave's CounterMeasure Talk
From: "Gieseman, Daniel J [ITRNS]" <dgiesema () iastate ! edu>
Date: 2012-10-30 19:41:35
Message-ID: BFAC43E399150A4F8A95D211F85A6E314053841E () ITSDAG1D ! its ! iastate ! edu
I enjoyed Dave's talk [1] and found the "trends in our industry" discussion keenly insightful.

This got me to speculating and extrapolating (and being overly philosophical), given what appear to be confluent market and geo-political forces driving two trends:

1. the trend of increasing demand by state actors for quality bugs.
2. the trend of discretion trumping disclosure when it comes to bug research.

What I find most interesting is the trend of increasing demand for 0days creating a large price disparity between vendor 0day bounties and the apparent willingness of governments to provide much higher compensation for 0day acquisitions [2].

Basically, there is a large mismatch between vendor incentives to disclose vulnerabilities and the prices being offered by governments. It is this mismatch and its implications for vulnerability research which I find most intriguing. Below I list a few more interesting questions which arise from this observation.

Is this mismatch going to rapidly change the way hackers work with the tech industry (or rather, will not work with the tech industry), and even more so, will it alter where skilled hackers find markets for their capabilities?

Could this result in a giant sucking sound (to borrow from H. Ross Perot) as 0days are vacuumed up by state actors with deeper pockets than vendors (e.g. several orders of magnitude deeper than a free Mac, or $3133.70)?

Continuing along this line: what are the implications of overt/covert government buying of 0days versus the present system, which had been stabilizing around an open market matching vendor bounties with vulnerability disclosure?

It would seem to skew the present market, but how much, really?

Should it be a best practice/doctrine of governments that every 0day should be acquired, just in case? Or, reworded: could you picture a state actor purchasing an Angry Birds exploit as part of a cyber dominance doctrine?

Is a natural result of this trend a reduction in the effectiveness of commercial and open-source vulnerability scanning tools (which depend on a steady stream of fresh vulns for market share)?

Then, for the fun of it, I extrapolated our observed trends to a possible extreme: why not eliminate the middle man? For example, is it realistic in any scenario that market forces and the threats/counter-threats of cyber-warfare lead governments to bypass independent vulnerability researchers, and instead we see the software/controls industry work covertly with governments to intentionally design and embed difficult-to-detect (and difficult-to-trigger) vulnerabilities?

I think a new term is in order to differentiate this concept from your classical trojan/backdoor; how about "MinusDay"? (You heard it on dd first :-D) I am not saying every product need have them, just products that are likely to be utilized by an adversary.

Restated: if exploit vectors really are that valuable, will corporations tend to become incentivized to "keep it in the family" and build them into critical systems themselves? Given the observed trend of increasing value for 0day bugs, coupled with the fact that corporations are always seeking out new vertical markets which leverage existing specializations, does not this situation seem entirely plausible?

Does this trend shred an underlying trust that might have been inherent in a global technology marketplace? Are we seeing this trend already with Huawei, and Google out of China?

Remember the plane Boeing made for Zemin that was full of listening equipment [3]?

Then I thought: are these concepts or trends, which I was thinking were novel observations, even new?

I am curious if others agree or disagree and would care to offer their predictions for our industry, in the spirit of fun discussion mainly.

Also, has anyone ever seen the owner's manual for a 5ESS?

Cheers!

Dan
[1]. http://www.youtube.com/watch?v=vBQET68HHSg
[2]. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
[3]. http://articles.cnn.com/2002-01-19/world/china.plane.bug_1_boeing-official-boeing-jet-plane?_s=PM:asiapcf
_______________________________________________
Dailydave mailing list
Dailydave@lists.immunityinc.com
https://lists.immunityinc.com/mailman/listinfo/dailydave