North American Network Operators Group
Re: AV/FW Adoption Studies
On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:

> My hypothesis is that the sets of bugs independently found by white
> hats and black hats are basically disjoint. So, you'd definitely
> expect that there were bugs found by the black hats and then used as
> zero-days and eventually leaked to the white hats. So, what you
> describe above is pretty much what one would expect.

Well.. for THAT scenario to happen, two things have to be true:

1) Black hats are able to find bugs too.

2) The white hats aren't as good at finding bugs as we might think, because some of their finds are leaked 0-days rather than their own work, inflating their numbers.

Remember what you said:

> relatively small. If we assume that the black hats aren't vastly more
> capable than the white hats, then it seems reasonable to believe that
> the probability of the black hats having found any particular
> vulnerability is also relatively small.

More likely, the software actually leaks like a sieve, and NEITHER group has even scratched the surface.. Remember - every single 0-day that surfaces was something the black hats found first. The only thing you're really measuring by looking at the 0-day rate is the speed at which an original black exploit gets leaked from a black hat to a very dark grey hat to a medium grey hat and so on, until it gets to somebody whose hat is close enough to white to publish openly.

Data point: When did Steve Bellovin point out the issues with non-random TCP ISNs? When did Mitnick use an exploit for this against Shimomura? And now ask yourself - when did we *first* start seeing SYN flood attacks (which were *originally* used to shut the flooded machine up and prevent it from talking while you spoofed its address to some OTHER machine)?
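The post's data point is Bellovin's observation that predictable TCP initial sequence numbers let an attacker complete a spoofed handshake. The following is an added example, not part of the NANOG thread, showing the kind of check a host owner can run on ISNs sampled from their own server to see whether the generator looks predictable. The ISN lists are constructed sample values, and the function name and thresholds (2^16 delta spread) are this example's own choices, not anything from the post or from any particular operating system.

```python
# Added example: classify a sequence of observed TCP ISNs as predictable or not.
# Input: ISNs captured from successive connections to one host, in arrival order.
from typing import Dict, List

WRAP = 1 << 32          # ISNs are 32-bit and wrap around
LOW_SPREAD = 1 << 16    # example threshold: deltas varying by < 2^16 are "low-variance"


def isn_report(isns: List[int]) -> Dict[str, object]:
    """Return first differences of the ISNs and a verdict:
    'constant-increment' (every delta identical, e.g. a fixed per-connection bump),
    'low-variance'      (deltas differ, but only within a small window), or
    'random-looking'    (deltas spread across a large part of the 32-bit space)."""
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to judge a pattern")
    # Differences modulo 2^32 so a wrap-around does not look like a huge jump.
    deltas = [(b - a) % WRAP for a, b in zip(isns, isns[1:])]
    distinct = len(set(deltas))
    spread = max(deltas) - min(deltas)
    if distinct == 1:
        verdict = "constant-increment"
    elif spread < LOW_SPREAD:
        verdict = "low-variance"
    else:
        verdict = "random-looking"
    return {
        "deltas": deltas,
        "distinct_deltas": distinct,
        "delta_spread": spread,
        "verdict": verdict,
    }


# Constructed samples (not real captures):
# a fixed 64000 bump per connection, a loosely clocked generator, and random-looking values.
FIXED_BUMP = [1_000_000, 1_064_000, 1_128_000, 1_192_000]
CLOCKED = [5_000, 5_100, 5_250, 5_400]
RANDOMISH = [0x1F3A9C21, 0x8B4D0E77, 0x3C91F5A0, 0xD27E6B13]

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_BUMP), ("clocked", CLOCKED), ("random", RANDOMISH)):
        print(name, isn_report(sample)["verdict"])
```

A real assessment would sample many more ISNs and look at their distribution rather than just the spread of first differences, but even this coarse check separates a fixed-increment generator from one that is at least trying to be unpredictable.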