Eric Rescorla wrote:

Cryptography readers who are also interested in systems security may be
interested in reading my paper from the Workshop on Economics
and Information Security '04:

Is finding security holes a good idea?
Eric Rescorla
RTFM, Inc.


    A large amount of effort is expended every year on finding and
    patching security holes. The underlying rationale for this activity
    is that it increases welfare by decreasing the number of bugs
    available for discovery and exploitation by bad guys, thus reducing
    the total cost of intrusions. Given the amount of effort expended,
    we would expect to see noticeable results in terms of improved
    software quality. However, our investigation does not support a
    substantial quality improvement--the data does not allow us to
    exclude the possibility that the rate of bug finding in any given
    piece of software is constant over long periods of time. If there is
    little or no quality improvement, then we have no reason to believe
    that the disclosure of bugs reduces the overall cost of
    intrusions.

I don't see how that follows. If a bug is found but not disclosed, then it can be used for intrusion. If it is disclosed, then it cannot (assuming it gets fixed, of course). The fact that there are more bugs to be found which can _also_ be used for intrusions doesn't mean there's no point in fixing the hole, surely - at least the next bug has to be found before intrusions can occur again.


What you _may_ have shown is that there's an infinite number of bugs in any particular piece of s/w. I find that hard to believe, too :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]