On Thu, 17.06.2004 at 16:34, Eric Rescorla wrote:
[...]
> > even fixes available. I would expect the "Intrusion Rate" curve to be
> > formed radically different at this point. This also affects the
> > discussion about social welfare lost / gained through disclosure quite a
> > lot.
> >
> > I don't see how applying Browne's vulnerability cycle concept to the
> > Black Hat Discovery case as it has been done in the paper can reflect
> > these threat scenarios correctly.
>
> It's true that the Browne paper doesn't apply directly, but I don't
> actually agree that rapid spreading malware alters the reasoning in
> the paper much. None of the analysis on the paper depends on any
> particular C_BHD/C_WHD ratio. Rather, the intent is to provide
> boundaries for what one must believe about that ratio in order to
> think that finding bugs is a good idea.

So if we don't peg the C_BHD/C_WHD ratio to something happening in the
real world, it's "all depends on your threat model" again. If I assume
a specific ratio that 'justifies' finding bugs in terms of economic
trade-off, you may disagree by believing in a different ratio. It could
be of interest which threat model represents which ratio to see the
effects in economic trade-off - however, the discussion is simply
shifted towards "which threat model is more realistic". What do we
gain?

Regards
--
Birger Tödtmann <[EMAIL PROTECTED]>
Computer Networks Working Group, Institute for Experimental Mathematics
University Duisburg-Essen, Germany
