On 07/20/2014 11:00 AM, Michael Rogers wrote:
> On 18/07/14 01:02, coderman wrote:
>> as thought experiment: a hidden site is set up by presumed
>> trustworthy experts.  exploits are funneled there, then they all
>> dry up.
>>
>> - congratulations! NSA is out of 0day! ?
>> - congratulations! NSA is not using 0day over Internet! ?
>> - technique for catching 0day has been compromised. start over,...
>>
>> explain to me how any public effort will not fall into the last
>> trap, repeatedly.
>
> Assuming the effort doesn't stop when exploits dry up, but instead
> looks for new ways to attract exploits, what's the problem?

If the cost of buying a 0day and adding it to the pile is so insignificant that we can call it zero, then coderman "wins".
If that cost is nonzero, then you "win".

So, what's the ballpark cost of buying a 0day and adding it to the pile? (Buy, implement, test, deploy.)

Can one of the experts on this list estimate a cost within an order of magnitude, and give links to peer reviewed research to support their estimate?

Thank you,
Jonathan


>> if your concern is security for the public, do it by making the
>> software we use more difficult to exploit as a whole, rather than
>> fixating on free exploits from NSA for a particular vulnerability
>> among many.
>
> That sounds like a false dichotomy to me. Publicising a specific
> exploit may spur the development of general as well as specific
> mitigations.
>
> Cheers,
> Michael
