Re: [Dailydave] Faster, smashter. (fwd)


Welcome to the Virus.Org Mailing List Archive

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

To: [EMAIL PROTECTED]
Subject: Re: [Dailydave] Faster, smashter. (fwd)
From: "BEES INC" <[EMAIL PROTECTED]>
Date: Wed, 10 Dec 2008 17:27:15 +1100
In-reply-to: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>

i have postgrad applied finance qualifications and this is not really
practical. You need an open/free market on 0day before you could start
writing futures/options contracts. to my knowledge this doesn't exist,
and is unlikely to exist for a whole bunch of reasons. its more
profitable for exploit writers and cheaper for buyers to keep the
other side in the dark on going rates.

i remember they tried something like this in fresno county with the
sausage and spice prices there. though a little different from
exploits its similar in that its a fairly small and niche market, and
the supply was effectively controlled by a cartel, and pricing
information was dubious at best. needless to say it didn't take off

you would be better off writing insurance and collecting a premiums,
and if something does happen the payout could go to covering costs of
patching and recovery. i'm pretty sure ive read of something like this
being already available.

On Wed, Dec 10, 2008 at 1:19 PM,  <[EMAIL PROTECTED]> wrote:
>
> (moderator: retry from subscribed account)
>
> I have been thinking about a potential futures market model to hedge the risk
> of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that
> could be tied into Microsoft's exploitability index to determine the premium on
> the future contract ? Hedgers (companies, govermantal institutions, military
> etc.) could than purchase these contracts from speculators (these could be us)
> to tie their risk into a dollar amount. On the other hand researchers can sell
> these contracts if they feel strongly about a software or inversely, buy these
> contracts to cash in their 0day when it hits the public domain. We need a fair
> market place for 0day (outside of the 2 known players whose model benefits no
> one) and I believe futures market model is the way to go. After all if you can
> hedge your exposure to weather, why can't you hedge it against 0day ? It is not
> as crazy as it sounds ....
>
> I would appreciate ideas to tie the value of a vulnerability to a premium, any
> quants who do security as well ?
>
> -sinan
>
> On Tue, 9 Dec 2008, Dave Aitel wrote:
>
>>  -----BEGIN PGP SIGNED MESSAGE-----
>>  Hash: SHA1
>>
>>  One technique we're doing this week with a client is taking an attack
>>  tree and marking it up with dollar values. I.E. if you wanted to buy
>>  an 0day in X component, how much would it cost?
>>
>>  This then is a simple summation to produce a "how much is it to get
>>  into the internal network from the internet" which the business can
>>  use to help them decide yay/nay on the project as a whole depending on
>>  their own view of the threat and the value of the information they are
>>  protecting.
>>
>>  -dave
>>
>>
>>  Halvar Flake wrote:
>> >  Hey all,
>> >
>> >  It seems that discussions in ITsec are periodic -- the same
>> >  discussions and same arguments come up again and again.
>> >
>> >  1. Of course attackers use new vulnerabilities. It is the nature of
>> >  offense. Defense is done "to the maximum of current knowledge".
>> >  Offense, by it's nature, has to expand on the status quo.
>> >
>> >  2. How do you simulate an attack with a new vulnerability if you
>> >  don't have one ?
>> >
>> >  Well, military folks do wargames all the time without actually
>> >  using up the arsenal they have on the shelves. Network attacks
>> >  should probably be done in a similar manner -- have an umpire, and
>> >  give the attacking team a few "0day cards". With these cards they
>> >  get high-probability code execution for a piece of software of
>> >  their choice.
>> >
>> >  The pentest then proceeds like a game, but can be conducted on the
>> >  real network, too.
>> >
>> >  But I am repeating myself ...
>> >
>> >  Cheers, Halvar _______________________________________________
>> >  Dailydave mailing list [EMAIL PROTECTED]
>> >  http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>  -----BEGIN PGP SIGNATURE-----
>>  Version: GnuPG v1.4.6 (GNU/Linux)
>>  Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>>  iD8DBQFJPoSCtehAhL0gheoRAqofAJ0Yvic/Ro6dRr+xWLavp+DizANyAACfWUXc
>>  JRFeXEvy4EJeg5gkuXxC2ZU=
>>  =6PWU
>>  -----END PGP SIGNATURE-----
>>
>>  _______________________________________________
>>  Dailydave mailing list
>>  [EMAIL PROTECTED]
>>  http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>
> _______________________________________________
> Dailydave mailing list
> [EMAIL PROTECTED]
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
_______________________________________________
Dailydave mailing list
[EMAIL PROTECTED]
http://lists.immunitysec.com/mailman/listinfo/dailydave

Follow-Ups:
- Re: [Dailydave] Faster, smashter. (fwd)
  - From: Jon Passki
- Re: [Dailydave] Faster, smashter. (fwd)
  - From: sinan . eren
- Re: [Dailydave] Faster, smashter. (fwd)
  - From: Robert Lemos

References:
- Re: [Dailydave] Faster, smashter. (fwd)
  - From: sinan . eren

Prev by Date: Re: [Dailydave] Faster, smashter. (fwd)
Next by Date: Re: [Dailydave] Faster, smashter. (fwd)
Previous by thread: Re: [Dailydave] Faster, smashter. (fwd)
Next by thread: Re: [Dailydave] Faster, smashter. (fwd)
Index(es):
- Main
- Thread

Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.