Re: Faster, smashter. (fwd)
From: "BEES INC" <bees.inc () gmail com>
Date: Thu, 11 Dec 2008 18:42:22 +1100
We are not talking about an auction though, we are talking about derivatives.
As the name implies, the price of a derivative is derived from the price
of some underlying asset. With commodities or equities you have a
market where the last price something traded at is readily available.
You take that price and a few other things, plug them into Black-Scholes
and you have your theoretical option price that may be above
or below the market price for the option depending on sentiment and
the usual supply/demand.
Derivatives are also standardized: say an option on a share gets you 1
share; it only works if every share is equal. Not all 0days are
created equal. For instance, take an 0day in ManOs, an experimental
operating system used predominantly by physicists. How do you value
it? What did the last 0day for ManOs go for? Is that a reliable
indicator of this 0day's price? The last one could've been kinda lame
and have lots of preconditions for it to be successful, but maybe this
one has no such conditions, and is consequently worth a lot more. The
same contract won't fit.
It's probably safe to assume there is 0day for ManOs or Exchange or
whatever, but pricing a derivative requires available access to the
pricing of the underlying and standardization of the terms. You could
classify the 0day in terms of severity and have different types for
that (like there are different types of oil contracts), and in general
I would agree an auction is probably the best way to gauge fair value,
but until you can get a fair value you're in a bit of a pickle (or
Liquidity would also be a big issue. You would need a reasonable
number of players to make the market work, otherwise people would get
stuck holding illiquid, tricky to value derivatives, and you just have
to take a look at the subprime debt market to see how well that works.
On Thu, Dec 11, 2008 at 12:43 AM, Jon Passki <jon.passki () hursk com> wrote:
I disagree. Give me N number of oracles that state they know x, y, z issue
is exploitable (at some defined level of exploitability) and I'll give you
an auction. The concept of an auction is from the perspective of the buyer,
not the seller... If Oracle A, B, D, and F state that they have an exploit
for vuln Alpha, then I have a ceiling cost and a basement cost for the
exploit. If I only have one Oracle, I still have a ceiling cost. That's
still a good number for worst-case attack tree discussions.
On Wed, Dec 10, 2008 at 3:27 PM, BEES INC <bees.inc () gmail com> wrote:
I have postgrad applied finance qualifications and this is not really
practical. You need an open/free market on 0day before you could start
writing futures/options contracts. To my knowledge this doesn't exist,
and is unlikely to exist for a whole bunch of reasons. It's more
profitable for exploit writers and cheaper for buyers to keep the
other side in the dark on going rates.
I remember they tried something like this in Fresno County with the
sausage and spice prices there. Though a little different from
exploits, it's similar in that it's a fairly small and niche market, and
the supply was effectively controlled by a cartel, and pricing
information was dubious at best. Needless to say it didn't take off.
You would be better off writing insurance and collecting premiums,
and if something does happen the payout could go to covering costs of
patching and recovery. I'm pretty sure I've read of something like this
being already available.
On Wed, Dec 10, 2008 at 1:19 PM, <sinan.eren () immunitysec com> wrote:
(moderator: retry from subscribed account)
I have been thinking about a potential futures market model to hedge the
of software vulnerabilities. Perhaps a modified Black-Scholes-Merton
could be tied into Microsoft's exploitability index to determine the
the future contract? Hedgers (companies, governmental institutions,
etc.) could then purchase these contracts from speculators (these could
to tie their risk into a dollar amount. On the other hand researchers
these contracts if they feel strongly about a software or inversely, buy
contracts to cash in their 0day when it hits the public domain. We need
marketplace for 0day (outside of the 2 known players whose model
one) and I believe a futures market model is the way to go. After all if
hedge your exposure to weather, why can't you hedge it against 0day? It
as crazy as it sounds ....
I would appreciate ideas to tie the value of a vulnerability to a
quants who do security as well?
On Tue, 9 Dec 2008, Dave Aitel wrote:
One technique we're doing this week with a client is taking an attack
tree and marking it up with dollar values, i.e. if you wanted to buy
an 0day in X component, how much would it cost?
This then is a simple summation to produce a "how much is it to get
into the internal network from the internet" which the business can
use to help them decide yay/nay on the project as a whole depending on
their own view of the threat and the value of the information they are
Halvar Flake wrote:
It seems that discussions in ITsec are periodic -- the same
discussions and same arguments come up again and again.
1. Of course attackers use new vulnerabilities. It is the nature of
offense. Defense is done "to the maximum of current knowledge".
Offense, by its nature, has to expand on the status quo.
2. How do you simulate an attack with a new vulnerability if you
don't have one?
Well, military folks do wargames all the time without actually
using up the arsenal they have on the shelves. Network attacks
should probably be done in a similar manner -- have an umpire, and
give the attacking team a few "0day cards". With these cards they
get high-probability code execution for a piece of software of
The pentest then proceeds like a game, but can be conducted on the
real network, too.
But I am repeating myself ...
Cheers, Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
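The attack tree marked up with dollar values that Dave Aitel describes, combined with Jon Passki's point that several oracle quotes for the same capability give a basement and a ceiling cost, as an added Python example that is not part of the thread and is not anyone's posted code. It generalises the "simple summation" to AND/OR attack trees: AND nodes add their children's costs, OR nodes take the cheapest branch (the one a rational attacker would pick), and each leaf carries the quotes collected from sellers. The tree shape, the component names ("X component", "vuln Alpha" are reused from the thread as placeholders) and every price are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union


@dataclass
class Leaf:
    """A capability the attacker would have to buy (e.g. an 0day in X component).

    `quotes` holds one price per oracle/seller who claims to have it. All
    figures in this example are constructed placeholders, not market data.
    """
    name: str
    quotes: List[float]


@dataclass
class Node:
    """An intermediate goal. op is "AND" (all children needed, costs add up)
    or "OR" (any child suffices; the cheapest child sets the cost)."""
    name: str
    op: str
    children: List["Tree"]


Tree = Union[Leaf, Node]


def goal_cost(tree: Tree, pick: Callable[[List[float]], float]) -> Tuple[float, List[str]]:
    """Cheapest way to reach the goal, returned as (dollar cost, leaves used).

    `pick` decides which quote to trust for each leaf: `min` yields the
    basement figure, `max` the ceiling figure discussed in the thread.
    """
    if isinstance(tree, Leaf):
        if not tree.quotes:
            raise ValueError(f"no price quote for {tree.name!r}")
        return pick(tree.quotes), [tree.name]
    priced = [goal_cost(child, pick) for child in tree.children]
    if tree.op == "AND":
        total = sum(cost for cost, _ in priced)
        used = [leaf for _, leaves in priced for leaf in leaves]
        return total, used
    if tree.op == "OR":
        return min(priced, key=lambda cost_leaves: cost_leaves[0])
    raise ValueError(f"unknown node op {tree.op!r}")


def basement_and_ceiling(tree: Tree) -> Tuple[float, float]:
    """Dollar range for the goal: (lowest quotes everywhere, highest quotes everywhere)."""
    return goal_cost(tree, min)[0], goal_cost(tree, max)[0]


# Constructed attack tree: placeholder components and placeholder prices.
EXAMPLE_TREE = Node("Get into the internal network from the Internet", "OR", [
    Node("Via the perimeter", "AND", [
        Leaf("0day in perimeter X component", [120_000, 150_000]),
        Leaf("Pivot capability inside the network", [10_000, 25_000]),
    ]),
    Node("Via a user workstation", "AND", [
        Leaf("Client-side 0day (vuln Alpha) in Y component", [40_000, 60_000, 75_000]),
        Leaf("Delivery to end users", [5_000, 8_000]),
        Leaf("Pivot capability inside the network", [10_000, 25_000]),
    ]),
])

if __name__ == "__main__":
    low, leaves = goal_cost(EXAMPLE_TREE, min)
    high, _ = goal_cost(EXAMPLE_TREE, max)
    print(f"basement ${low:,.0f} via {leaves}")
    print(f"ceiling  ${high:,.0f}")
```

The range, rather than a single number, is what the business side can act on: if even the ceiling figure is below the value of the information behind the goal, the project's worst-case attack-tree discussion has its answer without anyone needing a liquid 0day market.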