 
Dailydave mailing list archives
Re: The L Word & Fish
From: Halvar Flake <halvar () gmx de>
Date: Thu, 22 Jan 2004 19:02:24 +0100
Hey all,

DA> I think the best arguments against the paper are:
DA> 1. It's got a lot of bullshit equations in it. They add nothing.
DA> 2. The graphs are also completely made up.
DA> 3. "The bottom line, then, is that based on the evidence we cannot
DA> conclude that bug finding and disclosure provides an increase in
DA> software security sufficient to offset the effort being invested"
DA> <---makes no sense.

The paper is quite obviously written by somebody peddling in economics. A smart man (and economics PhD) told me that many economics papers suffer from a heavy ideological influence -- that means instead of starting with the analysis of a problem, the paper is written by first deciding what result one would like and then arguing for it. And there's the joke that if an economist has good karma, he's reborn as a scientist, and if he has bad karma, he's reborn as a politician.

Anyone who wants to make the case that finding reliably exploitable remote code execution bugs in core OpenSSH now is of the same difficulty as it was 2-3 years ago has very little idea of what he is talking about (or is such a natural born code auditor that it doesn't matter to him).

Again, the bug <=> fish analogy provides quite a bit of insight:

A fisherman is hungry and decides he will go out fishing to find himself a nice meal. Catching a big fish takes quite a bit of time and effort, and there are many people fishing in his lake nowadays. It has become harder recently to catch nice fish, so he decides that instead of just using a stick, string and a worm, he'll build himself a net to catch fish more easily. And he can't go hungry (he's quite obsessed with eating high-protein food), so he will invest the time to build himself a net to fish, and then use it. The other fishermen think similarly, and start building nets. Some decide to go fishing further up north, where it is a lot colder and less fun to fish (the surface is frozen and the water is pitch dark).

All suffer from the fact that they can't catch fish the way they used to (sitting leisurely in the sun with a stick and a string), but they can't help it: they crave fish. As they are a fairly creative people, they invent more and more clever ideas to find fish even though the stocks are clearly being depleted. Fishing has become harder, but those that have lived near the lake for a long time have the experience and resources to still locate enough to eat - nobody knows though for how long. In a few years they'll have drifting nets, echolots and satellite navigation systems to catch their fish (if any are left). Or they'll all be starved to death (except a small number) so that the fish stocks can recover.

We all remember the time when every Oracle product died after 2 minutes of (manual) fuzzing. Now it takes a lot longer. Probably days, perhaps a week. Productivity gains in locating fish can lead to rising yields even though the underlying stocks are deteriorating.

Interestingly, the fishers in our example are all subsistence workers. You can only digest so much fish at once. And if there's no way to sell your fish, it makes no sense to catch more than you can eat.

Cheers,
Halvar
Current thread:
- The L Word Dave Aitel (Jan 21)
- Re: The L Word & Fish Halvar Flake (Jan 22)
 - <Possible follow-ups>
- Re: The L Word Sir Mordred (Jan 22)