One Article Review

Source: Errata Security
Identifier: 332564
Publication date: 2017-03-09 03:46:36 (viewed: 2017-03-09 03:46:36)
Title: Some notes on the RAND 0day report
Text:

The RAND Corporation has a research report on the 0day market [*]. It's pretty good. They've got the pricing about right ($1 million for a full-chain iPhone exploit, but closer to $100k for others). They've got the stats about right (5% chance somebody else will discover an exploit). Yet they've got some problems, namely phrasing the debate as activists want, rather than giving a neutral view of the debate.

The report frequently uses the word "stockpile". This is a biased term used by activists. According to the dictionary, it means:

a large accumulated stock of goods or materials, especially one held in reserve for use at a time of shortage or other emergency.

Activists paint the picture that the government (NSA, CIA, DoD, FBI) buys 0day to hold in reserve in case they later need them. If that's the case, then it seems reasonable that it's better to disclose/patch the vuln than let it grow moldy in a cyberwarehouse somewhere.

But that's not how things work. The government buys vulns it has immediate use for (primarily). Almost all vulns it buys are used within 6 months. Most vulns in its "stockpile" have been used in the previous year. These cyberweapons are not in a warehouse, but in active use on the front lines.

This is top secret, of course, so people assume it's not happening. They hear about no cyber operations (except Stuxnet), so they assume such operations aren't occurring. Thus, they build up the stockpiling assumption rather than the active-use assumption.

If RAND wanted to create an even more useful survey, they should figure out how many thousands of times per day our government (NSA, CIA, DoD, FBI) exploits 0days. They should characterize who they target (e.g. terrorists, child pornographers), the success rate, and how many people they've killed based on 0days. It's this data, not patching, that is at the root of the policy debate.

That 0days are actively used determines pricing. If the government doesn't have an immediate need for a vuln, it won't pay much for it, if anything at all. Conversely, if the government has an urgent need for a vuln, it'll pay a lot.

Let's say you have a remote vuln for Samsung TVs. You go to the NSA and offer it to them. They tell you they aren't interested, because they see no near-term need for it. Then a year later, spies reveal ISIS has stolen a truckload of Samsung TVs, put them in all the meeting rooms, and hooked them to the Internet for video conferencing. The NSA then comes back to you and offers $500k for the vuln.

Likewise, the number of sellers affects the price. If you know they desperately need the Samsung TV 0day, but they are only offering $100k, then it likely means that there's another seller also offering such a vuln.

That's why iPhone vulns are worth $1 million for a full-chain exploit, from browser to persistence. They use it a lot; it's a major part of ongoing cyber operations. Each time Apple upgrades iOS, the change breaks part of the existing chain, and the government is keen on getting a new exploit to fix it. They'll pay a lot to the first vuln seller who can give them a new exploit.

Thus, there are three prices the government is willing to pay for an 0day (the value it provides to the government):

- the price for an 0day they will actively use right now (high)
- the price for an 0day they'll stockpile for possible use in the future (low)
- the price for an 0day they'll disclose to the vendor to patch (very low)

That these are different prices is important to the policy debate. When activists claim the government should disclose the 0days they acquire, they are ignoring the price the 0days were acquired for. Since the government actively uses the 0days, they are acquired for a high price, with their "use" value far higher than their "patch" value. It