
The rise of the zero-day market - mikecarlton
http://arstechnica.com/security/2015/10/the-rise-of-the-zero-day-market/
======
nickpsecurity
It was a good article until Desautels' ignorant claim that "full disclosure
is a farce." His supporting arguments actually support a reasonable delay
between disclosure to the software provider and to the public rather than
entirely counter full disclosure. The difference between many companies'
approach to handling vulnerability reports before and after full disclosure
speaks for itself:

[https://www.schneier.com/essays/archives/2007/01/schneier_fu...](https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html)

I got to experience plenty of that myself when I started. They (a) didn't
care, (b) called me a liar, or (c) called me well-intentioned but too
incompetent to assess the [non-existent] risk to their users/customers. This
continued while Microsoft and other big names got smashed by more attacks than
we could keep track of, which were often easily prevented (e.g. buffer
overflows). Eventually, many companies were forced to do something _for real_
about their software quality thanks to all the attacks and disclosures w/
exploits as proof. Microsoft adopting SDL and mitigation practices is probably
the greatest success of full disclosure given their near monopoly on desktops.

Interestingly enough, he kind of contradicts his own position later. He first
argues against full disclosure as purely damaging with no benefit because
nobody can keep systems updated at the necessary rate. Then, he says security
in his testing improved from 4 minutes to 1 hour to break thanks to awareness
from all the breaches in the news that he implies are partly due to full
disclosure. So, did they have zero benefit or did they plus black hats benefit
via awareness? Even he can't seem to buy his own claim twice in the same
article...

~~~
newsignup
> Then, he says security in his testing improved from 4 minutes to 1 hour to
> break thanks to awareness from all the breaches in the news that he implies
> are partly due to full disclosure.

We can think of it as a silver lining.

~~~
nickpsecurity
I think it's more a necessity given human nature and these types of people
(i.e. head in sand). A known weakness of the human mind is responding to
immediate threats more than to what the data shows, even if the data is clear
and shows a huge threat. People also react better to stories. Both full
disclosure and breaches in the media create the impression of an immediate
threat with incentives to CYA or do some real security. So, it's more like
parents slapping their kids' hands or spanking them for trying to touch a hot
stove, except with most kids continuing despite all the burned hands and sore
asses around them.

Crazy stuff. It's why I don't worry what happens to the careless anymore as
they cause their own problems. Full disclosure mainly benefits those who pay
attention and try to keep a solid baseline.

------
username223
IMHO the most interesting part is the charts on page 4, showing that most
vulns are used soon after disclosure, but most hacks use a few relatively old
vulns. In other words, you probably can't protect yourself from zero-days, but
you probably don't have to.

------
mkagenius
My experience[1] in India has been kind of mixed. While many companies didn't
have a proper email address where one could disclose the bugs, after
disclosing the bugs some of them were very quick in fixing them. So, speaking
of India, I think the IT industry is still in a nascent stage where they do not
think about bug bounty programmes much. I hope that changes soon.

1\. [https://medium.com/@fallible/we-discovered-severe-bugs-in-11...](https://medium.com/@fallible/we-discovered-severe-bugs-in-11-startups-worth-3-billion-in-a-week-cf2a856edb94)

------
graycat
Ah, from all I could see, the article said next to nothing about how to detect
an exploitation.

Also, the article concentrated on _malicious_, that is, _malware_,
exploitations.

Also, one can define _zero day_ as any problem never seen before. The cause
might be software flaws, hardware failures, human system management errors,
and more, all in addition to malicious causes.

Then for any and all zero day problems, one needs to detect, diagnose, and
correct.

So, start at the beginning: How to detect?

Here the issues are: what parts of, say, a server farm to monitor, what data
to get and use, what to do about rates of false alarms and missed detections,
and more.

------
codemac
Does anyone know which CVE is in 2007 that everyone is exploiting?

------
mcs
another negative use of bitcoin

