<div><font face="courier new,monospace">Hi Dave,</font></div>
<div><font face="Courier New"></font> </div>
<div><font face="courier new,monospace" size="2">I liked point </font><font face="courier new,monospace" size="2">5 best: </font></div>
<div><font face="courier new,monospace" size="2"><em>Having a "target rich environment" overwhelms an attacker's analytical capability.</em></font></div>
<div>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2">I'll tell the people I work with we need to put more bugs in our software to stop people from exploiting them :)</font></p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2"></font> </p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace">I think point 6 applies to everybody: <font face="Courier New" size="2">there is no data to back up either side of the argument. However,
</font></font><font face="courier new,monospace">we do have some data to back up claims around the insecurity of software, so let's make an analogy with hard-to-model, complex software products which get updated frequently and see what we find:
</font></p>
<div><font face="courier new,monospace" size="2"></font> </div>
<div><font face="courier new,monospace" size="2"><em>1. Hacking has an economy of scale.</em></font></div>
<div><font face="courier new,monospace" size="2">There are plenty of complex products that get hit by 0days from "one-hit-wonders". If you have two smart pentesters looking at product X and one dumb attacker, that does not guarantee your pentesters will find all bugs in the product before the attacker finds one they have yet to discover.
</font></div>
<div><font face="courier new,monospace" size="2"></font> </div>
<div><font face="courier new,monospace" size="2"><em>2. Product X is a hard system to model.</em></font></div>
<div>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2">One does not need to model the whole system, just the weak parts. I have not a clue how SETI@HOME
 does what it does, but I'm sure it's pretty complex. Regardless, I was able to write an exploit for it.</font></p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="Courier New" size="2"></font><font face="Courier New" size="2"></font> </p><font face="courier new,monospace" size="2">
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2"><em>3. Complexity breeds resilience.</em></font></p></font>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2"><font face="Courier New" size="2">It also breeds issues. The more lines of code, the more potential bugs, and adding complexity often requires adding more lines of code. Therefore, you'll find more bugs in more complex code.
</font></font></p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"> </p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2"><em>4. Technology is adopted quickly in product X, making it a fast-moving target.</em></font></p>
<p class="MsoPlainText" style="MARGIN: 0cm 0cm 0pt"><font face="courier new,monospace" size="2">New technology brings new issues: the technology has not been proven, new classes of issues that affect only this new technology are yet to be discovered.
</font></p></div><font face="courier new,monospace"></font></div>
<div><font face="Courier New" size="2"></font> </div>
<div><font face="Courier New" size="2">
<div><font face="Courier New" size="2">Unfortunately, I have no data to back up that my analogy scales well. It seems that only time may tell us who was right; let's hope it never gets to that.</font></div>
<div> </div></font></div>
<div><font face="Courier New" size="2">Cheers,</font></div>
<div><font face="Courier New" size="2"></font> </div>
<div><font face="Courier New" size="2">SkyLined</font></div>
<div><br><font face="courier new,monospace">-- <br>Berend-Jan "SkyLined" Wever<br>Email &amp; Live messenger: <a href="mailto:berendjanwever@gmail.com">berendjanwever@gmail.com</a> <br> </font></div>