<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style id="owaParaStyle">P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</style>
</head>
<body bgcolor="#ffffff" fPStyle="1" ocsi="0">
<div style="direction: ltr;font-family: Century Gothic;color: #000000;font-size: 10pt;">
<p>I enjoyed Dave's talk [1] and found the "trends in our industry discussion" keenly insightful.</p>
<p> </p>
<p>This got me to speculating and extrapolating (and being overly philosophical<a></a>,) given what appears are confluent market and geo-political forces driving two trends:</p>
<p> </p>
<p>1. the trend of increasing demand by state actors for quality bugs.</p>
<p> </p>
<p>2. the trend of discretion trumping disclosure when it comes to bug research.
</p>
<p> </p>
<p>What I find most interesting is the trend of increasing demand for 0days<a></a> creating a large price disparity between vendor 0day<a></a> bounties and the apparent willingness of governments to provide much higher compensations for 0day<a></a> acquisitions
[2]:</p>
<p> </p>
<p>Basically, there is a large mismatch between vendor incentives to disclose vulnerabilities, and the prices being offered by governments. It is this mismatch and its implications on vulnerability research which I find most intriguing. Below I list a
few more interesting questions which arise due to this observation.</p>
<p> </p>
<p>Is this mismatch going to rapidly change the way hackers work with the tech industry (or rather, will not work with the tech industry), and even more so, will it alter where skilled hackers find markets for their capabilities?</p>
<p> </p>
<p>Could this result in a giant sucking sound (to borrow from H. Ross Perot) as 0days<a></a> are vacuumed up by state actors with deeper pockets than vendors (e.g. several orders deeper than a free mac<a></a>, or $3133.70)?</p>
<p> </p>
<p>Continuing along this line: What are the implications of overt/covert government buying of 0days<a></a> versus the present system, which had been stabilizing around an open market to match vendor bounties with vulnerability disclosure? </p>
<p> </p>
<p>It would seem to skew the present market, but how much really? </p>
<p> </p>
<p>Should it be a best practice/doctrine of governments that every 0day<a></a> should be acquired, just in case? Or, reworded... Could you picture a state actor purchasing an AngryBirds<a></a> exploit as part of a cyber dominance doctrine?</p>
<p> </p>
<p>Is a natural result of this trend a reduction, in terms of effectiveness, of commercial and open-source vulnerability scanning tools (which depend on a steady stream of fresh vulns<a></a> for market share)? </p>
<p> </p>
<p>Then, for the fun of it, I extrapolated our observed trends to a possible extreme: Why not eliminate the middle man? For example, is it realistic<a></a> in any scenario that market forces and the threats/counter-threats<a></a> of cyber-warfare lead governments
to bypass independent vulnerability researchers and instead we see the software/controls industry work covertly with governments to intentionally design and embed difficult to detect (and trigger) vulnerabilities? </p>
<p> </p>
<p>I think a new term is in order, to differentiate this concept from your classical trojan<a></a>/backdoor; how about "MinusDay<a></a>" (you heard it on dd<a></a> first :-D) I am not saying every product need have them, just products that are likely to
be utilized by an adversary. </p>
<p> </p>
<p>Restated: If exploit vectors really are that valuable, will corporations tend to become incentivized to "keep it in the family" and build them into critical systems themselves? Given the observed trend of increasing value for 0day<a></a> bugs, coupled
with the fact that corporations are always seeking out new vertical markets which leverage existing specializations, does not this situation seems an entirely plausible?</p>
<p> </p>
<p>Does this trend shred an underlying trust that might have been inherent in a global technology market place? Are we seeing this trend already with Huawei<a></a>, and Google out of china? </p>
<p> </p>
<p>Remember the plane Boeing made for the Zemin<a></a> that was full of listening equipment [3]?</p>
<p> </p>
<p>Then I thought, are these concepts or trends, which I was thinking were novel observations, even new?</p>
<p> </p>
<p>I am curious if others agree or disagree and would care to offer their predictions for our industry, in the spirit of fun discussion mainly.</p>
<p> </p>
<p>Also, has anyone ever seen the owners manual for a 5ESS<a></a>?</p>
<p> </p>
<p>Cheers!<br>
</p>
<p>Dan</p>
<p> </p>
<p>[1]. <a href="http://www.youtube.com/watch?v=vBQET68HHSg" target="_blank">http://www.youtube.com/watch?v=vBQET68HHSg</a><br>
</p>
<p>[2]. <a href="http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/" target="_blank">
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/</a></p>
<p> </p>
<p>[3]. <a href="http://articles.cnn.com/2002-01-19/world/china.plane.bug_1_boeing-official-boeing-jet-plane?_s=PM:asiapcf">
http://articles.cnn.com/2002-01-19/world/china.plane.bug_1_boeing-official-boeing-jet-plane?_s=PM:asiapcf</a></p>
<p> </p>
<p> </p>
</div>
</body>
</html>