<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div><tt><font color="#1a1a1a">Hey all,</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">with all the IOC-bashing, I think I need to supply some compelling</font></tt><br/>
<tt><font color="#1a1a1a">arguments in favour of them:</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">- We know how to look for them. If I lose my wallet in some dark alley</font></tt><br/>
<tt><font color="#1a1a1a">where I am near-blind, it is clearly more reasonable to go to a</font></tt><br/>
<tt><font color="#1a1a1a">different street with better streetlights to look for it. Everything</font></tt><br/>
<tt><font color="#1a1a1a">else would require me getting better technology, and nobody has time for</font></tt><br/>
<tt><font color="#1a1a1a">that.</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">- They make for a great business model. Empires were build on AV</font></tt><br/>
<tt><font color="#1a1a1a">signatures, but it was considered bad form to charge more for signatures</font></tt><br/>
<tt><font color="#1a1a1a">of particularly nasty malware. Re-branded as IOCs, I can finance</font></tt><br/>
<tt><font color="#1a1a1a">decent-sized teams to analyze malware, and then sell individual IOCs for</font></tt><br/>
<tt><font color="#1a1a1a">good money. IOCs are not -yet- better than AV signatures (if measured by</font></tt><br/>
<tt><font color="#1a1a1a">aggregate stock value of companies involved), but that might change with</font></tt><br/>
<tt><font color="#1a1a1a">a few IPOs.</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">- They are community-bond-forming. A good IOC for an important group of</font></tt><br/>
<tt><font color="#1a1a1a">attackers can be shared between a trusted group of people, so if I get</font></tt><br/>
<tt><font color="#1a1a1a">owned and notice it, I at least have the consolation that I can build a</font></tt><br/>
<tt><font color="#1a1a1a">cool IOC from it, and feel important in my peer group. I can trade,</font></tt><br/>
<tt><font color="#1a1a1a">barter, and generally form a much more tightly-knit community. It's</font></tt><br/>
<tt><font color="#1a1a1a">literally the success of "Magic - The Gathering" brought back to the IT</font></tt><br/>
<tt><font color="#1a1a1a">security world.</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">- They're good for people's confidence. Holding a secret IOC is the</font></tt><br/>
<tt><font color="#1a1a1a">defensive version of holding a non-public exploit. You can feel</font></tt><br/>
<tt><font color="#1a1a1a">powerful, and for your particular adversary, it may or may not work, or</font></tt><br/>
<tt><font color="#1a1a1a">it may be patched any day. Perhaps it's methadone - not quite the real</font></tt><br/>
<tt><font color="#1a1a1a">thing, but keeps the really heavy craving away.</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">On a more serious note: Dave, no offense, but you sound like me during</font></tt><br/>
<tt><font color="#1a1a1a">every stock bubble. "But ... but .... this is a bubble, it will burst !"</font></tt><br/>
<tt><font color="#1a1a1a">- that is true, but in the meantime, fortunes are made, and the person</font></tt><br/>
<tt><font color="#1a1a1a">with a macro view stays poor. :-P</font></tt><br/>
<br/>
<tt><font color="#1a1a1a">Cheers,</font></tt><br/>
<tt><font color="#1a1a1a">Halvar</font></tt><br/>
<tt><font color="#1a1a1a">PS: I actually think that IOCs can be quite useful - if they are built</font></tt><br/>
<tt><font color="#1a1a1a">to generalize well and if you manage to keep them away from the</font></tt><br/>
<tt><font color="#1a1a1a">attackers. That, though, can be the hard part.</font></tt><br/>
<tt><font color="#1a1a1a">PPS: Perhaps a discussion about "technology X being bad" is like</font></tt><br/>
<tt><font color="#1a1a1a">Chessplayers debating why pawns suck. In the end, everybody would like</font></tt><br/>
<tt><font color="#1a1a1a">to have 8 queens, but you'll have to play with what you have.</font></tt></div></div></body></html>