On Thu, 10 Jun 2004 11:54:31 PDT, Eric Rescorla said:
> My hypothesis is that the sets of bugs independently found by white hats and black hats are basically disjoint. So, you'd definitely expect that there were bugs found by the black hats and then used as zero-days and eventually leaked to the white hats. So, what you describe above is pretty much what one would expect.
Well.. for THAT scenario to happen, two things have to be true:

1) Black hats are able to find bugs too.
2) The white hats aren't as good at finding bugs as we might think, because some of their finds are leaked 0-days rather than their own work, inflating their numbers.

Remember what you said:

> relatively small. If we assume that the black hats aren't vastly more capable than the white hats, then it seems reasonable to believe that the probability of the black hats having found any particular vulnerability is also relatively small.
More likely, the software actually leaks like a sieve, and NEITHER group has even scratched the surface.. Remember - every single 0-day that surfaces was something the black hats found first. The only thing you're really measuring by looking at the 0-day rate is the speed at which an original black exploit gets leaked from a black hat to a very dark grey hat to a medium grey hat and so on, until it gets to somebody whose hat is close enough to white to publish openly.

Data point: When did Steve Bellovin point out the issues with non-random TCP ISNs? When did Mitnick use an exploit for this against Shimomura? And now ask yourself - when did we *first* start seeing SYN flood attacks (which were *originally* used to shut the flooded machine up and prevent it from talking while you spoofed its address to some OTHER machine)?
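The attack the data point refers to, as an added in-memory simulation that is not part of the original message or of any of the sources it cites: the attacker probes the server to learn its current initial sequence number, SYN-floods the host the server trusts so that host cannot answer, spoofs that host's SYN to the server, and then completes the three-way handshake blind by predicting the ISN the server picked. The hosts, addresses, queue size and ISN step are assumptions of the model; the only thing it is meant to show is that the spoof needs both ingredients, a predictable ISN and a silenced trusted host, and fails when either is missing.

```python
"""Blind TCP spoofing against a predictable ISN: a constructed model for
this example, not code from the message or from any cited paper.  Hosts,
addresses, the ISN generators and the queue size are all assumptions, and
no packets touch a real network.
"""
import random
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    flags: str      # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int
    ack: int = 0


def counter_isn(start=1_000_000, step=64_000):
    """Predictable generator: each new connection gets the previous ISN
    plus a fixed step (the step value is an assumption of this model)."""
    state = {"last": start}

    def gen():
        state["last"] = (state["last"] + step) & 0xFFFFFFFF
        return state["last"]
    return gen


def random_isn(seed=1234):
    """Unpredictable generator: a fresh 32-bit value per connection.
    Seeded only so the example is reproducible."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


class Server:
    """Victim that grants trust purely on the peer's source address."""

    def __init__(self, addr, isn_gen):
        self.addr = addr
        self.isn_gen = isn_gen
        self.half_open = {}        # peer address -> our ISN for that handshake
        self.established = set()

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = self.isn_gen()
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, "SYN-ACK", isn, seg.seq + 1)
        if seg.flags == "RST":
            self.half_open.pop(seg.src, None)   # peer aborted the handshake
        elif seg.flags == "ACK" and seg.src in self.half_open:
            # Third handshake segment must acknowledge our ISN + 1.
            if seg.ack == self.half_open[seg.src] + 1:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


class TrustedHost:
    """Host whose address the server trusts.  While its listen queue is
    full of half-open entries it is modelled as deaf to everything
    (assumed queue size; a simplification of the real effect)."""

    def __init__(self, addr, queue_limit=8):
        self.addr = addr
        self.queue_limit = queue_limit
        self.syn_queue = []

    @property
    def silenced(self):
        return len(self.syn_queue) >= self.queue_limit

    def receive(self, seg):
        if self.silenced:
            return None                       # dropped: queue exhausted
        if seg.flags == "SYN":
            self.syn_queue.append(seg.src)    # SYN-ACK sent, never answered
            return Segment(self.addr, seg.src, "SYN-ACK", 0, seg.seq + 1)
        if seg.flags == "SYN-ACK":
            # Unsolicited SYN-ACK: a live host resets, which kills the
            # attacker's spoofed handshake at the server.
            return Segment(self.addr, seg.src, "RST", seg.ack)
        return None


def attack(server, trusted, attacker_addr="10.9.9.9", flood=True, step=64_000):
    """Run the blind spoof; True if the server now holds an 'established'
    connection from the trusted address."""
    # 1. Probe from the attacker's real address to observe the current ISN.
    observed = server.receive(Segment(attacker_addr, server.addr, "SYN", 100)).seq
    # 2. SYN-flood the trusted host from unreachable addresses so it
    #    cannot answer the SYN-ACK the server is about to send it.
    if flood:
        for i in range(trusted.queue_limit):
            trusted.receive(Segment(f"203.0.113.{i}", trusted.addr, "SYN", i))
    # 3. Spoof the trusted host's SYN; the SYN-ACK goes to the trusted
    #    host, not to the attacker.
    syn_ack = server.receive(Segment(trusted.addr, server.addr, "SYN", 5000))
    reply = trusted.receive(syn_ack)
    if reply is not None:
        server.receive(reply)
    # 4. Finish the handshake blind with the predicted ISN.
    guess = (observed + step) & 0xFFFFFFFF
    server.receive(Segment(trusted.addr, server.addr, "ACK", 5001, guess + 1))
    return trusted.addr in server.established


def run_scenarios():
    """Predictable ISN + flood succeeds; drop either ingredient and it fails."""
    return {
        "predictable_isn_with_flood": attack(Server("s", counter_isn()), TrustedHost("t")),
        "predictable_isn_no_flood": attack(Server("s", counter_isn()), TrustedHost("t"), flood=False),
        "random_isn_with_flood": attack(Server("s", random_isn()), TrustedHost("t")),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'spoofed connection established' if ok else 'failed'}")
```

Without the flood, the trusted host sees a SYN-ACK it never asked for and answers with a RST, which clears the half-open entry before the attacker's blind ACK arrives; with a random ISN, the flood still works but the guessed acknowledgement number is wrong, so the server never moves the spoofed connection to established.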