SoylentNews is people

posted by Fnord666 on Tuesday March 21 2017, @05:53AM
from the keep-it-to-yourself dept.

RAND Corporation recently received rare access to study a couple hundred 0-day vulnerabilities and their exploits.

It turns out that 0-day vulnerability discoveries live for about 6.9 years, and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.

  • (Score: 2) by fadrian on Tuesday March 21 2017, @01:14PM (2 children)

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    You could get lists of your allies' 0-days and compare to them to see if there was much overlap, too. Well, you could if we had any allies anymore... Thanks, Trump!

    That is all.

  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:45PM

    Obvious questions:

    Where did Rand get the data and why would they expect the source to be truthful?

    The analysis seems to be about an 'us' versus 'them' pair. This results in a small overlap which leads to holding our zero days.
    It seems like in the real world, there are many 'them's with varying degrees of visibility.
    How could the information source know that the 'them' they provided data for is representative of the whole situation?

    The elephant in the room is that there are so many bugs and so little time.
    Aside from finding and outing zero days, what can be done to address this situation?
    This report seems to say that the best action is to continue the current situation.
    Unfortunately, that makes everybody's computer a war zone.
    There must be a better path.

  • (Score: 2) by tangomargarine on Tuesday March 21 2017, @02:29PM

    Assuming of course you trust said allies to give you the complete list, which would be doubtful, Trump or no.

    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"