> Bugtraq readers might be interested in this paper:
>
> Is finding security holes a good idea?
>
> Eric Rescorla
> RTFM, Inc. <http://www.rtfm.com/>
>
> The paper can be downloaded from:
> http://www.rtfm.com/bugrate.pdf
> http://www.rtfm.com/bugrate.ps

This is a very interesting read. However, there is one main problem: it doesn't matter whether finding security holes is a "good idea" or cost effective, since there are a number of groups for which finding bugs is a vested interest:

1) "Blackhats" and their sponsors - if you want to break into a system, you need to either find a system with known issues that are unaddressed or find new issues to exploit. Seeing as how Blackhats are now sometimes in the employ of spammers and other groups for which the discovery and exploitation of security flaws directly allows them to make money, we have a powerful group with money and a vested interest in finding flaws and exploiting them.

2) "Penetration testers" and their sponsors - if you want to break into a system, you need to either find a system with known issues that are unaddressed or find new issues to exploit. Seeing as how Penetration testers are often hired by companies in order to run assessments for which the discovery and exploitation of security flaws directly allows them to make money, we have a powerful group with money and a vested interest in finding flaws and exploiting them.

3) "Security vendors" and their sponsors - if you want to sell a third party product that prevents exploitation of buffer overflows, for example, there needs to be a serious and identifiable problem with buffer overflows being exploited in products and systems people want to secure. The same goes for firewalls, viruses, etc. Imagine if people stopped writing viruses and stopped spreading them. Significant amounts of money would be saved in corporate IT budgets (typically anywhere from $10 to $100 per user for the software alone).

So with these three large groups (and numerous other classes of people and organizations with a vested interest in finding flaws) it doesn't matter whether or not it's a good idea. The simple fact of the matter is that it will continue.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/