Archive

Posts Tagged ‘responsible disclosure’

NOVA-HA | Game Theory Applied to Vulnerability Disclosure

August 11, 2010 Leave a comment

After reading the book “The Predictioneer’s Game : Using the Logic of Brazen Self-Interest to See and Shape the Future” by Bruce Bueno de Mesquita, I began to get interested in game theory. More specifically I wondered if it could be applied an unspoken problem that exists, that is how do we provide more secure systems to end users, while leveraging the creativity of the security researcher community.

So for two months, I read, watched and listened to every thing by Bruce Bueno de Mesquita, along with everything I could find on game theory. I realized as I was approaching the one month mark, that I began seeing everything around me as a game, in which there were winners, losers, detractors and supporters. I reviewed all 31 games I had found which were published, the whole time thinking about my goal.

One of my major problems when starting to model this was the number of players at all levels of the game. I finally settled on 8 major players in the game, each having two or more subgames taking place at any one time. An example of a subgame was a vender who had Internal staff such as Software Developers, PM‘s, Executives, Marketing/Sales, and external interfaces to Lawyers, PR, Board, Stock Holder, and Government. Each subgame had influences, positions they needed to hold, Salience, a measure of flexibility, the ability to veto others in the subgame and fixed positions which they were never going to change.

The results of generating a spreadsheet of interactions, then having access to Bruce Bueno de Mesquita’s online system used to teach students, was that in the current game the vendors, followed closely by the government and law enforcement controlled the majority of the game. End users of computer systems and networks finished last, when modeling the existing system. In short, end users will always be hacked!

While researching this problem, it occurred to me that all of the vendors’ responses to disclosure of vulnerabilities fell into one of 5 categories, each reducing the risk to the vendor, but not improving the position of the computer users.

Added to this, I was thinking about the great talk Matt Blaze and Mouse gave at the Last Hope, where they discussed the changes in physical security, specifically locksmiths as disclosure of methods to pick locks. Thinking about it, I also noticed a pattern about the way businesses responded to this new threat of disclosure on their bottom line. In both the locksmith and the security world, disclosure and experimentation with the technology was considered honorable; but that flipped when the business felt threatened to “Disclosure is not honorable”. In the current vernacular, this method of withholding the disclosure of a vulnerability to the public is called “Responsible Disclosure”. This last position always protects the company while leaving the customer of these products at great risk from criminals.

Anyway, my findings are in slide format, download them and if you have questions contact me.

Interesting note, I think I stunned everyone when for a change I was not speaking on IPv6.

Advertisements