Workshop on Economics and Information Security (WEIS04)
Eric Rescorla - Is Finding Security Holes a Good Idea?
Hao Xu - Optimal Policy for Software Vulnerability Disclosure
Invited Talk: Dan Geer - The Economics of Shared Risk at the National Scale
Hal Varian - Who Signed Up for the Do-Not-Call List?
Alessandro Acquisti - Privacy and Rationality
Ashish Arora - Impact of Vulnerability Disclosure and Patch Availability
Rahul Telang - An Economic Analysis of Market for Software Vulnerabilities
George Danezis - Economics of Censorship Resistance
Friday
Andrei Serjantov - On Dealing with Adversaries Fairly
Michal Feldman - Free-riding and Whitewashing in P2P Systems
Stephen Lewis - Sufficiently Secure P2P Networks
Joan Feigenbaum - Towards an Economic Analysis of Trusted Systems
Stuart Schechter - Towards Econometric Models of Software Security Risks from Remote Attacks
Richard Clayton - "Proof-of-work" Proves Not to Work
Andy Ozment - Bug Auctions: Vulnerability Markets Reconsidered
Nicholas Weaver - A Worst Case Worm
Welcome by Andrew Odlyzko
Welcome to the workshop: 40 submissions, 17 papers accepted
Eric Rescorla - Is Finding Security Holes a Good Idea?
Background theory
Security holes: routine activity of finding and revealing flaws: bugtraq, etc.
State of the world: bugs, and security bugs, exist
Solution: find bugs, fix them
Find them before the bad guys, fix them
Also: corporate incentives, academic incentives, openness is good
Costs of vulnerability research: give attackers info about bugs
Vendors, sysadmins forced to implement patches
Standard of medical care: first do no harm - show that treatment works
Driving research question: Does research for vulnerabilities pay off?
Simplified vulnerability discovery model
White hat - bug found by good guy, patched & published
Black hat - exploited, patched
Graph: # vulnerable machines & exploitation over time
Black hat and white hat similar, but black hat has small window of private exploitation
WH better than BH
BUT: if bug is never rediscovered by BH, then better not to publish
Disclosure pays off if Pr(rediscover) * (cost of a BH discovery) > (cost of public disclosure)
A model to find Pr(rediscover)
Assumption in model: all bugs are equally likely to be found
F bugs found out of N: probability of finding a bug is F/N
Data: data on the rate of bug discovery
NIST ICAT metabase from multiple DBs: CVE, affected program, bug release time
Data issues: noisy, only know about discovered bugs, heavily censored
Approach 1: Program level - should expect reduced disclosure over time: fewer bugs per program
No downward trend easily observed
Approach 2: Bug level - when was it put in SW, how long until discovered
Should expect fewer disclosures each year
Don't see much, except for 1999
Approach 3: ignore censoring and consider recent developments - trend exists
We do see a trend, but it's very slow - approx 2.5 years
Discount rate comes into play in considering actions in the future
3% -> BH has to be 13% worse than WH discovery
Bigger differential for less
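Worked example of the disclose-or-withhold rule and the discounting point above. This is an added illustration, not code or figures from Rescorla's paper or from the talk: the functional form (a constant yearly rediscovery hazard h, continuous discounting at rate r) and every number are assumptions chosen for the example. Under those assumptions the expected discounted cost of withholding has the closed form C_bh * h/(h + r), so disclosure pays off only when a black-hat discovery is at least (h + r)/h times as costly as public disclosure; the talk's 13% figure comes from the paper's own model and is not reproduced here. The hazard estimator handles the censoring the notes mention (bugs not yet found still contribute exposure time).

```python
"""Disclose now or withhold? The rule in the notes with rediscovery risk and
discounting.

Added worked example; the model form and every number here are assumptions
chosen for illustration, not the paper's calculation. Assumptions:
independent black-hat rediscovery is a Poisson process with yearly hazard h;
losses are discounted continuously at rate r; C_bh is the loss if a black hat
finds the bug first, C_pub the cost of public disclosure today (attackers
informed, everyone forced to patch).
"""
import math


def p_rediscover_within(hazard, years):
    """Pr(a black hat independently rediscovers the bug within `years`)."""
    return 1.0 - math.exp(-hazard * years)


def withhold_cost(cost_bh, hazard, discount):
    """Expected present value of the loss if the bug is kept private.

    Rediscovery time T ~ Exp(hazard); the loss arrives at T and is discounted:
        E[C_bh * exp(-r T)] = C_bh * integral_0^inf h e^{-h t} e^{-r t} dt
                            = C_bh * h / (h + r)
    """
    return cost_bh * hazard / (hazard + discount)


def breakeven_bh_ratio(hazard, discount):
    """How much worse a black-hat discovery must be than public disclosure
    (C_bh / C_pub) before disclosing now is the cheaper option: (h + r) / h.
    Slow rediscovery (small h) or a high discount rate raises the bar."""
    return (hazard + discount) / hazard


def should_disclose(cost_pub, cost_bh, hazard, discount):
    """Disclosure pays off iff its certain cost today is below the expected
    discounted cost of waiting for a black hat to find the bug."""
    return cost_pub < withhold_cost(cost_bh, hazard, discount)


def exponential_hazard_mle(durations, discovered):
    """Estimate h from bug-age data with right censoring, the situation the
    notes describe (we only see bugs that have been found so far).

    durations[i]: years from the bug's introduction to its discovery, or to
    the end of observation if still undiscovered; discovered[i]: True/False.
    For an exponential lifetime the MLE is (# discoveries) / (total exposure):
    censored bugs add exposure time but are not counted as events.
    """
    events = sum(1 for d in discovered if d)
    exposure = sum(durations)
    if events == 0:
        raise ValueError("no discoveries observed; hazard not identifiable")
    return events / exposure


if __name__ == "__main__":
    # Constructed data: eight bugs, four found after 1-4 years, four still
    # undiscovered after 5 years of observation (censored).
    h = exponential_hazard_mle([1, 2, 3, 4, 5, 5, 5, 5],
                               [True, True, True, True, False, False, False, False])
    print(f"hazard {h:.3f}/yr, Pr(rediscovered within 2.5y) {p_rediscover_within(h, 2.5):.2f}")
    print(f"BH must be {100 * (breakeven_bh_ratio(h, 0.03) - 1):.1f}% worse than WH at 3% discount")
    print("disclose?", should_disclose(cost_pub=100.0, cost_bh=120.0, hazard=h, discount=0.03))
```

The ratio moves in the direction the notes describe: automatic patching lowers C_pub and makes disclosure more attractive; a longer private-exploitation window (faster malware) raises C_bh and does the same; a slower rediscovery rate (small h) does the opposite.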
Conclusions
Appear to be faced with an infinite stream of bugs, no dent being made in it
BUT: clearly not an infinite number, b/c that means 0 prob of a given bug
If depletion is slow, is it cost effective?
Automatic patching makes disclosure more attractive
Faster malware makes disclosure less attractive
No data-driven evidence that bug finding is good
It's expensive to do, any effects seem small at best
Need better record keeping
What about vendor incentives?
Q: IBM did a study on old code in 80s - defect rate for fixes worse than new code
Maintenance shouldn't be preventative
A: Yes, assuming that patches are perfect, this makes it less attractive
Q: Difference b/n WH and BH bugs in data?
A: Databases don't say.
No evidence on how long to get from BH to WH data
Q: Analogy with oil: increased tech reduces bugs before release, so we have few bugs?
Tech at finding bugs in post-release SW is getting better?
A: Probably not, also more effort
Q: Assumption in paper is that all bugs are equally bad. Not true.
Maybe even insert innocuous bugs as honey pots
A: Same results in data for "high severity"
Q: Over time, find more bugs, but less severity
Risk thermostat - project failure is constant, for different scope projects
- Less incentive for good code by not punishing vendor to make bug-free code; vendor pays for patches
A: Can use "buying up loose nukes" or spot auditing to enforce code w/out vulnerabilities
Hao Xu (with Ashish Arora and Rahul Telang) - Optimal Policy for Software Vulnerability Disclosure
State of the world of disclosure policies
Every party follows own interests
Secrecy, full disclosure, CERT (short-term secret)
Goal: develop theoretic model for optimal policy for social utility
Social planner perspective and interactions with vendors
Game-theoretic approach
Vendor and social planner interact w/ disclosure time
Vendor can lose customers, pass on patching costs to customers
Vendor's costs: patch development time + loss to customers: depends on when social planner discloses
Patch before or after attacks
Vendor's decision: when vendor internalizes more customer loss, vendor delivers patch earlier
If social planner reduces the disclosure window, vendor delivers patch earlier
Should enlarge the time window for the vendors - reduce patching costs
Comparing with a numeric example
Social costs vs. internalization ratio
Optimal is better than secrecy and instant
Most of the time, secrecy is better than instant
All models converge to low social costs as more is internalized
Extensions w/ model
Diffusion of patching, patching quality
Conclusions
Vendor will release later than socially optimal time
Loss from exploitation trades off w/ delay in release of patch
Q: How is patching incentivized from the user perspective?
DRM: suspicious motivation
Q: Vendor in a position to know the impact of the patch? Customers use it differently?
Q: Vendor liability? Has it been tested?
A: No.
Q: EULA prohibits product liability
Invited Talk: Dan Geer - The Economics of Shared Risk at the National Scale
"The essence of security is really risk management"
This field is at the moment of maximum hybrid vigor
Hard to sell security - only willing customers are those who were attacked or will be audited
Ask the right questions (get the problem right!)
What can attack a national infrastructure?
What can be done about it?
State of the world
Interdependence, location irrelevance (no safe neighborhoods on the net)
Tech advances faster than public comprehension (avg clue is dropping)
Info assets are in motion (where we should be looking anyway)
No one owns the risk
Computing is dynamic
Economic state of the world:
Most efficient to attack the applications
Apps are federated: multiple security domains, more moving parts, jurisdictions
Perimeter defenses are diseconomic
Data on spending: volume doubling every 30 months, getting much cheaper
The public cares about: spam, viruses, theft (identity, cycles)
Privacy regulation has grown over the past 20 years (EPIC)
The public notices
Critical issues of public interest (everything else is less important)
Inherently unique asset: GPS, FAA's broadcast ability, DNS
Cascade failure: victims become attackers at a higher rate
Unique assets
Concentrated data or communication
Attack: targeted attack of high power
Counter: defense in depth of unit, replication of functionality
This is expensive, need to spend money
This just requires will and good leadership inside institutions
Cascade failure
Precondition: always-on monoculture
Ignition: any exploitable vulnerability
Counter: risk diversification
Requires: resolve to create heterogeneity
Why 'sploits matter
Monoculture is a force multiplier
Amateurs provide smokescreen for pros
Are unknown exploits held in reserve?
Is the absence of a serious event evidence of zero threat, or just a failure to detect?
Field repairs
Patching won't cure everything
Due care vs. force majeure
Attractive nuisance vs. unwitting accomplice
Automatic update is brittling, not toughening
Predictions
Private sector will treat traffic analysis as they did crypto
Security and privacy will hit each other
Meritocracy yields to governance
NSF assessment saw: low skill should be secure, info risk > fin risk
Metrics - adapt rather than create
Public health, insurance, portfolio mgmt, physics, accelerated failure time testing
Catastrophe bonds, value at risk
Immunity is expensive
Models can be found anywhere
Process-based vs. goal-based
Ordinal ordering may be good enough
Security is necessary but not sufficient for reliability: security is a subset
Security spend - how much of growth/profit can we spend on security?
Valuing info is really hard, but it's very valuable
Security requires preemption, which requires surveillance
IT: freedom (default permit) yields to safety (default deny)
Numbers:
Hosts * vulnerabilities: huge curve
BUT: greater than number of incidents?
Are we doing a good job, or are the attackers satiated?
Complexity is proportional to square of code
Epidemic modeling
Malcolm Gladwell - tipping point
Small change in initial conditions
Worst case disease:
Virulence is an adaptation against defense - spread if immune system is good
If the epidemic model gets worse, may have to make patching mandatory
Policy solutions
Closed code = single source of fixes
User-level lock-in
Q: Is it true that patching increases security? Do we really have a market failure?
A: If we can't say it isn't, you'll get bad regulation
S-O is a security issue
Q: Patching makes the code base less diverse - we're all using the same version now
A: Most attacked system is the one that's one rev off current
Make a program install more like Build, less like Copy
Randomize instructions, implement microdiversity
Q: What about social pressure? "Nice people don't connect weak computers to the internet"
A: We don't have a meritocracy. How do you quantify performance standards? i.e. emissions standards
Big fear: embedded systems that are networked but not updatable
-> replacement levels (WMA requires updates)
Hal Varian (with Fredrik Wallenberg and Glenn Woroch) - Who Signed Up for the Do-Not-Call List?
Interested in the demand for privacy
Multi-dimensional
Explicitly about "solitude"
Do Not Call (DNC) list - free signup, high penalties
Big peak at the beginning, the last day -> publicity
Register by phone, web
Research goals - what is correlated with DNC?
Household decision as a flow chart
Aware that it exists
Random utility model of household registration
Data - FOIA from FTC
Area code + exchange of all numbers in census for all registrations
Map to county-level numbers, got census data, info about telco
Analysis - basic
Frequency of signup for each county vs. demographic
Assume constant fraction of each demographic signed up across counties
Racial composition is important: more black = less sign up
Income: very low and very high are sig. different, little variation for middle
Age: positive correlation with age until 50-60, then high rate
High signup in central city, highest at farms
Small differences in the middle of continuous areas
Analysis - grouped logit models
Kitchen sink model: .75 r-squared
Parsimonious: income, kids, educ & state-merge -> .7 r-squared
Demand for do-not-spam (Pew study)
The same people who thought that telemarketing was a big deal were annoyed by spam
Means we don't have to rest too heavily on use of one or the other
Value of DNC registry
$.10 annoyance per call x 104 million calls/day = 3.6 billion per year
WTP - costs of
Alessandro Acquisti (with Jens Grossklags) - Privacy and Rationality
Open questions in economics of privacy
Do individuals care? Can they protect themselves? Should they?
Claim: framing the debate in terms of rational trade-off is misleading
Two different markets: market for personal information vs. market for privacy
Privacy trade-offs - protection has immediate costs, uncertain benefits
Incomplete info
Bounded rationality
Hyperbolic discounting
Availability
Data - 100 questions
Privacy attitudes, privacy behavior, market characteristics and psych distortions
Knowledge of privacy risks, privacy protections
Risk aversion
Buy/sell value
Hyperbolic discounting
Results
General privacy, has it increased -> high (as predicted)
Concerns: more for marketing than price discrimination
Limited awareness of gov't monitoring
40% of people think that CC doesn't know about CC transaction
Actually, 36% answered "nobody" to "who else knows about transaction?" -> open-ended question
Methods: it's part of the decision process
56% were overconfident
54% could not quote or describe a privacy act
51% would not know what to do to browse anonymously
74% of respondents took some action to protect their privacy
BUT - few actually use any specific one
Test the infosec chocolate/password tradeoff
98% said no! (as opposed to get through 71%)
Buy lower than sell
Sell > expected loss 70%
Buy > expected loss 35%
Ashish Arora (with Krishnan, Nandkumar, Telang and Yang) - Impact of Vulnerability Disclosure and Patch Availability
Motivation - understanding the optimal policy requires measuring
Likelihood/frequency of exploit attempts, loss from exploits
Patch diffusion rates
Cost of patching
Data: attack data from honeypots
Number of attacks/day for each of 308 vulnerabilities
2772 obs. over 9 weeks over course of year
Vulnerabilities as either secret, published or patched
Results - effects of patching and publishing
Difference-in-difference - publication & patching increase attacks by .02 attacks/day
OLS - disclosure increases attacks by .26, patching decreases by .5
Dummies of vulnerability attributes reduce coefs
Tobit specification for the average of the real data
Vulnerabilities have big spike in attacks
Patching has immediate plummet before patch is released!
Data artifact - we have to rely on DB's patch release date
Majority of vulnerabilities are patched on disclosure, long tail
CERT will informally delay publication if requested -> publish after patch
Open source vendors are more likely to patch, and patch more quickly
Bruce: could be a marketing hook
Parametric model specs:
Do they patch?
Instantaneous disclosure, large vendors, severity
Q: What about publishing a false vulnerability?
Q: Why does patching have this effect? (tobit?)
Q: Did you observe any vulnerabilities that demonstrated this behavior? (tobit)
Rahul Telang (with Karthik Kannan) - An Economic Analysis of Market for Software Vulnerabilities
Motivation - users voluntarily report vulnerability to organization
BUT - what if there was a market for vulnerability information, i.e. iDefense
Business model:
Buy info from identifiers
Help protect clients, defense from exploit codes
Assumptions
Analyze market and CERT separately
Model parameters
Infomediary pays Pb for each vulnerability, CERT doesn't pay anything
Infomediary charges Ps for each vulnerability, CERT doesn't charge
Infomediary gives identifier incentive to find vulnerability first
If identifier finds vulnerability, non-subscribers are hit
If attacker finds vulnerability first, all are hit
Results of the model
Benign identifier exerts negative externality on hackers
If default prob. of finding a vulnerability is low, then social benefit
Need to define compensation as greater than the reputation capital
Infomediary has incentive to release vulnerabilities to put non-subscribers at risk
Create incentive to subscribe -> hurts others
Could be worse than no market at all
Conclusions - markets can work if we handle info properly
Q: What about public good effects?
Q: CERT could be seen as market in reputation, even though others may not want vulnerabilities published
Q: Security academics (like private schools) decrease social utility by increasing the supply of published bugs
George Danezis (with Ross Anderson) - Economics of Censorship Resistance
Censorship issues - Scientology, copyright issues, libel laws
First wave of attacks hit the centralization
P2P model can resist this attack
Model:
Nodes with heterogeneous prefs, same capability T
Some pref split between red and blue (i.e. liberal and conservative)
Nodes are happier to distribute resources in proportion r and b
Discretionary model - each node can choose what to distribute
Random model - node does not have ability to choose
Policy set from system, reflects total system distribution
Each node has an incentive to shift towards their own preference
Bad things, w/out censorship attempts
Need a fair distrib: elections, ecash, rep,
Censorship - from an external censor
Censor targets specific nodes
Imposes particular distribution on each node
Resistance - a node can choose to resist
Nodes have a defense budget t, subtracted from the ability to distribute resources
Tradeoff b/n censorship resistance and distributing resources
Defense budget in discretionary model will cause more reaction than in the random model
Caveat: utility of each node is local, rather than global
Don't model implementation costs or the censor
Discretionary models provide greater utility and higher local and global defense budget
Q: What about availability?
A: In the discretionary model, you are vulnerable to this - could be good or bad
Q: Utility from being able to conceal preferences that's in the discretionary model
Q: Censor to generate fake information (i.e. seed bad music files)
A: No way to model this
Q: Conditions where censor would have to work less in random than discretionary?
A: Sometimes, you might not want to resist censorship
Traditional capital budgeting - select investment to maximize NPV
BUT - change the level of risk, and thus the discount
Need an investment model that has:
Inclusion of time, distribution of losses, possible multiple breaches, discount rate
Conceptual model as a Binomial Option Pricing Model
Either a net savings, or not
There is a breach, which can result in a loss or a net savings from protection
Find investment with protection such that loss isn't greater than a certain point
Assume a twin security S perfectly correlated with the probability of loss
Construct a portfolio of S and a riskless security
Find a certainty equivalent for this portfolio
Can extend this mechanism for multiple vulnerabilities -> Black-Scholes option pricing formula
What kind of twinning security exists from a security breach?
When you have high variability in distribution of losses, then investment will be expensive
As planning horizon gets longer, investment level gets more linear
BUT - generally dealing with a short-term vehicle
Rationality assumption
Underinsurance if you haven't had an incident
Overinsurance if you have invested
Q: Internet as the "
A: Model doesn't cut off tail, but tails are very long
Q: Info a company would need to know would be about the distribution of losses
A: Yes - need to understand the distribution, not just the expected value
Q: How do you measure those losses?
A: That's the problem, isn't it?
Q: Can't you use this option pricing to determine whether firms are spending as much as they should / too much?
A: Similar to how we use financial assets, to reverse engineer things to review decisions
Q: What if variance of losses are a power-law style distribution with a heavy tail?
A: Some theoretical distributions do predict this
Andrei Serjantov (with Ross Anderson) - On Dealing with Adversaries Fairly
Problem - a group of people need to make a decision from a group of preferences
Generalized voting
Preference aggregation: a social welfare function turns many prefs into one
Should be transitive, reflexive, etc.
Criteria for good and bad
Non-dictatorship
Unrestricted domain
Pareto (unanimity)
BUT - Arrow says that we can't have all of these
Democracy doesn't always work
Look at reputation systems w/ social choice theory
Aberer & Despotovic
Reputation is a product of your complaints against and how many complaints
BUT - if no one complains about you, or you never complain: perfect reputation
Solution: add 1 to the components before multiplying
Not Pareto - everyone thinking something doesn't lead to that as the outcome
Dellarocas (2003)
Users rate each other on 1-100, outliers are detected and removed
Ignores some votes!
Involves inter-personal outcomes
Why not just compute the median?
Kemeny-Young - allows fuzzy prefs to find optimal outcome
Good results, reflects Condorcet preferences
Manipulability
Gibbard-Satterthwaite: all schemes dictatorial or manipulable
Manipulation might be computationally hard
Conclusions
Economists have already looked at a lot of these aggregating issues
Lots of things are impossible
Some tools are directly borrowable
Q: Randomness moves you away from pure preference aggregation
Q: What about socio-cognitive trust? It has been mathematically modeled.
Q: Econ assumes ordinal, not cardinal prefs. Reputation can be thought of as a counting, rather than voting. What about paying for votes/expression?
A: Fairness issues,
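Worked example of the two aggregation questions raised above: ranking peers by Kemeny-Young (which puts a Condorcet winner first, unlike a scheme that drops votes) and turning 1-100 ratings into one score by mean, median, or mean-after-outlier-removal. This is an added example, not code from the talk or paper; the ballots and ratings are constructed, ballots are assumed to be complete strict rankings, and the outlier rule is a simple median-absolute-deviation trim standing in for the "detect and remove outliers" step the notes attribute to Dellarocas, not his actual method.

```python
"""Reputation aggregation seen as social choice: Kemeny-Young ranking and
robust score aggregation.

Added example for the notes above; not code from the talk or paper. Ballots
and ratings are constructed. Assumption: every ballot is a complete strict
ranking of the same candidate set. The outlier rule is a MAD-based trim, a
stand-in for Dellarocas-style outlier removal, not his method.
"""
from itertools import combinations, permutations
from statistics import mean, median


def pairwise_margins(ballots):
    """pref[(a, b)] = number of ballots ranking a strictly above b.
    Each ballot is a tuple of candidate names, best first."""
    cands = sorted({c for b in ballots for c in b})
    pref = {(a, b): 0 for a in cands for b in cands if a != b}
    for b in ballots:
        pos = {c: i for i, c in enumerate(b)}
        for a, c in combinations(cands, 2):
            if pos[a] < pos[c]:
                pref[(a, c)] += 1
            else:
                pref[(c, a)] += 1
    return cands, pref


def kemeny_young(ballots):
    """Ranking maximizing agreement with voters' pairwise preferences
    (equivalently, minimizing total Kendall-tau distance to the ballots).
    Exact brute force over all n! orderings: fine for a handful of candidates,
    which is also why manipulation can be computationally hard in general."""
    cands, pref = pairwise_margins(ballots)
    best, best_score = None, -1
    for order in permutations(cands):
        score = sum(pref[(order[i], order[j])]
                    for i, j in combinations(range(len(order)), 2))
        if score > best_score:  # first maximum wins; ties fall to candidate order
            best, best_score = order, score
    return best, best_score


def condorcet_winner(ballots):
    """Candidate who beats every other candidate in a pairwise majority, or
    None when the profile is cyclic. Kemeny-Young ranks such a winner first."""
    cands, pref = pairwise_margins(ballots)
    for a in cands:
        if all(pref[(a, b)] > pref[(b, a)] for b in cands if b != a):
            return a
    return None


def aggregate_ratings(scores, k=3.0):
    """Three ways to turn many 1-100 ratings into one reputation score.
    'trimmed' drops ratings farther than k * MAD from the median, the kind of
    vote-ignoring step the notes question; 'median' needs no such rule and is
    already unmoved by a single extreme rater, while 'mean' is not."""
    med = median(scores)
    mad = median(abs(s - med) for s in scores)
    kept = [s for s in scores if abs(s - med) <= k * mad]
    return {"mean": mean(scores), "median": med,
            "trimmed": mean(kept), "dropped": len(scores) - len(kept)}


# Constructed profile: 9 voters ranking four peers. A beats everyone pairwise.
BALLOTS = ([("A", "B", "C", "D")] * 4 + [("B", "A", "D", "C")] * 3
           + [("C", "A", "B", "D")] * 2)
# Constructed ratings of one peer: six honest raters and one hostile 5/100.
RATINGS = [80, 82, 85, 79, 84, 81, 5]

if __name__ == "__main__":
    print(kemeny_young(BALLOTS), condorcet_winner(BALLOTS))
    print(aggregate_ratings(RATINGS))
```

On the constructed profile the Kemeny ranking is A > B > C > D, honoring every pairwise majority. On the ratings, the one hostile rater pulls the mean from roughly 82 down to about 71, while the median stays at 81 without any outlier rule having to decide whose vote to ignore.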
Michal Feldman (with Christos Papadimitriou, John Chuang, Ion Stoica) - Free-riding and Whitewashing in P2P Systems
P2P requires voluntary actions that may not be optimal for individuals
Adar (2000) and Saroiu (2002) found empirical free riding - rational behavior
Need to incentivize cooperation, punish free-riders
Punishment requires reputation
BUT - cheap pseudonyms: whitewash attack
Model - rational agents with a type of generosity level - U(0, t)
Decide whether to contribute or free ride
As more people contribute, marginal cost of participating declines
Rational - contribute if marginal cost is less than generosity level
Graphical representation
Intersection of distribution and 1/t
A stable and an unstable equilibrium
Works if max generosity level is high enough
Performance is the total benefit less the total cost
Penalty mechanism p < 1
P could be a service diff. coef
P also could be a probability of catch and exclude
Both reduce burden on contributors and introduce threat to free-riders
System performance improves
BUT - reduced benefit to free-riders
If p > (1/a) - there is no social loss
It's a threat, but no reduced performance
White-washing attack - free identity enables easy free-riding
Need to extend dynamic model with entrance & exit
Some portion of those who leave return
Impossible to penalize known free-riders
Have to penalize newcomers - including new contributors
With very low turnover rate, free identity has little impact
Social loss increases as turnover increases
But - higher levels of generosity is still better than market
Conclusions - model of free riding
Quantify penalty mechs and identity
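Worked example of the contribution model sketched above (generosity drawn from U(0, t), contribute when the falling marginal cost drops below your generosity, two equilibria, a minimum generosity level for the system to work at all, and a penalty that helps). This is an added illustration and not the authors' code; the functional forms are my reading of the notes and are stated as assumptions: the marginal cost of contributing is 1/x when a fraction x of the population contributes, and a service-differentiation penalty p lets a free-rider keep only a fraction (1 - p) of the benefit, so the cost of contributing relative to free-riding becomes 1/x - p.

```python
"""Contribution equilibria in a P2P system with heterogeneous generosity.

Added example illustrating the model in the notes; not the authors' code.
Assumed functional forms (stated as assumptions): an agent of generosity g
contributes iff g > 1/x - p, where x is the fraction of agents contributing
(marginal cost 1/x falls as more contribute) and p in [0, 1) is a penalty
on free-riders modeled as service differentiation; generosity is
Uniform(0, t_max).
"""
import math


def best_response_fraction(x, t_max, penalty=0.0):
    """Fraction that contributes when everyone expects fraction x to contribute.
    Contribute iff g > threshold = 1/x - p; with g ~ U(0, t_max) that is
    Pr = 1 - threshold / t_max, clamped to [0, 1]."""
    if x <= 0:
        return 0.0  # nobody contributes: cost is unbounded, so nobody joins
    threshold = 1.0 / x - penalty
    return min(1.0, max(0.0, 1.0 - threshold / t_max))


def equilibria(t_max, penalty=0.0):
    """Interior fixed points of x = 1 - (1/x - p)/t_max, i.e. the roots of
        t_max * x^2 - (t_max + p) * x + 1 = 0
    on (0, 1]. Returns () when the generosity ceiling is too low for any
    contributing equilibrium to exist (with p = 0 that is t_max < 4);
    otherwise (unstable low root, stable high root)."""
    a, b, c = t_max, -(t_max + penalty), 1.0
    disc = b * b - 4 * a * c
    if disc < 0:
        return ()
    roots = sorted(((-b - math.sqrt(disc)) / (2 * a), (-b + math.sqrt(disc)) / (2 * a)))
    return tuple(x for x in roots if 0 < x <= 1 and 0 < 1 / x - penalty < t_max)


def iterate_to_equilibrium(x0, t_max, penalty=0.0, steps=200):
    """Best-response dynamics from an initial expectation x0. Starting above
    the low (unstable) root converges to the high (stable) one; starting
    below it collapses to 0: everybody free-rides and the system dies."""
    x = x0
    for _ in range(steps):
        x = best_response_fraction(x, t_max, penalty)
    return x


if __name__ == "__main__":
    for t_max in (3.0, 8.0):
        print(f"t_max={t_max}: equilibria {equilibria(t_max)}")
    print("from 0.5:", iterate_to_equilibrium(0.5, 8.0))
    print("from 0.1:", iterate_to_equilibrium(0.1, 8.0))
    print("with p=0.5:", equilibria(8.0, 0.5))
```

With t_max = 8 and no penalty the roots are about 0.146 (unstable) and 0.854 (stable); a penalty of 0.5 moves the stable root up to about 0.928 and the unstable one down, so the system survives from a wider range of starting conditions. With t_max = 3 there is no interior root and the only outcome is total free-riding, matching the note that the model only works when the maximum generosity level is high enough.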
Q: Assume the turnover is exogenous, some % of departures cycle
A: It would be interesting to build arrival and departure into model
Q: What exactly can be observed? Why not have a pricing mechanism?
A: Model assumes that we know who is a free rider. P can be thought of as accuracy of catching free-rider. Based on contribution of each user. Contribution and consumption might also be useful to meter.
Q: Incentives are negative?
A: Also works with positive incentives, same system.
Q: Actually, positive incentives can be targeted to
Q: Low-level participation that neither consumes nor free-rides, but is just there - not a white-washer
A: Need a non-binary decision
Q: Like MUDs - longer you play, the more you get, discourages free-riding
Stephen Lewis - Sufficiently Secure P2P Networks
Most security models assume a very powerful attacker
Try to model a cost-effective attack
Model - n nodes with d documents
Attacker corrupts x percent of nodes
Publisher wants to make sure at least one copy of document exists
Attacker wants to get rid of all of them
(perfect search, attack doesn't affect document)
Attacker will either attack all of the network or none of it if there is linear attack cost
Simple utility comparison
Publisher's best response:
No attack - publish a single copy of the document
If there is an attack - no publish at all
Non-linear attack costs
If d < exponent (few enough documents in the network)
Internal solution to maximize
Otherwise, all or nothing response
No analytic best response function b/c of shape of function
Can use a mixed strategy probabilistic solution for the attacker and whether to publish
Security of network depends on size and the payoff of censorship
Linear cost - all or nothing
Non-linear costs - both expend some effort
Q: Cost of bringing down the system: take down first node, the rest are free.
A: This only captures that you compromise the node to stop publishing, as opposed to system itself.
Joan Feigenbaum (with Bergemann, Shenker, Smith) - Towards an Economic Analysis of Trusted Systems
A research agenda, rather than presented results
How much are still interested, given market conditions?
Love-hate relationship b/n content providers and the internet
Low costs + high volume may not equal high profits
Desire to keep the old prices, and the new costs
Trusted platforms
Machines can prove to each other that they are running authorized software
E.g. TCG, NGSCB
Could enable remote control of data after it has been transferred to another machine
Applications
Copyright enforcement / content business
?
Privacy protection
?
Security-policy enforcement generally
Permission-enforcement mechanisms
(Apparently, the industry is backing off things)
Multidisciplinary study
Economics - would they be widely adopted?
Are there economically better, feasible alternatives?
Two-sided markets - must be adopted by both content providers and content consumers
Each market has externalities
(only a little bit of recent literature about the externalities)
Timing and uncertainty
Dependence on consumer valuations, early adopter driver
Information asymmetry - will vendors reveal security vulnerabilities?
Alternatives to trusted platforms (detection, rather than prevention)
Customer gets specific permissions
Authorized use only is worse than flexible private use is worse than uncontrolled network use
Suppose unauthorized action can be detected with probability q
Once caught, have to use trusted computing
Participation constraint: utility less price greater for flexible
Incentive constraint:
Price difference will be positive if q is high enough
Intuitive: catch the really successful
Model may explain part of iTunes
Allows flexible private use, but not full-scale network piracy
Will users prefer monitoring to copy prevention?
Technologically - how do you make q high enough?
Prevention vs. detecting mishaps and working around them
This is a general security question
Open research agenda, may need to be re-examined in light of industry realities.
Q: Prob. of catching vs. severity of punishment
A: Focus on how you monitor things that well
Need a cost-effective system to foist on cheaters
Stuart Schechter - Towards Econometric Models of Software Security Risks from Remote Attacks
Risk = (expected loss frequency) * (cost of loss)
In security, most losses result from attacks
Frequency of attack metrics
Number of individuals, incentives, personal risk
Costs of time, equipment, information
Measuring these today
Frequency of attack as high, medium or low
Strength is a sum of resource costs -> find a vulnerability
History
Computer Security Act of 1987
Guidelines set by NIST
Fault trees (attack trees) - calculate total risk as sum of specific ones
BUT - don't really know leaf nodes
Qualitative approach - low, medium & high
Desired metrics
Total security losses - expected
Can determine return-on-investment
Lessons from the study of safety - forecasting uses historical assumptions
Stationary model depends on natural rules and assumptions
BUT security doesn't do this - attackers exploit us
Security regression models
Indicators must be measurable and relevant
Risk is positively correlated with adversary population and incentive to attack
Risk is negatively correlated with personal risk and security strength
Analog - modelling burglary
Security strength not significant - it's other risk factors
BUT - attacks on software are more diverse, bigger scale, time is important
Strength-based models
Choice to attack as a fn of incentive to attack and strength
Stationary model is unaffected as safeguards become obsolete
Data remains constantly protected as security changes
Certainty vs. applicability
Measuring strengths
Costs of finding a vulnerability
Conclusion - risk management is essential, need measures of security strengths
Can use markets for vulnerabilities
Q: What about malware? How can you capture that?
A: They're not terribly profitable
Q: There's more than one coin. Reputation, fun - your attacker could be earning non-monetizable rewards
A: It's so cheap to break in, and the hacker would rather be rich.
Richard Clayton (with Ben Laurie) - "Proof-of-work" Proves Not to Work
Spam as an economic problem - no charge for email
$.01/email = $91 billion annually
eCash has not happened
513 million net users, 230 million hosts, 56% of emails are spam
50 emails/day avg, 60 spam/day
32 billion spam/day
Proof of work: useless piece of work to show you care
Dwork & Naor, Adam Back
One idea: a hash with n leading 0s to show that they tried a lot of hashes
Another: base it on memory speed, since there's less variation
What about mailing lists?
We don't know how much
Estimate: 40% of emails had same source, multiple destinations
Adjust calculations: legit host must send 75 emails/day
Econ analysis
Spammers charge b/n .001 and .03 cents to send
Spammers invest $50k, want $30k/year
Need to send 35,000 emails/day to break even
Response rate to spam: .0023%
With 1/10 cent/email - ad costs $4.35/sale
Efficient for $50 mortgage lead, cellphone, pills
Legit email: 0.7-1.6%
Differentials b/n good guys and bad guys:
75 emails vs. 1750 emails/host
Possible "factor of 4" for work ability
Some room, but not a lot
Security analysis
Lots of 0wned machines
Currently easy to find a compromised machine spamming
BUT - suppose they were doing proof-of-work
Trying to allow good guys to send 75 emails/day
BUT bad guys can spam with 250 emails/host using 0wned machines
With a 1% of inbox as spam caveat
Real world email analysis
People really do send a lot of email
Pure proof-of-work schemes don't work
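Worked example of the "hash with n leading zeros" stamp and of the sender-budget arithmetic behind the argument above. This is an added example, not code from the talk or from Back's hashcash: the stamp format is a simplified stand-in for the real hashcash header (an assumption for this example), the hash rate and CPU budget are constructed numbers, and the only figures taken from the notes are 75 legitimate messages per host per day and a botnet host running flat out. The point it shows is the one the notes make: whatever difficulty a legitimate host can afford for 75 messages in a fraction of its day, a compromised host burning the whole day at the same difficulty sends many times more.

```python
"""Hashcash-style proof-of-work stamps and the sender-budget arithmetic
behind the talk's argument.

Added example; not code from the talk or from hashcash itself. The stamp
format 'ver:bits:date:resource:rand:counter' is a simplified stand-in for
the real header (assumption). A stamp is accepted when SHA-1 of the string
has at least `bits` leading zero bits. Hash rates and budgets below are
constructed numbers.
"""
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource: str, bits: int, date: str = "040513", rand: str = "") -> str:
    """Brute-force a stamp bound to `resource` (e.g. the recipient address)
    with `bits` leading zero bits. Expected work: 2**bits hashes."""
    rand = rand or secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}:{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Recipient-side check: well-formed, addressed to us, claims at least
    min_bits, and the hash really has that many leading zeros. A deployment
    also needs a double-spend store keyed on the stamp and an expiry on the
    date field; both are omitted here."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1" or parts[3] != resource:
        return False
    try:
        claimed = int(parts[1])
    except ValueError:
        return False
    if claimed < min_bits:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed


def daily_cpu_seconds(messages_per_day: int, bits: int, hashes_per_second: float) -> float:
    """Expected CPU time a host burns per day stamping its outgoing mail."""
    return messages_per_day * (2 ** bits) / hashes_per_second


def choose_bits(legit_messages_per_day: int, hashes_per_second: float,
                budget_fraction: float) -> int:
    """Largest difficulty a legitimate host can afford while spending at most
    `budget_fraction` of its day on stamps (capped at SHA-1's 160 bits)."""
    bits = 0
    while bits < 160 and daily_cpu_seconds(legit_messages_per_day, bits + 1,
                                           hashes_per_second) <= budget_fraction * 86400:
        bits += 1
    return bits


def spam_capacity(bits: int, hashes_per_second: float, owned_hosts: int) -> float:
    """Messages per day a botnet of `owned_hosts` machines can stamp at the
    same difficulty when each host's whole day goes to hashing."""
    return owned_hosts * 86400 * hashes_per_second / (2 ** bits)


if __name__ == "__main__":
    # Constructed: 1e6 SHA-1/s per host, legit host willing to spend 10% of its day.
    bits = choose_bits(75, 1e6, 0.1)
    print(f"difficulty {bits} bits: legit 75 msgs cost "
          f"{daily_cpu_seconds(75, bits, 1e6):.0f} s/day")
    print(f"one 0wned host at 100% CPU: {spam_capacity(bits, 1e6, 1):.0f} msgs/day")
    s = mint("alice@example.org", 12)
    print(s, verify(s, "alice@example.org", 12))
```

Mailing lists make this worse in the same direction: a stamp is bound to one recipient, so a 75-message day that fans out to lists costs the legitimate host proportionally more, while the botnet host's budget is unaffected.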
Q: What's wrong with charging for email?
A: Changing the current system is expensive. Spammers can still pay for that.
Q: What about an escrow system where you get the money back if it's not spam?
A: Too many insecurities.
Q: Why is white-listing hard? What is inherently hard?
A: We don't have the tools for doing it. Can't tell where the email actually comes from, and doing that is really bad for privacy - and hard to do.
Q: Why not a simple hash-cash person-to-person?
A: Compromised machines...
Q: Why not do it at the ISP list?
Q: Why wouldn't Bruce's subscribers pay for it?
A:
Q: Micropayments are too expensive to implement
Andy Ozment - Bug Auctions: Vulnerability Markets Reconsidered
No good way to measure software security - market for lemons
Producer's motivation for vulnerability markets
Improved product quality
Useful metric
Assumes vulnerabilities are ordered
Vulnerability auctions - single buyer, many sellers
Ascending, first price (reverse Dutch)
Bidders are asymmetric - auction is not revenue equivalent
Conveys no information about the number of bidders
Preferred by risk-averse producers
A reward is always offered - want to make sure that vulnerabilities are purchased
Producers want to encourage testers to enter the auction
High min bid
… Had to leave, and did not capture the rest of the paper. Sorry.
These notes were recorded on the fly by Allan Friedman, and any omissions or inaccuracies are purely his fault. To learn more about the papers here, please see the conference website, or contact the authors directly. Please contact me (allan_friedman at ksg.harvard.edu) for any corrections or clarifications.
I apologize for the horrendous formatting; I took notes in Microsoft Word and was lazy about dumping things into HTML, so plenty of nasty artifacts remain.