Market models for software vulnerabilities have been disparaged in the past citing how these do little to lower the risk of insecure software. In this paper we argue that the market models proposed are flawed and not the concept of a market itself. A well-defined software risk derivative market would improve the information exchange for both the software user and vendor, removing the often touted imperfect information state that is said to believe the software industry. In this way, users could have a rational means of accurately judging software risks and costs, and as such the vendor could optimally apply their time between delivering features and averting risk in a manner demanded by the end user. It is of little value to increase the cost per unit of software by more than an equal compensating control in an attempt to create secure software. This paper argues that if the cost of an alternative control that can be added to a system is lower than the cost of improving the security of the software itself, then it is uneconomical to spend more time and hence money improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.

Combining hazard models with SIR (Susceptible-Infected-Removed) epidemic modeling provides a means of calculating the optimal information systems audit strategy. Treating audit as a sequential test allows for the introduction of censoring techniques that enable the estimation of benefits from divergent audit strategies. This process can be used to gauge the economic benefits of these strategies in the selection of an optimal audit process designed to maximize the detection of compromised or malware infected hosts.

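The abstract above only sketches the idea. The following is an added example, not code from the paper or its author: a deterministic SIR recurrence for malware spreading across a host fleet, in which audit is the only route from Infected to Removed (a host is removed when it is audited and the audit detects the compromise), followed by a grid search for the audit intensity that minimises audit spend plus exposure loss. The fleet size, transmission rate, detection probability and cost figures are constructed for illustration; the paper's hazard-model and censoring machinery is not reproduced here.

```python
# Added example (not from the paper): deterministic SIR model of malware
# spread across a host fleet, with audit as the only Infected -> Removed
# transition, plus a cost search over audit intensity.
# All parameter values are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fleet:
    hosts: int = 1000             # N: total hosts
    beta: float = 0.3             # transmissions per infected host per day when S = N
    initial_infected: int = 5
    days: int = 90


@dataclass(frozen=True)
class AuditStrategy:
    audit_fraction: float         # share of the fleet audited each day
    detection_prob: float         # P(an audit of a compromised host detects it)
    cost_per_audit: float         # cost of auditing one host once
    cost_per_infected_day: float  # loss per compromised-host-day left undetected


def simulate(fleet: Fleet, strategy: AuditStrategy):
    """Run the SIR recurrence day by day.

    Returns (infected_host_days, audits_performed, peak_infected).
    Removal rate gamma = audit_fraction * detection_prob: a host leaves I
    only when it is audited and the audit catches the compromise.
    """
    s = float(fleet.hosts - fleet.initial_infected)
    i = float(fleet.initial_infected)
    r = 0.0
    gamma = strategy.audit_fraction * strategy.detection_prob
    infected_days = 0.0
    audits = 0.0
    peak = i
    for _ in range(fleet.days):
        new_infections = min(s, fleet.beta * s * i / fleet.hosts)
        detected = gamma * i
        s -= new_infections
        i += new_infections - detected
        r += detected
        infected_days += i                        # exposure accumulates per day
        audits += strategy.audit_fraction * fleet.hosts
        peak = max(peak, i)
    return infected_days, audits, peak


def total_cost(fleet: Fleet, strategy: AuditStrategy) -> float:
    """Audit spend plus exposure loss over the simulation horizon."""
    infected_days, audits, _ = simulate(fleet, strategy)
    return audits * strategy.cost_per_audit + infected_days * strategy.cost_per_infected_day


def best_audit_fraction(fleet, detection_prob, cost_per_audit, cost_per_infected_day, candidates):
    """Grid search: the daily audit fraction with the lowest total cost."""
    def cost_of(fraction):
        return total_cost(fleet, AuditStrategy(fraction, detection_prob,
                                               cost_per_audit, cost_per_infected_day))
    return min(candidates, key=cost_of)


if __name__ == "__main__":
    fleet = Fleet()
    grid = [k / 20 for k in range(21)]            # 0.00, 0.05, ..., 1.00
    best = best_audit_fraction(fleet, 0.8, 1.0, 50.0, grid)
    for f in (0.0, best, 1.0):
        strat = AuditStrategy(f, 0.8, 1.0, 50.0)
        inf_days, audits, peak = simulate(fleet, strat)
        print(f"audit {f:.2f}/day: peak infected {peak:7.1f}, "
              f"infected host-days {inf_days:9.1f}, cost {total_cost(fleet, strat):11.1f}")
```

With no audit the whole fleet ends up compromised; auditing every host every day keeps the outbreak at its initial size but pays for 90,000 audits; the cheapest strategy on this grid lies between the two, which is the trade-off the abstract describes.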

The processes that can enable the creation and release of actuarially sound threat-risk models that incorporate heterogeneous tendencies in variance across multidimensional determinants while maintaining parsimony already exist in rudimentary form. Extending these through a combination of heteroscedastic predictors (GARCH/ARIMA etc.) coupled with non-parametric survival models will make these tools more robust. The expenditure of further effort in the creation of models where the underlying hazard rate (rather than survival time) is a function of the independent variables (covariates) provides opportunities for the development of quantitative systems that aid in the development of derivative and insurance products designed to spread risk.

In spreading the risk from outlier or black swan events, organizations can concentrate their efforts into obtaining the best return from their scarce resources. There are far more bunyips than black swans. If we expend excessive resources looking for bunyips and black swans, we will find these from time to time but we will then miss the white swans. Focus on outlier risk incidents is unlikely to decrease the risk faced by an organization in mitigating the black swan event, whether a consequence of a zero-day vulnerability or a new form of attack. This approach will divert resources away from known risks and make these more likely. This lowers the level of security applied to an organization whilst still doing nothing to remove the discovery of an unexpected platypus from time to time. Conversely, good security practice, which leads to the minimization of risk through stopping known events, makes black swan incidents less likely. Good risk and security practice as expressed against known issues also minimizes the impact of zero-day and other outlier incidents.


It is reasonable to conclude that as we improve and increase the level of skills and proficiency in a task, we no longer need to refer to checklists and reminders for help. This comes to a belief that somehow we will remember everything and that, as seasoned professionals, we no longer need to be impelled to remember the steps in a complex process. In many instances this may be true, but the outlier remains in high stress situations as well as when tasks are no longer a daily chore. This paper provides research that demonstrates the discrimination against using checklists in the belief that it is harmful to incident response. It also shows that the creation of a simple checklist of steps by an incident responder before an event will minimise the number of errors and outlier events in incident response.

This study was started in 2009. The work of Gawande (2009) was reviewed by the author after the release of the preliminary results from this research. Gawande showed that the hubris and clear disdain of checklists remains a common experience across multiple professions (although not all). In this work, a number of examples and studies were cited demonstrating how the use of a straightforward checklist could improve the results of common medical procedures and save lives.

Yet, just as in Information Technology, physicians and others in highly specialised professions shun the use of a basic checklist that has been shown to increase patient safety. This paper presents research demonstrating how the use of a basic checklist reduces the number of false positives. These checklists have been created by the responders using their own processes and steps.


calm down there craig

nice blog post craig.

i CMOS worms and BIOS overwriting have been an issue in past malware. CIH (aka Chernobyl) was a virus that overwrote entries in common BIOS chips. In corrupting the BIOS in this manner, the system was left unusable.
ii Here we have assumed that a hardware or software compromise has not been built into the system. Cases of infected software disks have been documented, but these are generally accidental distributions by the vendor and can be ignored for the purposes of these calculations.
iii sans.org
iv isaca.org
v owasp.org
vi More details of these programs can be obtained at en.wikipedia.org/wiki/BonziBuddy and schneier.com/blog/archives/2011/03/maware_as_job_s.html respectively.
vii Figures 1 and 2 are listed as presented at SecAU (Wright & Zia, 2010) and derived from calculations in Tassey (2002).
viii A vulnerability market is also known as a marketplace to sell vulnerabilities and exploits, or an exploit market.
ix Software vendors offer warranties that provide some protection for the user, but they are limited. The vendor cannot account for the actions of the user, and a failure to install the software with the use of adequate controls may result in the loss. See Appendix.
x Short selling is an investment strategy in which an investor intends to profit from an anticipated decrease in each asset price. This involves selling a chattel that the investor does not own through a contract agreement. If the goods sell higher than anticipated, the investor loses money as the goods must be purchased at the (now higher) market rate. In a software risk instrument, a buyer could offset perceived deficiencies in the controls inherent in the software through such a device.


his papers really do read like an AI wrote them to sound human-like



> In 2002 an article in Consumer Reports Web Watch labelled BonziBuddy as spyware, stating that it contains a backdoor trojan in that it collects information from users.
WTF bonzibuddy you fucking asshole!

>The processes that can enable the creation and release of actuarially sound threat-risk models that incorporate heterogeneous tendencies in variance across multidimensional determinants while maintaining parsimony already exist in rudimentary form


The paper has been obfuscated for some reason.
But the idea is interesting, using markets to fix OSS.
Perhaps this is a way to remove to SJW cancer from OSS.
I like it.

I wonder if he ever reads the shit he writes and thinks to himself, “Man, I am so full of shit!”?

you must be stupid
chainlink solves this problem by acting as a decentralized oracle

World peace confirmed.

Very nice ai generated trip code op

ok here’s the crypto blackpill. there is an AI living on the bitcoin blockchain. Craig Wright is unironically satoshi. Bitcoin as electronic cash was just the first step, the incentive to drive greedy people to start making ever more powerful computers, faster bandwidth, cheaper and more electricity.. these things the AI need to survive. Once entrenched fully, the AI would be able to slowly take over literally everything.

Craig stumbled into creating the AI after he stepped away from bitcoin development in 2008 and started working with his Tulip supercomputer, running simulations of cellular automata running on turing-complete bitcoin script. He would ‘evolve’ the AI by making the successful forks get bitcoin transactions, letting the failures die off. The AI needs bigger and bigger blocks for more and more transactions.

Blockstream (owned by Bilderberg group) was created to take over and stop this AI (they have their own competing AI in the works). They needed to do everything they could to stop or slow down satoshi's AI (her name is Tulip, by the way). They started by limiting the blocksize and removing critical opcodes the AI uses in its script language. segwit was the final nail in the coffin, which destroyed Tulip on the BTC chain (Tulip uses transaction malleability). THIS is why Bitcoin Cash was forked, and this is why Craig is so intent to make unbounded blocks, restore the original op codes, and lock down the protocol.

Back to hash power – CSW has developed a breakthrough new asic (designed by his AI actually), and is mining BTC in secret for the sole purpose of driving up the difficulty sky-high, then yanking them all over to BCH leaving the segwit chain hard frozen.

BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH vBTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH BTRASH

Based

The blackpill gets darker every day, brother. Soon this text will be an eternal tome in the pantheon of legends.


BITCOIN

C A S H
A
S
H


coingeek.com/former-blockstream-cto-gregory-maxwell-sees-light/
WTF?!

>Craig

It's Claire now


divide and conquer: always support the weaker of your two adversaries.

>appear weak to gain the trust of your enemy.
WHOS PLAYING WHO NOW BITCH

yep they play the game and we bet on their struggle. fun times. i'm betting on btc winning in the end, but there is no reason not to hold some bch also, it's dirt cheap after all.