Even very smart guys like Dave don't understand risk basics. Attack costs, anyone? #ntiacollab https://twitter.com/daveaitel/status/672101231867858944
@SpireSec gotcha. I think that is primarily what @daveaitel was speaking to with the original tweet, in context of the #ntiacollab discussion.
@attritionorg regardless, in most (but not all) cases, vuln disclosure is risk-increasing. That puts ppl more in harm's way. @daveaitel
@SpireSec @attritionorg @daveaitel short term risk increase, longer term reduction if fixes/defenses deployed?
@zmanion possibly, but rarely enough, imo. SaaS may be the exception since a 100% fix is possible. @attritionorg @daveaitel
@SpireSec @attritionorg @daveaitel disclosure informs defenders, otherwise only attackers know? More info = better risk decision?
@zmanion rediscovery rates are extremely low and "attackers know" about all sorts of vulns, incl those that defenders don't. @attritionorg
@attritionorg there is plenty of evidence in this regard, btw. Dumitras paper for example. @daveaitel
@SpireSec @daveaitel I agree with you disclosure potentially increases risk. Was only disagreeing if "disclosure = start of risk".
@attritionorg that's a pet peeve of mine that I find extremely annoying. @daveaitel
@SpireSec You can measure vulnerability, and it stays constant. How do you measure threat in a non-bullshit way?
@alexkropivny attacks, or after the fact via change in compromises (vuln constant or lower)
@SpireSec What if attack data follows a Heaviside step function, and we're still at -t?