I’d like to do some research into the time it takes from when blackhats find 0-days to [when] whitehats find them.
I'm also interested in this question. Is there existing research on this topic? Earlier in the piece he also claims this:
The thing you have to remember is the black hat world is 10 steps ahead of what’s commercially available. When a 0-day is released blackhats have used it for months.
Is this statement true? Are the top level blackhats more talented, driven, or greater in number than the top level whitehats? Obviously there is money to be made as a blackhat but not everyone has criminal inclinations. Script kiddies aside, intuition tells me that the intersection of people who have the skill to write an 0-day and the inclination to be a blackhat is smaller than the intersection of skilled/honest people. Not to mention that you can make a perfectly legal fortune (ethics aside) selling exploits to security firms which on-sell them to governments. [1]
I'm also interested in his statement about virus scanners - are they really useless? I use Chrome, MS Security Essentials, don't click on devious looking links... and I've had 1 infection flagged in the last 3 years (thanks Adobe). Are there stats on how many infections don't get noticed by anti-virus software, even if you keep the definitions up to date?
[1] http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...