Comment by tptacek
2 months ago
If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities. There's a myriad of different vulnerabilities and new bug classes announced with fanfare every year at Black Hat and the Big Four conferences, but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.
> If we're talking about mid-90s race conditions there, with "temporary names", there was never a market for those vulnerabilities.
More like mid-80's with effects dragging on to mid-90's.
There was never a market back then at all. ;) The point is, many confidently announced that all the easy to exploit stuff in Unix was being fixed and soon security was going to be less of a problem.
> but we've been in what seems like a stable state for over a decade on which of those vulnerabilities are actually tradable.
Yes, but that doesn't stay the same if the low hanging fruit dries up as you posit. The level of sophistication of both exploit writers and exploit consumers will have to climb, but we're nowhere near the ceiling of the skills and effort that crime and intelligence can pay for.
Right, so I'm not confidently predicting the end of software security (I'm "optimistic" about its relevance, in the same way you're pessimistic about the long term security of software). But drive-by clientside exploits are a particular kind of software security problem, and that one, I do see the light at the end of the tunnel (and also a prolonged period of 7-8 figure exploit premiums).