Using the past to predict the future...

  • Using the past to predict the future...

    /me pulls out his crystal ball...

    Anyone who subscribes to full disclosure security mailing lists for more than 2 years will likely have noticed the frequency or rate of security risks (exploited holes, bugs found, and risks exposed) seems to be cyclic in nature.

    Several years ago, I noticed one trend:
    The two months leading up to DefCon we seem to see a great deal of traffic on the lists which addresses issues with remote exploits to services which lead to priv. escalation, running arb. code, buffer overruns found and exploited, and other interesting discussions.

    Many of the issues become topics at DC by speakers, but what is the chain of events? Do bugs become exploits through exposure of discussion at DC, or do discussions at DC become popular as a result of exploits and found bugs?


    We are now at about the two month mark before the con begins. Will history repeat itself as seen during the previous years?

    Other ideas which have been provided for the cause to this cyclic effect on lists include:
    Over summer, many students do not attend classes, and have more free time to hammer on various things.
    There is no cyclic effect, people are just more conscious of security issues as DC gets closer.

    Do you have other ideas on this?

  • #2
    Speaking of cycles, for consulting I find my cycles to be:
    Jan to Apr - busy
    May/June - slowing
    July/August - slow
    Sep to mid-Nov - busy
    mid-Nov/Dec - slow

    During the slow times I run audits on my clients, finish up the detail work missed during the heavy tech integrations/upgrades, etc. Much of this, especially in the last couple of years, is securing systems/networks/etc. I also use the slow time to read the books/articles that I have said, "I should read that soon," but haven't gotten to in three months. Following that comes posting, discussions, etc. And, what a lucky coincidence, DefCon and (now) LayerOne occur during those times. Studying up for certs, kicking back some bruskies, and soaking up some So Cal sun also rank high on my slow-time list. (Yes, even in Dec. I make it a point to surf on Christmas day whenever I am in town.)

    Back to the point of the post, so my hypothesis is that techies get to focus on the things they have put off during the summer because companies are generally doing less during this time. Security being a hot issue for the last couple of years, it makes sense that there is more activity relating to it.
    Ya got no legs, don't come crawlin' to me.


    • #3

      Looks dodgy and great at the same time
      Just somehow confused me a bit