Re: [Full-Disclosure] interesting?

From: batz (batsy@vapour.net)
Date: 02/01/03


From: batz <batsy@vapour.net>
To: Roland Postle <mail@blazde.co.uk>
Date: Sat, 1 Feb 2003 12:04:32 -0500 (EST)

On Sat, 1 Feb 2003, Roland Postle wrote:

:It might seem frightening that Sapphire reached 90% infection in 10
:minutes, but this is a feature of its aggressive connectionless
:scanning with single packets, and the small address space the internet
:has, not its particular scanning strategy. For a good discussion of
:
:"How to 0wn the Internet in Your Spare Time"
:http://www.icir.org/vern/papers/cdc-usenix-sec02/index.html

The really interesting part of this paper is their use of the
"logistic equation" to describe the spread of the various
worms.

They use: da/dt = Ka(1-a)

I guess my question fundamentally would be: could this
logistic equation be effectively used to describe the
propagation of patch information from CERT, the ISA, etc.,
vs. the propagation of patch information from Bugtraq/FD, etc.?

So, can: da/dt = Ka(1-a) be used to describe the propagation
of patch information, and what would the implications of it be?

Where K is the rate of information spread (based on number of
subscriptions to public lists vs. consortiums) 'a' being the
proportion of subscribers informed, 't' is hours, and 'd'
seems to be iteration?

I am speaking way out of my depth, but my question is based upon
the intuition and experience that informs my opinions on how
vulnerability information should be distributed.

Is there another more appropriate formula that describes
this problem?

Cheers,

--
batz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
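Carrying the question through numerically, as an added example that is not part of this thread: the closed-form solution of da/dt = Ka(1-a), a step-by-step integration of the same equation, and the hours two channels need to inform 90% of their subscribers. The K values and the starting fraction are constructed assumptions, not numbers from the paper or the message.

```python
import math

# Constructed parameters (assumptions, not from the thread): a0 is the
# fraction already informed at t=0, K is the spread rate per hour.
A0 = 0.01
K_PUBLIC_LIST = 2.0   # assumed: many subscribers, fast spread
K_CONSORTIUM = 0.5    # assumed: few members, slow spread


def logistic_a(t, K, a0=A0):
    """Closed-form solution of da/dt = K*a*(1-a) with a(0) = a0.

    a is the proportion of subscribers informed, t is in hours.  This is
    the same curve the paper writes as e^(K(t-T)) / (1 + e^(K(t-T))).
    """
    c = (1.0 - a0) / a0
    return 1.0 / (1.0 + c * math.exp(-K * t))


def euler(K, a0=A0, dt=0.01, t_end=20.0):
    """Step the differential equation forward numerically.

    'd' in da/dt is the differential, not an iteration count; iteration
    only appears when the equation is integrated like this.
    Returns [(t, a), ...].
    """
    t, a, pts = 0.0, a0, [(0.0, a0)]
    while t < t_end - 1e-12:
        a += dt * K * a * (1.0 - a)   # da = K*a*(1-a) dt
        t += dt
        pts.append((t, a))
    return pts


def hours_to_inform(K, target, a0=A0):
    """Invert a(t) = target: hours until `target` of subscribers are informed."""
    c = (1.0 - a0) / a0
    return math.log(c * target / (1.0 - target)) / K


def compare(target=0.9):
    """Hours for each channel to reach `target`; ratio equals K_PUBLIC/K_CONS."""
    fast = hours_to_inform(K_PUBLIC_LIST, target)
    slow = hours_to_inform(K_CONSORTIUM, target)
    return {"public_list_h": fast, "consortium_h": slow, "ratio": slow / fast}


if __name__ == "__main__":
    for name, hours in compare().items():
        print(f"{name}: {hours:.2f}")
```

The time to reach any target fraction scales as 1/K, so under this model doubling the spread rate halves the hours needed to inform 90% of subscribers.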