The Grugq: Well, in 2000 there were loads of good exploits which would take maybe a week to find and develop. These days it might take six months to find and develop one. That is a huge change in value.
CSO: Why so long now?
The Grugq: It is harder to find good bugs and develop good exploits for them.
CSO: It’s like overfishing?
The Grugq: It is exactly like overfishing. That is actually the analogy which Halvar uses to describe it. He takes it a bit further. Basically, there’s closed-source fishing and open-source fishing. Or ice fishing vs. fishing in a clear coral sea.
CSO: It makes sense. As finding exploits became automated, bugs were found and exploited rapidly. It’s like dropping those huge trawling nets.
The Grugq: The thing is, the juicy targets are still few and far between.
CSO: And this must also put a premium on socially engineering your way in.
The Grugq: Well, that is harder to do. But these days non-exploit hacking is making a comeback. The whole buffer overflow thing will die off, and what is left is the people who know how to get in without exploits. Those guys are the really old-school guys.