Open Source and information security mailing list archives
 
Date: Mon, 25 Jun 2007 17:31:35 -0700
From: phpninja <phpninja@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Office 0day

Also I guess if every company paid for exploits you guys would be out of a
job (most everything would be secure). I didn't think of that..

On 6/25/07, Troy <gimmespam@...il.com> wrote:
>
>  On 6/25/07, phpninja < phpninja@...il.com> wrote:
> >
> > <i>If other places are offering $20K for a 0day, why should Microsoft
> > offer
> > 10 times that, when they can probably make the sale offering only
> > $25K?</i>
> >
> > I would think Incentive.. Sell my exploit to some criminal network for
> > cheap? Or would I rather Microsoft trump their offer by much
> > more and continue consulting for Microsoft rather than criminal networks.
> > Also if I am in any industry (let's say software) I am going to strive to
> > produce the best product possible regardless of the profit. This means
> > spending a lot more for people's research than some average criminal who will
> > then make much, much more money than the security researcher
> >
>
> $1 million is much more than "much more" than $20K. $40K would be more
> than enough to give the needed incentive.
>
>
> > Well I would think there would be some motivation. Unless every
> > employee who codes at Microsoft is a money grubbing greedy person with no
> > regard to the person who uses their products then there would have to be
> > some motivation to fix the product if it is flawed.
> >
>
> While it is true that not every employee is "a money grubbing greedy
> person," that is, unfortunately, not how corporations work. In fact, the
> bigger the corporation, the harder it is for an individual within that
> corporation to make a difference. The fact is that, no matter how many good
> people work for a corporation, it all comes down to how much money the
> shareholders can make.
>
> > Let's see, they spend 50 million over 7 years (Windows XP lifespan so far)
> > not bad..
> > they are a 280+ billion dollar company.
> >
>
> Your first assumption is that, in the course of 7 years, there have only
> been 50 major security exploits discovered by third parties in Windows XP.
> Your number is a bit low.
>
> > But compared to a security team of 50 people at $250,000 a year for 7
> > years = 87,500,000. Looks like their security team is costing a lot
> > more..
> >
>
> Your second assumption is that Microsoft's security team consists of 50
> people who are each making $250,000 a year. Microsoft pays well, but not
> that well. At least, not to that many people. At least, as far as I know. I
> may be wrong, but those numbers seem high.
>
> > That is like me trying to argue that after going to a car mechanic, I
> > should have known that the engine mount that I paid to be secure in my car
> > would have loosened on a bumpy freeway and let my engine fall out on the
> > freeway. I should have put a big metal sheet under my car to keep
> > things from falling out after I pay for service!! I just should have that
> > knowledge magically. It just won't hold up in court.
> >
>
> That's a straw man argument. A better analogy would be trying to sue an
> automobile manufacturer because your car was stolen, even though you locked
> the doors. After all, it's the manufacturer's fault that a security flaw
> existed in the car and somebody was able to break the windows to get in,
> isn't it? If you really want to push the analogy, you could say it's like
> suing a lock manufacturer because their padlock didn't prevent a thief from
> cutting the lock with bolt cutters and you lost your stock of gold bullion.
>
> No reasonable system administrator can expect any operating system to be
> completely secure. If that were the case, we wouldn't need firewalls.
> Anybody trained in IT knows that hackers can, have, and will, break into
> systems, no matter what you do. If you store customer information in a plain
> text file on a system connected to the Internet, you can't blame Microsoft
> when somebody steals it.
>
> > <i>Making a *criminal* negligence case stick would be *exceedingly* hard
> > to do</i>
> >
> > I don't think it would be so hard. Someone reports a critical flaw, and
> > Microsoft reports it, but doesn't patch it and does nothing about it. So
> > they know about the flaw at hand and aren't doing anything to fix it. That
> > is the definition of negligence. It's like a tire company knowing of a
> > problem in their tires, stating the problem, and not recalling the tires.
> > They know of the problem but don't fix it. Now I've been thinking, I don't
> > think you'd need a big DA or anything of that nature.
> >
>
> That's civil, not criminal. There's a big difference. There's also a big
> difference between tires blowing out and killing people and a hacker getting
> some credit card numbers.
>
> Despite all this, you just stated exactly why Microsoft wouldn't want to
> do this. Someone sells a flaw to Microsoft. Microsoft works on a patch.
> Somebody's system gets compromised before the patch is ready. Now, there is
> no doubt that Microsoft is aware of the flaw, and a lawsuit becomes much
> easier to win.
>
>
> > There was a judge in the news recently suing for $60,000,000 for a pair
> > of pants. All you have to do is piss off the right people.
> >
>
> You can sue anybody for any amount you want. I can file a lawsuit asking
> for $27 billion because somebody cut me off in traffic and caused distress.
> That doesn't mean I'll win.
>
> The $60 million (actually $54 million) lawsuit over a pair of pants is a
> great example, especially since it was thrown out of court. http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html
>
>
> I guess the whole point is, yes Microsoft could offer to purchase
> exploits. No, we can't force them to do so. No, $1 million for an exploit is
> not a reasonable expectation. No, Microsoft won't do it because, as you've
> pointed out, once they start doing it, they're admitting they know about the
> exploits and may be open to lawsuits at that point.
>
> I also don't like the idea the OP had of purchasing fixes for the
> exploits. Operating Systems shouldn't include code written by mercenaries
> who sell their code to the highest bidder.
>
> --
> Troy
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
