Open Source and information security mailing list archives
Message-ID: <3E75FD15.9080204@guninski.com>
From: guninski at guninski.com (Georgi Guninski)
Subject: [OT] Re: Quick Question

[Sorry for cross posting to the list, but this looks like a FAQ]

Dear Mr. Kannan,

Karthik Natarajan Kannan wrote:
> Dear Mr. Guninski,
> 
> I am a doctoral student at Carnegie Mellon University working on my

I am Georgi. Georgi Guninski.

> thesis on Information Security trying to understand the industry
> structure and incentives.  I realize that you are one of the prime
> people in unearthing bugs. I would greatly appreciate your responses for
> the following questions:
> 

Sure, I will answer, but I would greatly appreciate the answer to a question by 
Pink Floyd at http://www.lyricsstyle.com/p/pinkfloyd/goodbyebluesky.html
"Mother, should I trust the government?" -- Pink Floyd

> a) What is the incentive for firms like yours to unearth security bugs? 
> 

No special incentive. Hint: It is not for the money, it is not for the fame.

> b) What is the norm after unearthing the bug?  Whom do you report it to?
> 
There is no official norm as far as I know. The owner of the 0day has the 
intellectual property over it and can do whatever he wants with it.
I personally have sympathy for open source projects and do my best for the problem 
to be fixed officially before I go public. First notify the software developer 
in this case. This sympathy does not apply to commercial vendors in whose 
licence agreements it is written that the product is not fit for any purpose.

> c) Suppose, a bug has been unearthed, does the software vendor pay the
> security firms for unearthing the bugs?
> 

Generally no. The only exception for me was Netscape - they had (probably also 
have, check at their site) a bug bounty program, which basically means paying 
for reproducible security bugs.

> d) How do security firms like yours unearth bugs?  Do you have
> specialized teams which work on unearthing these bugs? 
> 

The general algorithm is with typing on the keyboard. Mouse engineering brought 
to the masses is not effective, I believe.

> e) Are there security firms which talk to hacker community to unearth
> bugs?  
> 

I think you have the term "hacker" wrong.
Check http://www.jargonfile.com/jargon/html/entry/hacker.html

> f) What sort of tools do you use to unearth bugs?  Would they be similar
> to what hackers use?
>

See the answer to e)
For me the most interesting bugs were found without any tools, just my old 
brain. Anyway, grep and flawfinder can help in some cases.


> Looking forward to hearing from you. 
>

Me too, for the Floyd stuff.

> Thanks
> Karthik
> 
> Karthik Kannan
> Carnegie Mellon University
> http://www.andrew.cmu.edu/~kkannan
> 

Georgi Guninski
http://www.guninski.com