Message-ID: <849f37830706251546p211c2a97nc0b8e1d5e04d263b@mail.gmail.com>
Date: Mon, 25 Jun 2007 15:46:19 -0700
From: phpninja <phpninja@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Office 0day
> If other places are offering $20K for a 0day, why should Microsoft offer
> 10 times that, when they can probably make the sale offering only $25K?
I would think incentive. Sell my exploit to some criminal network for
cheap? Or would I rather Microsoft trump their offer by much more and
continue consulting for Microsoft rather than criminal networks? Also, if I
am in any industry (let's say software) I am going to strive to produce the
best product possible regardless of the profit. This means spending a lot
more for people's research than some average criminal who will then make
much, much more money than the security researcher.
> Yes. They could. But if they've bought exclusive rights to the exploit, why
> should they? Remember why the concept of "full disclosure" started in the
> first place - because if a vendor is the only one who knows about a hole, they
> have little to no motivation to actually *fix* it.
Well, I would think there would be some motivation. Unless every employee who
codes at Microsoft is a money-grubbing greedy person with no regard for the
person who uses their products, there would have to be some motivation to fix
the product if it is flawed.
> Which is a better bet for Microsoft - spending $15 million on a big PR and
> advertising campaign that announces the 'New Secure Attitude', or spending
> $50M on quietly fixing the broken software?
Let's see, they spend 50 million over 7 years (Windows XP lifespan so far).
Not bad.. they are a 280+ billion dollar company.
But compared to a security team of 50 people at $250,000 a year for 7 years
= $87,500,000. Looks like their security team is costing a lot more..
Also I shouldn't have to take into consideration 'the amount of security I'm
willing to pay for' if I can only get so much (guaranteed?) security for 1
price.
> Microsoft could *easily* argue that the webmaster
> or sysadmin or whatever *should* have known that "software is hackable" and
> taken additional precautions of their own.
That is like me trying to argue that after going to a car mechanic, I should
have known that the engine mount that I paid to be secure in my car would
have loosened on a bumpy freeway and let my engine fall out on the freeway.
I should have put a big metal sheet under my car to keep things from
falling out after I pay for service!! I just should have that knowledge
magically. It just won't hold up in court.
> Making a *criminal* negligence case stick would be *exceedingly* hard to
> do
I don't think it would be so hard. Someone reports a critical flaw, and
Microsoft reports it, but doesn't patch it and does nothing about it. So
they know about the flaw at hand and aren't doing anything to fix it. That
is the definition of negligence. It's like a tire company knowing of a
problem in their tires, stating the problem, and not recalling the tires.
They know of the problem but don't fix it. Now I've been thinking, I don't
think you'd need a big DA or anything of that nature. There was a judge in
the news recently suing for $60,000,000 for a pair of pants. All you have to
do is piss off the right people.
just some thoughts..
On 6/25/07, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
>
> On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:
>
> > *Proposition*
> >
> > Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a
> > standard ransom fee for security flaws?
> >
> > 0day Remote OS flaw: $1,000,000
> > 0day IE explorer flaws that give administrative shells: $200,000
> > 0day (other flaws) that affect other products (ie office): $200,000
> > etc..(these fees could be much higher)
>
> If other places are offering $20K for a 0day, why should Microsoft offer
> 10 times that, when they can probably make the sale offering only $25K?
>
> Remember - Microsoft isn't there to make good software. It's there to
> make a profit.
>
> > Provided the person who discovered the vulnerability gives a full working
> > patch, then Microsoft could patch the hole right away and people could
> > update.
>
> Yes. They could. But if they've bought exclusive rights to the exploit, why
> should they? Remember why the concept of "full disclosure" started in the
> first place - because if a vendor is the only one who knows about a hole, they
> have little to no motivation to actually *fix* it.
>
> > (yes I know lots of people don't update but at least it is a start,
> > and then legally they would be so liable). Maybe this concept isn't new and
> > I am just in the dark about it.
>
> There's companies in the security arena buying 0days, been happening for
> years already.
>
> > Why doesn't Microsoft (or any company) do this?
>
> There's plenty of companies that make a living fixing the problems in the
> Microsoft products (IDS and A/V and all the rest), and they've been doing it
> for a while. It would be a *bad* idea for Microsoft to get caught doing that,
> as the instant they shell out some money for a 0day, they lose most of their
> plausible deniability. It's hard to argue "We didn't know about that bug until
> the public posting on the XYZ-L list on Dec 3" if the other side's lawyers find
> records of buying a 0day for the hole back in early April.
>
> Something to keep in mind is that security is *always* about tradeoffs,
> especially when you're a vendor. You're probably *not* interested in shipping
> a massively hardened secure system - only a few sites are truly paranoid
> or require that sort of thing. Windows XP will end up selling hundreds of
> millions of copies - the amount of security in those will end up being the
> amount of security that hundreds of millions of Joe Sixpack customers are
> willing to actually *pay* for.
>
> Since Microsoft is a for-profit corporation, their security team is charged with
> reducing the *total* cost of the security - the expense of actually auditing
> any existing code, and writing new code to stricter standards, *plus* the
> costs of fixing bugs once they escape, *plus* the costs of keeping customers
> happy when a security bugfix changes an API and production software breaks,
> *plus* the PR costs of following your planned decision.
>
> Which is a better bet for Microsoft - spending $15 million on a big PR and
> advertising campaign that announces the 'New Secure Attitude', or spending
> $50M on quietly fixing the broken software?
>
> > And also has Microsoft ever
> > been held criminally liable for negligence in a criminal case for not
> > patching a flaw leading to a security breach?
>
> Making a *criminal* negligence case stick would be *exceedingly* hard to do,
> as you'd have to find a district attorney who wanted to try to press charges,
> and it's hard to make it stick against a corporation - the legal standard
> really *does* approach "the defendant knew or should have known that their
> behavior was likely to result in somebody literally getting hurt or killed".
> (One web site gave the hypothetical examples of a canoeing tour operator that
> takes kids who are beginning canoers out on a lake, without life preservers,
> when stormy weather is forecast, or a company releasing toxic chemicals that
> they should have known would end up in a town's drinking water).
>
> It would be a lot easier to make a case for civil liability for the negligence,
> but then you'd have a *big* problem - by using a non-pirated copy of Windows,
> you presumably agreed to the EULA, where you disclaimed most of the obligations
> you would normally have. And *at best*, you'd only be able to pin them with
> "contributory negligence" - Microsoft could *easily* argue that the webmaster
> or sysadmin or whatever *should* have known that "software is hackable" and
> taken additional precautions of their own.
>
> A number of pretty clever people have been looking at this, and it's pretty
> generally agreed that the test case you'd want to see in court would be a
> non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or
> otherwise attacked from compromised Windows boxes, such that the compromise
> allows the attacker to remain anonymous/unfindable. And even then it's not
> a clearly winnable *practical* suit to battle - if the plaintiff company
> only lost $250,000 due to the DDoS, and the attorney is doing it for the
> semi-standard 30% of the award, and it will take more than $75K worth of
> legal just to get the case rolling, it becomes difficult to get the lawsuit
> moving. So you'd need either a non-Microsoft shop that lost millions of
> dollars due to the DDoS, or a law firm that wants to rack up *lots* of
> pro bono hours..
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/