Message-ID: <468067D0.5070507@kevinbeardsucks.com>
Date: Mon, 25 Jun 2007 21:11:44 -0400
From: kefka <kefka@...inbeardsucks.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Office 0day
Depends on your definition of secure.
phpninja wrote:
> Also I guess if every company paid for exploits you guys would be out
> of a job (most everything would be secure).. I didn't think of that..
>
> On 6/25/07, *Troy* <gimmespam@...il.com> wrote:
>
> On 6/25/07, *phpninja* <phpninja@...il.com> wrote:
>
> "If other places are offering $20K for a 0day, why should
> Microsoft offer
> 10 times that, when they can probably make the sale offering
> only $25K?"
>
> I would think Incentive.. Sell my exploit to some criminal
> network for cheap? Or would I rather Microsoft trump their
> offer by much more and continue consulting for Microsoft
> rather than criminal networks. Also if I am in any industry
> (let's say software) I am going to strive to produce the best
> product possible regardless of the profit. This means
> spending a lot more for people's research than some average
> criminal who will then make much much more money than the security
> researcher
>
>
> $1 million is much more than "much more" than $20K. $40K would be
> more than enough to give the needed incentive.
>
>
> Well I would think there would be some motivation. Unless
> every employee who codes at Microsoft is a money grubbing
> greedy person with no regard to the person who uses their
> products then there would have to be some motivation to fix
> the product if it is flawed.
>
>
> While it is true that not every employee is "a money grubbing
> greedy person," that is, unfortunately, not how corporations work.
> In fact, the bigger the corporation, the harder it is for an
> individual within that corporation to make a difference. The fact
> is that, no matter how many good people work for a corporation, it
> all comes down to how much money the shareholders can make.
>
> let's see, they spend 50 million over 7 years (Windows XP
> lifespan so far) not bad..
> they are a 280+ billion dollar company.
>
>
> Your first assumption is that, in the course of 7 years, there
> have only been 50 major security exploits discovered by third
> parties in Windows XP. Your number is a bit low.
>
> But compared to a Security team of 50 people at $250,000 a
> year for 7 years. = 87,500,000 , Looks like their security
> team is costing a lot more..
>
>
> Your second assumption is that Microsoft's security team consists
> of 50 people who are each making $250,000 a year. Microsoft pays
> well, but not that well. At least, not to that many people. At
> least, as far as I know. I may be wrong, but those numbers seem
> high.
>
> That is like me trying to argue that after going to a car
> mechanic, I should have known that the engine mount that I
> paid to be secure in my car would have loosened on a bumpy
> freeway and let my engine fall out on the freeway. I should
> have put a big metal sheet under my car from keeping things
> from falling out after i pay for service!! I just should have
> that knowledge magically. It just won't hold up in court.
>
>
> That's a straw man argument. A better analogy would be trying to
> sue an automobile manufacturer because your car was stolen, even
> though you locked the doors. After all, it's the manufacturer's
> fault that a security flaw existed in the car and somebody was
> able to break the windows to get in, isn't it? If you really want
> to push the analogy, you could say it's like suing a lock
> manufacturer because their padlock didn't prevent a thief from
> cutting the lock with bolt cutters and you lost your stock of gold
> bullion.
>
> No reasonable system administrator can expect any operating system
> to be completely secure. If that were the case, we wouldn't need
> firewalls. Anybody trained in IT knows that hackers can, have, and
> will, break into systems, no matter what you do. If you store
> customer information in a plain text file on a system connected to
> the Internet, you can't blame Microsoft when somebody steals it.
>
> "Making a *criminal* negligence case stick would be
> *exceedingly* hard to do"
>
> I don't think it would be so hard. Someone reports a critical
> flaw, and Microsoft reports it, but doesn't patch it and does
> nothing about it. So they know about the flaw at hand and
> aren't doing anything to fix it. That is the definition of
> negligence. It's like a tire company knowing of a problem in
> their tires, stating the problem, and not recalling the tires.
> They know of the problem but don't fix it. Now I've been
> thinking, I don't think you'd need a big DA or anything of that
> nature.
>
>
> That's civil, not criminal. There's a big difference. There's also
> a big difference between tires blowing out and killing people and
> a hacker getting some credit card numbers.
>
> Despite all this, you just stated exactly why Microsoft wouldn't
> want to do this. Someone sells a flaw to Microsoft. Microsoft
> works on a patch. Somebody's system gets compromised before the
> patch is ready. Now, there is no doubt that Microsoft is aware of
> the flaw, and a lawsuit becomes much easier to win.
>
>
> There was a judge in the news recently suing for $60,000,000
> for a pair of pants. All you have to do is piss off the right
> people.
>
>
> You can sue anybody for any amount you want. I can file a lawsuit
> asking for $27 billion because somebody cut me off in traffic and
> caused distress. That doesn't mean I'll win.
>
> The $60 million (actually $54 million) lawsuit over a pair of
> pants is a great example, especially since it was thrown out of
> court. http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html
> <http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html>
>
> I guess the whole point is, yes Microsoft could offer to purchase
> exploits. No, we can't force them to do so. No, $1 million for an
> exploit is not a reasonable expectation. No, Microsoft won't do it
> because, as you've pointed out, once they start doing it, they're
> admitting they know about the exploits and may be open to lawsuits
> at that point.
>
> I also don't like the idea the OP had of purchasing fixes for the
> exploits. Operating Systems shouldn't include code written by
> mercenaries who sell their code to the highest bidder.
>
> --
> Troy
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/