Dailydave mailing list archives
Re: funny comments from Hack IIS6 contest admin
From: Anthony Zboralski <bcs2005 () bellua com>
Date: Sun, 15 May 2005 02:12:15 +0700
On 14 May 2005, at 19:51, Roger A. Grimes wrote:
> Re-read the posting. I said MOST people on the list would not be able to hack the site if the reward was bigger. That is because MOST people on the list don't have the skillz and could not acquire them. Serious hacking is something either you have or you don't...I'm not talking about the hacking where you must rely on a misconfiguration to be successful (because our box is not misconfigured), but the zero-day stuff.
"Serious skills" depend on your motivation (and confidence) to learn and improve these same skills.
> I assure you that the hackers that are capable of hacking this box are motivated for far less money, if any. Take Dave at Immunity. He makes more money than the average hacker, but I assure you that he makes far less than $250K on each hack he discovers. (Tell me if I'm wrong, Dave).
An IIS6 0day exploit will certainly generate more earnings than $150, the price of an Xbox. The resale value of a clean exploit for IIS6 is around 20K + earnings generated from pen testing + earnings generated by follow-up projects (impressing the clients) + earnings generated by attack frameworks such as Core Impact, Canvas + earnings generated by vulnerability sharing clubs + earnings generated by interest.

You are offering $150 + some publicity (it is hard to quantify how much this is really worth...) in exchange for a working exploit or the possibility to get a pcap and analyse it. $250K is more of a value proposal. How much is a 0day exploit for IIS6 worth to Microsoft? Why are you guys running this contest and what is your motivation behind it? Do you want to improve IIS6 security or do you just want to do some guerilla marketing?
> Professional hackers may make more than $250K, but what motivated them initially was far less money, if any. The best hackers in the world that released the most devastating exploits, did it for free...not money. It was either to improve the product or for the "glory" in the community. Consistent hackers...the best...want more money...but what motivated them initially was far less.
Money or fame... unless one has the opportunity to do both like you!

"As a rule, never do pro-bono work for a profit-making organisation. Don't let them fool you with the "e" word, exposure." - Alan Weiss

You work for Windows IT Pro Magazine. Penton Media is a listed company and a Microsoft partner:

Security Partner Home... Custom Media Group is part of Windows IT Pro, a Division of Penton Media Inc. Copyright © 2005 Penton Media, Inc., All rights reserved. ...
https://partner.microsoft.com/global/security/40011535
http://members.microsoft.com/partner/campaign/SecurityOutreach/Sell/Default.htm (free reg)

New SecurityWatch e-Newsletter
New SecurityWatch e-Newsletter for you to customize and deliver to customers. Starting late February 2004, a new customer-ready e-newsletter will be available for you to pass on to your customers, keeping them in touch with the industry-wide security threats and tips for keeping their company secure. This newsletter is free to you and can be a valuable way for you to continue to connect with customers and stay in the forefront of their minds as their security advisor. Published by industry analysts, this newsletter contains Microsoft's security newsletter headlines inside. This page will contain links to the newsletter when the first issue is available.

This doesn't come as a surprise, where is your independence :)
> Would more money motivate more people? Yes, of course. But Anthony, people like you wouldn't be able to hack it regardless of the award. In fact, Anthony, I'll personally give you, and you alone, a $2000 reward of my own money, if you hack it (by yourself without any external help) by midnight tonight. Go!
I don't want to take your personal money and I am not very impressed by $2000. I have been doing pen tests for the last 10 years and my success rate is very high, to say the least. At Bellua, we always succeed :) (although we cheat a little bit by rejecting stupid constraints and limited scope.)

You should read one of my poorly written posts on the same subject: http://archives.neohapsis.com/archives/dailydave/2005-q1/0146.html
> In fact, tell me the IP address you're hacking from (so I can track you) and send one original hack that might possibly be successful...I doubt you can even do that. It won't get you any award, but at least I won't see you as the poser you so obviously are. Or are you already calling your more knowledgeable friends for help or deciding on what witty response to send on why you don't hack my box?
>
> Roger A. Grimes
> admin () hackiis6 com
Do you always talk to people like that? Have we met before? Why the personal attack? You seem to be missing my point. You said on Slashdot:

> "This sort of claim is so not true. Ebay, Microsoft, Msn, Hotmail, and so many other sites run on IIS 6. Certainly, there is financial gain beyond $250K to be made if you successfully hack those sites. They aren't (while you can never be sure any computer system isn't hacked...they aren't publicly known to be hacked)."

- Translation: the value of an attack against IIS6 sites is probably worth more than $250K?

You said:

> "Hacking success is driven by desire and consistent effort, only a bit of which is money-driven. The spyware and ad-ware related hackers are certainly driven by money, but many other hackers (i.e. gov't hackers) aren't."

- Gov't hackers are motivated by job security, the others are motivated by fame. Dave said in a recent interview that fame == money.. so we are probably talking about the same type of greed.

You said:

> "It's probably safe to say that most people on this list, including anyone claiming so (like you) would not be able to hack the site if given a bigger prize. Some might...but the ones who can really do it aren't out making knowingly false claims and bragging of skills they don't have and probably couldn't acquire."

- Maybe on Slashdot, it is safe to say that. That's exactly the reason why I moved the thread to a more appropriate list.

You said:

> "Of course, on the other end of the spectrum, if given a bigger prize, I would probably secure the site beyond the basics as well...and things like that...so it would not be a one-sided build up."

- Yes please "secure" the site and do raise the prize to $250K. If you raise the reward to an acceptable level, I will give $5,000 of my personal money to you if nobody wins. You know that if you run a golf tournament and offer a BMW or a Mercedes as the hole-in-one prize, most insurance companies will cover the risk for about 3% of the value of the car. I wonder if they would insure a hacking contest, you might want to try.

Cheers,
Anthony Zboralski
-----Original Message-----
From: Anthony Zboralski [mailto:bcs2005 () bellua com]
Sent: Friday, May 13, 2005 4:38 PM
To: dailydave
Cc: Roger A. Grimes
Subject: funny comments from Hack IIS6 contest admin

Did you guys notice this dumb Hack IIS6 Contest to win an Xbox? http://www.hackiis6.com

Below are the comments I posted on Slashdot and a reply from Roger Grimes, who claims that if MS increases the prize to $250K it will not affect the result of the contest :))

Is this a joke?!? The reward is worthless! (Score:3, Informative) by acz (120227) <z&hert,org> on Friday May 06, @08:15AM (#12448998)
You have to be retarded to use an 0day IIS exploit to win an XBox when you can sell it for around 20K or impress customers during a pen test... (A pen test can be worth between 15K to 200K depending on the scope of the project). One hour of security consulting earns you an XBox, why bother with this contest? Link to post on vuln sharing club, here [immunitysec.com]

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227) <z&hert,org> on Friday May 06, @10:31AM (#12449395)
make the reward 250K and this web site will be hacked right away.

Re:Is this a joke?!? The reward is worthless! (Score:0) by Anonymous Coward on Friday May 06, @07:12PM (#12453220)
This sort of claim is so not true. Ebay, Microsoft, Msn, Hotmail, and so many other sites run on IIS 6. Certainly, there is financial gain beyond $250K to be made if you successfully hack those sites. They aren't (while you can never be sure any computer system isn't hacked...they aren't publicly known to be hacked). Hacking success is driven by desire and consistent effort, only a bit of which is money-driven. The spyware and ad-ware related hackers are certainly driven by money, but many other hackers (i.e. gov't hackers) aren't. It's probably safe to say that most people on this list, including anyone claiming so (like you) would not be able to hack the site if given a bigger prize. Some might...but the ones who can really do it aren't out making knowingly false claims and bragging of skills they don't have and probably couldn't acquire. Of course, on the other end of the spectrum, if given a bigger prize, I would probably secure the site beyond the basics as well...and things like that...so it would not be a one-sided build up.
Roger A. Grimes
admin () hackiis6 com

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227) <z&hert,org> on Friday May 13, @10:24PM (#12523673)
Some of the companies you have mentioned have been hacked and will be hacked again... Didn't Microsoft get winnt4 and win2k src stolen last year? (it's probably still on edonkey.) I was talking about legal ways to make money from a vulnerability or exploit without resorting to fraud or crime.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave