Re: Some Sums

["Olef Anderson" <olef.anderson () gmail com>]

About this whole fuzzer business, how about putting some cold hard cash
where the corporate mouthpiece is at ?
Since obviously you happen to have some VC money, a booth at the RSA floor
is a sign, you can back your claims with real currency. I would love to give
you the opportunity.

Lets take the latest Microsoft Exchange release (2007) and 2 weeks of your
time running your PROTOS fuzzer. At the end of the 2 weeks if you can find
the existing remote root hole in it, I am offering to pay you the bugs worth
of $150 000.00. However If you are not successful, I should be payed the
very same amount which in return I shall present you the exploit. From that
point you will be free to coordinate vendors, release advisories whatever it
takes. Just to clarify a point though, no DoSes are acceptable, should be an
overflow that leads to clear code execution ( the mailing list subscribers
could be the judge of that).

Wouldn't that be nice to prove that you actually know what you are talking
about ?

On 2/7/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
> Hmmm, distantly related to this: Maybe us fuzzer developers should
> save hashes of some millions of attacks somewhere also, so that we can
> prove our tools were used to find the flaws in the first
> place... Looking at past iDefence disclosures for example, I am
> beginning to doubt that they reward for publishing flaws instead of
> finding flaws (this is like patent system in Europe which rewards
> first to file, not first to invent)... More and more flaws are found
> using tools, and pre-packaged attacks. If a flaw is found using a
> product like Codenomicon/PROTOS or CANVAS, I supposed the reward
> should also be paid to the tool developer and not the tool user. ;)
>
> Tongue-in-the-cheek-greetings,
>
> /Ari
>
> > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> > From: "Steven M. Christey" <coley () mitre org>
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave () lists immunitysec com
> > Message-ID: <200702070711.l177BGJw026300 () faron mitre org>
> >
> >
> > >   I take it that's going to be the hash of some file or other data
> > >   you're > going to produce for someone at sometime in the future?
> > >   Couldn't you just > have used a ZK protocol and left us all out of
> > >   it? ;-) If you're going to use > our inboxes as substitutes for
> > >   escrow/notarisation centres, you could perhaps > tell us just a
> > >   little bit more about what you're doing!
> >
> > MD5/SHA-1 crackability issues aside*, the next question that
> > immediately comes to mind is why there isn't a central place for
> > researchers to do exactly this - make a claim about knowledge that's
> > provably fixed in a certain place and time.  Oh, wait, we're all
> > individuals and we don't need anybody else.  There's no need to
> > organize in any way, shape, or form.  After all, when Ilfak posted
> > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> > immediately trusted him, so why not Halvar?  Sorry, I forgot about the
> > outside world for a second.
> >
> >
> > Snarkily and respectfully,
> > Steve
> >
> >
> > * crypto is my kryptonite, I defer to the geniuses.
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave