Dailydave mailing list archives

Re: funny comments from Hack IIS6 contest admin


From: Anthony Zboralski <bcs2005 () bellua com>
Date: Sun, 15 May 2005 02:12:15 +0700


On 14 May 2005, at 19:51, Roger A. Grimes wrote:

Re-read the posting.  I said MOST people on the list would not be able
to hack the site if the reward was bigger. That is because MOST people
on the list don't have the skillz and could not acquire them.  Serious
hacking is something either you have or you don't...I'm not talking
about the hacking where you must rely on a misconfiguration to be
successful (because our box is not misconfigured), but the zero-day
stuff.

"Serious skills"  depend on your motivation (and confidence) to learn
and improve these same skills.

I assure you that the hackers that are capable of hacking this box are
motivated for far less money, if any. Take Dave at Immunity. He makes
more money than the average hacker, but I assure you that he makes far
less than $250K on each hack he discovers.  (Tell me if I'm wrong,
Dave).

An IIS6 0day exploit will certainly generate more earnings than $150,
the price of an Xbox. The resale value of a clean exploit for IIS6 is
around 20k + earnings generated from pen testing + earnings generated
by follow-up projects (impressing the clients) + earnings generated by
attack frameworks such as core impact, canvas + earnings generated by
vulnerability sharing clubs + earnings generated by interest.

You are offering $150 + some publicity (it is hard to quantify how much this is really worth...) in exchange for a working exploit or the possibility to
get a pcap and analyse it.

$250K is more of a value proposal. How much is a 0day exploit for IIS6 worth to Microsoft? Why are you guys running this contest and what is your motivation behind it? Do you want to improve IIS6 security, or do you just want to do some guerrilla marketing?

Professional hackers may make more than $250K, but what
motivated them initially was far less money, if any.  The best hackers
in the world that released the most devastating exploits, did it for
free...not money. It was either to improve the product or for the
"glory" in the community.  Consistent hackers...the best...want more
money...but what motivated them initially was far less.

Money or fame... unless one has the opportunity to do both like you!

"As a rule, never do pro-bono work for a profit-making organisation. Don't
let them fool you with the "e" word, exposure." Alan Weiss

You work for Windows IT Pro Magazine.
Penton Media is a listed company and a Microsoft partner.

Security Partner Home
... Custom Media Group is part of Windows IT Pro, a Division of Penton Media Inc.
Copyright © 2005 Penton Media, Inc., All rights reserved. ...
https://partner.microsoft.com/global/security/40011535

http://members.microsoft.com/partner/campaign/SecurityOutreach/Sell/Default.htm (free reg)
New SecurityWatch e-Newsletter
New SecurityWatch e-Newsletter for you to customize and deliver to customers. Starting late February 2004, a new customer-ready e-newsletter will be available for you to pass-on to your customers, keeping them in touch with the industry-wide security threats and tips for keeping their company secure. This newsletter is free to you and can be a valuable way for you to continue to connect with customers and stay in the forefront of their minds as their security advisor. Published by industry analysts, this newsletter contains Microsoft's security newsletter headlines inside. This page will contain links to the newsletter when the first issue is available.

This doesn't come as a surprise; where is your independence? :)

Would more money motivate more people?  Yes, of course.  But Anthony,
people like you wouldn't be able to hack it regardless of the award. In fact, Anthony, I'll personally give you, and you alone, $2000 reward of my own money, if you hack it (by yourself without any external help) by
midnight tonight.  Go!

I don't want to take your personal money and I am not very impressed
by $2000. I have been doing pen tests for the last 10 years and my success rate is very high, to say the least. At Bellua, we always succeed :) (although we cheat a little bit by rejecting stupid constraints and limited scope.)

You should read one of my poorly written posts on the same subject.
http://archives.neohapsis.com/archives/dailydave/2005-q1/0146.html

In fact, tell me the IP address you're hacking from (so I can track you)
and send one original hack that might possibly be successful...I doubt
you can even do that. It won't get you any award, but at least I won't
see you as the poser you so obviously are.

Or are you already calling your more knowledgeable friends for help or
deciding on what witty response to send on why you don't hack my box?
Roger A. Grimes
admin () hackiis6 com

Do you always talk to people like that? Have we met before?
Why the personal attack? You seem to be missing my point.

You said on Slashdot:
"This sort of claim is so not true. Ebay, Microsoft, Msn, Hotmail, and so many other sites run on IIS 6. Certainly, there is financial gain beyond $250K to be made if you successfully hack those sites. They aren't (while you can never be sure any computer system isn't hacked...they aren't publicly known to be hacked)."

-Translation: the value of an attack against IIS6 sites is probably worth more than $250K?

You said:
"Hacking success is driven by desire and consistent effort, only a bit of which is money-driven. The spyware and ad-ware related hackers are certainly driven by money, but many other hackers (i.e. gov't hackers) aren't."

-Gov't hackers are motivated by job security, the others are motivated by fame. Dave said in a recent interview that fame == money.. so we are probably talking about the same type of greed.

You said:
"It's probably safe to say that most people on this list, including anyone claiming so (like you) would not be able to hack the site if given a bigger prize. Some might...but the ones who can really do it aren't out making knowingly false claims and bragging of skills they don't have and probably couldn't acquire."

-Maybe on Slashdot, it is safe to say that. That's exactly the reason why I moved the thread to a more appropriate list.

You said:
"Of course, on the other end of the spectrum, if given a bigger prize, I would probably secure the site beyond the basics as well...and things like that...so it would not be a one-sided build up."

- Yes please "secure" the site and do raise the prize to $250K. If you raise the reward to an acceptable level, I will give
$5,000 of my personal money to you if nobody wins.

You know that if you run a golf tournament and offer a BMW or a Mercedes as the hole-in-one prize, most insurance companies will cover the risk for about 3% of the value of the car. I wonder if they would
insure a hacking contest, you might want to try.

Cheers,

Anthony Zboralski


-----Original Message-----
From: Anthony Zboralski [mailto:bcs2005 () bellua com]
Sent: Friday, May 13, 2005 4:38 PM
To: dailydave
Cc: Roger A. Grimes
Subject: funny comments from Hack IIS6 contest admin

Did you guys notice this dumb Hack IIS6 Contest to win an Xbox?

     http://www.hackiis6.com

Below are the comments I posted on Slashdot and a reply from Roger
Grimes, who claims that if MS increases the prize to $250K it will not
affect the result of the contest :))


Is this a joke?!? The reward is worthless! (Score:3, Informative) by acz (120227) <z&hert,org> on Friday May 06, @08:15AM (#12448998) You have to be retarded to use an 0day IIS exploit to win an XBox when you can sell it for around 20K or impress customers during a pen test... (A pen test can be worth between 15K to 200K depending on the scope of the project).

One hour of security consulting earns you an XBox, why bother with this
contest?

Link to post on vuln sharing club, here [immunitysec.com]

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227) <z&hert,org> on Friday May 06, @10:31AM (#12449395) make the reward 250K
and this web site will be hacked right away.

Re:Is this a joke?!? The reward is worthless! (Score:0) by Anonymous
Coward on Friday May 06, @07:12PM (#12453220) This sort of claim is so
not true. Ebay, Microsoft, Msn, Hotmail, and so many other sites run on IIS 6. Certainly, there is financial gain beyond $250K to be made if you successfully hack those sites. They aren't (while you can never be sure
any computer system isn't hacked...they aren't publicly known to be
hacked).

Hacking success is driven by desire and consistent effort, only a bit of
which is money-driven. The spyware and ad-ware related hackers are
certainly driven by money, but many other hackers (i.e. gov't
hackers) aren't.

It's probably safe to say that most people on this list, including
anyone claiming so (like you) would not be able to hack the site if
given a bigger prize. Some might...but the ones who can really do it
aren't out making knowingly false claims and bragging of skills they
don't have and probably couldn't acquire. Of course, on the other end of the spectrum, if given a bigger prize, I would probably secure the site beyond the basics as well...and things like that...so it would not be a
one-sided build up.

Roger A. Grimes
admin () hackiis6 com

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227)
<z&hert,org> on Friday May 13, @10:24PM (#12523673) Some of the
companies you have mentioned have been hacked and will be hacked
again... Didn't Microsoft get winnt4 and win2k src stolen last year?
(it's probably still on edonkey.)

I was talking about legal ways to make money from a vulnerability or
exploit without resorting to fraud or crime.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
