Dailydave mailing list archives

RE: funny comments from Hack IIS6 contest admin


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 14 May 2005 21:38:24 -0400

-See below 

-----Original Message-----
From: Anthony Zboralski [mailto:bcs2005 () bellua com] 
Sent: Saturday, May 14, 2005 3:12 PM
To: Roger A. Grimes
Cc: dailydave
Subject: Re: funny comments from Hack IIS6 contest admin


On 14 May 2005, at 19:51, Roger A. Grimes wrote:

Re-read the posting.  I said MOST people on the list would not be able
to hack the site if the reward was bigger.  That is because MOST
people on the list don't have the skillz and could not acquire them.
Serious hacking is something either you have or you don't...I'm not
talking about the hacking where you must rely on a misconfiguration to
be successful (because our box is not misconfigured), but the zero-day
stuff.

"Serious skills"  depend on your motivation (and confidence) to learn
and improve these same skills.

-Yeah, but I know lots of "serious" hackers who don't have the intellect
to make their own exploits.  They can be persistent...which often pays
off more than creative...but they aren't designing zero-day exploits.

I assure you that the hackers that are capable of hacking this box are
motivated for far less money, if any.  Take Dave at Immunity.  He
makes more money than the average hacker, but I assure you that he
makes far less than $250K on each hack he discovers.  (Tell me if I'm
wrong, Dave).

An IIS6 0day exploit will certainly generate more earnings than $150,
the price of an Xbox. The resale value of a clean exploit for IIS6 is
around 20k + earnings generated from pen testing + earnings generated by
follow-up projects (impressing the clients) + earnings generated by
attack frameworks such as Core Impact, CANVAS + earnings generated by
vulnerability sharing clubs + earnings generated by interest.

-This is a contest for fun, not to find uber hackers...that's why the
prize is not a bezillion dollars.  It's a place where anyone can hack
legally...to give an outlet to those who want to test their tools and
knowledge legally...and if someone wants credit for something nifty,
that too.

You are offering $150 + some publicity (it is hard to quantify how much
this is really worth...) in exchange for a working exploit or the
possibility to get a pcap and analyse it.
-99% of exploits are released for free.

$250K is more of a value proposal. How much is a 0day exploit for IIS6
worth to Microsoft? 
-I don't know, they aren't overly involved in the contest.

Why are you guys running this contest and what is your motivation behind
it? 
-A place for people to hack, and marketing of course.

Do you want to improve IIS6 security or you just want to do some
guerilla marketing?
-Both.  We aren't necessarily trying to improve IIS 6...it's pretty
secure already..but if we learn something new, great.  Primarily the lesson
to be learned is that a standard IIS 6 box with the basic hardening can
withstand weeks of dedicated hack attacks.  If it doesn't get hacked, it
doesn't mean it is completely secure, only relatively secure.

Professional hackers may make more than $250K, but what motivated them
initially was far less money, if any.  The best hackers in the world
that released the most devastating exploits, did it for free...not
money. It was either to improve the product or for the "glory" in the
community.  Consistent hackers...the best...want more money...but what
motivated them initially was far less.

Money or fame... unless one has the opportunity to do both like you!
-I make good money, the fame part is more for you and Dave.

"As a rule, never do pro-bono work for a profit-making organisation.
Don't let them fool you with the "e" word, exposure." Alan Weiss

You work for Windows IT Pro Magazine.
Penton Media, it is a listed company and a Microsoft partner.

Security Partner Home
... Custom Media Group is part of Windows IT Pro, a Division of Penton
Media Inc.
Copyright (c) 2005 Penton Media, Inc., All rights reserved. ...
https://partner.microsoft.com/global/security/40011535

http://members.microsoft.com/partner/campaign/SecurityOutreach/Sell/Default.htm (free reg)
New SecurityWatch e-Newsletter
New SecurityWatch e-Newsletter for you to customize and deliver to
customers. Starting late February 2004, a new customer-ready e-
newsletter will be available for you to pass-on to your customers,
keeping them in touch with the industry-wide security threats and tips
for keeping their company secure. This newsletter is free to you and can
be a valuable way for you to continue to connect with customers and stay
in the forefront of their minds as their security advisor. Published by
industry analysts, this newsletter contains Microsoft's security
newsletter headlines inside. This page will contain links to the
newsletter when the first issue is available.

This doesn't come as a surprise, where is your independence :)

Would more money motivate more people?  Yes, of course.  But Anthony,
people like you wouldn't be able to hack it regardless of the award.
In fact, Anthony, I'll personally give you, and you alone, $2000
reward of my own money, if you hack it (by yourself without any
external help) by midnight tonight.  Go!

I don't want to take your personal money and I am not very impressed by
$2000. I have been doing pen tests for the last 10 years and my success
rate is very high, to say the least. At Bellua, we always succeed :)
(although we cheat a little bit by rejecting stupid constraints and
limited scope.)

You should read one of my poorly written posts on the same subject.
http://archives.neohapsis.com/archives/dailydave/2005-q1/0146.html

In fact, tell me the IP address you're hacking from (so I can track
you) and send one original hack that might possibly be successful...I doubt
you can even do that.  It won't get you any award, but at least I
won't see you as the poser you so obviously are.

Or are you already calling your more knowledgeable friends for help or
deciding on what witty response to send why you don't hack my box?
Roger A. Grimes
admin () hackiis6 com

Do you always talk to people like that? Have we met before?
Why the personal attack? You seem to be missing my point.

You said on Slashdot:
"This sort of claim is so not true. Ebay, Microsoft, Msn, Hotmail, and
so many other sites run on IIS 6. Certainly, there is financial gain
beyond $250K to be made if you successfully hack those sites.  
They aren't (while you can never be sure any computer system isn't
hacked...they aren't publicly known to be hacked)."

-Translation: the value of an attack against IIS6 sites is probably
worth more than $250K?

You said:
"Hacking success is driven by desire and consistent effort, only a bit
of which is money-driven. The spyware and ad-ware related hackers are
certainly driven by money, but many other hackers (i.e. gov't
hackers) aren't."

-Gov't hackers are motivated by job security, the others are motivated
by fame. Dave said in a recent interview that fame == money.. so we are
probably talking about the same type of greed.

You said:
"It's probably safe to say that most people on this list, including
anyone claiming so (like you) would not be able to hack the site if
given a bigger prize. Some might...but the ones who can really do it
aren't out making knowingly false claims and bragging of skills they
don't have and probably couldn't acquire.

-Maybe on Slashdot, it is safe to say that. That's exactly the reason
why I moved the thread to a more appropriate list.

You said:
"Of course, on the other end of the spectrum, if given a bigger prize, I
would probably secure the site beyond the basics as well...and things
like that...so it would not be a one-sided build up."

- Yes please "secure" the site and do raise the prize to $250K. If you
raise the reward to an acceptable level, I will give $5,000 of my
personal money to you if nobody wins.

You know that if you run a golf tournament and offer a BMW or a Mercedes
as the hole-in-one prize, most insurance companies will cover the risk
for about 3% of the value of the car. I wonder if they would insure a
hacking contest, you might want to try.

Cheers,

Anthony Zboralski


-----Original Message-----
From: Anthony Zboralski [mailto:bcs2005 () bellua com]
Sent: Friday, May 13, 2005 4:38 PM
To: dailydave
Cc: Roger A. Grimes
Subject: funny comments from Hack IIS6 contest admin

Did you guys notice this dumb Hack IIS6 Contest to win an Xbox?

     http://www.hackiis6.com

Below are the comments I posted on Slashdot and a reply from Roger
Grimes, who claims that if MS increases the price to $250K it will not
affect the result of the contest:))


Is this a joke?!? The reward is worthless! (Score:3, Informative) by
acz (120227) <z&hert,org> on Friday May 06, @08:15AM (#12448998) You have
to be retarded to use an 0day IIS exploit to win an XBox when you can
sell it for around 20K or impress customers during a pen test... (A
pen test can be worth between 15K to 200K depending on the scope of
the project).

One hour of security consulting earns you an XBox, why bother with 
this contest?

Link to post on vuln sharing club, here [immunitysec.com]

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227)
<z&hert,org> on Friday May 06, @10:31AM (#12449395) make the reward
250K and this web site will be hacked right away.

Re:Is this a joke?!? The reward is worthless! (Score:0) by Anonymous
Coward on Friday May 06, @07:12PM (#12453220) This sort of claim is so
not true. Ebay, Microsoft, Msn, Hotmail, and so many other sites run
on IIS 6. Certainly, there is financial gain beyond $250K to be made
if you successfully hack those sites. They aren't (while you can never
be sure any computer system isn't hacked...they aren't publicly known
to be hacked).

Hacking success is driven by desire and consistent effort, only a bit 
of which is money-driven. The spyware and ad-ware related hackers are 
certainly driven by money, but many other hackers (i.e. gov't
hackers) aren't.

It's probably safe to say that most people on this list, including 
anyone claiming so (like you) would not be able to hack the site if 
given a bigger prize. Some might...but the ones who can really do it 
aren't out making knowingly false claims and bragging of skills they 
don't have and probably couldn't acquire. Of course, on the other end 
of the spectrum, if given a bigger prize, I would probably secure the 
site beyond the basics as well...and things like that...so it would 
not be a one-sided build up.

Roger A. Grimes
admin () hackiis6 com

Re:Is this a joke?!? The reward is worthless! (Score:1) by acz (120227)
<z&hert,org> on Friday May 13, @10:24PM (#12523673) Some of the
companies you have mentioned have been hacked and will be hacked
again... Didn't Microsoft get winnt4 and win2k src stolen last year?
(it's probably still on edonkey.)

I was talking about legal ways to make money from a vulnerability or 
exploit without resorting to fraud or crime.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave