Dailydave mailing list archives
RE: RE: funny comments from Hack IIS6 contest admin
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 15 May 2005 12:01:22 -0400
-See replies below.

-----Original Message-----
From: Steve Lord [mailto:steve () buyukada co uk]
Sent: Sunday, May 15, 2005 7:37 AM
To: Roger A. Grimes
Cc: Dave Aitel; dailydave
Subject: Re: [Dailydave] RE: funny comments from Hack IIS6 contest admin

Roger A. Grimes wrote:
I've heard of both of you. Dave, I've used your software many times before. Sorry if I wasn't in awe enough for your egos.
Not being funny, but you're the one who started personally attacking Dave and Anthony. Also you should bear in mind that it's the DailyDave list, not the DailyRoger list. If you don't like it here then please feel free to start your own.

-I didn't come to the list, nor did I send the first email. Anthony sent an email to the list attacking one of my statements and I responded.
An invitation to hack a box located at www.hackiis6.com with web pages full of "hack me" text certainly doesn't need a signed authorization...it's explicit already.
Really? Are you sure? What, for everywhere? I know in the UK if I started breaking into boxes across the Internet because they said 'hack me' I'd get into trouble fairly quickly if I was caught. Does that mean that if someone defaces a web site and puts 'hack me' on the page then it's ok because it's explicit?

-I'm positive that even within the UK, if someone invites you to hack them, you cannot be liable for any hacks on that site that fall within the written rules.
So as you both are making sport of me, tell me how my statement is false? First, there haven't been many 0-day exploits against W2K3 and IIS 6 (if any), and not that many against Windows products at all since 2000 was released.
According to http://secunia.com/product/20/ - Windows 2000 Server is affected by 90 Secunia advisories. 20% of reported issues remain unpatched, the worst of which appears to be a nasty bug in the Jet Database engine, which could lead to remote system access.

-How many were zero day? One, maybe.

Windows 2003 Server Web Edition (seeing as we're looking at IIS 6) is affected by 49 advisories according to Secunia (http://secunia.com/product/1176/). 6 of these vulnerabilities remain unpatched, although these are only listed as moderately critical.

-IIS 6 has only had 5 vulnerabilities publicly disclosed so far, Secunia (BTW) only lists 3. If W2K3 is so exploitable, please hack away at my site.
Dave, how many hackers and exploit writers do you know that are motivated to write exploits by large sums of money?
How many people does Dave employ that write exploits? How many people do companies like NGS Research employ purely to find vulnerabilities?

-I assure you that they don't get paid a tremendous amount of money for each bug they find. Again, Dave, tell me if I'm wrong. Do you have to pay your bug finders $150,000 for each bug they find or do they work for a lot less?

Even when companies do offer money for finding bugs, as some have done over the last year, it doesn't result in a ton of exploits found and released. Money isn't a prime motivator in any hack. Hell, the real money is made in running old exploits (like spambots and adware crap).
Are you speaking from personal experience?

-I don't black hat, if that is what you mean. But it's well documented that EVERY widespread Windows exploit uses old found vulnerabilities, not zero day. Hackers don't have to come up with zero day exploits to get rich, if that is what they want...they use the old stuff.

Steve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave