Re: Some Sums

["Olef Anderson" <olef.anderson () gmail com>]

company, and refuse to disclose flaws in commercial software (and our
> customers appreciate this). We are not in the blackmailing
> business... Open source would be free target though (my personal
> opinion, not our company opinion). Thirdly, we do not build exploits
> like Dave already pointed out earlier, again from ethical reasons (and
> because nobody has ever asked us to develop exploits for the found
> flaws even if building the exploit would be easy). And last note, we
> would have no use nor interest for your exploit, nor would we want to
> even see it due to the related liability issues.



Blackmailing business ? Where did you come up with that ? There is a
difference in not wanting to offer any free services to Microsoft and
blackmailing it ? If you can't tell the difference between the two, you
really don't understand much about the nuances of the field you are trying
to get some traction from. However you are always quick to respond to Dave's
emails regarding Canvas/Spike etc and inserting your worthless commercial
rhetoric, I am for a change offering you to do it like a man ? So can you
handle that or will keep being the half-assed corporate mouthpiece ?

So I am sorry I have to decline the offer. You are free to continue
> hunting for your fame and glory from the remote exploits. I wish you
> good luck in the hunt! And I will shut up about our products as I
> definitely do not even want you to get these tools in your hand. ;)



Trust me, I would not have any use for your tool. Like many of your
contemporaries, your product is an one big blunder and yet another silly
excuse to launch a security company.

Also if I was for any fame and glory, don't you think I wouldn't settle for
the silly credit in Microsoft advisories like many of eEye's foreign imports
? I am (like any other researcher with enough years of experience under
his/her belt) are solely interested in the financial gain, pay me my hourly
rate and I don't care if you act like you don't even know me, that's just
fine.

I hope you had a chance to visit us at RSA! We are constantly looking
> for skilled people who wish to start doing more proactive work in
> security.



Proactive work ? ahaha now thats just crazy funny!


Olef.


> On Thu, Feb 08, 2007 at 01:22:02PM -0500,
> dailydave-request () lists immunitysec com wrote:
> > Date: Thu, 8 Feb 2007 09:48:36 -0800
> > From: "Olef Anderson" <olef.anderson () gmail com>
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave () lists immunitysec com
> >
> > About this whole fuzzer business, how about putting some cold hard cash
> > where the corporate mouthpiece is at ?
> > Since obviously you happen to have some VC money, a booth at the RSA
> floor
> > is a sign, you can back your claims with real currency. I would love to
> give
> > you the opportunity.
> >
> > Lets take the latest Microsoft Exchange release (2007) and 2 weeks of
> your
> > time running your PROTOS fuzzer. At the end of the 2 weeks if you can
> find
> > the existing remote root hole in it, I am offering to pay you the bugs
> worth
> > of $150 000.00. However If you are not successful, I should be payed the
> > very same amount which in return I shall present you the exploit. From
> that
> > point you will be free to coordinate vendors, release advisories
> whatever it
> > takes. Just to clarify a point though, no DoSes are acceptable, should
> be an
> > overflow that leads to clear code execution ( the mailing list
> subscribers
> > could be the judge of that).
> >
> > Wouldn't that be nice to prove that you actually know what you are
> talking
> > about ?
> >
> > On 2/7/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
> > >
> > > Hmmm, distantly related to this: Maybe us fuzzer developers should
> > > save hashes of some millions of attacks somewhere also, so that we can
> > > prove our tools were used to find the flaws in the first
> > > place... Looking at past iDefence disclosures for example, I am
> > > beginning to doubt that they reward for publishing flaws instead of
> > > finding flaws (this is like patent system in Europe which rewards
> > > first to file, not first to invent)... More and more flaws are found
> > > using tools, and pre-packaged attacks. If a flaw is found using a
> > > product like Codenomicon/PROTOS or CANVAS, I supposed the reward
> > > should also be paid to the tool developer and not the tool user. ;)
> > >
> > > Tongue-in-the-cheek-greetings,
> > >
> > > /Ari
>
> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                       Codenomicon Ltd.
> ari.takanen () codenomicon com       Tutkijantie 4E
> tel: +358-40 50 67678             FIN-90570 Oulu
> http://www.codenomicon.com        Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave