Full Disclosure mailing list archives

[OT] Re: Quick Question


From: Georgi Guninski <guninski () guninski com>
Date: Mon, 17 Mar 2003 18:51:33 +0200

[Sorry for cross posting to the list, but this looks like a FAQ]

Dear Mr. Kannan,

Karthik Natarajan Kannan wrote:
> Dear Mr. Guninski,
>
> I am a doctoral student at Carnegie Mellon University working on my

I am Georgi. Georgi Guninski.

> thesis on Information Security trying to understand the industry
> structure and incentives.  I realize that you are one of the prime
> people in unearthing bugs. I would greatly appreciate your responses for
> the following questions:

Sure, I will answer, but I would greatly appreciate the answer to a question by Pink Floyd at http://www.lyricsstyle.com/p/pinkfloyd/goodbyebluesky.html
"Mother, should I trust the government?" -- Pink Floyd

> a) What is the incentive for firms like yours to unearth security bugs?

No special incentive. Hint: It is not for the money, it is not for the fame.

> b) What is the norm after unearthing the bug?  Whom do you report it to?

There is no official norm as far as I know. The owner of the 0day has the intellectual property over it and can do whatever he wants with it. I personally have sympathy for open source projects and do my best for the problem to be fixed officially before I go public. First notify the software developer in this case. This sympathy does not apply to commercial vendors in whose licence agreements it is written that the product is not fit for any purpose.

> c) Suppose, a bug has been unearthed, does the software vendor pay the
> security firms for unearthing the bugs?

Generally no. The only exception for me was Netscape - they had (probably also have, check at their site) a bug bounty program, which basically means paying for reproducible security bugs.

> d) How do security firms like yours unearth bugs?  Do you have
> specialized teams which work on unearthing these bugs?

The general algorithm is with typing on the keyboard. Mouse engineering brought to the masses is not effective, I believe.

> e) Are there security firms which talk to hacker community to unearth
> bugs?

I think you have the term "hacker" wrong.
Check http://www.jargonfile.com/jargon/html/entry/hacker.html

> f) What sort of tools do you use to unearth bugs?  Would they be similar
> to what hackers use?

See the answer to e)
For me the most interesting bugs were found without any tools, just my old brain. Anyway grep and flawfinder can help in some cases.

> Looking forward to hearing from you.

Me too, for the Floyd stuff.

> Thanks
> Karthik
>
> Karthik Kannan
> Carnegie Mellon University
> http://www.andrew.cmu.edu/~kkannan


Georgi Guninski
http://www.guninski.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html