Full Disclosure mailing list archives
Re: EXPLOITS FOR SALE (AUCTION SITE)
From: wac <waldoalvarez00 () gmail com>
Date: Tue, 10 Jul 2007 02:02:00 -0400
On 7/8/07, jt5944-27a <jt5944 () hushmail com> wrote:

> thank you? okay - thank you for creating this wonderful software that we use. thank you for listening to our defect requests and thank you for addressing them in a meaningful time frame. but thank you for finding bugs? are you on drugs?

Drugs? What are you talking about? That is completely off-topic. A hit that bounces back to yourself.

> they didn't ask you to look for defects. this sounds like those people who paint house numbers on your curb and then want to be paid even though you never said to paint the numbers. or those windshield washers who want you to pay them for smearing your window when you didn't ask for it. the only people who should be paid to find vulnerabilities are the people asked to find vulnerabilities.

What about those who come right into your face without even trying to find them? Hey, we know how software works. We are all using it and we can think. And sometimes we can track them down too. Don't forget that. And what about those bugs that are created on purpose? A trojanized software or device is too obvious (remember NSA-Crypto AG). But a security bug... Well, "sorry, we made a mistake, we are providing a fix". However, it can serve the same purpose as a trojan horse. They simply can know earlier and fix it later if something goes "out of control". That could explain why fixes take so much time sometimes and why there are so many bugs. (Just a theory with some base.) No, ppl searching for vulnerabilities should not be only the ones asked to do it. It should be every third party around. And guess what: it is being done right now, for whatever purpose. Wouldn't it be better if they are sold in the public light than in the shadows? At least we know what is flawed; otherwise, not even a clue. You are right now only looking at the top of the iceberg.

After looking at that website and seeing Yahoo Messenger 8.1 being on sale, I am considering not using it for a while, or putting it under a protection layer, or using alternatives. Why? Somebody else could have found that too and could be using it. And if somebody asks my opinion on installing some soft listed there, I would tell them not to do it because it is not safe. That means security after all. And if they make money, then good. Somebody that knows how to find them was rewarded and encouraged to do more research. Something you "forgot" to do before distributing to ppl. Yep, cutting the bill, putting ppl under risk. That reminds me of cars that exploded because of bad design and ppl becoming ill with cancer or something else by feeding chickens with hormones and stuff like that. On the other side, I am pretty sure that those grey foreigners you all talk about already have their own working teams and already have undisclosed technology. The one you don't know. You better favor research so you can put the finger on the hole before water begins to flow.

But using your very own "who asked you", I could reply also to you: who asked you to make a software/service/device? Yet more, who asked you to make something that is broken? But yet more, who asked you to make something that is broken and that you sell/provide as if it is good? But then I don't want to reply to you that way, because I understand that things need to be done even if nobody asks for them. That also applies to security research. Hey, many times people don't ask because they simply ignore things.

And about the windshield washers. Well, you could understand that they are usually ppl with extreme need for some cash (otherwise they wouldn't be doing that), many times just to eat, while you drive your fancy car. You could be more human than that. If I were in that situation and I had some cash and some of them smeared my windshield, I would not be poorer/richer for giving them something. That would make me a lot better than you. After all, they are working, not robbing/assaulting ppl on the streets or hitting your neck to steal your wallet. Or do you prefer that? They have the right to live too, and you are pushing them to find desperate alternatives. That's what is wrong. And since you are simply taking the example to compare it with security research, then take it back to the original example, compare and "see" for yourself.

> should we pay burglars for breaking into our homes?

No, we could pay key makers who know when your lock can be broken so a burglar doesn't break into your home. That's quite different. You will be paying for your own security. Hey, burglars are already paying for that and you are only complaining. Doing it is not going to change anything. Don't you think it is better to try new or better alternatives? Even if that means that you will make a little less money or that it will cost you a little extra?

> and what about open source projects? should nonprofit groups be forced to pay for defects that they never asked people to look for?

Good point, but I already have a couple of answers for you because that crossed my mind too.

1- Open Source != 0 profit. Sometimes there is a lot of profit in advertising and tech support. Not to mention services. At least in mature, widely used projects. Do I need to remind you of the millions earned by Red Hat, Mandrake, Mandriva, SUSE...? Hey, there is a South African millionaire just sending you free CDs to get a piece of the market (nothing wrong with that). What about the profit that advertising on SourceForge provides (severely flawed btw)? No profit? You are so wrong.

2- Donations could also help a lot in the case of some software used by a lot of people. The most important one, simply because it affects many. Something here and there multiplied by hundreds/thousands/millions can do the trick, at least in some cases. Ok, let's prove that with numbers. Let's see... a memory leak in the Linux kernel. Hmm. Let's suppose there are only 6 million Linux users (there are more; I could try linuxcounter to have an idea) and that each one of us gives 1 cent. Just one cent. Does it look like too much to you? (You probably spend more downloading free things from the internet.) Well, 6 000 000 / 100 = 60 000. It is on sale for a lot less than that. I see... we can have that hole closed by tomorrow. I would be more than happy to provide 1 USD and get 100 vulnerabilities closed in Linux or any other open source soft (or not open). If everybody follows your way, take, take and not give, well then things keep the way they are. Broken and insecure. After all, debugging is a part of software development. >> The hardest part <<. So donations could go to that part of software development too.

3- You can always provide it for free. There are ppl who enjoy getting a name and don't need the money (nothing wrong with that either, since that also encourages research). That would be a fallback to the current system.

But then I could ask you in return: should security researchers/hackers be *forced* to turn their heads to the black market when they need money to live, or to do more research, or to start projects on their own? I don't think that is a good or clever idea. You are not going to prevent it by just saying it. Nobody is going to become a millionaire doing security research. There are better ways to make money. For example... selling soft. Can I add broken too? Yes, I can add that too. You say "thank you" for broken stuff and many times even pay for those broken things, many times simply ignoring things.

> if they don't pay then should we stop looking?

No. But paying for it should make more ppl who pay attention to other things pay attention to security defects as well as to other kinds of defects. And it should also make some other ppl invest resources/time/work into that. Maybe that way we all could get safer, more stable software/devices/services. Isn't that good?

> companies that pay for exploits are honest about it. zdi and vcp let their customers know about risks before the rest of the world. the bounty comes from their customer registration fees. customers pay to hear about exploits first.

What does this mean? That companies are honest but the researchers are not? Excuse me, those companies do not do the hard work. Researchers do it.

Regards,
Waldo
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/