Re: Office 0day

[Troy <gimmespam () gmail com>]

On 6/25/07, phpninja <phpninja () gmail com> wrote:
> <i>If other places are offering $20K for a 0day, why should Microsoft
> offer
> 10 times that, when they can probably make the sale offering only
> $25K?</i>
>
> I would think Incentive.. Sell my exploit to some criminal network for
> cheap? Or would I rather Microsoft trump their offer by much
> more and continue consulting for microsoft rather than criminal networks.
> Also if I am in any industry (lets say software) I am going to strive to
> produce the best product possible reguardless of the profit. This means
> spending a lot more for peoples research than some average criminal who will
> then make much much more money the security researcher

$1 million is much more than "much more" than $20K. $40K would be more than
enough to give the needed incentive.


>  Well I would think there would be some motivation. Unless every employee
> who codes at Microsoft is a money grubbing greedy person with no reguard to
> the person who uses their products then there would have to be some
> motivation to fix the product if it is flawed.

While it is true that not every employee is "a money grubbing greedy
person," that is, unfortunately, not how corporations work. In fact, the
bigger the corporation, the harder it is for an individual within that
corporation to make a difference. The fact is that, no matter how many good
people work for a corporation, it all comes down to how much money the
shareholders can make.

lets see, they spend 50 million over 7 years (windows xp lifespan so far)
> not bad..
> they are a 280+ billion  dollar company.

Your first assumption is that, in the course of 7 years, there have only
been 50 major security exploits discovered by third parties in Windows XP.
Your number is a bit low.

 But compared to a Security team of 50 people at $250,000 a year for 7
> years. = 87,500,000 , Looks like their security team is costing a lot
> more..

Your second assumption is that Microsoft's security team consists of 50
people who are each making $250,000 a year. Microsoft pays well, but not
that well. At least, not to that many people. At least, as far as I know. I
may be wrong, but those numbers seem high.

That is like me trying to argue that after going to a car mechanic, I
> should have known that the engine mount that I paid to be secure in my car
> would have loosened on a bumpy freeway and let my engine fall out on the
> freeway. I should have put a big metal sheet under my car from keeping
> things from falling out after i pay for service!! I just should have that
> knowledge magically. It just won't hold up in court.

That's a straw man argument. A better analogy would be trying to sue an
automobile manufacturer because your car was stolen, even though you locked
the doors. After all, it's the manufacturer's fault that a security flaw
existed in the car and somebody was able to break the windows to get in,
isn't it? If you really want to push the analogy, you could say it's like
suing a lock manufacturer because their padlock didn't prevent a thief from
cutting the lock with bolt cutters and you lost your stock of gold bullion.

No reasonable system administrator can expect any operating system to be
completely secure. If that were the case, we wouldn't need firewalls.
Anybody trained in IT knows that hackers can, have, and will, break into
systems, no matter what you do. If you store customer information in a plain
text file on a system connected to the Internet, you can't blame Microsoft
when somebody steals it.

 <i>Making a *criminal* negligence case stick would be *exceedingly* hard
> to do</i>
>
> I don't think it would be so hard. Someone reports a critical flaw, and
> microsoft reports it, but does'nt patch it and does nothing about it. So
> they know about the flaw at hand and are'nt doing anything to fix it. That
> is the definition of negligence. Its like a tire company knowing of a
> problem in their tires, stating the problem, and not recalling the tires.
> They know of the problem but don't fix it. Now I've been thinking, I dont
> think you'd need a big DA or anything of that nature.

That's civil, not criminal. There's a big difference. There's also a big
difference between tires blowing out and killing people and a hacker getting
some credit card numbers.

Despite all this, you just stated exactly why Microsoft wouldn't want to do
this. Someone sells a flaw to Microsoft. Microsoft works on a patch.
Somebody's system gets compromised before the patch is ready. Now, there is
no doubt that Microsoft is aware of the flaw, and a lawsuit becomes much
easier to win.


There was a judge in the news recently suing for $60,000,000 for a pair of
> pants. All you have to do is piss off the right people.

You can sue anybody for any amount you want. I can file a lawsuit asking
for $27 billion because somebody cut me off in traffic and caused distress.
That doesn't mean I'll win.

The $60 million (actually $54 million) lawsuit over a pair of pants is a
great example, especially since it was thrown out of court.
http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html


I guess the whole point is, yes Microsoft could offer to purchase exploits.
No, we can't force them to do so. No, $1 million for an exploit is not a
reasonable expectation. No, Microsoft won't do it because, as you've pointed
out, once they start doing it, they're admitting they know about the
exploits and may be open to lawsuits at that point.

I also don't like the idea the OP had of purchasing fixes for the exploits.
Operating Systems shouldn't include code written by mercenaries who sell
their code to the highest bidder.

--
Troy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/