Full Disclosure mailing list archives

Re: Office 0day

From: kefka <kefka () kevinbeardsucks com>
Date: Mon, 25 Jun 2007 21:11:44 -0400

Depends on your definition of secure.
phpninja wrote:

Also I guess if every company paid for exploits you guys would be out 
of a job (most everything would be secure).. I did'nt think of that..

On 6/25/07, *Troy* <gimmespam () gmail com <mailto:gimmespam () gmail com>> 
wrote:

     On 6/25/07, * phpninja* < phpninja () gmail com
    <mailto:phpninja () gmail com>> wrote:

        <i>If other places are offering $20K for a 0day, why should
        Microsoft offer
        10 times that, when they can probably make the sale offering
        only $25K?</i>
         
        I would think Incentive.. Sell my exploit to some criminal
        network for cheap? Or would I rather Microsoft trump their
        offer by much more and continue consulting for microsoft
        rather than criminal networks. Also if I am in any industry
        (lets say software) I am going to strive to produce the best
        product possible reguardless of the profit. This means
        spending a lot more for peoples research than some average
        criminal who will then make much much more money the security
        researcher

     
    $1 million is much more than "much more" than $20K. $40K would be
    more than enough to give the needed incentive.
     

         Well I would think there would be some motivation. Unless
        every employee who codes at Microsoft is a money grubbing
        greedy person with no reguard to the person who uses their
        products then there would have to be some motivation to fix
        the product if it is flawed.

     
    While it is true that not every employee is "a money grubbing
    greedy person," that is, unfortunately, not how corporations work.
    In fact, the bigger the corporation, the harder it is for an
    individual within that corporation to make a difference. The fact
    is that, no matter how many good people work for a corporation, it
    all comes down to how much money the shareholders can make.

        lets see, they spend 50 million over 7 years (windows xp
        lifespan so far) not bad..
        they are a 280+ billion  dollar company.

     
    Your first assumption is that, in the course of 7 years, there
    have only been 50 major security exploits discovered by third
    parties in Windows XP. Your number is a bit low. 

         But compared to a Security team of 50 people at $250,000 a
        year for 7 years. = 87,500,000 , Looks like their security
        team is costing a lot more..  

     
    Your second assumption is that Microsoft's security team consists
    of 50 people who are each making $250,000 a year. Microsoft pays
    well, but not that well. At least, not to that many people. At
    least, as far as I know. I may be wrong, but those numbers seem
    high. 

        That is like me trying to argue that after going to a car
        mechanic, I should have known that the engine mount that I
        paid to be secure in my car would have loosened on a bumpy
        freeway and let my engine fall out on the freeway. I should
        have put a big metal sheet under my car from keeping things
        from falling out after i pay for service!! I just should have
        that knowledge magically. It just won't hold up in court.

     
    That's a straw man argument. A better analogy would be trying to
    sue an automobile manufacturer because your car was stolen, even
    though you locked the doors. After all, it's the manufacturer's
    fault that a security flaw existed in the car and somebody was
    able to break the windows to get in, isn't it? If you really want
    to push the analogy, you could say it's like suing a lock
    manufacturer because their padlock didn't prevent a thief from
    cutting the lock with bolt cutters and you lost your stock of gold
    bullion.
     
    No reasonable system administrator can expect any operating system
    to be completely secure. If that were the case, we wouldn't need
    firewalls. Anybody trained in IT knows that hackers can, have, and
    will, break into systems, no matter what you do. If you store
    customer information in a plain text file on a system connected to
    the Internet, you can't blame Microsoft when somebody steals it. 

         <i>Making a *criminal* negligence case stick would be
        *exceedingly* hard to do</i>
         
        I don't think it would be so hard. Someone reports a critical
        flaw, and microsoft reports it, but does'nt patch it and does
        nothing about it. So they know about the flaw at hand and
        are'nt doing anything to fix it. That is the definition of
        negligence. Its like a tire company knowing of a problem in
        their tires, stating the problem, and not recalling the tires.
        They know of the problem but don't fix it. Now I've been
        thinking, I dont think you'd need a big DA or anything of that
        nature.

     
    That's civil, not criminal. There's a big difference. There's also
    a big difference between tires blowing out and killing people and
    a hacker getting some credit card numbers.
     
    Despite all this, you just stated exactly why Microsoft wouldn't
    want to do this. Someone sells a flaw to Microsoft. Microsoft
    works on a patch. Somebody's system gets compromised before the
    patch is ready. Now, there is no doubt that Microsoft is aware of
    the flaw, and a lawsuit becomes much easier to win.
     

        There was a judge in the news recently suing for $60,000,000
        for a pair of pants. All you have to do is piss off the right
        people.

     
    You can sue anybody for any amount you want. I can file a lawsuit
    asking for $27 billion because somebody cut me off in traffic and
    caused distress. That doesn't mean I'll win.
     
    The $60 million (actually $54 million) lawsuit over a pair of
    pants is a great example, especially since it was thrown out of
    court. http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html
    <http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html>
     
    I guess the whole point is, yes Microsoft could offer to purchase
    exploits. No, we can't force them to do so. No, $1 million for an
    exploit is not a reasonable expectation. No, Microsoft won't do it
    because, as you've pointed out, once they start doing it, they're
    admitting they know about the exploits and may be open to lawsuits
    at that point.
     
    I also don't like the idea the OP had of purchasing fixes for the
    exploits. Operating Systems shouldn't include code written by
    mercenaries who sell their code to the highest bidder.
     
    -- 
    Troy

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Office 0day toto . toto (Jun 25)
- Re: Office 0day Valdis . Kletnieks (Jun 25)
- Re: Office 0day Kradorex Xeron (Jun 25)
  - Re: Office 0day secure poon (Jun 25)
    - Re: Office 0day Jared DeMott (Jun 25)
    - Re: Office 0day Valdis . Kletnieks (Jun 25)
    - Re: Office 0day phpninja (Jun 25)
    - Re: Office 0day Troy (Jun 25)
    - Re: Office 0day phpninja (Jun 25)
    - Re: Office 0day kefka (Jun 25)
    - Re: Office 0day Valdis . Kletnieks (Jun 25)
  - Re: Office 0day Jared DeMott (Jun 25)