Full Disclosure mailing list archives
Re: Office 0day
From: kefka <kefka () kevinbeardsucks com>
Date: Mon, 25 Jun 2007 21:11:44 -0400
Depends on your definition of secure. phpninja wrote:
Also I guess if every company paid for exploits you guys would be out of a job (most everything would be secure).. I did'nt think of that.. On 6/25/07, *Troy* <gimmespam () gmail com <mailto:gimmespam () gmail com>> wrote: On 6/25/07, * phpninja* < phpninja () gmail com <mailto:phpninja () gmail com>> wrote: <i>If other places are offering $20K for a 0day, why should Microsoft offer 10 times that, when they can probably make the sale offering only $25K?</i> I would think Incentive.. Sell my exploit to some criminal network for cheap? Or would I rather Microsoft trump their offer by much more and continue consulting for microsoft rather than criminal networks. Also if I am in any industry (lets say software) I am going to strive to produce the best product possible reguardless of the profit. This means spending a lot more for peoples research than some average criminal who will then make much much more money the security researcher $1 million is much more than "much more" than $20K. $40K would be more than enough to give the needed incentive. Well I would think there would be some motivation. Unless every employee who codes at Microsoft is a money grubbing greedy person with no reguard to the person who uses their products then there would have to be some motivation to fix the product if it is flawed. While it is true that not every employee is "a money grubbing greedy person," that is, unfortunately, not how corporations work. In fact, the bigger the corporation, the harder it is for an individual within that corporation to make a difference. The fact is that, no matter how many good people work for a corporation, it all comes down to how much money the shareholders can make. lets see, they spend 50 million over 7 years (windows xp lifespan so far) not bad.. they are a 280+ billion dollar company. Your first assumption is that, in the course of 7 years, there have only been 50 major security exploits discovered by third parties in Windows XP. Your number is a bit low. But compared to a Security team of 50 people at $250,000 a year for 7 years. = 87,500,000 , Looks like their security team is costing a lot more.. Your second assumption is that Microsoft's security team consists of 50 people who are each making $250,000 a year. Microsoft pays well, but not that well. At least, not to that many people. At least, as far as I know. I may be wrong, but those numbers seem high. That is like me trying to argue that after going to a car mechanic, I should have known that the engine mount that I paid to be secure in my car would have loosened on a bumpy freeway and let my engine fall out on the freeway. I should have put a big metal sheet under my car from keeping things from falling out after i pay for service!! I just should have that knowledge magically. It just won't hold up in court. That's a straw man argument. A better analogy would be trying to sue an automobile manufacturer because your car was stolen, even though you locked the doors. After all, it's the manufacturer's fault that a security flaw existed in the car and somebody was able to break the windows to get in, isn't it? If you really want to push the analogy, you could say it's like suing a lock manufacturer because their padlock didn't prevent a thief from cutting the lock with bolt cutters and you lost your stock of gold bullion. No reasonable system administrator can expect any operating system to be completely secure. If that were the case, we wouldn't need firewalls. Anybody trained in IT knows that hackers can, have, and will, break into systems, no matter what you do. If you store customer information in a plain text file on a system connected to the Internet, you can't blame Microsoft when somebody steals it. <i>Making a *criminal* negligence case stick would be *exceedingly* hard to do</i> I don't think it would be so hard. Someone reports a critical flaw, and microsoft reports it, but does'nt patch it and does nothing about it. So they know about the flaw at hand and are'nt doing anything to fix it. That is the definition of negligence. Its like a tire company knowing of a problem in their tires, stating the problem, and not recalling the tires. They know of the problem but don't fix it. Now I've been thinking, I dont think you'd need a big DA or anything of that nature. That's civil, not criminal. There's a big difference. There's also a big difference between tires blowing out and killing people and a hacker getting some credit card numbers. Despite all this, you just stated exactly why Microsoft wouldn't want to do this. Someone sells a flaw to Microsoft. Microsoft works on a patch. Somebody's system gets compromised before the patch is ready. Now, there is no doubt that Microsoft is aware of the flaw, and a lawsuit becomes much easier to win. There was a judge in the news recently suing for $60,000,000 for a pair of pants. All you have to do is piss off the right people. You can sue anybody for any amount you want. I can file a lawsuit asking for $27 billion because somebody cut me off in traffic and caused distress. That doesn't mean I'll win. The $60 million (actually $54 million) lawsuit over a pair of pants is a great example, especially since it was thrown out of court. http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html <http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html> I guess the whole point is, yes Microsoft could offer to purchase exploits. No, we can't force them to do so. No, $1 million for an exploit is not a reasonable expectation. No, Microsoft won't do it because, as you've pointed out, once they start doing it, they're admitting they know about the exploits and may be open to lawsuits at that point. I also don't like the idea the OP had of purchasing fixes for the exploits. Operating Systems shouldn't include code written by mercenaries who sell their code to the highest bidder. -- Troy _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Office 0day toto . toto (Jun 25)
- Re: Office 0day Valdis . Kletnieks (Jun 25)
- Re: Office 0day Kradorex Xeron (Jun 25)
- Re: Office 0day secure poon (Jun 25)
- Re: Office 0day Jared DeMott (Jun 25)
- Re: Office 0day Valdis . Kletnieks (Jun 25)
- Re: Office 0day phpninja (Jun 25)
- Re: Office 0day Troy (Jun 25)
- Re: Office 0day phpninja (Jun 25)
- Re: Office 0day kefka (Jun 25)
- Re: Office 0day secure poon (Jun 25)
- Re: Office 0day Valdis . Kletnieks (Jun 25)