funsec mailing list archives

Re: Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs


From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 2 Apr 2010 08:50:44 -0400

On Wed, Mar 31, 2010 at 04:31:49PM -0700, Craig Schmugar quoted:
Microsoft has fessed up to hiding details on software vulnerabilities
that are discovered internally, insisting that full disclosure of every
security-related product change only serves to aid attackers. 

This (the insistence) is naive.  It makes two presumptions that we know
are not true:

1. The collection of people, processes and systems involved are leak-proof.

2. Independent discovery is unlikely.


Were I to trouble myself to be in the malware creation and dissemination
business, I'd probably exploit both.  (2) is obvious, since we all know
that independent labs exist and are hard at work discovering flaws and
creating malware to exploit them for profit.  (1) is less obvious,
but I'll bet that $100K/year under the table would buy me a reliable
data feed from one of the M$ folks on the inside.  And I could probably
recoup some of that cost by selling choice pieces of that info for
$5K here, $12K there.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

