Vulnerability Development mailing list archives
Re: 0-day exploit..do i hear $1000?
From: Fyodor <fygrave () tigerteam net>
Date: Fri, 19 Oct 2001 02:54:46 +0700
On Thu, Oct 18, 2001 at 04:44:38PM +0000, RT wrote:
> Moderators: Pass if you will. I think this seriously impacts the whole industry. This email was written after I contacted a prominent "exploit collector" and asked for the new SSH exploit. He asked me "how much are you willing to pay, I'm selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about
IMHO, that's fair.. you have no clue, no skills, and want to earn money on other people's knowledge. You gotta pay for that. The only annoying thing these days is that sploits get leaked to oxymorons who figure out how to make business out of that. But it won't last long.
> it, and here are some comments/predictions as to what is happening in the industry.
> ..
> * Assessment/Pen-test firm 456 tests for the problem. Obviously things do not always go this way. L33t Hacker might write an exploit from the start. Exploit writers are usually after fame, wanting to see their names in lights on an MS advisory. In the above mentioned process the only people/firms that make money from the bug are Security Firms 123 and 456. The
Yes. And that's the reason why most of the exploits (and interesting bugs themselves) haven't been showing up much in public recently. Go read http://anti.security.is/texts.php?file=antisec.html, very educational reading. People just don't want their skills and knowledge being (ab)used by so-called 'Security Professionals' with 2 rows of oxymoronic acronyms in their signatures. (Guess everyone heard the CISSP joke, right?)
> and they sell 0-day exploits. They start off by selling the exploit directly to the client and it goes like this:
Directly to the clients.. cases are known when clients are not security companies at all, but just some kids who are pretty much after CC and other funky stuff with heaps of easy but slightly illegal bucks behind it.
> * Security firm 123 and vendor ABC get it, build patch (and the usual)
Sounds about right.. with the only difference that the Security firm will never want to publish the code which they paid their $$ for. And the vendor will never issue a patch, cuz the bug is not public, therefore they don't care, since it doesn't affect their PR. *period*
> 123 and 789, not willing to pay for the code, are booted out of several contracts, as their clients' networks were compromised.
That's the reason why companies maintain their R&D labs.. if they have money.. and a bit of clue.
> same as paying for arms. Paying for exploits would make them illegal in no time. It would very much hurt the industry - the whole security industry - from
Who cares?! I don't care, guys who write exploits wouldn't care much, cuz everyone is sick of oxymorons pretending to be 'PhD CPSD BBSCD certified security professionals' with the only monkey-skill of point&clicking..
> the software vendor to the security vendor to the "ethical hackers", and all
Yes. The vast majority of 'ethical hackers' is who I am talking about.. This kind of people gotta die off, once their full-disclosure 'er33tism' feed is cut.
> heat from their law enforcement agencies. A bigger challenge is to write the code AND make money in an honest way, AND keep sane in the process, and I
The problem is that people are not honest. If you act in an honest way with them, they just rip you off. So if it's acted in an unfair way, let it be unfair in both ways.
> hear people saying - full disclosure is the reason behind script kiddies, the reason behind worms that cost us millions. Well, let's quickly think about just that.
Worms are good. They keep people aware that security _IS_ an issue. Script kiddies: nonsense, the real problem of full disclosure is that these kiddies are who you hire to secure your network most of the time.. just because they show you the tools written by other guys. This thing's gonna end up.. whatever... just my $0.02. 3am here, maybe I am just rambling..

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
Current thread:
- 0-day exploit..do i hear $1000? RT (Oct 18)
- Re: 0-day exploit..do i hear $1000? Jonathan M. Smith (Oct 18)
- Re: 0-day exploit..do i hear $1000? Fyodor (Oct 18)
- Message not available
- RE: 0-day exploit..do i hear $1000? Scoubidou (Oct 18)
- Re: 0-day exploit..do i hear $1000? Joe G. (Oct 18)
- RE: 0-day exploit..do i hear $1000? Ron DuFresne (Oct 18)
- RE: 0-day exploit..do i hear $1000? Scoubidou (Oct 18)
- Re: 0-day exploit..do i hear $1000? dullien (Oct 19)
- <Possible follow-ups>
- Re: 0-day exploit..do i hear $1000? rain forest puppy (Oct 18)
- Re: 0-day exploit..do i hear $1000? RT (Oct 18)
- RE: 0-day exploit..do i hear $1000? Steve (Oct 18)
- RE: 0-day exploit..do i hear $1000? (a net admins 2 cents) leon (Oct 20)
- Re: 0-day exploit..do i hear $1000? security curmudgeon (Oct 20)
- Re: 0-day exploit..do i hear $1000? bacano (Oct 21)
- Re: 0-day exploit..do i hear $1000? RT (Oct 18)