Vulnerability Development mailing list archives

Re: 0-day exploit..do i hear $1000?


From: Fyodor <fygrave () tigerteam net>
Date: Fri, 19 Oct 2001 02:54:46 +0700

On Thu, Oct 18, 2001 at 04:44:38PM +0000, RT wrote:
> Moderators: Pass if you will. I think this seriously impacts the whole
> industry.
>
> This email was written after I contacted a prominent "exploit collector" and
> asked for the new SSH exploit. He asked me "how much are you willing to pay, I
> selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about

IMHO, that's fair.. you have no clue, no skills, and want to earn money on
other people's knowledge. You gotta pay for that. The only annoying thing
these days is that sploits get leaked to oxymorons who figure out to
make business out of that. but it won't last long.

> it, and here are some comments/predictions as to what is happening in the
> industry.
..

> * Assessment/Pen-test firm 456 test for the problem.
>
> Obviously things do not always go this way. L33t Hacker might write an
> exploit from the start. Exploit writers are usually after fame, wanting to see
> their names in lights on a MS advisory. In the above mentioned process the one
> people/firms that makes money from the bug are Security Firms 123 and 456. The

Yes. And that's the reason why most of the exploits (and interesting
bugs themselves) haven't been showing much on public recently. Go read
http://anti.security.is/texts.php?file=antisec.html, very educational
reading. People just don't want their skills and knowledge being
(ab)used by so called 'Security Professionals' with 2 rows of oxymoronic
acronyms in their signatures. (guess everyone heard of CISSP joke, right?)


> and they sell 0-day exploits. They start off by selling exploit directly to the
> client and it goes like this:

Directly to the clients.. cases known when clients are not security
companies at all, but just some kids who are pretty much after CC and
other funky stuff with heaps easy but slightly illegal bucks behind.

> * Security firm 123 and vendor ABC get it, build patch (and the usual)

Sounds about right.. with the only difference that Security firm will
never want to publish the code which they paid their $$ for. And the
vendor will never issue a patch, cuz the bug is not public, therefore
they don't care, since it doesn't affect their PR. *period*

> 123 and 789, not willing to pay for the code are booted out of several
> contracts, as their client's networks were compromised.

That's the reason why companies maintain their r/d labs.. if they have
money.. and a bit of clue.

> same as paying for arms. Paying for exploits would make them illegal in no
> time. It would very much hurt the industry - the whole security industry - from

Who cares?! I don't care, guys who write exploits wouldn't care much,
cuz everyone is sick of oxymorons pretending to be 'Phd CPSD BBSCD
certified security professionals' with the only monkey-skill of
point&clicking..

> the software vendor to the security vendor to the "ethical hackers", and all

yes. The vast majority of 'ethical hackers' is who I am talking about..
This kind of people gotta die off, once their full-disclosure 'er33tism'
feed is cut.

> heat from their law enforcement agencies. A bigger challenge is to write the
> code AND make money in an honest way, AND keeping sane in the process, and I

the problem is that people are not honest. if you act in an honest way
with them, they just rip you off. So if it's acted in unfair way, let it
be unfair in both ways.

> hear people saying - full disclosure is the reason behind script kiddies, the
> reason behind worms that cost us millions. Well lets quickly think about just
> that.

Worms are good. They keep people aware that security _IS_ an issue.
Script kiddies: nonsense, the real problem of full disclosure is that
these kiddies is who you hire to secure your network most of the time..
just because they show you the tools written by other guys. This thing
gonna end up..



whatever...just my $0.02. 3am here, maybe I am just rambling..

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

