Full Disclosure mailing list archives

Re: EXPLOITS FOR SALE (AUCTION SITE)
From: wac <waldoalvarez00 () gmail com>
Date: Tue, 10 Jul 2007 02:02:00 -0400

On 7/8/07, jt5944-27a <jt5944 () hushmail com> wrote:

> thank you? okay - thank you for creating this wonderful software
> that we use. thank you for listening to our defect requests and
> thank you for addressing them in a meaningful time frame. but thank
> you for finding bugs? are you on drugs?


Drugs? What are you talking about? That is completely off-topic. A hit that
bounces back to yourself.

> they didn't ask you to look for defects. this sounds like those
> people who paint house numbers on your curb and then want to be
> paid even though you never said to paint the numbers. or those
> windshield washers who want you to pay them for smearing your
> window when you didn't ask for it. the only people who should be
> paid to find vulnerabilities are the people asked to find
> vulnerabilities.


What about those who come right into your face without even trying to find
them? Hey we know how software works. We are all using it and we can think.
And sometimes we can track them down too. Don't forget that.

And what about those bugs that are created on purpose? Trojanized
software or a device is too obvious (remember NSA-Crypto AG). But a security
bug? Well, "sorry, we made a mistake, we are providing a fix". However, it can
serve the same purpose as a trojan horse. They simply can know earlier and
fix it later if something goes "out of control". That could explain why
fixes take so much time sometimes and why there are so many bugs. (Just a
theory with some basis.)

No, ppl searching for vulnerabilities should not be only the ones asked to
do it. It should be every third party around. And guess what? It is being done
right now for whatever purpose. Wouldn't it be better if they are sold in the
public light than in the shadows? At least we know what is flawed; otherwise
not even a clue. You are right now only looking at the tip of the iceberg.
After looking at that website and looking at Yahoo Messenger 8.1 being on
sale I am considering not using it for a while, or putting it under a protection
layer, or using alternatives. Why? Somebody else could have found that too and
could be using it. And if somebody asks my opinion about installing some soft
listed there I would tell them not to do it because it is not safe. That
means security after all. And if they make money, then good. Somebody that
knows how to find them was rewarded and encouraged to do more research.
Something you "forgot" to do before distributing to ppl. Yep, cutting the
bill, putting ppl under risk. That reminds me of cars that exploded because of
bad design and ppl becoming ill with cancer or something else by feeding
chickens with hormones and stuff like that. On the other side I am pretty
sure that those grey foreigners you all talk about already have their own
working teams and already have undisclosed technology. The one you don't
know. You better favor research so you can put the finger on the hole before
water begins to flow.

But using your very own "who asked you", I could reply also to you. Who
asked you to make a software/service/device? Yet more, who asked you to make
something that is broken? But yet more, who asked you to make something that
is broken and that you sell/provide as if it is good? But then I don't want
to reply to you that way because I understand that things need to be done
even if nobody asks for them. That also applies to security research. Hey,
many times people don't ask because they simply ignore things.

And about the windshield washers. Well, you could understand that they are
usually ppl with extreme need for some cash (otherwise they wouldn't be
doing that), many times just to eat, while you drive your fancy car. You could
be more human than that. If I were in that situation and I had some cash
and some of them smeared my windshield I would not be poorer/richer for giving
them something. That would make me a lot better than you.

After all they are working, not robbing/assaulting ppl on the streets or
hitting your neck to steal your wallet. Or do you prefer that? They have the
right to live too and you are pushing them to find desperate alternatives.
That's what is wrong. And since you are simply taking the example to compare
it with security research then take it back to the original example, compare
and "see" for yourself.

> should we pay burglars for breaking into our homes?


No, we could pay key makers that know when your lock can be broken so a
burglar doesn't break into your home. That's quite different. You will be
paying for your own security. Hey, burglars are already paying for that and
you are only complaining. Doing it is not going to change anything. Don't
you think it is better to try new or better alternatives? Even if that means
that you will make a little less money or that it will cost you a little
extra?

> and what about
> open source projects? should nonprofit groups be forced to pay for
> defects that they never asked people to look for?


Good point but I already have a couple of answers to you because that
crossed my mind too.

1- Open Source != 0 profit. Sometimes there is a lot of profit in
advertising and tech support. Not to mention services. At least in mature
widely used projects. Do I need to remind you of the millions earned by Red Hat,
Mandrake, Mandriva, SuSE... Hey, there is a South African millionaire just
sending you free CDs to get a piece of the market (nothing wrong with
that). What about the profit that advertising provides on SourceForge
(severely flawed btw)? No profit? You are so wrong.

2- Donations could also help a lot in the case of some software used by a
lot of people. The most important simply because it affects many. Something
here and there multiplied by hundreds/thousands/millions can do the trick at
least in some cases. Ok, let's prove that with numbers. Let's see... a memory
leak in the Linux kernel. Hmm. Let's suppose there are only 6 million
Linux users (there are more, I could try linuxcounter to have an idea) and
that each one of us gives 1 cent. Just one cent. Does it look too much for
you? (you probably spend more downloading free things from the internet)
Well, 6 000 000 / 100 = 60 000. It is on sale for a lot less than that. I see...
we can have that hole closed by tomorrow. I would be more than happy to
provide 1 USD and get 100 vulnerabilities closed in Linux or any other open
source soft (or not open). If everybody follows your way, take, take and not
give, well then things keep the way they are. Broken and insecure. After all
debugging is a part of software development. >> The hardest part <<. So
donations could go to that part of software development too.

3- You can always provide it for free. There are ppl that enjoy getting a
name and don't need the money (nothing wrong with that either since that
also encourages research). That would be a fallback to the current system.

But then I could ask you in return. Should security researchers/hackers be
*forced* to turn their heads to the black market when they need money to
live or to do more research or start projects on their own? I don't think
that is a good or clever idea. You are not going to prevent it by just
saying it. Nobody is going to become a millionaire doing security research.
There are better ways to make money. For example... selling soft. Can I add
broken too? Yes, I can add that too. You say "thank you" for broken stuff and
many times even pay for those broken things, many times simply ignoring
things.

> if they don't pay
> then should we stop looking?


No. But paying for it should make more ppl that pay attention to other
things pay attention to security defects as well as to other kinds of
defects. And it should also make some other ppl invest resources/time/work into
that. Maybe that way we all could get safer, stabler
software/devices/services. Isn't that good?

> companies that pay for exploits are honest about it. zdi and vcp
> let their customers know about risks before the rest of the world.
> the bounty comes from their customer registration fees. customers
> pay to hear about exploits first.


What does this mean? That companies are honest but the researchers are not
honest? Excuse me, those companies do not do the hard work. Researchers do
it.

Regards
Waldo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
