Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Office 0day
From: Troy <gimmespam () gmail com>
Date: Mon, 25 Jun 2007 16:48:12 -0700

On 6/25/07, phpninja <phpninja () gmail com> wrote:

<i>If other places are offering $20K for a 0day, why should Microsoft
10 times that, when they can probably make the sale offering only

I would think Incentive.. Sell my exploit to some criminal network for
cheap? Or would I rather Microsoft trump their offer by much
more and continue consulting for microsoft rather than criminal networks.
Also if I am in any industry (lets say software) I am going to strive to
produce the best product possible reguardless of the profit. This means
spending a lot more for peoples research than some average criminal who will
then make much much more money the security researcher

$1 million is much more than "much more" than $20K. $40K would be more than
enough to give the needed incentive.

 Well I would think there would be some motivation. Unless every employee
who codes at Microsoft is a money grubbing greedy person with no reguard to
the person who uses their products then there would have to be some
motivation to fix the product if it is flawed.

While it is true that not every employee is "a money grubbing greedy
person," that is, unfortunately, not how corporations work. In fact, the
bigger the corporation, the harder it is for an individual within that
corporation to make a difference. The fact is that, no matter how many good
people work for a corporation, it all comes down to how much money the
shareholders can make.

lets see, they spend 50 million over 7 years (windows xp lifespan so far)
not bad..
they are a 280+ billion  dollar company.

Your first assumption is that, in the course of 7 years, there have only
been 50 major security exploits discovered by third parties in Windows XP.
Your number is a bit low.

 But compared to a Security team of 50 people at $250,000 a year for 7
years. = 87,500,000 , Looks like their security team is costing a lot

Your second assumption is that Microsoft's security team consists of 50
people who are each making $250,000 a year. Microsoft pays well, but not
that well. At least, not to that many people. At least, as far as I know. I
may be wrong, but those numbers seem high.

That is like me trying to argue that after going to a car mechanic, I
should have known that the engine mount that I paid to be secure in my car
would have loosened on a bumpy freeway and let my engine fall out on the
freeway. I should have put a big metal sheet under my car from keeping
things from falling out after i pay for service!! I just should have that
knowledge magically. It just won't hold up in court.

That's a straw man argument. A better analogy would be trying to sue an
automobile manufacturer because your car was stolen, even though you locked
the doors. After all, it's the manufacturer's fault that a security flaw
existed in the car and somebody was able to break the windows to get in,
isn't it? If you really want to push the analogy, you could say it's like
suing a lock manufacturer because their padlock didn't prevent a thief from
cutting the lock with bolt cutters and you lost your stock of gold bullion.

No reasonable system administrator can expect any operating system to be
completely secure. If that were the case, we wouldn't need firewalls.
Anybody trained in IT knows that hackers can, have, and will, break into
systems, no matter what you do. If you store customer information in a plain
text file on a system connected to the Internet, you can't blame Microsoft
when somebody steals it.

 <i>Making a *criminal* negligence case stick would be *exceedingly* hard
to do</i>

I don't think it would be so hard. Someone reports a critical flaw, and
microsoft reports it, but does'nt patch it and does nothing about it. So
they know about the flaw at hand and are'nt doing anything to fix it. That
is the definition of negligence. Its like a tire company knowing of a
problem in their tires, stating the problem, and not recalling the tires.
They know of the problem but don't fix it. Now I've been thinking, I dont
think you'd need a big DA or anything of that nature.

That's civil, not criminal. There's a big difference. There's also a big
difference between tires blowing out and killing people and a hacker getting
some credit card numbers.

Despite all this, you just stated exactly why Microsoft wouldn't want to do
this. Someone sells a flaw to Microsoft. Microsoft works on a patch.
Somebody's system gets compromised before the patch is ready. Now, there is
no doubt that Microsoft is aware of the flaw, and a lawsuit becomes much
easier to win.

There was a judge in the news recently suing for $60,000,000 for a pair of
pants. All you have to do is piss off the right people.

You can sue anybody for any amount you want. I can file a lawsuit asking
for $27 billion because somebody cut me off in traffic and caused distress.
That doesn't mean I'll win.

The $60 million (actually $54 million) lawsuit over a pair of pants is a
great example, especially since it was thrown out of court.

I guess the whole point is, yes Microsoft could offer to purchase exploits.
No, we can't force them to do so. No, $1 million for an exploit is not a
reasonable expectation. No, Microsoft won't do it because, as you've pointed
out, once they start doing it, they're admitting they know about the
exploits and may be open to lawsuits at that point.

I also don't like the idea the OP had of purchasing fixes for the exploits.
Operating Systems shouldn't include code written by mercenaries who sell
their code to the highest bidder.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]