Re: [Full-disclosure] Office 0day

Depends on your definition of secure.
phpninja wrote:
Also I guess if every company paid for exploits you guys would be out
of a job (most everything would be secure).. I did'nt think of that..

On 6/25/07, *Troy* <gimmespam@xxxxxxxxx <mailto:gimmespam@xxxxxxxxx>>
wrote:

On 6/25/07, * phpninja* < phpninja@xxxxxxxxx
<mailto:phpninja@xxxxxxxxx>> wrote:

<i>If other places are offering $20K for a 0day, why should
Microsoft offer
10 times that, when they can probably make the sale offering
only $25K?</i>

I would think Incentive.. Sell my exploit to some criminal
network for cheap? Or would I rather Microsoft trump their
offer by much more and continue consulting for microsoft
rather than criminal networks. Also if I am in any industry
(lets say software) I am going to strive to produce the best
product possible reguardless of the profit. This means
spending a lot more for peoples research than some average
criminal who will then make much much more money the security
researcher


$1 million is much more than "much more" than $20K. $40K would be
more than enough to give the needed incentive.


Well I would think there would be some motivation. Unless
every employee who codes at Microsoft is a money grubbing
greedy person with no reguard to the person who uses their
products then there would have to be some motivation to fix
the product if it is flawed.


While it is true that not every employee is "a money grubbing
greedy person," that is, unfortunately, not how corporations work.
In fact, the bigger the corporation, the harder it is for an
individual within that corporation to make a difference. The fact
is that, no matter how many good people work for a corporation, it
all comes down to how much money the shareholders can make.

lets see, they spend 50 million over 7 years (windows xp
lifespan so far) not bad..
they are a 280+ billion dollar company.


Your first assumption is that, in the course of 7 years, there
have only been 50 major security exploits discovered by third
parties in Windows XP. Your number is a bit low.

But compared to a Security team of 50 people at $250,000 a
year for 7 years. = 87,500,000 , Looks like their security
team is costing a lot more..


Your second assumption is that Microsoft's security team consists
of 50 people who are each making $250,000 a year. Microsoft pays
well, but not that well. At least, not to that many people. At
least, as far as I know. I may be wrong, but those numbers seem
high.

That is like me trying to argue that after going to a car
mechanic, I should have known that the engine mount that I
paid to be secure in my car would have loosened on a bumpy
freeway and let my engine fall out on the freeway. I should
have put a big metal *** under my car from keeping things
from falling out after i pay for service!! I just should have
that knowledge magically. It just won't hold up in court.


That's a straw man argument. A better analogy would be trying to
sue an automobile manufacturer because your car was stolen, even
though you locked the doors. After all, it's the manufacturer's
fault that a security flaw existed in the car and somebody was
able to break the windows to get in, isn't it? If you really want
to push the analogy, you could say it's like suing a lock
manufacturer because their padlock didn't prevent a thief from
cutting the lock with bolt cutters and you lost your stock of gold
bullion.

No reasonable system administrator can expect any operating system
to be completely secure. If that were the case, we wouldn't need
firewalls. Anybody trained in IT knows that hackers can, have, and
will, break into systems, no matter what you do. If you store
customer information in a plain text file on a system connected to
the Internet, you can't blame Microsoft when somebody steals it.

<i>Making a *criminal* negligence case stick would be
*exceedingly* hard to do</i>

I don't think it would be so hard. Someone reports a critical
flaw, and microsoft reports it, but does'nt patch it and does
nothing about it. So they know about the flaw at hand and
are'nt doing anything to fix it. That is the definition of
negligence. Its like a tire company knowing of a problem in
their tires, stating the problem, and not recalling the tires.
They know of the problem but don't fix it. Now I've been
thinking, I dont think you'd need a big DA or anything of that
nature.


That's civil, not criminal. There's a big difference. There's also
a big difference between tires blowing out and killing people and
a hacker getting some credit card numbers.

Despite all this, you just stated exactly why Microsoft wouldn't
want to do this. Someone sells a flaw to Microsoft. Microsoft
works on a patch. Somebody's system gets compromised before the
patch is ready. Now, there is no doubt that Microsoft is aware of
the flaw, and a lawsuit becomes much easier to win.


There was a judge in the news recently suing for $60,000,000
for a pair of pants. All you have to do is piss off the right
people.


You can sue anybody for any amount you want. I can file a lawsuit
asking for $27 billion because somebody cut me off in traffic and
caused distress. That doesn't mean I'll win.

The $60 million (actually $54 million) lawsuit over a pair of
pants is a great example, especially since it was thrown out of
court. http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html
<http://www.cnn.com/2007/LAW/06/25/trouser.trial/index.html>

I guess the whole point is, yes Microsoft could offer to purchase
exploits. No, we can't force them to do so. No, $1 million for an
exploit is not a reasonable expectation. No, Microsoft won't do it
because, as you've pointed out, once they start doing it, they're
admitting they know about the exploits and may be open to lawsuits
at that point.

I also don't like the idea the OP had of purchasing fixes for the
exploits. Operating Systems shouldn't include code written by
mercenaries who sell their code to the highest bidder.

--
Troy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/