On Thu, Oct 18, 2001 at 04:44:38PM +0000, RT wrote:

> Moderators: Pass if you will. I think this seriously impacts the whole
> industry.
>
> This email was written after I contacted a prominent "exploit collector" and
> asked for the new SSH exploit. He asked me "how much are you willing to pay, I
> selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about

IMHO, that's fair.. you have no clue, no skills, and want to earn money on
other people's knowledge. You gotta pay for that. The only annoying thing
these days is that sploits get leaked to oxymorons who figure out how to make
business out of that. But it won't last long.

> it, and here are some comments/predictions as to what is happening in the
> industry.

..

> * Assessment/Pen-test firm 456 test for the problem.
>
> Obviously things do not always go this way. L33t Hacker might write an
> exploit from the start. Exploit writers are usually after fame, wanting to see
> their names in lights on a MS advisory. In the above mentioned process the only
> people/firms that make money from the bug are Security Firms 123 and 456. The

Yes. And that's the reason why most of the exploits (and interesting bugs
themselves) haven't been showing much in public recently. Go read
http://anti.security.is/texts.php?file=antisec.html, very educational reading.
People just don't want their skills and knowledge being (ab)used by so called
'Security Professionals' with 2 rows of oxymoronic acronyms in their
signatures. (guess everyone heard of the CISSP joke, right?)

> and they sell 0-day exploits. They start off by selling exploit directly to the
> client and it goes like this:

Directly to the clients.. cases known when clients are not security companies
at all, but just some kids who are pretty much after CC and other funky stuff
with heaps of easy but slightly illegal bucks behind.

> * Security firm 123 and vendor ABC get it, build patch (and the usual)

Sounds about right.. with the only difference that Security firm will never
want to publish the code which they paid their $$ for. And the vendor will
never issue a patch, cuz the bug is not public, therefore they don't care,
since it doesn't affect their PR. *period*

> 123 and 789, not willing to pay for the code are booted out of several
> contracts, as their clients' networks were compromised.

That's the reason why companies maintain their r/d labs.. if they have money..
and a bit of clue.

> same as paying for arms. Paying for exploits would make them illegal in no
> time. It would very much hurt the industry - the whole security industry - from

Who cares?! I don't care, guys who write exploits wouldn't care much, cuz
everyone is sick of oxymorons pretending to be 'Phd CPSD BBSCD certified
security professionals' with the only monkey-skill of point&clicking..

> the software vendor to the security vendor to the "ethical hackers", and all

Yes. The vast majority of 'ethical hackers' is who I am talking about.. This
kind of people gotta die off, once their full-disclosure 'er33tism' feed is cut.

> heat from their law enforcement agencies. A bigger challenge is to write the
> code AND make money in an honest way, AND keeping sane in the process, and I

The problem is that people are not honest. If you act in an honest way with
them, they just rip you off. So if it's acted in an unfair way, let it be
unfair in both ways.

> hear people saying - full disclosure is the reason behind script kiddies, the
> reason behind worms that cost us millions. Well let's quickly think about just
> that.

Worms are good. They keep people aware that security _IS_ an issue.

Script kiddies: nonsense, the real problem of full disclosure is that these
kiddies is who you hire to secure your network most of the time.. just because
they show you the tools written by other guys.

This thing gonna end up.. whatever... just my $0.02. 3am here, maybe I am just
rambling..
--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1

This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:23:45 PDT