Re: 0-day exploit..do i hear $1000?

From: foobat_private
Date: Fri Oct 19 2001 - 07:45:42 PDT


    To simplify, there are two reasons to be in the IT security world:  to
    improve computer security, or to use bad computer security as a means to
    an end (theft, extortion, ...).
    
    Security companies fall into the first category.  People pay them to help
    improve their network and computer security.  They do this, roughly, by
    advising on network architecture, operating system/application
    security, etc.
    
    Advisories are generated, sometimes with exploit code, to make a vendor
    aware of a problem.  The vendor can fix the problem and issue a
    patch.  This is all good for the former scenario above, where the aim
    is to improve security.  
    
    If exploits returned to the underground, the security companies could
    still operate.  If advisories weren't released (caused by the fact the
    exploits aren't publicly released) then computer security would suffer.
    
    But security companies don't need some 0day script to exploit a
    vulnerability, they just need to know about the vulnerabilities.  
    Designing networks doesn't need exploits, writing firewall rulesets doesn't
    need exploits, implementing a corporate security policy doesn't need
    exploits.  Knowledge of vulnerabilities in services offered on that
    network is needed, but this too doesn't need exploits.
    
    Why would a security firm pay someone any money at all for an
    exploit?  They buy it, it roots their clients, but there is no recommended
    way of fixing it - the vendor doesn't know so there's no patch.  The only
    solution would be to buy the 'rights' to it, and inform the vendor,
    cooperate, and get the patch out.  But then the sellers would only sell
    one copy; once the vuln is public no one else needs the actual exploit
    code.
    
    And this leads to the conflict in the above two views of the security
    world. 
    
    It makes sense for security firms (people in the business making money) to
    actively share their research.  They work with vendors and improve their
    customers' security.  They will never know if their customers are totally
    secure, because there could be an exploit out for something that hasn't been
    researched by the firms yet.  But they'll get there eventually.
    
    So maybe it's like a race.  
    
    Firms don't need to buy exploits, but they should recruit people into their
    r&d labs to find bugs. 
    
    In the race, I wonder who is faster - the people getting paid and
    rewarded, or the leeto underground people who get little fame, little 
    money. 
    
    > People simply don't read advisories, and never apply patches.
    
    I guess security consultant firms read advisories very closely.  And I
    guess clients install patches when the consultants inform them of the
    vulns.
    
    
    If people in the 'underground' want to use their skills to make money,
    either help improve computer security (and get a job in some r&d lab), or
    rob a bank with your unreleased exploit.  The former option is probably
    more sensible tho...
    
    - foob
    
    This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 09:08:10 PDT