On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:

> *Proposition*
>
> Microsoft is a 280+ billion dollar corporation. Why don't/can't they have a
> standard ransom fee for security flaws?
>
> 0day Remote OS flaw: $1,000,000
> 0day IE explorer flaws that give administrative shells: $200,000
> 0day (other flaws) that affect other products (ie office): $200,000
> etc..(these fees could be much higher)

If other places are offering $20K for a 0day, why should Microsoft offer 10 times that, when they can probably make the sale offering only $25K? Remember - Microsoft isn't there to make good software. It's there to make a profit.

> Provided the person who discovered the vulnerability gives a full working
> patch, then Microsoft could patch the hole right away and people could
> update.

Yes. They could. But if they've bought exclusive rights to the exploit, why should they? Remember why the concept of "full disclosure" started in the first place - because if a vendor is the only one who knows about a hole, they have little to no motivation to actually *fix* it.

> (yes i know lots of people don't update but at least it is a start,
> and then legally they would be so liable). Maybe this concept isn't new and
> I am just in the dark about it.

There are companies in the security arena buying 0days; it's been happening for years already.

> Why doesn't Microsoft (or any company) do this?

There are plenty of companies that make a living fixing the problems in the Microsoft products (IDS and A/V and all the rest), and they've been doing it for a while. It would be a *bad* idea for Microsoft to get caught doing that, as the instant they shell out some money for a 0day, they lose most of their plausible deniability. It's hard to argue "We didn't know about that bug until the public posting on the XYZ-L list on Dec 3" if the other side's lawyers find records of buying a 0day for the hole back in early April.
Something to keep in mind is that security is *always* about tradeoffs, especially when you're a vendor. You're probably *not* interested in shipping a massively hardened secure system - only a few sites are truly paranoid or require that sort of thing. Windows XP will end up selling hundreds of millions of copies - the amount of security in those will end up being the amount of security that hundreds of millions of Joe Sixpack customers are willing to actually *pay* for. Since Microsoft is a for-profit corporation, their security team is charged with reducing the *total* cost of the security - the expense of actually auditing any existing code, and writing new code to stricter standards, *plus* the costs of fixing bugs once they escape, *plus* the costs of keeping customers happy when a security bugfix changes an API and production software breaks, *plus* the PR costs of following your planned decision. Which is a better bet for Microsoft - spending $15 million on a big PR and advertising campaign that announces the 'New Secure Attitude', or spending $50M on quietly fixing the broken software?

> And also has Microsoft ever
> been held criminally liable for negligence in a criminal case for not
> patching a flaw leading to a security breach?

Making a *criminal* negligence case stick would be *exceedingly* hard to do, as you'd have to find a district attorney who wanted to try to press charges, and it's hard to make it stick against a corporation - the legal standard really *does* approach "the defendant knew or should have known that their behavior was likely to result in somebody literally getting hurt or killed". (One web site gave the hypothetical examples of a canoeing tour operator that takes kids who are beginning canoers out on a lake, without life preservers, when stormy weather is forecast, or a company releasing toxic chemicals that they should have known would end up in a town's drinking water).
It would be a lot easier to make a case for civil liability for the negligence, but then you'd have a *big* problem - by using a non-pirated copy of Windows, you presumably agreed to the EULA, where you disclaimed most of the obligations you would normally have. And *at best*, you'd only be able to pin them with "contributory negligence" - Microsoft could *easily* argue that the webmaster or sysadmin or whatever *should* have known that "software is hackable" and taken additional precautions of their own. A number of pretty clever people have been looking at this, and it's pretty generally agreed that the test case you'd want to see in court would be a non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or otherwise attacked from compromised Windows boxes, such that the compromise allows the attacker to remain anonymous/unfindable. And even then it's not a clearly winnable *practical* suit to battle - if the plaintiff company only lost $250,000 due to the DDoS, and the attorney is doing it for the semi-standard 30% of the award, and it will take more than $75K worth of legal just to get the case rolling, it becomes difficult to get the lawsuit moving. So you'd need either a non-Microsoft shop that lost millions of dollars due to the DDoS, or a law firm that wants to rack up *lots* of pro bono hours.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/