
Re: [Full-disclosure] Office 0day



<i>If other places are offering $20K for a 0day, why should Microsoft offer
10 times that, when they can probably make the sale offering only $25K?</i>

I would think incentive. Sell my exploit to some criminal network for
cheap? Or would I rather Microsoft trump their offer by much more and
continue consulting for Microsoft rather than criminal networks? Also, if I
am in any industry (let's say software) I am going to strive to produce the
best product possible regardless of the profit. This means spending a lot
more for people's research than some average criminal would, who will then
make much, much more money than the security researcher.

<i>Yes. They could.  But if they've bought exclusive rights to the exploit,
why should they?  Remember why the concept of "full disclosure" started in
the first place - because if a vendor is the only one who knows about a
hole, they have little to no motivation to actually *fix* it.</i>

Well, I would think there would be some motivation. Unless every employee
who codes at Microsoft is a money-grubbing greedy person with no regard for
the person who uses their products, there would have to be some motivation
to fix the product if it is flawed.

<i>Which is a better bet for Microsoft - spending $15 million on a big PR
and advertising campaign that announces the 'New Secure Attitude', or
spending $50M on quietly fixing the broken software?</i>

Let's see, they spend $50 million over 7 years (Windows XP lifespan so far),
not bad... they are a 280+ billion dollar company.

But compare that to a security team of 50 people at $250,000 a year for
7 years = $87,500,000. Looks like their security team is costing a lot
more...

Also, I shouldn't have to take into consideration 'the amount of security
I'm willing to pay for' if I can only get so much (guaranteed?) security for
one price.

<i>Microsoft could *easily* argue that the webmaster or sysadmin or
whatever *should* have known that "software is hackable" and taken
additional precautions of their own.</i>

That is like me trying to argue that after going to a car mechanic, I should
have known that the engine mount that I paid to be secured in my car would
have loosened on a bumpy freeway and let my engine fall out on the freeway.
I should have put a big metal sheet under my car to keep things from falling
out after I pay for service!! I just should have that knowledge magically.
It just won't hold up in court.

<i>Making a *criminal* negligence case stick would be *exceedingly* hard to
do</i>

I don't think it would be so hard. Someone reports a critical flaw, and
Microsoft reports it, but doesn't patch it and does nothing about it. So
they know about the flaw at hand and aren't doing anything to fix it. That
is the definition of negligence. It's like a tire company knowing of a
problem in their tires, stating the problem, and not recalling the tires.
They know of the problem but don't fix it. Now I've been thinking, I don't
think you'd need a big DA or anything of that nature. There was a judge in
the news recently suing for $60,000,000 for a pair of pants. All you have to
do is piss off the right people.

Just some thoughts..


On 6/25/07, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:

On Mon, 25 Jun 2007 13:18:42 PDT, secure poon said:

> *Proposition*
>
> Microsoft is a 280+ billion dollar corporation. Why don't/can't they have
> a standard ransom fee for security flaws?
>
> 0day Remote OS flaw: $1,000,000
> 0day IE explorer flaws that give administrative shells: $200,000
> 0day (other flaws) that affect other products (ie office): $200,000
> etc..(these fees could be much higher)

If other places are offering $20K for a 0day, why should Microsoft offer
10 times that, when they can probably make the sale offering only $25K?

Remember - Microsoft isn't there to make good software. It's there to
make a profit.

> Provided the person who discovered the vulnerability gives a full working
> patch, then Microsoft could patch the hole right away and people could
> update.

Yes. They could.  But if they've bought exclusive rights to the exploit,
why should they?  Remember why the concept of "full disclosure" started in
the first place - because if a vendor is the only one who knows about a
hole, they have little to no motivation to actually *fix* it.

>         (yes i know lots of people don't update but at least it is a
> start, and then legally they would be so liable). Maybe this concept isn't
> new and I am just in the dark about it.

There are companies in the security arena buying 0days; it's been happening
for years already.

> Why doesn't Microsoft (or any company) do this?

There are plenty of companies that make a living fixing the problems in the
Microsoft products (IDS and A/V and all the rest), and they've been doing it
for a while.  It would be a *bad* idea for Microsoft to get caught doing
that, as the instant they shell out some money for a 0day, they lose most of
their plausible deniability.  It's hard to argue "We didn't know about that
bug until the public posting on the XYZ-L list on Dec 3" if the other side's
lawyers find records of buying a 0day for the hole back in early April.

Something to keep in mind is that security is *always* about tradeoffs,
especially when you're a vendor.  You're probably *not* interested in
shipping a massively hardened secure system - only a few sites are truly
paranoid or require that sort of thing.  Windows XP will end up selling
hundreds of millions of copies - the amount of security in those will end up
being the amount of security that hundreds of millions of Joe Sixpack
customers are willing to actually *pay* for.

Since Microsoft is a for-profit corporation, their security team is charged
with reducing the *total* cost of the security - the expense of actually
auditing any existing code, and writing new code to stricter standards,
*plus* the costs of fixing bugs once they escape, *plus* the costs of keeping
customers happy when a security bugfix changes an API and production software
breaks, *plus* the PR costs of following your planned decision.

Which is a better bet for Microsoft - spending $15 million on a big PR and
advertising campaign that announces the 'New Secure Attitude', or spending
$50M on quietly fixing the broken software?

>                                                   And also has Microsoft
> ever been held criminally liable for negligence in a criminal case for not
> patching a flaw leading to a security breach?

Making a *criminal* negligence case stick would be *exceedingly* hard to
do, as you'd have to find a district attorney who wanted to try to press
charges, and it's hard to make it stick against a corporation - the legal
standard really *does* approach "the defendant knew or should have known
that their behavior was likely to result in somebody literally getting hurt
or killed".  (One web site gave the hypothetical examples of a canoeing tour
operator that takes kids who are beginning canoers out on a lake, without
life preservers, when stormy weather is forecast, or a company releasing
toxic chemicals that they should have known would end up in a town's
drinking water).

It would be a lot easier to make a case for civil liability for the
negligence, but then you'd have a *big* problem - by using a non-pirated
copy of Windows, you presumably agreed to the EULA, where you disclaimed
most of the obligations you would normally have.  And *at best*, you'd only
be able to pin them with "contributory negligence" - Microsoft could
*easily* argue that the webmaster or sysadmin or whatever *should* have
known that "software is hackable" and taken additional precautions of their
own.

A number of pretty clever people have been looking at this, and it's pretty
generally agreed that the test case you'd want to see in court would be a
non-Microsoft shop (so they're not party to the EULA) who gets DDoS'ed or
otherwise attacked from compromised Windows boxes, such that the compromise
allows the attacker to remain anonymous/unfindable.  And even then it's not
a clearly winnable *practical* suit to battle - if the plaintiff company
only lost $250,000 due to the DDoS, and the attorney is doing it for the
semi-standard 30% of the award, and it will take more than $75K worth of
legal just to get the case rolling, it becomes difficult to get the lawsuit
moving.  So you'd need either a non-Microsoft shop that lost millions of
dollars due to the DDoS, or a law firm that wants to rack up *lots* of
pro bono hours..

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
