$10k Bounty for Critical Windows Flaws 138
An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""
Can anybody say, "lawsuit"? (Score:3, Insightful)
And they have a couple law-talkin guys on staff.
$10 k isn't a lot for hackes (Score:4, Insightful)
Shrewd business move for Verisign (Score:3, Insightful)
They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!
Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.
Free Press - Contest is a joke... (Score:5, Insightful)
Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.
Verisign?? (Score:3, Insightful)
Re:WTF? (Score:3, Insightful)
(b) People pay for these exploits because if they can take advantage of them, they can continue to spread their spam and malware from and to unwitting, unwilling and unaware people. Turning thousands of PCs into your own private email relay stations is motivation. Installing scumware/adware/spyware on thousands more is motivation.
Re:Can anybody say, "lawsuit"? (Score:2, Insightful)
Clank go the handcuffs (Score:3, Insightful)
"Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."
What about beta? (Score:3, Insightful)
Re:Windows research is clearly more profitable... (Score:5, Insightful)
That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.
Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.
Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!
Re:Linux needs a similar plan. (Score:3, Insightful)
A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.