$10k Bounty for Critical Windows Flaws
An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""
Buy MSFT now (Score:5, Funny)
1. Design flawed OS
2. Wait for bounty on flaws
3. Submit flaws
4. Issue "critical" advisories on those flaws
5. Profit!!!
Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.
Re:Buy MSFT now missing step (Score:1)
Which is probably:
Buy Bounty company - then pay self.
Re:Buy MSFT now (Score:2)
Re:Buy MSFT now (Score:2)
Simpler plan for MS (Score:4, Funny)
Re:Simpler plan for MS (Score:2)
Oh wait...
Re:Simpler plan for MS (Score:1)
Re:Simpler plan for MS (Score:1)
Re:Buy MSFT now (Score:2, Funny)
On April 1st, iDefense will file for bankruptcy. Ha. Ha. "April Fools!"
In other news, (Score:2)
No bounty for you.
Vista! (Score:5, Funny)
Re:Vista! (Score:1, Funny)
I could use an extra 10k (Score:3, Funny)
They're calling it... (Score:2, Funny)
Remember though (Score:5, Interesting)
On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...
Re:Remember though (Score:2)
Re:Remember though (Score:1)
Can anybody say, "lawsuit"? (Score:3, Insightful)
And they have a couple law-talkin guys on staff.
Re:Can anybody say, "lawsuit"? (Score:2, Insightful)
Re:Can anybody say, "lawsuit"? (Score:2)
BAH (Score:2)
You crazy English are messing up my English!
Re:Can anybody say, "lawsuit"? (Score:2)
Re:Can anybody say, "lawsuit"? (Score:1)
Linux needs a similar plan. (Score:5, Interesting)
As open as Linux is, this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps, and by then it should be time to start looking at the kernel again.
Re:Linux needs a similar plan. (Score:2, Informative)
Re:Linux needs a similar plan. (Score:2)
Re:Linux needs a similar plan. (Score:1)
Ubuntu has bounties [ubuntu.com].
Flathead
Re:Linux needs a similar plan. (Score:3, Insightful)
A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.
Remote holes in Linux distros (Score:2, Funny)
Mandrake
Slackware (IIRC)
So, is that $10,000 per instance...?
$10k isn't a lot for hackers (Score:4, Insightful)
Re:$10k isn't a lot for hackers (Score:2)
Re:$10k isn't a lot for hackers (Score:1)
It's already been around for a year and a half, according to the dates on this page [idefense.com]. In case you're skeptical of the source, those dates do seem about right - I remember seeing their announcements on the major security lists (it generated a bit of derisive controversy on full disclosure, as I recall), and 2 summers ago sounds about right.
Re:$10k isn't a lot for hackers (Score:1)
Re:$10k isn't a lot for hackers (Score:1)
Re:$10k isn't a lot for hackers (Score:1)
The major difference here is that this is legal and the right thing to do. Selling exploits to scum like that is on the same moral level as skiddies. A lot of hackers have no desire to damage innocent people; the rest are lame.
Found it! (Score:5, Funny)
You may send the prize money to PO Box 3872, Moncton, NB, Canada
Re:Found it! (Score:1)
Shrewd business move for Verisign (Score:3, Insightful)
They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!
Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.
Re:Sig (Score:1)
http://www.urbandictionary.com/define.php?term=re
In the words of Dilbert (Score:5, Funny)
Some Vista developer is saying to himself, "I'm gonna code me a minivan!"
http://religiousfreaks.com/ [religiousfreaks.com]
What if five people find the same flaw? (Score:5, Interesting)
Re:What if five people find the same flaw? (Score:2, Informative)
http://labs.idefense.com/labs.php?show=21#a21 [idefense.com]
Michael Sutton
Director, iDefense Labs
Free Press - Contest is a joke... (Score:5, Insightful)
Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.
Re:Free Press - Contest is a joke... (Score:1)
Upcoming headline (Score:5, Funny)
Re:Upcoming headline (Score:1)
More Incentive required to make this worthwhile. (Score:1, Redundant)
Think about it - hacker gets paid $10k for finding a critical flaw and reporting it.
Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands.
It happens, I see it often enough when called in to do security-audits after-the-fact, and no, it's not me that's doing the blackmailing
Re:More Incentive required to make this worthwhile (Score:2)
Re:More Incentive required to make this worthwhile (Score:1)
I said I see this when I'm asked to come in and TRY to make sure it doesn't happen again, not because I do it myself?
If you work in the finance sector you will KNOW this happens and you will KNOW Banks and other financial businesses don't like it publicized when they are taken for a ride.
Yo, (Score:1)
Do you have a disease? You think everyone on the internet is talking about you?
Neither the GP nor its sibling post are implying anything about your conduct. Both are making the same point - for some people extortion isn't an option. They're not suggesting YOU engage in extortion.
No possible reading of their posts suggests anything different to me.
Besides, if you can't take a few cheap digs and insinuations without wetting yourself, you shouldn't be here, pinhead.
Re:Yo, (Score:1)
I didn't wet myself at all mate, you seem to be the one who overreacted.
Hey everybody (Score:1)
Klootzak smokes crack for breakfast!!
Klootzak jumps to conclusions!!
See, no one cares about you, your sad life or your pathetic insecurities.
Re:Hey everybody (Score:1)
I'd beg to differ - if that were the case you wouldn't have replied
Please continue, I find unrequited abuse very entertaining.
Re:Yo, (Score:1)
Re:Yo, (Score:1)
Male yes, late 20s no, single no, but no-one cares, so why comment?
I'm obviously argumentative, you can see so in my posts, full of hostility and lack of knowledge on the topic
Re:Yo, (Score:1)
Re:More Incentive required to make this worthwhile (Score:2)
I said that blackmailing for hundreds of thousands of dollars is not an option for those with scruples. There is no ambiguity in that sentence.
Re:More Incentive required to make this worthwhile (Score:1)
I believe the correct phrase is "extortion".
Given the above comment, it's also not an option for those that don't want to go to prison.
Re:More Incentive required to make this worthwhile (Score:1)
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you?
Re:More Incentive required to make this worthwhile (Score:1)
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you?
uhh.... seriously, no more espresso. I didn't accuse you of anything, I said that the thing you are DESCRIBING is extortion. Now, you can gather whatever info you want from the above comment, and re-think your response.
Re:More Incentive required to make this worthwhile (Score:1)
What may NOT be common knowledge is how often it happens, because the companies it happens to don't like their customers to know their security has been compromised.
I read into your response because you stated the obvious... just having my first coffee of the morning now, cafe-latte, not espresso
Re:More Incentive required to make this worthwhile (Score:2)
OK, in the root of this thread, in the subject line, you say that more incentive is required to make this offer worthwhile. My reply and the GP state that there is, in fact, a possibility that there are security researchers who would rather have bugs fixed and get a smaller reward than risk prison time for a larger purse that may end up being nothing. This may be
Re:More Incentive required to make this worthwhile (Score:1)
For sale: One Windows exploit, hardly used. Make money quickly through carefully placed advertising. Reserve $10,000.
Re:More Incentive required to make this worthwhile (Score:1)
Make more money just working in "white-hat" security consulting if you are good enough to find exploits though, any company involved in asset-management or even just high-volume b2b transactions craves those skills (for obvious reasons).
Why only Windows? (Score:2, Interesting)
Verisign?? (Score:3, Insightful)
IT industry focus (Score:2)
Re:IT industry focus (Score:1)
support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?
Maybe the question you should be asking is: Why does everyone USE windows instead of HP OpenVMS? And the answer is usually, because being able to use it is primary and being able to use it securely is secondary. Most people can't just pick up an OpenVMS server and use it in 5 minutes--ok so most can't pick it up at a
Re:IT industry focus (Score:2)
Re:IT industry focus (Score:1)
Well, sure you're going to see all of those as newsworthy, but most of the news is focused on the biggest market--actually I think Windows gets less coverage than its market share would dictate by itself (thank God).
At work, the only HP server we have is running Exchange with Windows. I wouldn't trust granny with that much power.
Let's get the most obvious one out of the way (Score:2, Funny)
My prize may be donated to the Association for Smacking Stupid People Upside the Head.
What does iDefense do with it? (Score:1)
Clank go the handcuffs (Score:3, Insightful)
"Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."
What about beta? (Score:3, Insightful)
Why this will not work (Score:1)
The best exploits stay underground for an extremely long time until a whitehat catches a blackhat doing something careless (like not deleting their exploit they
Hacking as a Career (Score:1)
$10,000 for the first person to discover a backdoor into the national bank!
one of those people is gonna leave with $10,000, the rest are leaving with a lot more than that!
British Govt worried Vista is too secure (Score:1)
That article sez that Vista is too secure, and that the British govt wants a back door....
The Russian mafia are going to pay haxors big bucks for a back door if they find one (like the recently found WMF exploit - which some claim is a purposely put in 0 day exploit). I can't believe governments would push for this type of exploit, as they really just fuel the spy-ware and hacking economy!
If the British govt get their way, Vista WILL have exploits, so it's just a
A New Type of Online Auction Service? (Score:1)
With all of the programmers out of jobs due to outsourcing, this is a way for American workers to compete on a level playing field.
DMCA violation? (Score:3, Interesting)
Yippy! (Score:1)
I found a flaw!!! (Score:4, Funny)
I'll take my ten grand now. Oh wait, I found another one!!
explorer.exe
There's twenty grand you owe me now!
Re:I found a flaw!!! (Score:2)
Re:I found a flaw!!! (Score:2)
Great Idea To Make MS Care About Bugs (Score:1)
It seems like a real win/win for Windows users no matter what.
I think I found the biggest flaw ever!!!! (Score:1)
How long? (Score:1)
Of course... (Score:2)
In related news... (Score:2)
Re:WTF? (Score:1)
Re:WTF? (Score:3, Insightful)
(b) People pay for these exploits beca
Re:WTF? (Score:2)
I didn't RTFA, but I'd guess it goes something like:
Re:double play - now thats easy (Score:1, Troll)
Re:I just found a MAJOR flaw in Vista Beta. (Score:1)
Re:Windows research is clearly more profitable... (Score:5, Insightful)
That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.
Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependent on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default Windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over Windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for Windows.
Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in Firefox. On my new laptop, however, I was browsing around using IE while I waited for Firefox to download, and in between the time it took to start the download and the time it had finished, IE had managed to install a little bugger called Aurora for me. Thanks IE!
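Two of the claims in the post above are concrete enough to check: that a hidden "known" extension lets a name like invoice.pdf.exe display as invoice.pdf, and that on a permissions-based filesystem a freshly written file cannot be executed until someone sets its execute bit. The following is an added illustration, not code from the poster; the set of hidden extensions is a constructed subset used for the simulation (the real list on a given Windows box depends on its file associations), and the detection rule is a defender-side heuristic for spotting double-extension names in, say, a mail gateway or download log.

```python
import os
import stat
import tempfile

# Constructed, illustrative subset of extensions that Explorer's default
# "Hide extensions for known file types" setting suppresses from display.
HIDDEN_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# For this demo the same set doubles as "extensions that run when opened".
EXECUTABLE_EXTENSIONS = HIDDEN_EXTENSIONS


def displayed_name(filename):
    """Simulate the default Explorer display: drop the final extension
    when it is one of the hidden "known" types, otherwise show it as-is."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in HIDDEN_EXTENSIONS else filename


def looks_spoofed(filename):
    """Flag a name whose displayed form ends in a non-executable extension
    (so it looks like a document) while its real final extension is executable.
    invoice.pdf.exe -> True; setup.exe -> False; report.pdf -> False."""
    shown = displayed_name(filename)
    if shown == filename:
        return False  # nothing was hidden, the user sees the true extension
    _, shown_ext = os.path.splitext(shown)
    # A bare "setup" (from setup.exe) has no second extension and is not a spoof;
    # "evil.exe.exe" still displays as evil.exe, which visibly is executable.
    return shown_ext != "" and shown_ext.lower() not in EXECUTABLE_EXTENSIONS


def is_runnable_by_owner(path):
    """True if the owner execute bit is set on the file's mode."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def demo_unix_exec_bit():
    """Write a shell script into a temp dir (a stand-in for a downloaded file)
    and show that it is not executable until the execute bit is set explicitly.
    Returns (executable_before_chmod, executable_after_chmod)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "downloaded.sh")
        with open(path, "w") as f:          # created with 0o666 & ~umask: never +x
            f.write("#!/bin/sh\necho hi\n")
        before = is_runnable_by_owner(path)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)  # the explicit chmod +x step
        after = is_runnable_by_owner(path)
        return before, after


if __name__ == "__main__":
    for name in ("invoice.pdf.exe", "setup.exe", "report.pdf", "photo.jpg.scr"):
        print(f"{name:18} shown as {displayed_name(name):14} spoof? {looks_spoofed(name)}")
    print("exec bit before/after chmod:", demo_unix_exec_bit())
```

The `looks_spoofed` rule only inspects names, so it is a triage signal rather than a verdict: a file named `invoice.pdf` can still be an executable with a forged extension, which is why content-type checks belong alongside it. `demo_unix_exec_bit` relies on `open()` creating files with mode 0o666 before the umask is applied, which is why the execute bit is absent regardless of the umask in effect.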
Re:Windows research is clearly more profitable... (Score:2)
This is solely an application problem. It has _nothing_ to do with Windows.
[...] and Windows (up until recently) never had the equivalent of a Linux sudo to get around that requirement.
It's always had the functionality.
Windows developers have been encouraged for years to write programs dependent on
Re:Windows research is clearly more profitable... (Score:2)
They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations. Ok, that was a good step. But you can't expect millions of program
Re:Windows research is clearly more profitable... (Score:2)
How ? Give some specific examples.
Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repercussions in the current state of Windows software.
Developers have had no excuse not to be w
Re:Windows research is clearly more profitable... (Score:2)
That was when support for multiple users was added. But when did MS start saying that programs should be developed so they can work in a non-root setting? From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it. You just keep doing things the way you usually do. It's no
Re:Windows research is clearly more profitable... (Score:2)
Probably long before then, given NT was multiuser since the day it was released.
You are making an extraordinary claim that Microsoft's development guidelines contradicted not only general best practices, but also sheer common sense. I think that demands some proof.
From the development perspective, "LUA-friendly" is just another feature. If you don't need i
Re:Windows research is clearly more profitable... (Score:2)