3Com to Buy Security Flaws?
Zonoprh writes "CNET reports that 3Com's TippingPoint division is starting a pay-for-vulnerability program called the Zero Day Initiative. It seems 3Com plans to use the vulnerabilities they purchase to fuel signatures in their protection technologies, in addition to sharing the same data with other security vendors. From the article: 'Money has increasingly become an incentive for hackers. Programs such as TippingPoint's offer a legitimate way for them to get paid for their bug hunting. There is also an underground market for vulnerabilities. Cybercriminals pay top dollar for previously undisclosed flaws that they can then exploit to break into computer systems, experts have said.'"
We've all seen the shocking bombings in London recently caused by extremist Muslims who, quite frankly, have nothing better to do with their time.
But what about the 'normal' Muslims, I hear you cry - how can they go about their lives in this post-7/7 world?
Hi, I'm The_Fire_Horse and you might remember me from such posts as
Cheese - what does it mean to the average Muslim, and
Islam - what *is* the point? I mean... really!
Today, we are going to discuss how the average bright-eyed, yet naive Muslim can go about their lives following the devastating and shocking bomb attacks on London.
Step 1 - Don't be ashamed
You are a Muslim - you have chosen your religion freely because your parents told you to, and despite nagging doubts in the back of your head that it is all a bit 'silly', you will continue to follow whatever interpretation of the Koran anyone happens to talk about. Don't feel dumb - it isn't your fault - remember that you have millions of others thinking just the same way, so you must be right!
Step 2 - Pack up your camping gear
You are going out to the country, so you will need lots of supplies! Get yourself a nice big backpack and fill it with pots, pans, food, clothes and spare copies of the Koran, because you will be out in the wilderness for several days.
Step 3 - Heading for the train
The train trip will take a while, so you will want to listen to some 'Koran on tape' cassettes - put your Walkman in your rucksack and feed the headphone wires out the top so you have access to the music.
OK, IT'S TIME TO GO!!!
With your headphones hanging out of your rucksack and your tea towel wrapped around your head, you can now proudly walk out the door of your hovel to the nearest train station to head off on your camping trip.
Step 4 - Dealing with the Police
If the police take an interest in you, simply screech "ALLAH BE PRAISED" and reach for your headphones so that you can let them hear the magical insight of the 'Koran on tape'.
Should the police then reach for their guns, you will need to quickly remove your student ID from your inside jacket pocket and show it to them. Don't worry - everything will sort itself out (Allah will know what to do).
...are vulnerability blackmail and extortion ... or are they already here?
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
So I gotta wonder how they are gonna determine who is reputable and who is not ...
Hulk SMASH Celiac Disease
There's money to be made, not in the gold fields of California but in the data fields of Microsoft. "There's bugs in them thar discs!!!"
Much better way to deal with bugs; I'm surprised no one thought about this before. I guess the real test will be to see how they deal with the bugs they "buy".
I knew 3COM was big, but big enough to buy Microsoft? Wow!
My very own get-rich-quick scheme. Im Rich! Yay!
If someone is able to break into your system offer to pay them to keep it secure from others like themselves.
What was the famous counterfeiters name that the FBI hired to spot fakes? He was the basis for the movie 'Catch me if you Can'.
Allow them to use their powers for good, because if you don't, they will continue to use their powers, in whichever direction (good or bad) that they can. The big companies might as well use them as a tool (and pay them) to create/maintain better secured software.
And they said zombies weren't real!
They don't share the info on the exploits. With CERT the bug is known even if crucial details are not. With 3Com, it's a murky secret. According to their own data they will sit on them until they have notified every security company first. Only then will they tell the public, putting everybody at risk. Worse yet, from a business standpoint they can pay for an exploit only to have somebody else notify the world the next day. That's money lost. Unless they want to go and copyright the exploit, they are assed out.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
buying one of their shitty OfficeConnect WLAN/ADSL routers. It has several annoying features including regular hangs and connection drops on both the WLAN and WAN side. Do they fix their broken software despite knowing of the problems? No. They despatch sage advice such as "turn the firewall off and it might stop crashing".
I would never trust them for any sort of corp. networking gear having seen the total balls-up they can make at the consumer end.
3Com gets paid to alert its customers of vulnerabilities in near-real-time. Which means, more vulnerabilities fixed == less $$$ for them over time.
Hmmm, great business model...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
OMG 0day!! th4tz so 31337!
3com r the pwnag3.
Most hackers I know are hunter gatherers. When the supply of old pizza crusts is exhausted, they migrate to a new range.
Yet another way for Microsoft to generate revenue.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
that's the Microsoft/SCO theory anyway. (and yes I am kidding)
This reminds me of mob "insurance".
"You know, if you don't pay us to protect you, something bad could happen to you."
Anyone else see a moral issue here?
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
And they have a great bonus program which will pay you a nice bonus, but what they fail to mention is how much a vulnerability is worth. They have everything they need here to screw you with:
1. 3Com makes an offer and the researcher (nice name for a change) accepts it, and keeps his mouth closed.
2. Another researcher (who wishes to stay anonymous) already submitted this bug.
It would be nice if they said what the base is that they are willing to pay, and that you could look in the bug database (probably just on some kind of specific property so you can recognize the bug).
However, I do like the ZDI platinum bonus: Black Hat training in Las Vegas (with the $20,000 bonus, should be a good few days (-: )
My wife's sketchblog Blob[p]: Gastrono-me
How long till someone finds a security flaw in 3Com's online payment system and assigns themselves a financial reward for discovering the security flaw?
iDefense (recently acquired by VeriSign) has been doing this for years.
If Microsoft would do this, they would go broke (-:
If you really want a bug to be fixed...
Post the details of the vulnerability on Slashdot. That's the one way to get the company responsible for the flawed code to fix it, fast.
I think this is a great initiative!
Now you can make money AND have a positive impact on online security and thus society.
Once I reported a (serious) bug and I was mostly treated as a criminal. With this program I'll earn some money and I don't have to deal with irresponsible companies that prefer to ignore bugs.
Well done 3Com!
So will they credit the bug hunters, or will they treat them as their workers? Sharing information is a good move, but isn't that a marketing strategy that will make people think 'Look, 3Com is the first to find vulnerabilities from all those reports'?
Did it really say "0-day Initiative"?
That's like AOL founding the "^_^Rofloffle Institute for Instant Message Research".
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
Some of us spend weeks praying in an attempt to get closer to ALMIGHTY ALLAH.
You really shouldn't make fun of us, just because we believe in the Koran, instead of the Bible. Surely we are just as valid as Christians?
IIRC, Sun did this with the early versions of Solaris. The transition from SunOS to Solaris was really painful, especially wrt. SunOS binary compatibility. Now that I think about it, it could have just been a bounty on compatibility problems.
(S(SKK)(SKK))(S(SKK)(SKK))
20 years ago I wrote a security system, and offered the staff a free lunch if they could find any "undocumented behavior". It's a quick and cheap way to build confidence. I had a couple of takers, but both quit their spiel while they were laying out their case... Seems they didn't RTFM! ; )
If they "buy" a software vulnerability, and build a signature for it, will somebody else who builds a signature (e.g., snort) for it be violating some IP right like copyright or patent?
3COM is not the first security company to buy 0days; I am aware of several others, including iDefense (recently acquired by Verisign), who were doing this and reselling their advisory services.
I don't see a big problem in this if they share it with CERT, even if they give priority notification to their large accounts.
Will they be able to match what the underground organizations that they are trying to compete with pay - buck for buck - for the love of a black hat?
Once you've stolen a couple of thousand credit card numbers, you can quite easily buy vulnerabilities - because no one's really accountable for the money you spend.
Companies such as 3Com, on the other hand, have limited budgets, albeit big budgets, but limited nonetheless. How will 3Com explain it to their customers and shareholders when a hacker sells a vulnerability first to an underground org, and then to 3Com?
I suppose it's better than appealing to a hacker's conscience. Maybe a solid job offer for discovering 10+ vulnerabilities first might work? ..
_Vishal www.squad9.com
I am willing to give money to people so they can go back to grade school and learn that YOU DON'T USE AN APOSTROPHE TO MAKE A PLURAL.
As others have pointed out in more esteemed fora, this is not the first attempt to establish some sort of double-blind auction for 0day exploits - iDefense have been trying it for a long time. To paraphrase Halvar (I think it was?): "we don't trust them, either." (Which is a shame really, as they've released some good software to the community - iDefense, that is - but the lame "sell us your 0day" programme lost them probably more cred than the software earned them.)
The issue is that if you get paid for finding a flaw, you could get sued for it, and there is a nice money trail back to you. 3Com makes no pretense at anonymity nor grants any immunity from liability. While I admit that's not likely, they would sue 3Com first and name you as a co-defendant; you're still in it with them. This has happened in the past; I see no reason it's not gonna happen again.
Step 1: Create popular, mission critical software that every business will want to install
Step 2: Insert sneaky vulnerabilities
Step 3: Sell bugs to 3COM
Step 4: PROFIT!!!!
Isn't the law in USA trying to lean towards "if you figure out these exploits then you ARE a criminal" ? If so, wouldn't you want to remain anonymous?
... orthodox jews. Now that would create some fun!
"I bet that leaking information would kind of mark you as disreputable" mendaliv (898932)
So you just don't have a good grasp of English.
I would advise that from now on you just post anonymously.
---
What country are you from? WHAT is no country I ever heard of do they speak English is WHAT? ENGLISH, Mudda&**&* do you speak it?
This just seems like rewarding people for deliberately creating bad software and then turning around and selling the vulnerabilities to 3Com for money.
In theory it's a great idea, but once the "human factor" comes in...
"Homer: Marge, I agree with you -- in theory. In theory, communism works. In theory." (The Simpsons)
A lot of hackers will have to put their money where their mouth is. I hear a lot of even "black hats" say they do it for sport, for money, etc., but not maliciously. This provides them an outlet to safely do so; let's see if they bite.
insert inflammatory anti-microsoft comment here
On one hand, this bounty will motivate "hackers" to disclose vulns to 3Com, who then will work with the vendor to fix the problem - and make themselves look good in the process - which means there is a legitimate way for some of these people to make real money off of their discoveries instead of turning them into worms or viruses.
And on the other hand, there is a lot of potential for abuse. We could see vulnerability stuffing in open source to get a kickback (I know it's hard to believe it could happen, but remember - there is money involved); we could see 3Com shortchanging people on the bounty checks, which could motivate the hacker to turn the vuln into a worm more quickly to get back at 3Com; and then there is just the fundamental philosophy that 3Com is rewarding someone for doing something bad.
We're going to have to wait to see how this plays out over time. It doesn't seem like a good idea to me, but then 3com has to be able to compete with the big boys now that they own Tipping Point.
Jerry
http://www.cyvin.org/
Maybe I could patent a vulnerability, then sell the patent to SCO.
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
LOL, this sounds like the guy on the corner who tells you "give me $20 and I'll be right back with your smoke, just gotta get it from my buddy."
Give us what we want and we MIGHT give you what WE THINK is fair.
Isn't this similar to the Danegeld that the English used to pay to the Vikings, to keep them from pillaging their towns & burning their crops?
(worked for a time, anyway).
Chip H.
I don't like the sound of this:
This clause seems to indicate that no open source projects are going to benefit from this 'advanced notification' scheme. Since patches to open source code are, well, open source, they'd be construed as revealing the nature of the vulnerability, and so 3Com won't release the vulnerability information. I really don't like the fact that this clause seems to be giving closed-source products and vendors a leg up when it comes to security notifications.
There is a spellbook here; eat it? [ynq]
Hemos? Ignoramus more like.
At the bottom of the
Hypothetical situation here:
1) Some hackerpunk writes the new and improved FloobleSchnork worm, which attacks, crashes and spreads through Cisco switches and routers running IOS.
2) 3Com buys the intellectual property of this worm from the hackerpunk and develops a solution to defend against it.
3) 3Com, of course, patents the holy crap out of their solution in such a manner that nobody else can implement any form of solution whatsoever to defend against the worm. The USPTO, in their brilliant wisdom, grants the patent in the time it takes for your average bureaucrat to rubber-stamp a sheet of paper without reading it.
4) ??? *
5) Profit!!!
* Where the mystery "???" step is either (A) Cisco tries to write a fix into their IOS and 3Com sues them for patent infringement or (B) Cisco just caves in and licenses the patented technology from 3Com. Either way, step #5 still produces 3Com's desired end-result.
The only way you can get all color hats to really use their talents to rip apart, test, and validate where holes are located is CASH! Maybe, just maybe some standards will evolve on how to properly design, write and test software prior to releasing it to the public. There is no excuse with the tools available today for some of this stuff to actually make it past a QA department evaluation. If companies want others to locate problems, there is no reason why those OTHERS should not be paid for their time and effort.
Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com
Many North Americans might not realize that a "boot" is a car trunk, and "kit" I take as meaning equipment from the 3com storage room.
Saskboy's blog is good. 9 out of 10 dentists agree.
blackmail.....
extortion......
actually, between all the Billions I made from suckers, it is very difficult to actually pinpoint that kind of a revenue.....
oh, yes.............racketeering............
that's the U.S. word for it......
good grief, nearly missed that one..........
So this is where pirates work for a living...
Only the ones who haven't ever read a book, or traveled outside their town. Just about everyone knows what a boot is, and has at least heard kit used before.
As far as I can tell, you submit the full details of the bug to 3com, including exploit code if available. They take a look at it, and decide if they'll offer you some money. If you decide you like the offer, you fill out a W-9 form (in the US), and they send you a check/paypal/whatever.
Perhaps I'm just paranoid, but why would I send them the full details on an exploit without any guarantee back from them? If there was a way to negotiate a deal before providing them the code, it would be alluring, but being forced to trust them to give a reasonable amount of money for what you're submitting feels like it'll get abused.
And then having to fill out a W-9, giving them my SSN, address, and so on just isn't a very comforting thought.
That _Chocolypse Now_ link from your .sig gave me Chuckles ;).
--
make install -not war