$10k Bounty for Critical Windows Flaws

An anonymous reader writes "iDefense, a Verisign company, is offering $10,000 to any researchers who find and report to it information on a previously unknown Windows flaw for which Microsoft later issues a "critical" advisory, according to a story over at Washingtonpost.com. Not really surprising, considering that Russian hacking groups are now paying thousands of dollars for exploits that attack unpatched holes in Windows. From the article: "Details of the flaw must be submitted exclusively to iDefense by March 31. There is no limit on the number of prizes that can be paid: if five researchers find and report five different Windows flaws for which Microsoft later issues critical advisories, all five will get paid...iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities.""

Buy MSFT now

[biocute]

I mean, who better than Bill Gates himself to submit hundreds of thousands of Windows exploits and makes zillions of them?

1. Design flawed OS
2. Wait for bounty on flaws
3. Submit flaws
4. Issue "critical" advisories on those flaws
5. Profit!!!

Mind you, if the bounty is for announced "patch" instead of "advisory", it will be almost impossible for BG to claim the prize.

Re:Buy MSFT now

[kalirion]

Because in the time that it would take him to submit hundreds of thousands of critical flaws, he can make more money just by sitting on his ass?

Re:Buy MSFT now

[Class+Act+Dynamo]

"Hello, ummm, my name is, um, Gil Baites. I would like to submit 45,000 flaws that I suspect will be reported quite soon by Microsoft. However, I do not have any certain knowledge of this event, as I have no connection to the company. Now if you'll excuse me, I must go back to my mansion and to my wife Gelinda. Thank you."

Re:Buy MSFT now

[borawjm]

It's all a joke...

On April 1st, iDefense will file for bankruptcy. Ha. Ha. "April Fools!"

Vista!

Now where's my check?

Re:Vista!

[Mayhem178]

Nope, sorry. This is a fruitless offer. Windows doesn't contain flaws. It has unpublished features. No money for you.

I could use an extra 10k

[Yaksha42]

It's times like this, when the rent is due, that I wish I knew more about hacking. :(

They're calling it...

[deathbyzen]

Operation: Who Wants To Be A Millionaire?

Remember though

[saskboy]

If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist. Well they might issue one out of the goodness of their hearts to encourage an upgrade to X...err Vista, but there will be no official patch.

On second thought, maybe looking at Windows 3.0 coding errors would reveal flaws in Vista. After all, think of the WMF flaw...

Re:Remember though

[truthsearch]

Considering the copyright notice on Windows XP is from 1985 to present finding security vulnerabilities in their old software may not be such a bad idea. At least some of the old code still resides in current versions of Windows. They've never performed a complete rewrite.

Re:Remember though

I could've sworn that Steve Gibson said the flaw exists only in the NT series of the OSes.

Re:Remember though

[lucas+teh+geek]

If you're in the hunt, don't focus on Windows 3.1 or ME, since as of June 30, 2006 Windows will no longer be issuing critical warnings for either of those Operating Systems even if they know they exist.

frankly im quite suprised windows 3.1 was issued critical warnings up until then

Can anybody say, "lawsuit"?

I can't imagine MS is gonna be too pleased with this.

And they have a couple law-talkin guys on staff.

Re:Can anybody say, "lawsuit"?

[Uncle+Rummy]

Why not? iDefense doesn't just release the vulnerabilities unannounced or sit on them exploiting them for profit, they submit them to Microsoft Security and publish only after a patch has been released. If anything, Microsoft should be happy that somebody is providing independent researchers a financial incentive not to release 0-day vulnerabilities to public lists.

Re:Can anybody say, "lawsuit"?

[Schraegstrichpunkt]

No no, iDefense is going to sue Microsoft for their losses caused by Microsoft's bugs! ;)

Re:Can anybody say, "lawsuit"?

[ClamIAm]

Sue them for what? I don't see how this is any different from other vulnerability bounties, or even a more general science bounty. The only way MS could sue someone is if they made NDAs mandatory for those who use Windows. And then, they could only sue the person who "leaked" the information.

Re:Can anybody say, "lawsuit"?

[Feanturi]

I dunno, what do they get out of being the ones to report the flaw to MS? If I found a critical flaw and reported it directly to MS, would I get paid? I doubt it. So how does iDefense get their money back? An army of spamming/DDOSing zombies for a month or so, and then report it would be my guess. That's if I was prone to paranoia, which I'm not, so stop looking at me like that! There was a look there, don't deny it, I'm onto you!!

WTF?

[wangotango]

Why would "russian hacker groups" be paying thousands of dollars for unpatched expliots? Not many remaining?

Re:WTF?

if they were really hacking groups why would they pay for them wouldnt they be selling em

Re:WTF?

[bwthomas]

Because they don't want to spend time diving into stolen source; who wants to learn to read Hungarian notation on top of english?

Re:WTF?

[mythosaz]

(a) There is no telling how many remain. Windows may be getting close to "tight" in terms of remote exploitability, or it may still have several gaping holes. RPC-based exploits (the "real" dangerous ones) seem to have been closed for a while. It's mostly overflows and breakouts now, and mostly on user-initiated processes. [User-initiated processes don't spread like wildfire inside of corporate networks, like RPC-type flaws. Dangerous, but not panic-level stuff...]

(b) People pay for these exploits because if they can take advantage of them, they can continue to spread their spam and malware from and to unwitting, unwilling and unaware people. Turning thousands of PCs into your own private email relay stations is motivation. Installing scumware/adware/spyware on thousands more is motivation.

Re:WTF?

[jlarocco]

Why would "russian hacker groups" be paying thousands of dollars for unpatched expliots? Not many remaining?

I didn't RTFA, but I'd guess it goes something like:

1. Pay thousands of dollars for working Windows exploit
2. Create code that uses the exploit to install keyloggers or other nastiness
3. ???
4. Profit!!

Re:Buy MSFT now missing step

[saskboy]

You forgot step 4.0.1 ???
Which is probably:
Buy Bounty company - then pay self.

I hope they have lots of money

[Apowers2023]

Because they are certainly gonna need it.

Linux needs a similar plan.

[MikeFM]

This is what Linux companies should be doing. Pay developers that find an exploit in Linux a couple thousand dollars and make sure the hole gets fixed quickly. Obviously then it becomes a race for the companies to have their own employees find and fix the holes before outside developers do the same. Maybe have some lesser (since they're already getting a paycheck) bounty available to their own employees that find the holes and fix them.

As open as Linux is this kind of motivation could really bring in the eyeballs to make those holes shallow and get them patched up. Make the bounty $10,000 for critical bugs and maybe $2000 for lesser security bugs. If you get the kernel patched up then start working on libraries and then apps and by then it should be time to start looking at the kernel again.

Re:Linux needs a similar plan.

[GigsVT]

Artifex does a bug bounty for ghostscript, but it's for patches, not for reports. $500 or $1000, depending on how critical a bug you fix.

Re:Linux needs a similar plan.

[MikeFM]

I've heard of similar projects for Linux before but if they still exist I never hear anything about them. It really needs to be a well publized project if such a thing exists - otherwise people won't know about it and contribute.

Re:Linux needs a similar plan.

[flathead_iv]

I've heard of similar projects for Linux before but if they still exist I never hear anything about them. It really needs to be a well publized project if such a thing exists - otherwise people won't know about it and contribute.

Ubuntu has bounties.

Flathead

Re:Linux needs a similar plan.

[freeweed]

Yeah, and considering the $10,000 applies to vulnerabilities rated as "critical", you'd hardly ever pay out.

A "critical" Windows flaw is one that allows remote exploitation. Find me a Linux distro in the past 3 or 4 years that is remotely exploitable in a default configuration, and *I'll* pay you the bounty.

$10 k isn't a lot for hackes

[madnuke]

That isn't a lot when you could sell the exploit on the internet like the WMF exploit was a snip at $5000 each, think how many people bought that in the malicous website, porn internet, fake-anti spyware companies like Win Hound. Some how I don't think this will last long.

Re:$10 k isn't a lot for hackes

[kebes]

Yes but the idea is obviously to encourage the "good guys" to find and report the holes before the "bad guys" find out about them. Most people would not trade security holes for cash on the black market, but they would certainly deliver them to a security company for pay.

Re:$10 k isn't a lot for hackes

[Uncle+Rummy]

Some how I don't think this will last long.

It's already been around for a year and a half, according to the dates on this page. In case you're skeptical of the source, those dates do seem about right - I remember seeing their announcements on the major security lists (it generated a bit of derisive controversy on full disclosure, as I recall), and 2 summers ago sounds about right.

Re:$10 k isn't a lot for hackes

[idef]

The Vulnerability COntributor Program (VCP) has actually been around for nearly four years. The program was launched in the summer of 2002. http://www.idefense.com/intelligence/vulnerabiliti es/ Michael Sutton Director, iDefense Labs

Re:$10 k isn't a lot for hackes

[Uncle+Rummy]

Wow - has it really been that long? Oy. Thanks for making me feel just a little bit older ;)

Re:$10 k isn't a lot for hackes

[a.d.trick]

The major difference here is that this is legal and the right thing to do. Selling expliots to scum like that is on the same moral level of skiddies. A lot of hackers have no desire damage innocent people, the rest are lame.

Found it!

[Fr05t]

iexplore.exe

You may send the prize money to PO Box 3872, Moncton, NB, Canada

Re:Found it!

[sleighb0y]

At least have common sense to include a postal code..

Re:Found it!

According to Canada Post's postal code lookup site, the address is bogus.

Shrewd business move for Verisign

[Weaselmancer]

They're investing in the first corporate-sponsored botnet. Now you can give your spam relay the corporate sponsorship it's always been craving! For an added bonus, we'll throw in a few auth certificates if you decide to become an elite Platinum Botnet customer!

Don't delay, act now! Really, we mean it. Because offer is only valid until Microsoft's next Critical Advisory.

Re:Shrewd business move for Verisign

Maybe they were so tired of getting caught off-guard by worms and viruses that $10,000 seems like a good deal just for the early warning. And it probably is.

double play - now thats easy

check this:

normaluser finds cirtical flaw.

normaluser submits it exclusively to this company

the company talks anonymously to microsoft and tells them to pay up or some flaws will be sold to russian hackers. company demans that microsoft never publishes the details about the flaw and just silently fixes it in some of their next hotfixes, exclusive premium stuff or hidden knowledgebase entries or some major servicepack/featurepack alltogether, if microsoft doesnt cooperate company threatens to exploit the security flaw

company tells the normaluser that microsoft doesnt considers this hole as critical so they dont need to pay the normaluser any money in exchange.

repeat all over.

Re:double play - now thats easy

[PitaBred]

Even easier: MS just set this up as a shell company. That way there's not even bribing going on, just fucking the consumer like Microsoft loves to do.

In the words of Dilbert

[gasmonso]

Some Vista developer is saying to himself, "I'm gonna code me a minivan!"

http://religiousfreaks.com/

What if five people find the same flaw?

[autopr0n]

I mean, couldn't someone find a flaw, get together with 10 of his friends, and everyone reports it independantly? What happens then?

Re:What if five people find the same flaw?

my guess is the first to submit gets the prize.

Re:What if five people find the same flaw?

[idef]

Correct - "Only the initial submission for a given vulnerability will qualify for the reward. "
http://labs.idefense.com/labs.php?show=21#a21

Michael Sutton
Director, iDefense Labs

Re:What if five people find the same flaw?

[Marty!AG]

Doesn't this give incentives to software designers to engineer flaws in their product? People working at M$ on Winblows must be tempted to put some (more) flaws in Winblows. They could then get their mates to claim the bounties.

Re:What if five people find the same flaw?

[Marty!AG]

Dude, your scheme sucks. You're going to get your ass sued off bigtime.

Free Press - Contest is a joke...

[xxxJonBoyxxx]

"iDefense will change the focus of the challenge with each quarter -- the next challenge may focus on another vendor, or it may just center on particular class of vulnerabilities."

Or, iDefense may never pay any of the $10K prizes, citing independent discovery, not-really-critical status or just the fact that Verisign knows how to say "fuck you" better than almost anyone. Instead, they'll just get shitloads of free press for their cheesy security contest and a couple of marks will sign up for and/or buy whatever it is that Verisign/iDefense is hawking today.

Re:Free Press - Contest is a joke...

[SMS_Design]

I gotta say, it would seem that iDefense has always been willing to toss cash around a bit. I went to a party of theirs in Vegas once, and had a great time.

Cheap labour

Sorry, but $10k is very low for what it's actually worth, and they only pay if Microsoft marks it Critical...

Upcoming headline

Microsoft patches 87,000 critical flaws. Verisign files for bankruptcy protection.

Re:Upcoming headline

Man, what a good sense of humor. For some odd reason, I wish it would happen.

Re:Upcoming headline

[kadathseeker]

Windows will one step (okay, 87,000 steps) closer to finally being as stable as nitroglycerin. M$ slaves around the world rejoice. *nix users either 1.) laugh at the unwashed masses, 2.) sigh and shake their heads at the primitive savages, or 3.) be too busy being productive to notice.

Re:Upcoming headline

Unless they're on Gentoo, at which point the compilation of KDE 3.5 will have finished JUST in time for the KDE 4.0 sources to be made available. :D

Posting as AC because some nimrod with mod points marked my last obviously-kidding post as flamebait. Hit: if it's a joke, move on and focus on modding insightful and interesting posts UP rather than modding funny comments down.

Windows research is clearly more profitable...

[ninja_assault_kitten]

This should put to rest any notion that for a researcher, it's *MUCH* more profitable to discover vulnerabilities affecting MS software than it is any other software vendor.

This trial by fire is also the reason why it's been quite some time since we've seen a blaster/sapphire-like vulnerability discovered.

There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows. They're merely relying on security through obscurity in a different sense. That sense being that not nearly as many researchers care of devote the time to analysis of codelines that won't be worht their while, either financially or egotistically.

Re:Windows research is clearly more profitable...

[LordLucless]

There's no inherent security architecture protecting Firefox, Linux, OSX that doesn't also exist in Windows.

That's total bollocks. Granted, the fact that windows is more popular than linux is *one* factor that discourages malware for linux, but it's far from the only one.

Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement. Windows developers have been encouraged for years to write programs dependant on root access. Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!). The move over to NTFS was good, but it only really hit the public with XP. I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem? There's a few architectural security advantages Linux has over windows. On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.

Firefox is another issue entirely; it's an application, not an OS. But comparing it to MS's Internet Explorer, it's far and away more secure. It doesn't install things behind the user's back, as MS IE does so very often. It doesn't allow the incredibly-insecure ActiveX components. I've never had a spyware infection or browser hijack simply by browsing in firefox. On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!

Re:Windows research is clearly more profitable...

[ninja_assault_kitten]

Heh... so blind, so sad.

Re:Windows research is clearly more profitable...

And what prevents the people that find these exploits from double dipping?

1: Find windows Exploit
2: Sell for $5000 a pop
3: Submit for $10000
4: Since 2, it is now a "critical" patch
5: Profit $$$!

Re:Windows research is clearly more profitable...

[drsmithy]

Linux systems are designed to be run by users, and administered as root. Windows systems, by and large, are impossible to run as anything but root - many programs require root access to work properly, [...]

This is solely an application problem. It has _nothing_ to do with Windows.

[...] and Windows (up until recently) never had the equivelant of a linux sudo to get around that requirement.

It's always had the functionality.

Windows developers have been encouraged for years to write programs dependant on root access.

Encouraged how ? What Microsoft documentation can you provide showing that developers have been told to write applications dependant on Administrator level access ? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account ?

Execute permissions prevent accidental execution of malware on Linux, as does not having a stupid system of extensions which are so easily spoofed (especially when default windows behaviour is to hide recognized extensions!).

Very little malware is executed "accidentally". If you seriously think the need to run "chmod a+x" or GUI equivalent is going to stop many people from running their "watching the dancing elephants" program, you're delusional. People are happy to open up password-protected zipfiles to get their malware fix, having to make something executable is barely a speed bump.

The move over to NTFS was good, but it only really hit the public with XP.

Probably because XP was the first release of NT that was aimed at the public. Not that file permissions are particularly important to malware in the typical case.

I still know many people using FAT-based systems. How long has Linux been running a permissions-based filesystem?

Does it matter ? Most unmanaged machines are single user and the most important files on the system are the ones the user has full permissions to anyway.

Windows NT has defaulted to NTFS since the day it was released. If people are running it on FAT, someone has made a conscious decision to change the default.

There's a few architectural security advantages Linux has over windows.

Like what ? Having to manually make files executable is about the only thing I can think of that would come close to this, and at most it's a minor issue.

On the more abstract level, being open source gives Linux the potential to be more secure - it's hard to hide critical vulnerabilities in Linux, whereas MS has a history of doing so for windows.

There's been no shortage of "critical vulnerabilities" in OSS apps that have gone unnoticed for extended lengths of time.

On my new laptop, however, I was browsing around using IE while I waited for firefox to download, and in between the time it took to start the download, and the time it had finished, IE had managed to install a little bugger called Aurora for me . Thanks IE!

Maybe not.

(Although I bet you weren't running as a non-Admin user, as well.)

Re:Windows research is clearly more profitable...

[LordLucless]

Heh ... so smug, so laughable

Re:Windows research is clearly more profitable...

[LordLucless]

Encouraged how ? What Microsoft documentation can you provide showing that developers have been told to write applications dependant on Administrator level access ? How do you reconcile this claim with the requirement of the "Made for Windows XP" logo that applications must run in a normal user account ?

They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations. Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repurcussions in the current state of windows software.

Very little malware is executed "accidentally". If you seriously think the need to run "chmod a+x" or GUI equivalent is going to stop many people from running their "watching the dancing elephants" program, you're delusional. People are happy to open up password-protected zipfiles to get their malware fix, having to make something executable is barely a speed bump.

I'd say a whole lot of malware is executed accidentally. Ok, so the people who will jump through a hundred hoops to destroy their system are beyond hope, no matter what architecture they use. But it's the people who encounter a file like...

"holiday photo.gif_________________________________.exe"
(Due to slashcode, you'll have to pretend those underscores are whitespace)

...and click it that I'm talking about. Particularly when the last ".exe" has been hidden by the OS. The problem is that double-clicking a file has two meanings - "execute me" and "open me with associated program". If the OS uses an execute bit, then it forces users to manually specify which of these actions are to be performed - which means fewer users accidentally executing what they assumed to be a non-executable file.

Does it matter ? Most unmanaged machines are single user and the most important files on the system are the ones the user has full permissions to anyway.

Many of the machines used by inexperienced people I see these days are family machines. There's a Mum account, a Dad account, a little Johnny and little Betsie account. Households with multiple computers (at least in Australia, might be different in the US) tend to be those with computer-savvy household members in my experience. And if your file system is permissions-based, it means little Johnnies naieve attempt to access the wonderful world of internet porn won't delete all Daddy's financial records.

There's been no shortage of "critical vulnerabilities" in OSS apps that have gone unnoticed for extended lengths of time.

Which is why I used the word "potentially". Also, notice that I wasn't talking about bugs that go unnoticed, I was talking about bugs that are found, but sat on by Microsoft. In the OS community, as soon as a bug is found it can be patched by anyone. This is the advantage of an OS whose source code is public - anyone can modify it to protect themselves. So even if Linus (or Redhat, or whoever you consider to be the MS equivelant in Linuxland) doesn't develop a patch, some other party can. You're not going to be seeing the same sort of thing happening in Windowsworld because nobody really has any clue how it all works - they don't have access to the code.

Re:Windows research is clearly more profitable...

[drsmithy]

They encouraged it prior to the release of XP. Then they released XP, and changed the way programs are supposed to perform OS operations.

How ? Give some specific examples.

Ok, that was a good step. But you can't expect millions of programs out there to be re-written to do it the new way. Even though they have now changed the way they recommend programs be written for their OS, their previous stance still has repurcussions in the current state of windows software.

Developers have had no excuse not to be writing LUA-friendly applications since about 1998. That's when every shipping version of Windows had support for per-user profiles and registries.

I'd say a whole lot of malware is executed accidentally.

Ignorantly != accidentally. If they double-click an icon, that's deliberate.

Ok, so the people who will jump through a hundred hoops to destroy their system are beyond hope, no matter what architecture they use. But it's the people who encounter a file like [...] and click it that I'm talking about.

Look, I realise it's difficult for a lot of technically-inclined folks to grok, but these sort of people make up the _majority_ of computer users. Heck, the number of people who will even think _at all_ of the possible and expected results before trying to open some arbitrary file would struggle to hit a double-digit percentage.

To most people a PC is like a TV, only less reliable. They don't need to worry about some TV show destroying their PC, why should they worry about some piece of software doing that same thing ?

Particularly when the last ".exe" has been hidden by the OS.

Realistically, this makes no difference. If people will open password protected zipfiles to run software, then they'll follow the one or two instructions in an email it takes to chmod +x a file and run it.

The problem is that double-clicking a file has two meanings - "execute me" and "open me with associated program".

Conceptually, a double click action only has one meaning - "open this" (or "activate this"). Whether this actually entails running an executable or passing the file to a handler program is an implementation detail that the user doesn't - and shouldn't have to - know about (it's like the difference between turning the TV on via the power switch or the remote). I'd be astounded if you could find even a handful of people out of every hundred who knew about the concepts of "running an executable vs opening a file".

If the OS uses an execute bit, then it forces users to manually specify which of these actions are to be performed - which means fewer users accidentally executing what they assumed to be a non-executable file.

It won't work. All it'll do is piss people off who have to go through extra steps to do the things that have been completely transparent up until that day. Then they'll go and set the file executable and run it anyway.

(Also, FWIW, NTFS does have the equivalent of an "execute bit".)

Many of the machines used by inexperienced people I see these days are family machines. There's a Mum account, a Dad account, a little Johnny and little Betsie account.

You'll probably also find that the vast bulk of data on these machines is in a "shared folder". IIRC Windows calls it "Common Files".

Households with multiple computers (at least in Australia, might be different in the US) tend to be those with computer-savvy household members in my experience.

Well, I'm Australian as well and from what I've seen, most "household computers", if they're even used by more than one person, just have a single account that everyone uses.

And if your file system is permissions-based, it means little Johnnies naieve attempt to access the wonderful world of internet porn won't delete all Daddy's financial records.

I'm well aware of what it means, my point is that the vast bulk of non-OS/application data on any given machine i

Re:Windows research is clearly more profitable...

[LordLucless]

Developers have had no excuse not to be writing LUA-friendly applications since about 1998. That's when every shipping version of Windows had support for per-user profiles and registries.

That was support for multiple users was added. But when did MS start saying that programs should be developed so they can work in a non-root setting? From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it. You just keep doing things the way you usually do. It's not until MS issues best practices and "written for XP"-type certification that development houses are going to change their in-house practices (if then). The "encouragement" I was trying to refer to in the last paragraph was that situation. Microsoft didn't go out there saying "we want everyone to write insecure code". But they created a system that let developers assume they had global read/write to the harddrive. Once the developers fall into that mindset, changing it is going to be a long, slow process. That's the encouragement I'm talking about - they set up single-user system, and then tried to change it mid-stride to a multi-user one.

Ignorantly != accidentally. If they double-click an icon, that's deliberate.

It's a deliberate action, but they're not intentionally trying to run a program. It's like the difference between giving away your credit card numbers to random strangers, and being spoofed into giving to someone setting up a fake ebay interface. One is plain stupidity, and one is fraud.

Conceptually, a double click action only has one meaning - "open this" (or "activate this"). Whether this actually entails running an executable or passing the file to a handler program is an implementation detail that the user doesn't - and shouldn't have to - know about

Except that every user has to know that running code can be dangerous. Every user has to know that, or there's no helping them. And most, especially these days, do. If you simply modified the popup box that appears when you double-click a file with an unassigned helper app to say something like "This file appears to be an executable. Executable files may damage your computer and/or files. If you are sure you want to execute this file, right click and tick 'Make File Executable'" it would be a big help. It wouldn't help those bound and determined to run the happy elephants screensaver no matter the cost, but it'd help those who were fooled into believing that .PIF was a .JPG.

You'll probably also find that the vast bulk of data on these machines is in a "shared folder". IIRC Windows calls it "Common Files"....most "household computers", if they're even used by more than one person, just have a single account that everyone uses

Maybe we've just had exposure to different households. Most that I've seen just save stuff to "My Documents" or the desktop, both of which are separate for each user.

In the Real World, however, this hypothetical difference doesn't add up to a hill of beans, because the vast bulk of OSS users only get their software through "vendors" like Red Had, Gentoo, Ubuntu and the like - so they're in exactly the same situation waiting for them as they would be waiting for Microsoft.

The thing is, the vendors themselves don't always write the patches. People in the Linux community did. With MS, there's one central point of failure - Microsoft. If they drop the ball, you're SOL. With Linux, if the usual guy doesn't deliver a patch in a timely fashion, some other interested party can. And then the vendors can vet his patch, and deliver it. People don't have to be able to code themselves to benefit from the advantages of open code. It's not a case of telling people to patch their own kernel, it's about not being totally dependant on a single entity for your patches.

When Linux has the same userbase proportion and demographic that Windows does, it will have the same problems, unless som

Re:Windows research is clearly more profitable...

[drsmithy]

That was support for multiple users was added. But when did MS start saying that programs should be developed so they can work in a non-root setting?

Probably long before then, given NT was multiuser since the day it was released.

You are making an extraordinary claim that Microsoft's development guidelines contradicted not only general best practices, but also sheer common sense. I think that demands some proof.

From the development perspective, "LUA-friendly" is just another feature. If you don't need it, you don't use it.

Rubbish. Taking advantage of per-user data stores and avoiding writing or modifying data in system areas unless absolutely necessary is are practices that any remotely competent software should follow without even thinking about it. Shit, I'm only a SysAdmin and even I remember enough from my programming classes to know that.

You just keep doing things the way you usually do. It's not until MS issues best practices and "written for XP"-type certification that development houses are going to change their in-house practices (if then).

Rubbish. If you're a developer with even a shred of pride in writing good software you don't write software that needs Administrator privileges to run.

The "encouragement" I was trying to refer to in the last paragraph was that situation. Microsoft didn't go out there saying "we want everyone to write insecure code". But they created a system that let developers assume they had global read/write to the harddrive. Once the developers fall into that mindset, changing it is going to be a long, slow process.

"Because I can" is not sufficient justification for writing bad software. Developers have had 7+ years to change their habits and code.

That's the encouragement I'm talking about - they set up single-user system, and then tried to change it mid-stride to a multi-user one.

No, the move from DOS-based Windows to NT-based Windows was a punch that had been telegraphed for a good 8 years by the time it actually happened. This included a transitional period of both OSes being - from the developers' perspective - "multi user" of _at least_ 3 years.

It was in no way a "sudden" or "mid-stride" change. It was a planned, structured transition. Developers have had no excuse for releasing apps that needlessly require Administrator level privileges for at _least_ a period of 5 - realistically closer to 7 - years.

It's a deliberate action, but they're not intentionally trying to run a program.

If they're consciously double-clicking an icon, expecting something to happen, it's a deliberate act. I'll grant you the *results* - installing malware instead of seeing the dancing elephants - might not be desired, but that's beside the point, which is that *users will run stuff that will hurt them if they think it will do something they want and this is nearly impossible to "protect" against*.

Except that every user has to know that running code can be dangerous.

Sadly, no. Mainly because most users don't really understand what "running code" (vs, say, "opening a document") really is and why a computer can't understand why something is "bad"[0] when it's so obvious to them.

Every user has to know that, or there's no helping them.

This is kind of the point I'm trying to make.

And most, especially these days, do.

Rubbish. If they did, malware would be an annoyance, not a plague.

If you simply modified the popup box that appears when you double-click a file with an unassigned helper app to say something like "This file appears to be an executable. Executable files may damage your computer and/or files. If you are sure you want to execute this file, right click and tick 'Make File Executable'" it would be a big help.

That the "Open Attachment" dialogs in Outlook have been saying essentially this for ~6 years now, and also defaulting to "Save" rather than "Open", sugges

More Incentive required to make this worthwhile.

[Klootzak]

This would be more about notoriety than money.

Think about it - hacker gets paid $10k for finding a critical flaw and reporting it.

Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands.

It happens, I see it often enough when called in to do security-audits after-the-fact, and no, it's not me that's doing the blackmailing ;)

Re:Sig

[maxume]

Better?

http://www.urbandictionary.com/define.php?term=red iculous

Why only Windows?

[feranick]

Maybe I am provocative... Anyway: when are we going to have similar initiatives for OSX or linux?

Verisign??

[Rob+T+Firefly]

It's an interesting concept, but I wouldn't trust Verisign to get the tuna out of a can that had already been opened. I wonder what their deal is here.

IT industry focus

[msbsod]

If iDefense (Verisign) can come up with $10K per critical Microsoft Windows flaw, why can't HP (or any other party interested in a secure environment) come up with money to support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?

Re:IT industry focus

[aqfire]

support the development of applications for their own, very secure operating system: HP OpenVMS? Why does this industry focus so much on Microsoft Windows and totally ignore alternatives?

Maybe the question you should be asking is: Why does everyone USE windows instead of HP OpenVMS? And the answer is usually, because being able to use it is primary and being able to use it securely is secondary. Most people can't just pick up an OpenVMS server and use it in 5 minutes--ok so most can't pick it up at all. And that's why the industry focuses on Windows--because everyone and their grandma is using it.

Re:IT industry focus

[msbsod]

If that were true, then why bother with OS X, BSD, SCO :-), AIX, Linux, QNX, or any other software product not from Microsoft? Besides, my granny is heating her snuggery with an HP Integrity Superdome Server.

Re:IT industry focus

[aqfire]

Well, sure you're going to see all of those as newsworthy, but most of the news is focused on the biggest market--actually I think Windows gets less coverage than its market share would dictate by itself (thank God).

At work, the only HP server we have is running Exchange with windows.. I wouldn't trust granny with that much power.

Re:More Incentive required to make this worthwhile

[mmkkbb]

The $10K is certain. The few hundred K is a risk (or not an option for those with scruples)

Re:More Incentive required to make this worthwhile

[DenDude]

/* Hacker finds a critical flaw and blackmails a company for HUNDREDS of thousands. */

I believe the correct phrase is "extortion".
 
/* The $10K is certain. The few hundred K is a risk (or not an option for those with scruples) */

Given the above comment, it's also not an option for those that don't want to go to prison.

Re:More Incentive required to make this worthwhile

[Klootzak]

You're not seriously insinuating I lack scruples are you?

I said I see this when I'm asked to come in and TRY to make sure it doesn't happen again, not because I do it myself?

If you work in the finance sector you will KNOW this happens and you will KNOW Banks and other financial businesses don't like it publicized when they are taken for a ride.

Re:More Incentive required to make this worthwhile

[Klootzak]

Yet someone else who is assuming I'm extorting companies?

I said in the above, I SEE this as part of my job, I don't DO it?

You guys love your conclusion-jumping don't you?

Flaws? But I thought they were called "features"!

I pay for features I want.

I get paid for flaws I find.

Flaws = Features, or so I am told.

Great Scott, Marty! Do you know what this means? I need 1.21 gigawatts to...

*head esplodes* er, I mean "Erased... from existence!"

Let's get the most obvious one out of the way

Users.

My prize may be donated to the Association for Smacking Stupid People Upside the Head.

I just found a MAJOR flaw in Vista Beta.

I was sitting there at my desk, when all of a sudden PENIS BIRD happened.

    )
  ( \
    X
8====D

THE BLOOD IS ON YOUR HANDS, MR. GATES!

Re:I just found a MAJOR flaw in Vista Beta.

[MarkChovain]

Wow - And people complain that I make little sense sometimes. I mean, seriously - if you write a program computed the distance between two objects, and later on used that distance to get out of style, it just has suited up.

STOP and THINK

M$ is going to provide code for free, but to get the code you must pay Verisign $500.

They only need 20 people to sign up to break even.

Re:More Incentive required to make this worthwhile

[DenDude]

/* Yet someone else who is assuming I'm extorting companies?
I said in the above, I SEE this as part of my job, I don't DO it?
You guys love your conclusion-jumping don't you? */

uhh.... seriously, no more espresso. I didn't accuse you of anything, I said that the thing you are DESCRIBING is extortion. Now, you can gather whatever info you want from the above comment, and re-think your response.

Re:More Incentive required to make this worthwhile

[Klootzak]

My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?

What may NOT be common knowledge is how often it happens, because the companies it happens to don't like their customers to know their security has been compromised.

I read into your response because you stated the obvious... just having my first coffee of the morning now, cafe-latte, not espresso ;)

Yo,

[weierstrass]

put down the crackpipe please.
Do you have a disease? you think everyone on the internet is talking about you?

Neither the GP nor its sibling post are implying anything about your conduct. Both are making the same point - for some people extortion isn't an option. They're not suggesting YOU engage in extortion.

No possible reading of their posts suggests anything different to me.

Besides, if you can't take a few cheap digs and insinuations without wetting yourself, you shouldn't be here, pinhead.

Re:Yo,

[Klootzak]

I asked if they were insinuating something based on the fact anyone with more than 2 braincells already knows it's illegal and immoral, and most people wouldn't do it, the point of my post is people still do.

I didn't wet myself at all mate, you seem to be the one who overreacted.

Re:Yo,

[charlesnw]

I normally don't feed trolls but I am in the mood today..... Get off your high horse Klootzak. You are the one over reacting. You need to pay attention and engage mind before mouth/typing. Consider yourself shot down and corrected. You totally misread the post and are out of line. weierstrass made a valid point and corrected you. You decided to take it wrong. Way wrong. I have a feeling you think you are always right and argue a lot. I am going to say your male. Late 20's. Single. I could go on and on about your psych makeup but I won't.

Re:Yo,

[Klootzak]

Why would I bother arguing? No-one cares about me? :)

Male yes, late 20s no, single no, but no-one cares, so why comment?

I'm obviously argumentative, you can see so in my posts, full of hostility and lack of knowledge on the topic :)

Re:Yo,

[charlesnw]

Ah but you have a sense of humor and that is what matters :) Just need to relax a bit more and think before typing/speaking.

Re:Yo,

[Klootzak]

/* Just need to relax a bit more and think before typing/speaking. */

Ditto!

Simpler plan for MS

[this+great+guy]

I have a simpler plan for MS:

1. Design flawed OS
2. Sell flawed OS
3. Profit !!!

Any ressemblance to any situation, person, event, past, present and future is completely fortuitous.

Re:Simpler plan for MS

[this+great+guy]

Oh wwait...

Re:Simpler plan for MS

[hackwrench]

Some time ago I hit cancel on copying files off of a CD-RW. The copy dialog box is still up... Why?

Re:Simpler plan for MS

[hackwrench]

Oh and now the drive has dropped off the My Computer list and refuses to open. Thank you Microsoft for giving us your buggy OS.

Re:Simpler plan for MS

Nobodys making you use Windows, if you don't like it, quit bitching and switch to something else.

Re:Simpler plan for MS

[hackwrench]

Ony thing is, what little I know of everything else, everything else is just as bad but in different aspects. Better the scum you know than the scum you don't.

What does iDefense do with it?

[grahamdrew]

Umm... what's to stop iDefense from sitting on the details of the flaw? They say the submission must be exclusive and to get the cash Microsoft must issue a critical advisory. If iDefense does whatever they want with it and doesn't tell Microsoft, doesn't that mean Microsoft can't issue an advisory on a flaw they don't know about and iDefense doesn't have to give the submitter jack? Yeah, I admit it's far-fetched but I'd be reading the fine print to say the least.

Re:What does iDefense do with it?

Disclaimer - I work for VeriSign MSS. I speak for myself as an individual, not for my employer.

What exactly would iDefense gain from doing that? The business model revolves around being able to discover existing exploits _before_ they are exploited by the blackhats, and responsibly _disclosing_ that exploit - to vendors, and to customers.

Sitting on exploits until the blackhats start using them destroys the value of the service.

BAH

[Schraegstrichpunkt]

s/their/its/

You crazy English are messing up my English!

Re:BAH

[Maxhrk]

s/You/Your/?

Clank go the handcuffs

[TallMatthew]

"Here's your exploit, now where's my ten grand?"

"Sir, you've just violated the DMCA by making our mistakes public. Off to jail you go."

What about beta?

[TopSpin]

If I discover an obscure remotely exploitable security flaw in a Microsoft beta product (thus, unlikely to lead to a "critical" advisory,) why should I not sit on it until a few months after release and get paid?

Re:What about beta?

I don't see the question.

Hey everybody

[weierstrass]

Klootzak is an extortionist!!
Klootzak smokes crack for breakfast!!
Klootzak jumps to conclusions!!

see, noone cares about you, your sad life or your pathetic insecurities.

Re:Hey everybody

[Klootzak]

LOL, you're quite amusing. /* see, noone cares about you, your sad life or your pathetic insecurities. */

I'd beg to differ - if that were the case you wouldn't have replied ;)

Please continue, I find unrequited abuse very entertaning :)

Why this will not work

[Da+w00t]

Bugs are worth more on the black market. Blackhats do not release their bugs to $VENDOR, that puts a stop to their money making by droping adware, keyloggers, and trojans on poor unsuspecting Joe Average User. No matter how large the bounty is, no matter how appealing the company tries to make it, it will only attract white hats, and some greyhats.

The best exploits stay underground for an extremely long time until a whitehat catches a blackhat doing something careless (like not deleting their exploit they load on a system) or sniffing the exploit off the wire.

Hacking as a Career

[Paraplex]

So now hacking can be a career? It's now beneficial to train lots of people in the art of hacking?

$10,000 for the first person to discover a backdoor into the national bank!
one of those people is gonna leave with $10,000, the rest are leaving with a lot more than that!

British Govt worried Vista is too secure

[russ1337]

I just picked this up from Gizmodo

That article is sez that Vista is too secure, and that the British govt wants a back door....
The Russian mafia are going pay haxors big bucks for a back door if they find one (like the recently found WMF exploit - which some claim is a purposely put in 0 day exploit). I cant believe a Governments would push for this type of exploit, as they really just fuel the spy-ware and hacking economy!

If the British govt get their way, Vista WILL have exploits, so its just a matter of finding them.
The haxors mindset is completley different if they know if there is a way in.

At the end of the day I'd rather have the Russian mafia snooping my computer... They are less likely to turn up at 5am in SWAT gear and arrest me for copying my CD to my iPod at the MPAA's request....

well... all I can say is I welcome these new Russian hacker overlords...

A New Type of Online Auction Service?

[cyberscan]

Maybe crackers can sell their exploits to the highest bidder with the 10 Grand to I Defense being the reserve price.
With all of the programmers out of jobs due to outsourcing, this is a way for American workers to compete on a level playing field.

Re:More Incentive required to make this worthwhile

[russ1337]

what about e-bay.. sell the exploit to the higest bidder?

For sale: One windows Exploit, hardly used. Make money quickly through carefully placed advertizing. Reserve $10,000.

CRITICAL

Right! ..Like I would leave it up to M$ to decide if it was "critical". I would sell it to the Ruskies and get paid.

Re:More Incentive required to make this worthwhile

[Klootzak]

Hahaha, good idea, obviously you're the entrepreneurial type. :)

Make more money just working in "white-hat" security consulting if you are good enough to find exploits though, any company involved in asset-management or even just high-volume b2b transactions craves those skills (for obvious reasons).

Re:More Incentive required to make this worthwhile

[mmkkbb]

No, I'm not insinuating anything about you. You read my post incorrectly.

I said that blackmailing for hundreds of thousands of dollars is not an option for those with scruples. There is no ambiguity in that sentence.

Re:More Incentive required to make this worthwhile

[mmkkbb]

My apologies, but I would've thought ANYONE on Slashdot would know it's illegal and immoral and runs the risk of prision? That's common knowledge?

OK, in the root of this thread, in the subject line, you say that more incentive is required to make this offer worthwhile. My reply and the GP state that there is, in fact, a possibility that there are security researchers who would rather have bugs fixed and get a smaller reward than risk prison time for a larger purse that may end up being nothing. This may be a result of a risk vs. reward calculation, OR it may be a result of actual honesty.

The fact that you see this so often suggests that it is NOT common knowledge that blackmail is illegal.

DMCA violation?

[sl4shd0rk]

Do the world a great service by finding windows bugs and then take it up the ass for 15 years when Shyster H. Lawyer decides to prosecute under the dmca because you took apart some binaries. Don't agree? Why do you think symantec and friends didn't want to mess with the BMG fiasco? Same reason. Microsoft made this mess, let them straighten it out.

Yippy!

[McGiraf]

Hurray, verisign is going broke!

I found a flaw!!!

[Khyber]

d:\setup.exe

I'll take my ten grand now. Oh wait, I found another one!!

explorer.exe

There's twenty grand you owe me now!

Re:I found a flaw!!!

[Feanturi]

Delete NTLDR and your system is safe forever.

Re:I found a flaw!!!

[cheaphomemadeacid]

oh man i'm gonna be *SOOOOOOO* rich!#!#

find /mount/c_disk/windows/ >> bug_report

Re:I found a flaw!!!

[Khyber]

I could disconnect from the net and be safe forever too. I wonder if I'll get a $50K reward for issuing that particular advisory? I see it now... "Your computer is connected to the Net. We recommend ripping your modem, network card, and wireless networking devices to ensure your PCs safety."

In other news,

[Propaganda13]

In other news, Microsoft scraps their old advisory system and implements levels similar to Homeland Security Advisory System.

No bounty for you.

Great Idea To Make MS Care About Bugs

[davidphogan74]

Either MS can start paying out for exclusive bugs, making iDefense's offer worthless, or they can start being more proactive about finding and patching critical problems.

It seems like a real win/win for Windows users no matter what.

I think I found the biggest flaw ever!!!!

[caligula+jones]

the ability to turn on a machine running windows! now, where's my $10k?

How long?

[No2Gates]

I think with that bounty, they'll be bankrupt in 4 days.

Future /. Headline

[Morden]

Verisign iDefence charged with selling exploit information to Russian hacker groups

did he say 'pr0n'?

[nsaneinside]

Ass? Uh...

Of course...

[Eric+Damron]

the devil is in the details. Any really good flaw reported will fall just this side of critical. Not critical no $10,000.00. No bad press.

A potential problem

[Mr.+Shotgun]

1) Find flaw
2) Report to iDefense
3) Sign Non Disclosure Agreement as a condition for receiving payment
4) iDefense reports info to MS
5) MS never publishes flaw
6) ???....WTF!

Or perhaps I am just being too cynical.

Re:A potential problem

[bobbyhc]

7. realize mistake and contact russian mafia (if you're gonna go this route, fuck the non-disclosure agreement anyway)

Re:Flaws? But I thought they were called "features

[csplinter]

thats 1.21 jiggawatts actually

Remote holes in Linux distros

[StupidKatz]

RedHat
Mandrake
Slackware (IIRC)

... and any other distro which enabled OpenSSH versions 2.3.1p1 through 3.3 by default.

So, is that $10,000 per instance...? ;)

Re:Remote holes in Linux distros

[Rob+Seace]

"Original release date: June 26, 2002"

Ok, I suppose that just barely makes it under the parent's "last 3 or 4 years" limit... ;-)

But, I think you need to take a closer look at the vendor responses:

RedHat: "The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled, therefore in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled)."

Suse: "SuSE Linux products are not affected to the mentioned problem unless the administrator of an openssh installation has actively added the configuration option (PAMAuthenticationViaKbdInt) to the daemon configuration file /etc/ssh/sshd_config to turn this option on. In other words: We are not vulnerable by default."

I'll give you that Mandrake and Slack both just say they've upgraded to a new version, but I
don't see any confirmation that they were ever actually vulnerable in default configuration,
either... I tend to suspect they probably weren't, and just upgraded as a precaution... (They
should anyway, just to allow for those who need to enable those vulnerable options for some
reason...)

Re:Remote holes in Linux distros

Bah, there's the details, tripping me up again. ;)
-
StupidKatz

Zero days and cash

Well I've got a new zero day this morning, a SQL injection that allows you to bypass login on 'a particular web app'. It not worth much except perhaps a few roots, located with the appropriate googlehack.

Discovering a significant zero day is quite hard, as the exploit also needs to be reliable and not work every once in a while, some exploits can be used repeatedly on the same target, others are a one shot deal.

I've been trading private exploits/ tools for some time and have a reasonable collection, I trade a few tools and exploits I've developed. I don't want to sell what I've developed, I trade occasionally with folk who I can trust and share a bit with the crew I hang with.

It's a hobby , not a business but then you have guys like Dave Aitel who made a small fortune from it.

Another proposed patch

[thegnu]

"Your computer is connected to the Net. We recommend ripping your modem, network card, and wireless networking devices to ensure your PCs safety."

There are two other effecting patching mechanisms:

1)With a turkey baster, apply a decoction of Starbucks's latest Windows XP patch, Christmas Blend, released this last December.

2)This is a more complex process, but well worth the effort.
a)unplug your AC
b)make a diagram of the weird slanty plug shape (the slants keep out hackers!)
c)with a pair of craftsman hacker pliers, ply the PC plug into an anti-hacker configuration matrix
d)plug into the anti-hacker power plug, making sure the switch on the power supply says 110 (the lower bandwidth also keeps hackers out)

Am I too pessimistic?

[pigs,3different1s]

I don't mean to sound overly pessimistic, but this is my take on this: M$ has a long history on understating the severity of bugs. Their own ratings, for what we would call a "critical flaw", ranges anywhere from "This is a feature!" to "Minor bug". My opinion here is that the odds of M$ publicly agreeing with you that it's a critical flaw, are somewhat worse than your chance of winning the lottery, getting hit by lightning, and meeting an alien from another galaxy... all on the same day.

In related news...

[slapout]

...iDefense recently signed a secret agreement with Microsoft whereby Microsoft would pay it $20,000 for every unknown Critical Windows Flaw it could find.