Slashdot Mirror


Vista Zero-Day Exploit For Sale

Snakepit Bit writes "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop, according to computer security researchers at Trend Micro. The Windows Vista exploit, which has not been independently verified, was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the anti-virus vendor. Prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range. Bots and Trojan downloaders that typically hijack Windows machines for use in botnets were being sold for about $5,000." From the article: "According to [Trend Micro CTO Raimund] Genes, the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

233 comments

  1. I Bid by Anonymous Coward · · Score: 0

    2Bits

    1. Re:I Bid by Anonymous Coward · · Score: 0

      you watching tbs too?

    2. Re:I Bid by jpardey · · Score: 1

      I had only bid a deciban. You win.

      --
      I have freaks! I did something right...
  2. There's a patch available by Anonymous Coward · · Score: 1, Funny

    Windows XP.

    1. Re:There's a patch available by BSAtHome · · Score: 0, Flamebait

      There is also an off-button. You can disconnect from the internet. You can install OSX, *BSD, GNU/Linux,... Plenty of alternatives.

    2. Re:There's a patch available by DittoBox · · Score: 1

      You, uh got the joke wrong. It's like this.

      --
      Good. Cheap. Fast. Pick Two.
    3. Re:There's a patch available by edwardpickman · · Score: 1, Insightful

      I like mine better: Win 2000. I've never had a Win 2000 machine zombied but my XP machines are all the time. I finally got tired of fighting with security and just keep them offline. I log on with my Win 2000 and my Mac. I have to run spyware software every time I log off on the Win 2000 machine but the Mac is always fine.

    4. Re:There's a patch available by alphax45 · · Score: 2, Insightful

      Where are you going on the net with your XP machine? It should not get attacked THAT much, especially if fully patched with a good A/V. I run spybot and ad-aware once a month, they never find anything but tracking cookies. Now on my dad's machine I run it whenever I am home and it will find lots more, but he just clicks yes to almost everything.

      --
      K Man
    5. Re:There's a patch available by Anonymous Coward · · Score: 0

      Yeah, exactly.
      XP is basically 2000 with a skin, and sub-pixel rendering.
      I run an nLite'd XP from behind a shitty £20 router, and running Firefox, I have never been "'sploited" or had any spy/ad/mal/crapware on my machine, and I have a group of early-teen children who use the machine too.

      There really is no reason to migrate to Vista though, if this is the case. The UI in Vista is actually worse than XP's.

    6. Re:There's a patch available by Sj0 · · Score: 2, Insightful

      I'd go so far as to say you don't even need the cheap router, since the XP firewall seems to do a good job of closing the most dangerous ports. I've been running for quite a while without a router, and I've found that as long as you cover your ass with respect to the big things, the little things don't tend to hit.

      --
      It's been a long time.
    7. Re:There's a patch available by GreggBz · · Score: 1

      If you're following the same steps (you know, Windows Update, alternate browser and Avast! or similar) with your 2000 machines as you are with your XP machines, I find it highly unlikely that one gets "zombied" while the other does not.

      Windows 2000 may have its advantages but I don't think security is one of them.

      I'm a big fat Unix geek, but in reality I've never had a virus with XP or 2000 in 6 years of on again off again usage. Honest.
      I stay behind a firewall, use Avast or AVG, used Netscape and now Firefox, and check my Windows Updates every week or two.

      I know this is a lot of stuff that the typical user might not be privy to, but I'm guessing the slashdot crowd has the common sense to follow the above rules... or maybe not.

    8. Re:There's a patch available by gordgekko · · Score: 2, Funny
      > I've never had a Win 2000 machine zombied but my XP machines are all the time.

      Congratulations, you may be the most incompetent XP user ever witnessed on Slashdot.
      --
      You want to know who isn't running Firefox 2.x? They spell it "definately" and "rediculous".
    9. Re:There's a patch available by NSIM · · Score: 1

      What on earth are you doing with your machines, I've got an assortment of five XP and Vista machines (+ 1 LINUX) on my network at home and I've had any of them zombied!

    10. Re:There's a patch available by Anonymous Coward · · Score: 0

      geezus, WTF are you doing with Win xp machines that you're getting zombied all the time. I put a winxp up on the net without firewall or anti-virus and used it to browse for warez for a year and never had a single problem, installed anti-virus at the end of the year and scanned it, clean system, almost didn't believe it so manually checked out all processes and what not, nothing. You'd have to be doing something incredibly wrong, like never installing patches and running every exe you see to get zombified on a regular basis and that's not an OS issue.

    11. Re:There's a patch available by k_187 · · Score: 1

      wait, isn't incompetent XP user redundant? ZING!

      --
      11 was a racehorse
      12 was 12
      1111 Race
      12112
    12. Re:There's a patch available by Ash+Vince · · Score: 1

      I have spent until 3am watching people fixing a win2000 server in our cabinet in a datacentre.

      Since then they have lost it again but thankfully fixing it was quicker second time around.

      On the other hand all our Raq550's and RaqXTR's run linux and have not given me any trouble in that regard yet. We also have a pair of win 2003 servers and they seem to do ok too.

      The idea of putting win2000 or Winxp in a mission critical role strikes me as asking for trouble. I wouldn't go near vista in a server role for the next 3-4 years either.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    13. Re:There's a patch available by djlowe · · Score: 1

      >I've got an assortment of five XP and Vista machines (+ 1 LINUX) on my network at home and I've had any of them zombied!

      And you're proudly proclaiming this on Slashdot? I admire your courage :)

  3. Ah... by JoshJ · · Score: 5, Funny

    'I think the malware industry is making more money than the anti-malware industry,' Genes said.
    Thank you, Captain Obvious.
    *salute*

    1. Re:Ah... by Anonymous Coward · · Score: 1, Funny

      Next, he'll inform us that the dark side is stronger...

    2. Re:Ah... by Swimport · · Score: 3, Insightful

      I don't think it's that obvious. There are a lot of people out there that pay for security software. Not to mention the large corporations that spend millions on it. Not even mentioning the tech support jobs created to combat spam and hackers.

    3. Re:Ah... by pilkul · · Score: 2, Insightful

      Indeed, I'd say the claim is obviously false.

    4. Re:Ah... by Anonymous Coward · · Score: 1, Insightful

      Agreed. And not only is it not obvious, I don't know how it could be. The malware industry doesn't exactly report their numbers, keep offices, or publish a trade rag.

    5. Re:Ah... by ultranova · · Score: 1

      'I think the malware industry is making more money than the anti-malware industry,' Genes said.
      Thank you, Captain Obvious.

      What isn't quite so obvious is which side should be considered more malicious here: the malware industry, which looks for security holes to profit the Russian mafia and other zombie network controllers but may also end up compromising Vista's DRM - by, say, finding an arbitrary code execution hole in Media Player - or the security industry which will inevitably end up defending the integrity of Vista's DRM as well.

      Oh well. I'm just thankful that if the whole civilized world is going to be put into chains, they are made by Microsoft.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    6. Re:Ah... by packeteer · · Score: 2, Insightful

      Think of this simple equation. If more was spent on anti-malware than the damage malware did, nobody would spend the money and they would just eat the cost. I realize that's an overly simple scenario but the idea still stands. Malware is used to rip off credit cards and checks which are VERY lucrative. The anti-malware is mostly run by corporations which have a profit margin but it's not nearly the same as stealing.

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
    7. Re:Ah... by Swimport · · Score: 5, Insightful

      Even assuming the cost of damages from malware exceeds the money spent on anti-malware doesn't mean the damages are ending up in someone's pocket. If a company is crippled for days it may cost them millions but the person responsible for the damages doesn't necessarily get anything. Just as with spam. If you send out 100 million spam emails and make $10,000 the loss in productivity likely exceeds $10,000.

    8. Re:Ah... by theCoder · · Score: 1

      Also, the security industry as a whole preys on the fears of Windows users to keep them paying for various security products. While many of these products are useful, I don't think I've ever had an anti-virus tool correctly identify a piece of malware before infection (the only time I've ever had a legitimate infection was a decade ago before virus scanning was commonplace). Of course, I haven't really used Windows (or anti-malware tools) in many years, so the state of things may be different today. But in talking to other people, it seems that the Nortons and McAfees of the world cause more problems for most people than they solve.

      I don't think the security industry is malicious, per se, but they do continue the idea (myth?) that everyone needs their products or they won't be safe. It's funny talking to some Windows people at work who think that we need to virus scan the data our own custom software will be reading (not executing) on non-Windows platforms. I'd suggest the Mythbusters should look into this, but they'd probably just blow up the computer :)

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
    9. Re:Ah... by empaler · · Score: 1

      I am also doubtful of an exploit for a reasonably obscure OS being worth that much money to anyone. Yes, RTM is out, but that does not make the user base wide. In three years, I can imagine the prices realistically touching that amount. Then again, I'm not a security expert.

    10. Re:Ah... by Anonymous Coward · · Score: 3, Funny

      The malware industry doesn't exactly report their numbers,

      http://www.microsoft.com/msft/earnings/

      keep offices,

      Their headquarters is here

      or publish a trade rag.

      http://www.microsoft.com/technet/technetmag/

    11. Re:Ah... by budgenator · · Score: 2, Informative

      Since Comcast provides McAfee free of additional charges, I decided to load it up on the Wife's WinXP SP2 machine, and I found it actually painful to run on a machine with rudimentary security measures like limited user privileges; then after I thought about it, the only malware ever found in the machine was in the step son's temp internet files. If the malware is effectively contained in a temp file area and never gets a chance to get installed, then things must be locked down, so I yanked McAfee and just run clamWin, adaware and spybot every so often.

      I don't think malware is a myth, but I do think that running limited privileges, a dedicated router, and Mozilla does a lot but so does not installing shareware on windows machines and staying out of porn, gambling and other less reputable sites help a lot. Most reasonably intelligent people know when they're getting into the "bad neighborhoods" on the net, and if they don't shut-down the brain when they turn on the computer they do OK.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    12. Re:Ah... by tehcyder · · Score: 1

      Hahaha haha u R teh fuNnny!!!!

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    13. Re:Ah... by madhatter256 · · Score: 1

      I am in the wrong business!!!

      --
      Previewing comments are for sissies!
    14. Re:Ah... by Anonymous Coward · · Score: 0

      thought to my self, well, duh, wonder how far down i have to scroll to see something from captain obvious rothflmpao

  4. Auctions by bucketoftruth · · Score: 4, Interesting

    Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems.

    1. Re:Auctions by Anonymous Coward · · Score: 1, Informative
    2. Re:Auctions by ZPWeeks · · Score: 5, Funny

      No, it IS the Pentagon's system!

    3. Re:Auctions by triso · · Score: 2, Funny

      Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems. It goes without saying that it probably isn't from Redmond.

    4. Re:Auctions by Anonymous Coward · · Score: 0

      Hollywood ?

    5. Re:Auctions by triso · · Score: 1

      Where are these online auctions for this information? Or does that information come with the same spam I get hawking "3 million email addresses for $1000!" I'd love to know what software they use to host such a site. I expect it's probably more secure than the pentagon's systems. It goes without saying that it probably isn't from Redmond.
        Sorry! I meant to say. "It goes without saying that the secure system probably isn't from Redmond."
  5. closed systems by drDugan · · Score: 3, Interesting

    this seems a natural result of closed-source software companies

    I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).

    1. Re:closed systems by badriram · · Score: 5, Insightful

      Please, this has nothing to do with closed systems and open systems. This has more to do with people wanting compromised machines to do their bidding, be it spam, ddos attacks, get personal info etc. These people obviously make a lot of money, so obviously they are willing to pony up thousands of dollars for a flaw that might give them access to hack millions of computers. If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices. (unless of course it is harder to hack them, then prices would be higher)

    2. Re:closed systems by camcorder · · Score: 1, Insightful

      Would it be better for a spammer to compromise a limited-time open desktop computer with small bandwidth or some high-end server which is available full time w/ generous bandwidth? If the latter is more feasible for spammers or ddos attackers, linux servers have more usage than windows servers. So your assumption is totally wrong.

    3. Re:closed systems by JaredOfEuropa · · Score: 1

      You mean, with open source systems people can have the zero day exploits for free? Yay...

      But jokes aside, you can bet that once housewives and average Joes start running Linux, it will be worthwhile to develop such exploits, and you will start seeing them.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:closed systems by indigoid · · Score: 4, Insightful

      No, you're wrong, actually. They are much better off pwning eleventy billion little computers, because they are way harder (or impossible?) to effectively blacklist, filter and otherwise protect from.

      A big server with lots of bandwidth will stand out like a honeymooner's dick (thanks Billy Birmingham) and be rapidly blacklisted. See: RBL, ORBS, etc

      --
      P-plate adventurer
    5. Re:closed systems by badriram · · Score: 3, Insightful

      I'll bite.

      1. Linux servers do not have a higher marketshare than windows servers, check your facts.
      2. Servers be linux or windows, typically have people that are more computer literate, hence are already better protected, monitored, and locked away.
      3. Millions of unmonitored desktops, with careless users, with broadband connections will always be a better target.

    6. Re:closed systems by Anonymous Coward · · Score: 0
      > you can bet that once housewives and average Joes start running Linux

      Hahahaha!
    7. Re:closed systems by Anonymous Coward · · Score: 0

      > 1. Linux servers do not have a higher marketshare than windows servers, check your facts.

      So well how do you explain, Vista with almost 0% market share?

    8. Re:closed systems by Anonymous Coward · · Score: 1, Insightful

      >
      > Linux servers do not have a higher marketshare
      > than windows servers, check your facts.
      >

      This is very uncertain.

      Depending on studies, they might only count the money made on sales, the number of sales, the money made on support contracts, the number of such contracts... sometimes, they only include GNU/Linux and other UNIX-like distributions/OSes specifically oriented to servers, sometimes they only count GNU/Linux distributions (excluding other UNIX-like, notably xBSD). Sometimes, they only count sales of contracts for hardware+OS, or the amount of money made on these. Sometimes, they only use statistics, which are sometimes highly biased. Sometimes, these statistics are based only on numbers from x companies (which most often benefits Windows, as GNU/Linux and other UNIX-like OSes installations, even for servers, are far more diversified).

      In most cases, they do not try to evaluate the real number of servers. And as GNU/Linux and xBSD (notably) are far more easily distributable, being mostly free (yeah, there are versions dedicated to servers, which are not, but except support -which some companies sure are attached to-, and some customization, they do not add much...), the final number is not representative of the number of GNU/Linux and other UNIX-like servers.

      If you count only the money made on sales of GNU/Linux server-oriented distributions, then, yes, Windows servers most probably have more "market share". However, you are not counting other UNIX-like distributions (though different, sometimes to a large extent, they share many similarities, and most often, numerous pieces of software), you are not counting most firewalls/routers, you are not counting most Web servers (well, those who are not known to run IIS, that is like 75% of Web servers), you are not counting most semi-amateur, geeky-amateur, and geeky-admin servers of all kind, on professional connections, etc., that is, your number only matters to Microsoft PR/marketing dudes.

    9. Re:closed systems by jpardey · · Score: 1

      I highly doubt that first one. Have you seen that ad on slashdot where microsoft mentions linux explicitly? You never mention your competition unless you are losing. It might be easier to locate and clean up large servers spamming, but they could still be useful for hosting phishing sites or holding porn or distributing spyware. It's also funny that you should say that server operators are more computer literate, because I don't see many FTP home server users giving away account passwords, which was done by a band's website, the band was mentioned here a while back. Files could be added and deleted, and someone could have uploaded a spyware program and called it player.exe or something. I emailed the admin, and he said they were replacing it.

      --
      I have freaks! I did something right...
    10. Re:closed systems by grcumb · · Score: 1

      > If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices.

      But that will never happen, where BSD and Linux are concerned. In fact, it's designed not to happen. The fact of the matter is that people in the FOSS world recognise that monoculture is a dangerous thing, and actually built the entire system to contain as few monolithic elements as possible.

      See, the Toolkit Approach doesn't just make the systems integration task easier, it's also more secure by design. By focusing on a wide selection of single-purpose tools, we're able to achieve two things:

      1. Code simplicity. This doesn't make code any less susceptible to exploit, but it makes it easier to spot and properly fix problems. The self-standing aspects of a toolkit approach ensure that maintaining compatibility with other tools through the patching process is simpler as well. There are no hidden, unpublished APIs or other hooks. Everything interacts (in innumerable permutations) through the same known processes.
      2. Heterogeneity. While the way in which tools and libraries are combined and used are limited, the number of combinations are virtually endless. So even if someone does find a zero-day exploit in a particular tool or library, they still don't have a universally effective means of actually gaining access to machines and using that exploit. The variety of flavours of BSD and Linux, as well as the number of different configurations, ensures that the impact of even a very serious problem with a very popular tool will be much more limited than it would be in the Windows world.

      There are costs associated with this approach, of course. The burden of systems integration is much heavier on the individual organisation. Some find this too heavy. Others rely on outside sources to cope with it (cf. RedHat, IBM). This in turn leads to the danger of a monoculture, albeit much more limited in scope than Microsoft's, where small armies of technicians apply cookie-cutter solutions throughout a number of enterprises.

      Weighed in the balance, though, my personal preference is for a FOSS solution every time. Though the possibility of exploit remains, at least I'm not starting at such a huge deficit as I would be with Windows.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    11. Re:closed systems by LordNimon · · Score: 1

      You never mention your competition unless you are losing.

      That's a ridiculous thing to believe.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    12. Re:closed systems by jasmak · · Score: 1

      You have also got to take into consideration that those millions of careless users are probably doing a lot of online transactions where there is very valuable information at stake for each of them.

      --
      It is the mark of an educated mind to be able to entertain a thought without accepting it.
    13. Re:closed systems by flyingfsck · · Score: 1

      Linux servers can also get infected with bots - 'redone' for example. I have cleaned a few. Access is usually obtained via a combination of SSH, Apache and idiotic short passwords. BTW, Google alone probably runs more Linux servers than there are MS servers in the whole world.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    14. Re:closed systems by jpardey · · Score: 1

      Never mention them BY NAME. In fact, even if you are losing, it is best to avoid it. Your competition should be irrelevant, only used/eaten/bought by the foolhardy. I believe Pepsi ads were far more likely to mention Coke, than Coke ads were to mention Pepsi.

      --
      I have freaks! I did something right...
    15. Re:closed systems by toadlife · · Score: 1

      Just for kicks, a while back I wrote a simple shell script, set the executable flag and zipped it up using ark. I emailed the archive to myself and opened it up in KMail. Since KDE is a highly functional desktop environment, saving the attachment, and unzipping it was as easy as it is in Windows XP. After unzipping it, I double-clicked on it. KDE dutifully executed the shell script, which created another script in my ~/.kde/autostart/ directory. There are other places where I could have placed the script besides the autostart directory that would have achieved the same end.

      What's interesting about KDE, is that when you double click on a shell script, it executes, but you don't see it, as KDE doesn't bother to open up a konsole/xterm window for the script. The same happens with shell scripts in ~/.kde/autostart/.

      The whole exercise was to "infect myself" on a UNIX-type OS in a way similar (most Windows email worms today require the user to unzip and execute) to the way many Windows users infect themselves.

      From there, all I would need to set up shop as a spam bot would be a tiny, pre-compiled SMTP mailer, which I could download from http://i.own.ju/ or embed into the shell script, Loki installer style and use wget to retrieve commands. Throw in common exploits that pop up in programs like firefox, kmail, flash, java, etc, and you have yourself a whole new bot platform with the added bonus of a better network stack.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
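
The autostart persistence described in the comment above can be looked for from the defender's side. The following is an added example, not part of the original thread: a shell function that lists files in an autostart directory that are executable, begin with a shebang, or mention a download tool. The function names, flag letters, tool list and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a per-user autostart directory.
# Function names, flag letters and the tool list are illustrative assumptions.

# audit_autostart DIR
# Prints "<flags> <path>" for every regular file in DIR that looks like it
# could run at login. Flags:
#   X  the current user may execute the file
#   S  the file starts with "#!" (it is a script)
#   N  the file mentions a download tool (wget, curl, fetch, ftp)
audit_autostart() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue      # skips unmatched globs and subdirectories
        flags=""
        if [ -x "$f" ]; then flags="${flags}X"; fi
        # Read only the first line; tolerate unreadable files and missing newlines.
        first=""
        { IFS= read -r first < "$f"; } 2>/dev/null || true
        case $first in
            '#!'*) flags="${flags}S" ;;
        esac
        if grep -Eqw 'wget|curl|fetch|ftp' "$f" 2>/dev/null; then
            flags="${flags}N"
        fi
        if [ -n "$flags" ]; then printf '%s %s\n' "$flags" "$f"; fi
    done
    return 0
}

# make_sample_autostart
# Builds a constructed sample directory and prints its path:
#   updater.sh  executable script that calls wget      -> XSN
#   backup.sh   script without the executable bit      -> S
#   notes.txt   plain text                             -> not reported
make_sample_autostart() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\nwget -q -O /dev/null http://example.invalid/\n' > "$d/updater.sh"
    chmod 755 "$d/updater.sh"
    printf '#!/bin/sh\ntar czf /tmp/home.tgz "$HOME"\n' > "$d/backup.sh"
    chmod 644 "$d/backup.sh"
    printf 'remember to renew the domain\n' > "$d/notes.txt"
    chmod 644 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Stand-alone use: audit the directories given as arguments, or the
# directory named in the comment when none are given.
if [ "$#" -gt 0 ]; then
    for d in "$@"; do audit_autostart "$d"; done
else
    audit_autostart "${HOME:-/nonexistent}/.kde/autostart"
fi
```
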
    16. Re:closed systems by CrossChris · · Score: 0, Flamebait

      I'll bite back:

      1. Windows IIS has 77% non-Windows. Windows is rapidly becoming irrelevant in business and web serving arenas (mostly outside the USA).

      2. It doesn't matter how "computer literate" any Windows "administrator" is: unless that computer is physically disconnected from the outside world, ANYONE can gain access with the highest level of privilege and have entirely unrestrained access to the entire contents of the machine.

      3. The "unmonitored" Windows desktops just worsen the situation: open access to ANY Windows-based machine is trivial as long as it's connected to the outside world. You don't even need to pay for expensive exploits, though they'll help!

      ANY company that uses Windows (of ANY variety) doesn't value their data, is incompetent and should therefore be avoided. Windows has NEVER been suitable for business, and now that there are truly viable alternatives, there's no reason to pay Gates anything.

    17. Re:closed systems by Anonymous Coward · · Score: 0

      Hardly.

      Notice nobody is selling zero-day exploits for Lunix or OuSu-X. And it's not because they are secure: it's because a brainless monkey can write viruses and exploits for either of them.

    18. Re:closed systems by hullabalucination · · Score: 1

      I tried pretty much the same thing (both with a tar'd shell script and an RPM package) under KDE 3.5.x (I forget which exact version, it's been a few weeks ago and I've upgraded to FC6 now) on Fedora Core 5, emailed to myself via Thunderbird. It appears that Thunderbird strips the executable flag coming back in, so I have to upgrade my privileges to be able to execute a shell script, even when sending and receiving under the same user account.

      * * * * * *

      I am still learning.
      --Michelangelo

    19. Re:closed systems by toadlife · · Score: 1

      That doesn't make much sense to me. Thunderbird shouldn't be mucking with your attachments, and tar must preserve file attributes to fulfill its purpose which is backup. I just did a quick test with thunderbird/KDE 3.5.4/FreeBSD 6.2 and it still works great. I even logged out and logged in as my son's account to retrieve the file.

      Could this be a "linuxism" at work?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    20. Re:closed systems by Anonymous Coward · · Score: 0

      this seems a natural result of closed-source software companies

      I think it is a good thing: it goes to show that having closed systems puts information access at a premium instead of service and real, tangible results for your customers. Open source systems don't have this problem (they have others, 'bot' not this one).


      That's a pretty sad comment. It hardly requires the intelligence of a toddler to see that this has nothing to do with open vs. closed systems. This could just as well be a zero-day exploit for an upcoming version of the Linux kernel, and there probably are such exploits sold somewhere too.

      Some people are so fanboyish about Linux and OSS that it has managed to rot even the most basic logic units of their brains.

  6. Price increasing by Threni · · Score: 1

    So it's getting harder? Or is that just wishful thinking?

    1. Re:Price increasing by thoughtcriminal87 · · Score: 0

      More probable that demand is going up.

    2. Re:Price increasing by Anonymous Coward · · Score: 2, Funny

      So it's getting harder? Or is that just wishful thinking?

      Not just harder, but longer and thicker, according to the zombie e-mail I receive.

  7. l33t hax0r by pchan- · · Score: 5, Funny

    the typical price of a destructive exploit has increased dramatically, driving an underground market that could exceed the value of the legitimate security software business. 'I think the malware industry is making more money than the anti-malware industry,' Genes said."

    Sounds like I need to switch jobs. Finally, a job where discovering Windows bugs will pay off instead of just generating more work for me.

    1. Re:l33t hax0r by AltGrendel · · Score: 4, Interesting

      Finding the bug is one thing. Being able to write a program that will successfully exploit it on a consistent basis is another.

      --
      The simple truth is that interstellar distances will not fit into the human imagination

      - Douglas Adams

    2. Re:l33t hax0r by bluefoxlucid · · Score: 1

      Exploiting is easier for me than finding. There are a million people smarter than me who ensured that the bug you found doesn't exist; that you found it indicates something special. Now, any jackass can take advantage of the same damn thing the last 5000 bugs made possible...

  8. Please define "zero-day" by Schraegstrichpunkt · · Score: 2

    Could the Slashdot editors please define the term "zero-day exploit"? I was under the---apparently mistaken---impression that it meant an exploit that was released on or before the day that a given piece of software was released.

    1. Re:Please define "zero-day" by Omnifarious · · Score: 3, Informative

      No, it's an exploit released before there's a patch that fixes the hole the exploit exploits.

      zero-day warez are cracked (i.e. DRM removed) versions of programs available on the same day or before the commercial versions are released.

    2. Re:Please define "zero-day" by Anonymous Coward · · Score: 0

      It means that an exploit has been found in the wild before the security companies know about it. The term "zero day" is also used to refer to warez that are available before the actual product is available on store shelves.

    3. Re:Please define "zero-day" by wframe9109 · · Score: 1

      "Underground hackers are hawking a zero-day exploit for Windows Vista at $50,000 a pop" = "Underground hackers are hawking an exploit for Windows Vista at $50,000 a pop on the day the exploit is released." The value of the exploit diminishes with age, no?

    4. Re:Please define "zero-day" by bigtomrodney · · Score: 1, Informative

      No, a Zero-Day exploit is one which is capable of exploiting on or before the vulnerability is discovered/made public. So the author was possibly the only one with knowledge of the vulnerability. Wiki Article Of course the usual amount of misunderstanding of the terminology has diluted the meaning somewhat.

      --
      I never get used to these constant resurrections
    5. Re:Please define "zero-day" by wframe9109 · · Score: 1

      I guess I'm out of the loop. I always thought 0-day access implied access to materials the day they were released.

    6. Re:Please define "zero-day" by Anonymous Coward · · Score: 0

      I believe it means "is so dangerous that it needs to be fixed within zero days"

    7. Re:Please define "zero-day" by gustolove · · Score: 1, Insightful

      the day after patch-tuesday for windows

    8. Re:Please define "zero-day" by Schraegstrichpunkt · · Score: 1

      So then how is it different from an exploit for an "unpatched" vulnerability?

      Methinks it's a recently-made-up scare word.

    9. Re:Please define "zero-day" by thouth · · Score: 1

      0day isn't some recent made-up word, it's a very useful one to distinguish between whether the bug that the exploit is leveraging is publicly known or not. It is used a lot by anyone in the security industry on both sides of the trench.

    10. Re:Please define "zero-day" by Anonymous Coward · · Score: 5, Informative

      The media idiots and security vendors bastardized this term. 0-day originally meant a vulnerability unknown to the vendor hence there is no patch or work-around for it.

      Then security vendors tried to use it to mean any vulnerability without a patch, known or unknown because then they could rightly claim that their software mitigated a 0-day vulnerability, which really meant their software could mitigate a known vulnerability. That's where the media idiots jumped in because 0-day sounds cool and scary.

      There is no point in trying to correct them. That ship has sailed. Just like "hacker" now means criminal when the original definition was a badge of honor.

      Now that the vulnerability is known, it is just an unpatched vulnerability.

    11. Re:Please define "zero-day" by Vo0k · · Score: 1

      Zero-day warez - yep, you're right.
      Zero-day exploits - exploit to unpatched vulnerability.

      DDR RAM isn't a dance training device either.

      --
      Anagram("United States of America") == "Dine out, taste a Mac, fries"
    12. Re:Please define "zero-day" by AI0867 · · Score: 0, Redundant

      mod parent up

    13. Re:Please define "zero-day" by Cousin+Scuzzy · · Score: 1

      In other words it's an exploit affixed before there's a fix that fixes the exploitable the exploit exploits.

    14. Re:Please define "zero-day" by Neoncow · · Score: 1

      Won't somebody mod this AC -1 Funny??

    15. Re:Please define "zero-day" by Omnifarious · · Score: 1

      *chuckle*

    16. Re:Please define "zero-day" by dragonturtle69 · · Score: 1

      Sad that you posted anonymously. This is the correct definition.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    17. Re:Please define "zero-day" by Anonymous Coward · · Score: 0

      "0-day originally meant a vulnerability unknown to the vendor hence there is no patch or work-around for it... [pointless bashing]... Now that the vulnerability is known, it is just an unpatched vulnerability." That is wrong.

      Zero-day refers to an exploit discovered before an application's release date. Hence there are zero days before the exploit is used after the software is released.

      The simple rumor that there is an auction selling such an exploit does not change whether or not it can be referred to as 0-day. At this point, no one knows how the exploit operates because it theoretically will be kept a secret until the day of release, and then it will be used. It cannot be patched pre-release because no details about it are known.

      From the time the exploit becomes public (ie. after the day of release), until security vendors or Microsoft track down the bug and patch it, it will be an "unpatched vulnerability." Until then, pre-release, it is correct to call it a zero-day vulnerability.
  9. What do Linux virii cost? by k1e0x · · Score: 3, Funny

    Or are they open source..? ;)

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  10. Economy by rowama · · Score: 3, Funny

    This is just another example of how M$ is good for the economy. All you anti-capitalist, libertarian nerds can sit down and shut up, now.

    Kidding, of course.

    1. Re:Economy by EnsilZah · · Score: 5, Insightful

      I was under the impression that libertarians were the embodiment of capitalism.

    2. Re:Economy by rowama · · Score: 1

      > I was under the impression that libertarians were the embodiment of capitalism.

      Another reason for anti-capitalist, libertarian nerds to sit down and shut up. They are obviously confused.

      Kidding again, of course.

    3. Re:Economy by glas_gow · · Score: 2, Insightful

      I was under the impression that libertarians were the embodiment of capitalism.

      That's neo-liberalism you're confusing with old fashioned liberalism. With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all administrative problems. With old fashioned liberalism the freedom of one person is balanced against the freedom of another, the consequence of which is a system of legislation to protect those freedoms.

    4. Re:Economy by muonman · · Score: 1

      A 'true' libertarian (of which there are none) believes that
      limitation on stockholder liability, which constitutes the key
      component of capitalism, is an unnecessary and improper intrusion
      by the government into the societal infrastructure.

      --
      Anything NOT worth doing is NOT worth doing well...
    5. Re:Economy by Anonymous Coward · · Score: 0

      He said libertarian. Not Liberalism.

    6. Re:Economy by westlake · · Score: 1
      I was under the impression that libertarians were the embodiment of capitalism.

      a capitalist system demands respect for tangible and intangible property.

      almost everything is ultimately reduced to pieces of papers. mere tokens. an entry in a ledger. a bill of lading.

      abstraction demands literacy. competence in math.

      a capitalist system demands a mechanism for the enforcement of contracts.

      a capitalist system needs reliable weights and measures.

      standard time. stable currencies. defenses against highwaymen, thieves and counterfeiters.

      the list goes on and on and on.

      a capitalist system needs a government.

    7. Re:Economy by Anonymous Coward · · Score: 0

      I call BS. I'm definitely libertarian, and that includes neolib to some degree, but no libertarian I know has ever claimed that the market will solve all problems.

      It just *tends* to solve problems better than centralized rule-by-command, because it has incentives to improve. For the short term, a dictatorship (including Socialism, democracy (mass dictatorship), or whatever) *might* be better, even though in most cases dictatorships tend to bring much more harm, of course.

    8. Re:Economy by Anonymous Coward · · Score: 0

      Right, but what we have today in the US is hardly capitalism (it's more like half-socialist / half-corporatist), so remember not to judge capitalism by what you see in the "free" market today. (The foundation and first prerequisite of a capitalist transaction is voluntary association. The more government intervention, i.e. coercion, injected into what would otherwise be a system of voluntary trade, the less you are talking about capitalism.)

    9. Re:Economy by John+Hasler · · Score: 1

      You confound "libertarian" and "anarchist".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    10. Re:Economy by GregNorc · · Score: 1

      And let's keep in mind a European Libertarian would be highly confused at the ranting of an American libertarian.

    11. Re:Economy by AlHunt · · Score: 1

      > was under the impression that libertarians were the embodiment of capitalism

      We are. That answer was $1.00 (cheaper than Google Answers)

      Please mail payment forthwith.

      Mr. Haney was a Libertarian

      --
      1 in 4 Maine children in struggle with hunger.
    12. Re:Economy by edxwelch · · Score: 1

      No, a libertarian is some one who was born between Sept. 24 -Oct. 23, you uneducated clod

    13. Re:Economy by Anonymous Coward · · Score: 0

      This must be the Windows "ecosystem" that MS is always talking about.

    14. Re:Economy by Anonymous Coward · · Score: 0

      because it has incentives to improve.

      Just enough for companies to make more money than they lose. Here's a question for you: Say you were producing spinach and you had to spend $x to clean the spinach off to make sure there was no e.coli on it, but you knew that the vast majority of your consumers would cook your spinach (killing the e.coli), the vast majority of the remaining consumers would rinse the spinach themselves, and the majority of the rest would suffer no ill effects. You hire an actuary, who crunches some numbers, and comes back and tells you that without cleaning the spinach yourself, N people would get sick, M people would die, and if they managed to figure out that it was your spinach that caused this, you'd lose about $y. If $x>$y, why clean the spinach?

      I think this guy has the right idea, but the problem is more than slavery or a lack of compassion. If a company can make money by killing you, what in the free market can stop it?

    15. Re:Economy by Live_in_Dayton · · Score: 1

      When the spinach in California was found to have e.coli. People stopped buying it, restaurants stopped buying it, and supermarkets eventually stopped putting it on their shelves. The market took care of it. If spinach starts getting people sick, people adjust and stop buying it. Those are the incentives to improve using the example that you gave.

    16. Re:Economy by Anonymous Coward · · Score: 0

      So you want to force both producers and buyers like me to pay for spinach that is pre-disinfected? But what if I don't care?

      The other poster already answered that most people stopped buying that stuff, but of course you don't know such contaminations in advance, either (so how could any regulation prevent this in the future? we don't KNOW what's gonna / what could happen to food growing out there).

      And if some people *choose* to buy the cheaper variety, simply because they will kill the germs themselves, alright (or does any company have the intellectual monopoly on knowing how to kill germs?), then who are you or anybody else to stop them doing that?

      Besides, I HIGHLY doubt that even a tiny number of people dying would be any cheaper than simply cleaning that stuff... If you get sued, you're dead as a company, unless you make really awesome profits, and that does not happen in a competitive, open (i.e. not regulated to death) setting, because market entry is easy.

    17. Re:Economy by Colin+Smith · · Score: 1

      European libertanians? Surely you mean European liberals. The word libertanian isn't even in the Oxford English Dictionary. The word is an American invention to get round the redefinition of liberal. As a European Liberal, I have some sympathy with American Libertanians.

      --
      Deleted
    18. Re:Economy by FusionDragon2099 · · Score: 1

      That's a Libra. Who's the uneducated clod now?

    19. Re:Economy by Overly+Critical+Guy · · Score: 1

      You need to read his words more closely. He said libertarians, not liberals. Libertarians are all about personal and economic freedoms because they believe the free market regulates itself, as in nature.

      --
      "Sufferin' succotash."
    20. Re:Economy by glas_gow · · Score: 1

      You need to read his words more closely. He said libertarians, not liberals. Libertarians are all about personal and economic freedoms because they believe the free market regulates itself, as in nature.

      The term neo-liberal or economic-liberal is specific to the context in which the original poster made the statement. A libertarian, on the other hand, as defined in the Oxford English Dictionary, is an advocate of liberty, in the broadest sense. That term is a little too broad and ambiguous to be making the kind of statements which the original poster made. To clarify, under the broadest sense, you could claim Brigitte Bardot, who advocates animal liberty, to be a libertarian. I fail to see how that would make Brigitte Bardot the embodiment of capitalism.

  11. Credit card numbers? by SubGhandi · · Score: 1, Offtopic

    The auction marketplace is also selling driver's licenses for $150, birth certificates for $150, Social Security cards for $100, and credit card numbers with security code and expiration date for between $7 and $25. I wonder if any idiots actually used their own credit cards to purchase a stolen credit card number?
    What a great way to harvest additional numbers!
    1. Re:Credit card numbers? by Anonymous Coward · · Score: 0

      The market standard is egold actually.

    2. Re:Credit card numbers? by DittoBox · · Score: 1

      For those who don't know...

      http://en.wikipedia.org/wiki/Egold

      From the wiki page: "e-gold is a digital gold currency operated by Gold & Silver Reserve Inc. under e-gold Ltd., and is a system which allows the instant transfer of gold ownership between users. e-gold Ltd. is incorporated in Nevis, Lesser Antilles."

      --
      Good. Cheap. Fast. Pick Two.
    3. Re:Credit card numbers? by Anonymous Coward · · Score: 0
      There are 10 kinds of people in the world: those who understand binary and those who don't. So, who's the other 8!?

      That should of course be "So who's the other eaten," not 8.

  12. Why doesn't Microsoft buy those out? by Anonymous Coward · · Score: 0

    I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

    1. Re:Why doesn't Microsoft buy those out? by mochan_s · · Score: 3, Insightful
      I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

      Why do?

      After a user buys a copy of Vista, Microsoft receives no more money from the user.

      It would probably be economically wise to spend time in developing another product.

    2. Re:Why doesn't Microsoft buy those out? by _KiTA_ · · Score: 1

      After a user buys a copy of Vista, Microsoft receives no more money from the user.

      It would probably be economically wise to spend time in developing another product.


      Not to mention, if you never fix the bugs, the customers just might be willing to pay for your next OS. ... at least for a while.

    3. Re:Why doesn't Microsoft buy those out? by toejam316 · · Score: 1

      Yes, but in the meantime you'll only be sucking in the first "Wave" of buyers, and a few stragglers every now and then. OEMs will stop as fewer people buy OEM stuff, and normal users won't buy it because everyone who uses it says it's bad and they lost xxxx and xxxx happened to them after. I doubt it'd be feasible. Definitely not as feasible as just fixing the bugs, or better yet, make a new Windows with the old NT kernel sandboxed so it has backwards compatibility yet more stability and fewer bugs. Sounds good to me.

    4. Re:Why doesn't Microsoft buy those out? by gutnor · · Score: 1

      I really don't get it. To me it seems it would be economically wise to buy these out and then fix the bugs.

      1. This could be due to the legal implication

      I'm not sure the law will look kindly at a company that funds illegal activities to improve their business. And if it comes from a security company, just having your name attached to that kind of illegal activity could kill your credibility big time (like 'they did that to fix the bug, yeah sure like petrol in Iraq is just a coincidence', however true or false that may be)

      2. Buying would just drive the prices up, hence increase the prices and therefore maybe get the interest of even bigger players in the field. Logistically expensive ventures such as bribes, kidnapping, ... would become profitable.


  13. No by Anonymous Coward · · Score: 0

    If the sheer amount of resources focused on infiltrating default Windows systems was focused on Linux, you'd be putting out 100 advisories a week for the next two years till you caught up.
    http://www.exterminatewhitehats.com/

  14. Well, Duh! by jc42 · · Score: 2, Informative

    'I think the malware industry is making more money than the anti-malware industry,' Genes said.

    Malware is a profit-making industry. Anti-malware is aimed at eliminating profits, not making them. It doesn't take an economic genius to understand the implications.

    How many times have /. readers been reminded that companies exist to generate profit for their owners?

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    1. Re:Well, Duh! by Anonymous Coward · · Score: 1, Interesting

      Anti-malware is aimed at eliminating profits, not making them.

      Umm, no. It's about taking the profits from one group (crackers, fraudsters, etc.) and transferring them to another group (McAfee, Symantec, etc.).

      And if you've ever used any Windows anti-virus or anti-malware software, what you'll know to be true is that such programs are often as harmful as those they claim to eradicate. It's almost expected for a computer running Norton's software to run at 25% to 50% of its normal speed. McAfee's software is a royal pain in the ass to remove safely from a system, more so than many worms and trojans. And once your McAfee subscription expires, it'll harass you day in and day out to renew. I've seen people get that sort of subscription renewal harassment dialog more often than they get spam!

      The only way to deal with such problems is to not use Windows. Then you're basically immune, for the time being, from the viruses, worms, and other malware. And as such, you don't need to resort to shitty anti-virus software that ends up being majorly problematic. Thankfully we have mature operating systems like Mac OS X, Ubuntu Linux, FreeBSD and Solaris at our disposal.

    2. Re:Well, Duh! by Brandybuck · · Score: 1

      How many times have /. readers been reminded that companies exist to generate profit for their owners?

      Thank you Sherlock for telling us that companies exist to make profit. Next thing you know you'll be telling us that people work for companies to get a salary.

      Here's a big cluestick to knock that tinfoil off your head: there is a world of difference between the goal of generating profit legally and ethically, and the goal of generating profit by any means whatsoever.

      Duh.

      --
      Don't blame me, I didn't vote for either of them!
    3. Re:Well, Duh! by Anonymous Coward · · Score: 0
      I haven't looked at an anti-malware product since the AV companies *required* email addresses to regularly update their products. I long ago stopped thinking of them in terms of their being the good guys in all this.

      And when you stop using antivirus programs on Microsoft platforms that require antivirus programs, you simply move on to non-Microsoft products. Redmond is now in the AV business because they realize how many people have permanently sworn off Symantec, McAfee and the rest.

      Do a 30 day trial of even the second tier AV vendors, and then do the math when you see how much they want for their 2 year subscriptions. And after another renewal you've paid more for "protection" than what Windows XP Pro cost you in the first place.

  15. The Crackers Respond by Anonymous Coward · · Score: 0

    Speaking as a cracker, I'm more interested in the quick buck. I'm not out to make Microsoft or its users suffer, except for suffering that gets me the quick buck.

    As an exploit developer, holding off on zero-day exploits means there's a pretty good chance that someone else will find the same flaw and sell the same exploit ahead of me. That's no way to make money.

    1. Re:The Crackers Respond by Anonymous Coward · · Score: 0

      as a liar, you lick dingleberry juice

  16. Microsoft by Worldestroyer · · Score: 1, Interesting

    If Microsoft really cared about the security of their customers' systems, they'd buy those 0-day exploits and release patches immediately. But like I said, Microsoft would have to care, and I don't see hell freezing over anytime soon.

    1. Re:Microsoft by I'm+Don+Giovanni · · Score: 1

      We don't know that the exploits are legit.
      Microsoft buying them would be giving in to blackmail.
      And, these hackers clearly have zero scruples, so what's to prevent them from selling the exploits to others after Microsoft bought them?
      Get real.

      --
      -- "I never gave these stories much credence." - HAL 9000
  17. Oh come on now... by jorghis · · Score: 5, Insightful

    You know the people selling this stuff aren't exactly the most ethical folks in the world. Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?

    It isn't smart to assume that there are zero day exploits for Vista available just because some reporter says he heard there is someone who wants to anonymously sell you an exploit he promises is really good. Even if these exploits are real (big if) no one said anything about how big of a security hole we are talking about here.

    How about if I tell you that I heard someone offered to sell a Linux exploit of an unknown nature for 50 grand? Should we all run around talking about how Linux is insecure now?

    This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

    1. Re:Oh come on now... by DavidD_CA · · Score: 1

      This seems like a journalist trying to come up with something good to write about and slashdot forwarding it on as anti-ms fud.

      And either of those actions surprise you, how?
      --
      -David
    2. Re:Oh come on now... by CODiNE · · Score: 4, Insightful

      People who pay $50,000 for something aren't afraid to kill you if you lie to them. This especially makes sense if the mafia / SPAM connections are true.

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:Oh come on now... by dw604 · · Score: 1

      Maybe it's entrapment by MS

    4. Re:Oh come on now... by Anonymous Coward · · Score: 0

      People who kill, for whatever reason, are not going to pay you. They pay with the gold-'loaded gun to your face'-card. Not paper or plastic, but lead kiddie...

      seriously.

    5. Re:Oh come on now... by Anonymous Coward · · Score: 0

      It's most likely not their own CC they are using to pay either :)

      Carded or by other means of funding.

      Would you pay with your legit CC for an exploit? No, that would be daft and amateurish and neither would I.

      Salami slice a lot of accounts (brokers are a prime target in ID theft for such funds). The brokers are insured (up to a limit) to settle the issue. This has been a big issue during the past year with US brokers and it's spreading to the UK next big time.

      If I were you I would never have assets in an account over the insured limit. Spread it across accounts if need be and so on and get some kind of KEY DONGLE for extra strong AUTH generation. I refuse to use accounts without something I OWN as well as something I know. RSA keys etc.

    6. Re:Oh come on now... by Anonymous Coward · · Score: 0

      They can't kill you if they can't find you in that far off country you're in. That's the beauty of remote communications. Besides, they may not be killers... some people kill for a pair of shoes without remorse. Some people rob banks and run scams but don't have it in them to murder.

    7. Re:Oh come on now... by Reservoir+Penguin · · Score: 1

      How do you think deals in other black market areas are conducted? I suspect most of the underground drug deals are not scams and the actual exchange of criminal merchandise does take place. Criminals do have their own brand of ethics and 'honor'.

      --
      US-UK-Israel: The real Axis of Evil
    8. Re:Oh come on now... by tehcyder · · Score: 1
      Do you think that just maybe they are asking for 30k without any really good exploits to give you for that money?
      And I don't suppose you'd find it easy to sue them and recover the money if you were sold a pup. Seems like a great business model to me.
      --
      To have a right to do a thing is not at all the same as to be right in doing it
    9. Re:Oh come on now... by tehcyder · · Score: 1
      People who pay $50,000 for something aren't afraid to kill you if you lie to them.
      Well, let's see, I paid well over $50,000 for my house, and even if the vendors had lied to me about the roof leaking, I wouldn't go out and kill them. So I think that's a bit of a generalisation.
      --
      To have a right to do a thing is not at all the same as to be right in doing it
  18. How do these auction sites do business? by nyckidd · · Score: 1

    The article doesn't have much detail about this "auction-style" marketplace, but I have to wonder, how are people transferring $50,000 between two parties in exchange for such goods? "Underground" would really have to be quite underground for this to be going on without much notice, no?

    I also wonder if Trend Micro felt obligated to report this "discovery" to any authorities before they contacted eWeek about it...

    1. Re:How do these auction sites do business? by Anonymous Coward · · Score: 0
      I have to wonder, how are people transferring $50,000 between two parties in exchange for such goods?
      Just ask your friendly neighborhood drug dealer.
    2. Re:How do these auction sites do business? by winomonkey · · Score: 1

      Well, I doubt that they are using their Wells Fargo student checking accounts to do these transactions.

      There is this whole criminal world out there where people, I don't know, "buy things that are illegally acquired." I believe that it is called a black market, and you can buy anything from weapons to people to drugs to, well, botnet systems. Shoot, there is even a baby formula black market that is valued at 7 billion dollars. There is this whole world of organized crime, one which is becoming more and more technically savvy.

      Underground is, well, underground. This isn't just some high school kid with an "underground h@x0r link" that can get you a cracked version of some software. That's the faux-underground. This stuff that they are talking about is real, is hugely profitable, and mysterious to the uninitiated. A 50,000 dollar transfer, especially with foreign accounts, isn't as tricky as you might imagine.

  19. Yeah, right by LaughingCoder · · Score: 5, Interesting
    ... according to computer security researchers at Trend Micro ...
    ... like Trend Micro doesn't have anything to gain by people thinking there are Vista exploits. Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP. And I loved the use of the cloak-and-dagger word "infiltrated" to strike further fear into people. This seems to me little more than a sad attempt to remain relevant by an anti-virus vendor.
    --
    The more you regulate a company, the worse its products become.
    1. Re:Yeah, right by bobcat7677 · · Score: 1

      Nah, they aren't really scared of being useless. It's just a marketing battle. Microsoft started it by creating an OS that makes the user "feel" more secure and then making all sorts of forward looking statements about how it's "the most secure OS ever". (My analysis of Vista so far has yielded little in the way of concrete security improvements, but lots of little gadget things that appear to be intended only to make the average user "feel secure".) Given the impressive bloat, mid-stream changes, and overall changes, you know there has to be a whole new playground of exploits waiting to be found. Assuming the AV companies can figure out how to protect a target this big, they will keep the people buying far into the night as long as they can offset Microsoft's brainwashing attempts. And even then, the first time Joe Average starts noticing his computer "isn't running right", he will probably get the idea that this thing isn't as secure as they let on and start shopping for AV software again. Although, after spending that much on the OS, maybe they will have had enough and just chuck it out the window and get a Mac.

    2. Re:Yeah, right by LaughingCoder · · Score: 1
      ... my analysis of Vista so far has yielded little in the way of concrete security improvements ...
      You must not have looked very hard. Actually there have been substantive changes as regards security, not the least of which is that the user is *not*, by default, running with administrator privileges. This is the #1 reason *nix types criticize Windows as insecure and it has been fixed. Now, I'm sure with all the bloat and "rushed" schedules, problems will creep in, but the very fact that the average home user is no longer an admin should have a huge effect on overall security. Secondly, the Windows firewall is now bidirectional - a substantial improvement over XP. IE7 is much improved over IE6, though it is also available to XP users. There are other lesser improvements (you can "analyze" them here: http://technet.microsoft.com/en-us/windowsvista/aa905073.aspx).

      I believe the AV vendors are quite concerned, and rightfully so. As regards your statement that it's all a "marketing battle", you are correct. However, it is the AV vendors waging that battle, trying to convince users they are still necessary. Time will tell.
      --
      The more you regulate a company, the worse its products become.
    3. Re:Yeah, right by Watson+Ladd · · Score: 1

      Well, they didn't do the security right. The same old holes in RPC and badly-made default permissions still exist. Windows will never be secure. Microsoft would have to spend huge amounts of money on it and it wouldn't sell very well.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    4. Re:Yeah, right by LaughingCoder · · Score: 1
      Windows will never be secure. Microsoft would have to spend huge amounts of money on it and it wouldn't sell very well.
      On this we can agree, though I would probably say "Microsoft will never be as secure as a server-based OS". As you know there are degrees of security, so making a blanket statement without qualifying what you mean by secure is fairly meaningless. Anyhow, a desktop that is as locked down as a hardened server would be extremely annoying to use, even for technically savvy users. For the typical home user it would be downright maddening, and so, as you correctly suggest, it wouldn't sell very well.
      --
      The more you regulate a company, the worse its products become.
    5. Re:Yeah, right by Anonymous Coward · · Score: 0

      Seriously, Norton, McAfee and Trend Micro are all worried that their golden goose may be cooked if Vista is significantly more secure than XP.

      Trend Micro probably should be more worried about their own machines being pwned and participating in retaliating DDoS attacks of spammers. My servers are under such an attack right now, and some participating IPs belong to TREND MICRO INCORPORATED (this easy-to-block "?fuck+abuse" was hitting me dozens of times per second from thousands of different IPs around the world):

      66.180.82.84 - - [14/Dec/2006:08:04:39 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.87 - - [14/Dec/2006:08:04:39 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.85 - - [14/Dec/2006:08:04:39 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.89 - - [14/Dec/2006:08:04:40 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.81 - - [14/Dec/2006:08:04:42 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.88 - - [14/Dec/2006:08:04:43 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
      66.180.82.86 - - [14/Dec/2006:08:04:46 +0200] "GET /?fuck+abuse HTTP/1.1" 200 3746 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"

      And to whom does this 66.180.82.0/24 IP range belong?

      OrgName: TREND MICRO INCORPORATED
      OrgID: TREND-7
      Address: 10101 N. De Anza Blvd,
      City: Cupertino
      StateProv: CA
      PostalCode: 95014
      Country: US

      NetRange: 66.180.80.0 - 66.180.95.255
      CIDR: 66.180.80.0/20
      NetName: NET-TRENDMICRO-COM
      NetHandle: NET-66-180-80-0-1
      Parent: NET-66-0-0-0-0
      NetType: Direct Assignment
      NameServer: TMNS1.TRENDMICRO.COM
      NameServer: TMNS2.TRENDMICRO.COM
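
The check done by eye in the comment above (one query string arriving from many addresses, then grouping those addresses by network before a whois lookup) can be automated. This is an added example, not part of the original comment; the sample log lines, the documentation address ranges, the `/?flood+marker` query string, the `ExampleAgent` user agent and the `min_sources` threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/NCSA "combined" log format, the format of the lines quoted in the comment.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None  # hostname instead of an address, or a damaged timestamp
    return rec


def covering_network(ip, v4_prefix=24, v6_prefix=64):
    """Map an address to the network used for grouping (/24 for IPv4, /64 for IPv6)."""
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_floods(lines, min_sources=5):
    """Report request targets hit by at least min_sources distinct addresses.

    Returns (findings, skipped): findings are sorted by number of distinct
    sources; skipped counts the lines that could not be parsed.
    """
    by_request = defaultdict(list)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_request[(rec["method"], rec["target"])].append(rec)

    findings = []
    for (method, target), recs in by_request.items():
        sources = {r["ip"] for r in recs}
        if len(sources) < min_sources:
            continue  # ordinary traffic: few clients ask for this exact target
        networks = Counter(covering_network(ip) for ip in sources)
        times = [r["ts"] for r in recs]
        findings.append({
            "request": f"{method} {target}",
            "hits": len(recs),
            "sources": len(sources),
            "seconds": (max(times) - min(times)).total_seconds(),
            # Networks with the most participating addresses first: these are
            # the ranges worth a whois lookup and an abuse report.
            "networks": [(str(n), c) for n, c in networks.most_common()],
        })
    findings.sort(key=lambda f: f["sources"], reverse=True)
    return findings, skipped


def sample_line(ip, second, target):
    """Build one constructed combined-format line (not real traffic)."""
    return (f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 3746 "-" "ExampleAgent/1.0"')


# Constructed sample: seven sources in one /24 plus one outlier repeat the same
# query string, next to normal requests and one unparseable line.
SAMPLE_LOG = (
    [sample_line(f"192.0.2.{81 + i}", i, "/?flood+marker") for i in range(7)]
    + [sample_line("203.0.113.5", 7, "/?flood+marker"),
       sample_line("198.51.100.7", 2, "/index.html"),
       sample_line("198.51.100.7", 4, "/about"),
       "truncated line with no fields"]
)

if __name__ == "__main__":
    findings, skipped = find_floods(SAMPLE_LOG)
    for f in findings:
        print(f"{f['request']}: {f['hits']} hits from {f['sources']} sources "
              f"in {f['seconds']:.0f}s")
        for net, count in f["networks"]:
            print(f"  {net}: {count} distinct addresses")
    print(f"skipped {skipped} unparseable line(s)")
```

Because the flood shares one fixed query string, the same grouping key can also drive a request filter at the web server or reverse proxy.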

    6. Re:Yeah, right by bobcat7677 · · Score: 1

      Yes, the default user thing is pretty important. But that is sticking your finger in the leaking dam. I don't count the firewall improvements for much, a "personal software firewall" of any flavor should not be relied upon IMHO. Having a firewall on the same hardware you are trying to protect doesn't make much sense except as a last line of defence. You can't be touching the fire and not get burned as they say. IE7 is not a Vista improvement as you mentioned. "Network Access Protection" is a big hack in my opinion to compensate for the fact that there are too many holes to keep them plugged. Windows Service Hardening may help, but seems to just be a way of allowing the developers to code sloppy and get away with it. Frankly the list of "security enhancements" seems pretty short for "the most secure OS ever". I'm not usually this negative about MSFT. My company actually provides MSFT based solutions. It's just that the more I am exposed to Vista, the more I find to dislike about it. The security enhancements (or lack thereof) are only a very small part of this story... The saga goes on from there, but alas it is time for bed so that story will have to be another night.

    7. Re:Yeah, right by drsmithy · · Score: 1

      You must not have looked very hard. Actually there have been substantive changes as regards security, not the least of which is that the user is *not*, by default, running with administrator privileges. This is the #1 reason *nix types criticize Windows as insecure and it has been fixed. Now, I'm sure with all the bloat and "rushed" schedules, problems will creep in, but the very fact that the average home user is no longer an admin should have a huge effect on overall security.

      It won't.

      Well, it probably will in the short term, as all the old bits of malware that fail on unprivileged accounts get worked out of the system, but the simple fact is that, for the vast bulk of things the average piece of malware wants to do, elevated privileges are a luxury, not a necessity. Not to mention elevating privileges is not especially difficult ("Click here to see b00bies"), even *without* any behind-the-scenes trickery with buffer overflows and the like.

      Which is not to say an unprivileged account is a _bad_ thing, but it's a long, long way from a silver bullet. I can't foresee it making much of a difference.

      I believe the AV vendors are quite concerned, and rightfully so. As regards your statement that it's all a "marketing battle", you are correct. However, it is the AV vendors waging that battle, trying to convince users they are still necessary. Time will tell.

      AV Vendors have little to be really afraid of. AV software will remain an important part of "securing" the average end user's computer for as long as they're able to execute arbitrary code.

  20. Virii is not a word by Anonymous Coward · · Score: 0

    http://en.wikipedia.org/wiki/Plural_of_virus

    Can we add this to the /. FAQs?

    1. Re:Virii is not a word by k1e0x · · Score: 0

      Even if you did I would still use it. I like the word and I'm not afraid of grammar police.

      --
      Bringing liberty to the masses. - http://freetalklive.com/
  21. Exploit auction site? by Anonymous Coward · · Score: 0, Funny

    "His code pwned Windows even better than he said it would! A++++++!!!!!!!11!!"

  22. Re:Price increasing - Publicity stunt by louarnkoz · · Score: 1
    This looks very much like a publicity stunt, not "sane malware economics". Suppose that you actually know of a bug in Vista and of the corresponding exploit. Do you think that "just now" is the right time to go to market?

    Think again. Vista has not yet been put on the market. Right now, it is available to bulk purchases by enterprises, but there is no indication that these enterprises are engaging in massive upgrades. It is also available for download by MSDN subscribers. All in all, there are probably a million or 2 copies out there, most of which are used in secure settings.

    PCs will start shipping with Vista January 30, 2007. The industry ships maybe 200 million PCs per year. Assume 50% of them will ship with Vista, that's 8 million Vista shipments per month. These will be your classic "malware target" PCs, complete with clueless users and broadband connections. So, by the end of February, the target market for the supposed "0-day exploit" will be at least 4 times larger than it is now.

    So, why sell a Vista exploit now? The probable result will be to tip Microsoft, and get them to release some patch before January 30. The net result in terms of infected PCs would be near zero. If you are a malware peddler, why would you fork over $50,000 for a dud?

    I think this "exploit" smells very much of a publicity stunt.

    -- Louarnkoz

  23. Hi, welcome to... by thrill12 · · Score: 3, Funny

    0-day-bay, your place for new gadgetries in the world of ScRiPtKidDieS GoNE CoMmErCIal !
    Today, we have on offer a few jolly nice samples of the finest goods, what do you think of:
    * Evil worm 2 - Dr.Evil himself would promote this one, if he were a real person, but alas: this Evil worm 2 does not come with frickin' lasers on its head. Made in China, this worm can eat away the fumbly firewalls of most present day Windows machines !
    All that, at a price of just $30.000 !

    * Glasnost x-ploit - Oh my, in the Western world we make the x-ploit, but in Russia - where this lovely piece of software was born - they x-ploit you ! Just like in the old days of Gorbatchov, this Glasnost worm certainly opens ... backdoors ! ha ha !
    For just the measly amount of $15.000, you could have your very own Glasnost'ed Windows botnet in no time !

    Last but not least, we wouldn't want to forget our bestseller, our hitman, our top product in the fine world of Windows Redecorating Software : Yoghurt Trojan !
    Not the milk-product, but you could say its milky white cream covers most Windows PC's pretty well ! It has no aftertaste like some worms, and definitely likes to morph into different appearances ! It can definitely lighten the spirits of whoever is at the controls and includes a lovely "MAD"-button in case some law enforcement officer decides to peek into your operation : no more evidence, because no more Trojaned PC's survive the Mutually Assured Deletion of this king of kings !
    All that, for just $50.000, it's a bargain !

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
  24. lol by CDPatten · · Score: 1
    my favorite part was

    "an auction-style marketplace infiltrated by the anti-virus vendor" .

    LOL. I'm certainly no hack and found where they were being sold.

    It's funny how companies try and make themselves more relevant than they really are....

    1. Re:lol by Anonymous Coward · · Score: 0

      Care to share?

  25. Re:Patch by Anonymous Coward · · Score: 0

    There ARE a couple of patches for this: Mac OS X and Linux

    All grammar aside, why is this modded down? Since when did Slashdot suddenly become Pro-Microsoft and Anti-Linux? The trends on this site are very funny to watch over the years. In the same way that suddenly there are crazy Intel fan-boys who just bash AMD now. I wonder what the next trend will be....

  26. The solution is obvious. by Anonymous Coward · · Score: 0

    Never allocate memory on the stack. Ever.

  27. This is actually very surprising by RootWind · · Score: 1

    Looks like someone is in need of really fast cash. If they wanted to maximize their profits they would not reveal their exploits until Vista is on a much larger amount of computers. Otherwise it will only have the chance to affect very few machines before being patched. That is unless they are selling the exploits with err... "full rights" to the highest bidder in that they would not tell anyone else, and the "winner" can sit on the exploit as long as they want before using it for nefarious purposes.

    1. Re:This is actually very surprising by goarilla · · Score: 1

      i think some people just race to get the first exploit for vista out of the door
      like the warez groups try to get their warez out as soon as possible
      it's also a fame game

      it must give a real adrenaline rush when your exploit would be the first
      that actually works

    2. Re:This is actually very surprising by rickatnight11 · · Score: 0

      Most prefer not to sit on illegal software for it to "mature" if you will. Much rather generate some income and move on to the next project.

  28. Open source does not equal free beer by nietsch · · Score: 1

    It is perfectly within the terms of the GPL to sell open source software. It is just easier to give it away for free and charge for services/work you do for paying customers.

    --
    This space is intentionally staring blankly at you
  29. Re:Patch by ElBeano · · Score: 1

    It has to do with the population of mods online right now. There is a clear pattern in the modding of the responses to this news item. Partisanship... it seems. I think Mac OsX and Linux will shine brighter over the next few years, as compared to Vista.

  30. Malware by StormReaver · · Score: 0

    "I think the malware industry is making more money than the anti-malware industry...."

    1) If you consider Microsoft Windows to be malware (I do), then this is self-evident.

    2) Even if you don't consider Windows to be malware, just wait until Vista. Microsoft is pushing anti-malware companies into bankruptcy by embedding its own anti-malware software (which is only marginally worse than the non-Microsoft counterparts). There may soon be no non-Microsoft anti-malware companies remaining, at which time the only money to be made in that sector is by the criminals. Since the difference between Microsoft's terrible anti-malware attempts and the currently terrible non-Microsoft anti-malware abortions will be negligible, nobody will buy the non-Microsoft stuff anymore. The criminals will have the industry cornered.

    1. Re:Malware by Anonymous Coward · · Score: 1, Funny

      Can I buy pot from you?

    2. Re:Malware by Anonymous Coward · · Score: 0

      I've mentioned this before. Windows is insecure because other people, including legitimate ones, have an interest in keeping it that way. Consider what you're saying here: First, Microsoft is bad, because Windows is insecure. Second, how dare Microsoft try to make Windows more secure?! Obviously, this is a monopolistic move intended to bring about the end of the world.

      Could I trouble you to keep your rabid enthusiasm firmly based in the land of logic?

      Adam

    3. Re:Malware by Anonymous Coward · · Score: 0

      Your subcategory of irrational MS haters has to be the most amusing of all. You manage to argue, within the space of only a couple of paragraphs, that MS sucks because Windows is insecure and that they suck because they try to improve security. I'll never understand how fanatics like you avoid imploding from cognitive dissonance.

  31. Re:Price increasing - Publicity stunt by SEMW · · Score: 1

    A publicity stunt by whom exactly? It would have to be someone who gains from FUD about Vista & Microsoft, which rather limits the field. It's hardly Apple's style, and I can't exactly imagine it's a group of philanthropic open source advocates who are trying to get everyone to switch to Linux.

    --
    What's purple and commutes? An Abelian grape.
  32. Where's the Popularity Argument Now? by twitter · · Score: 3, Insightful

    Oh, ho ho. All the apologists are quick to argue that, "The only reason the bad guys target Windoze is because it's popular." What bullshit that is.

    Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years. Yet there's already a market for exploits. What this should tell you is that the value of an exploit is its ability to work, regardless of market share. The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come. No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing. Linux exploits don't take down every distribution but just about every distribution is quick to fix problems. GNU/Linux exploits, relative to Windoze, don't work or last long.

    --

    Friends don't help friends install M$ junk.

    1. Re:Where's the Popularity Argument Now? by Anonymous Coward · · Score: 0

      You are a complete idiot, aren't you?

      Vista has no marketshare because it's NOT OUT YET. But! It will be popular because it's a Microsoft OS, and they made all the other Windows machines, and that's what everybody else uses, so companies won't see a reason to bother changing that trend. Nobody wants to change the way they work, but they do want to "keep up with the Jones's" so they'll all upgrade to the latest version to be safer and more secure no matter how much of that is image and how much is real.

      Maybe you should shut off the half of your brain that runs your Linux fanboyism and actually take a look at facts, graphs, statistics, trends. Then again, from what I've seen of your posts, you'll post some more anti-MS bullshit and pretend it proves a point. It doesn't.

      Get a grip.

    2. Re:Where's the Popularity Argument Now? by bjorniac · · Score: 1

      Erm, you ever think they might be targeting it because it's ABOUT to become popular? Couple Windows' track record of massive uptake to Windows' track record of poor security on initial releases and I think you're onto a winner. Vista looks likely to become BIG because masses of people will want the new version of Windows because they think new=better. For undefined metrics of better. Think about it like this - if there's a new series of American Idol coming out, people will pay a lot of money to advertise during its timeslot. Sure, there aren't any viewers yet, but given its track record, you can bet there will be a few million watching come the first few shows.

    3. Re:Where's the Popularity Argument Now? by Anonymous Coward · · Score: 0

      It's so infinitely sad that this is modded +4. Never mind the inane rambling "arguments", you should be at -1 merely for using "M$" and "Windoze". Posts like these really make me lose faith in the Slashdot community. Momma told me not to feed the trolls, but here I go anyway...

      Vista has what market share now? Less than Mac or Linux I'm sure and everyone knows that it's going to stay that way for years.

      No, "everyone" doesn't know that.

      What this should tell you is that the value of an exploit is its ability to work, regardless of market share.

      That doesn't even make sense. It is obvious to anyone with half a brain, or even less, that the more boxes something works on, the more valuable it is. How could you even begin to argue otherwise? Do you think an OS/2 exploit would sell for as much? How about an exploit for BeOS? If not because of lack of market share, why not?

      The bad guys know that M$ security sucks and that the holes they buy today will be good for months if not years to come.

      In what world does MS not attempt to patch critical security holes? Can you point me to one instance during the last two years where a known critical exploit wasn't patched in less than a month (let alone years)? If we're not talking about known exploits, then you're being pretty disingenuous, since by definition such exploits are unknown. You have no idea how many of them there are or for how long they work, nor how many exist for Linux systems.

      No one bothers with GNU/Linux exploits because the GNU/Linux market is fragmented and quick healing.

      It couldn't be because 99% of all naive computer users, which are the targets of 99% of all exploits (aiming to create botnets or snatch bank credentials or whatever), run Windows? Within your fanatical zealoty reality distortion field that probably doesn't even make sense. To the rest of us, however, it's pretty fucking obvious.

      No company in the world has ever spent as much on improving security as MS has during the last years. No company in the world employs more brilliant security specialists. No OS has ever been designed with security in mind from the ground up as Vista has. The people who deny these things are the same people who are so full of hatred that they can't even spell the names of the things they are attacking correctly, but have to revert to the kind of mockery that most of us left behind in kindergarten. That is, people like you.

      Responding to posts like yours leaves a bad taste. Consider this the last time.

  33. Re:Price increasing - Publicity stunt by Macthorpe · · Score: 1

    The answer was in the article.

    According to [Trend Micro CTO Raimund] Genes

    Anti-virus software makers, concerned at the visage that MS has put up of a more secure Vista, trying to ensure sales of anti-virus products on new boxes.

    Simple as that.

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
  34. Is it illegal to sell a zero-day exploit? by 5plicer · · Score: 1

    Hypothetically, let's say you've discovered a vulnerability in a major vendor's software. You reported the vulnerability to them almost a year ago, and they assure you that they're still working on a fix. Would it be illegal in Canada or the US to sell code which shows how to exploit the vulnerability (say on eBay)? How about just going public with it (giving it away... say on Slashdot)?

    --
    The bits on the bus go on and off... on and off... on and off...
    1. Re:Is it illegal to sell a zero-day exploit? by WK1 · · Score: 0

      I don't think there are any laws against it. But you'll likely be sued.

  35. Vista Market Share? Re: closed systems by twitter · · Score: 1

    If Linux/bsd/osx were at 90% market share, I am sure these &#@%$! will still be selling/buying vulnerabilities at these prices.

    So why is anyone buying Vista exploits? To answer that question you have to admit either that M$ does not fix problems for months and years or that the "popularity" argument is bogus. People traffic Windoze exploits because they work today and keep working tomorrow. Non free is a broken development model.

    --

    Friends don't help friends install M$ junk.

    1. Re:Vista Market Share? Re: closed systems by Anonymous Coward · · Score: 0
      twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.


      * As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
      * Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
      * A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
      * Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
      * Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
      * Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
      * Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
      * Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project, MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
      * Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
      * There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

      From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy


      Somebody please mod the parent up, or do whatever it is that makes a post display on the default view (as display in the default view does not necessarily seem to be related to mod points).
    2. Re:Vista Market Share? Re: closed systems by rtb61 · · Score: 1
      Nahh. Linux is about freedom, Linux users feel free to post, troll, comment, recommend and flame as you see fit or unfit as appropriate to your mood, enjoy and be happy (it's cool to be an individual ;-) ).

      For all the paid to post marketdroid lusers, obey, conform and bow to your M$ masters (sucks to be you :-( ).

      Don't let the marketdroids fool you, forums are all about expressing yourself creatively, so if something like M$=B$ makes sense and is understood, use it, the same as windoze and windrones and even Micro-Softies.

      We are individuals and are not an extension of the PR/B$ corporate marketing machine. There are already plenty of companies servicing and supporting Linux who act in a professional and business like manner and already effectively market their services and open source software products to other commercial entities and governments.

      For the rest, it's Linux, it's cool and have fun ;).

      --
      Chaos - everything, everywhere, everywhen
    3. Re:Vista Market Share? Re: closed systems by Anonymous Coward · · Score: 0

      They are buying Vista exploits because they know that Vista will quickly take over the market as all Microsoft OSs have done in the past.

  36. We Need Vista To Ship & Stay #1... by BoRegardless · · Score: 1

    So I can safely do all my work easier in Mac OSX 10.5 ;-?

  37. Re:Price increasing - Publicity stunt by Threni · · Score: 1

    > So, why sell a Vista exploit now?

    Someone else might find it. They'll presumably take the $50,000 now.

  38. you can get IT by GregNorc · · Score: 0, Redundant

    I'm curious as to whether selling such an exploit would be allowed on Ebay. A++++++++ WOULD BUY AGAIN, OWNED OVER 50,000 noobs!

    1. Re:you can get IT by triso · · Score: 1

      I'm curious as to whether selling such an exploit would be allowed on Ebay. A++++++++ WOULD BUY AGAIN, OWNED OVER 50,000 noobs!

      I doubt it. They do not allow anything that could possibly hurt another person: weapons, Nazi memorabilia, even guides to make weapons, bombs or fireworks are verboten.
    2. Re:you can get IT by FishWithAHammer · · Score: 1

      They allow gas-powered airsoft guns, though. Those very well could kill someone.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  39. Re:Price increasing - Publicity stunt by triso · · Score: 1

    So, why sell a Vista exploit now?

    Even though it is called "a Vista exploit," it probably works on XP and other versions of Windows.
  40. How much damage from 'fake' security holes? by HockeyPuck · · Score: 1

    I wonder how much damage they could inflict on companies (consumers of Vista as well as MSFT) by making claims about having a zero day exploit? I bet using the right channels someone could get MSFT to spend quite a bit of resources auditing code.

    Similar to how millions now have to take off our shoes in the airport b/c ONE guy tried to light his shoes on an airplane.

  41. Legality by RiotXIX · · Score: 1

    Is this legal? It's like someone overhearing a conversation (or perhaps intentionally overhearing it) between two plotting murderers and auctioning it to news corps/potential victims for where it's going to take place. I find it obscene: by all means get some money for your efforts, but computers control serious things - consider a case where Microsoft (or similar) buys the information before the press, in order to cover up an embarrassing situation. Someone uses it because Systemantic or whoever didn't get to it in time (or couldn't afford to), and bam some critical computer goes down, when a patch could have been deployed first. I'm not impressed.

    --
    "You know you don't act like a scientist, you're more like a game show host." Dana Barret
  42. Double Duh! by triso · · Score: 1

    'I think the malware industry is making more money than the anti-malware industry,' Genes said.
     
    Malware is a profit-making industry. Anti-malware is aimed at eliminating profits... Tell that to the twenty or so anti-virus companies that exist. There is some concern about viruses being written indirectly by the anti-virus folks to keep the money coming in. There is no proof for such a conspiracy. Everyone seems to blame the Russian Mafia or simply Organized Crime.

  43. Actually, this is a zero+1ns exploit by rtssmkn · · Score: 1

    at the beginning there was vista (from where did they get that name?)

    SCNR

    Carsten

  44. Netcraft Confirms It! by empaler · · Score: 1

    Netcraft does confirm "top servers'" back end make.
    Apache wins by a long shot, but that could be served on Windows too.

  45. I'll Believe It When It's Confirmed by ThinkFr33ly · · Score: 1

    I had no doubt that there would be flaws found in Vista. No non-trivial software is bug free.

    But Vista has a lot of features that make the inevitable bugs much, much harder to take advantage of.

    The single most common attack vector in Windows is IE. Virtually all the malware installed on machines today was likely installed by a drive-by-download caused by one of the many, many holes in IE.

    But users running Vista have Protected Mode, which effectively isolates IE and prevents it from doing damage. It's possible that protected mode has a flaw, but judging by how it works I find that unlikely.

    In addition, the fact that Vista users aren't running as admin makes flaws that affect the interactive user much, much less dangerous. The ability to take over the entire machine, or even run arbitrary code effectively as the interactive user, are almost non-existent.

    I suspect that this is either fraudulent, or it doesn't have the ability to root the box.

    1. Re:I'll Believe It When It's Confirmed by schon · · Score: 1

      Vista has a lot of features that make the inevitable bugs much, much harder to take advantage of.

      Yes, and I'll bet that each one of those features has its own bugs which can be exploited - which makes the entire computer easier to exploit, not harder.

      It's possible that protected mode has a flaw, but judging by how it works I find that unlikely.

      I see you've already considered the possibility that the features will have their own bugs. However, unlike you, I will decide to err on the side of historical evidence.

      Historically, MS doesn't know how to write secure software, and takes several attempts to get it right. Why would these new features be any different?

      Vista users aren't running as admin

      You're claiming that the OS enforces this? It will refuse to run non-system apps as Admin?

      So what happens with all of the existing software that requires Administrative privileges to run? There are thousands of them. Will they all stop working when you upgrade to Vista?

      The ability to take over the entire machine, or even run arbitrary code effectively as the interactive user, are almost non-existent.

      Apparently you (and MS?) have never heard of a little thing called the local root exploit? All of us Unix guys know that just because a user doesn't have root, doesn't mean that there's not a way for them to get it.

      What was that quote? Oh yeah - "Those who do not understand Unix are condemned to reinvent it, poorly." (Henry Spencer)
    2. Re:I'll Believe It When It's Confirmed by ThinkFr33ly · · Score: 1
      Point by point...

      Yes, and I'll bet that each one of those features has its own bugs which can be exploited - which makes the entire computer easier to exploit, not harder.

      The features I was referring to are things like ASLR. Even a flawed implementation of ASLR will make the computer harder to exploit, not easier. To assume that any new feature will automatically result in a more vulnerable computer is a flawed assumption. It completely depends on the feature in question.

      I see you've already considered the possibility that the features will have their own bugs. However, unlike you, I will decide to err on the side of historical evidence.

      Of course I've considered that. Your claim that any new feature automatically makes the computer less secure is equally as flawed as the opposite assumption. (An assumption I was *not* making.)

      If you read the link about Protected Mode IE you would see that it uses a fairly innovative model to secure IE. The quick summary is that all "privileged" operations must go through a broker which is only a few thousand lines of code. IE must use this broker because its process runs as a user with even fewer privileges than a Guest account. Since the broker is relatively simple, it is *much* easier to audit 2000 lines of code than to audit the 2,000,000 lines of code (that was a guess) in IE. So even to write a file to the user's desktop, IE must "ask" the broker to perform this operation on IE's behalf, as the broker is running with the same privs as the user. A flaw that allowed a bad guy to try and get IE to write someplace else on the file system, for instance, would fail due to a lack of privs.

      I'm sure you'll now say that all it will take is a problem with the privs system in Windows, and this model breaks down. Very true. But priv elevation exploits are much, much more rare than a bug in IE. The privs system in Windows is very, very well fleshed out. It has had a few exploits over the years, but those exploits are usually a lot harder to create than one of the billion different ways one can take advantage of the swiss cheese that is IE.

      Furthermore, features such as the ASLR I previously mentioned would make these exploits extremely hard as well.

      Protected Mode IE has, in effect, dramatically reduced the attack surface of IE. You can consider this a feature, but it's a feature that can really only reduce vulnerabilities, not increase them.

      Historically, MS doesn't know how to write secure software, and takes several attempts to get it right. Why would these new features be any different?

      Good question. Historically, you're obviously correct. Past Microsoft products have been iffy, at best. But Microsoft (or, rather, the people who work there) isn't stupid. They DO learn from their mistakes, no matter how much Slashdotters think they don't. Microsoft has implemented drastic changes in their development process.

      Some products that have resulted from that new process are IIS 6, the .NET Framework (versions 1, 1.1, 2, and 3). If you do a search on your favorite security site, you'll see that these products have almost NO security holes. IIS 6 has dramatically fewer vulnerabilities than Apache, for instance. These products are obviously attacked a great deal, so their lack of holes is definitely not from a lack of attempts.

      You're claiming that the OS enforces this? It will refuse to run non-system apps as Admin?

      So what happens with all of the existing software that requires Administrative privileges to run? There are thousands of them. Will they all stop working when you upgrade to Vista?

      Yes, the OS does enforce this. If you had read the links I posted, you would know that. It's called UAC. (User Account Control.) While your questions are good ones, they show that your conclusions about Vista are assumptions, and are not based on
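
The broker pattern described in the comment above, as an added sketch that is not part of the original post and is not Microsoft's code: the untrusted process can only send JSON requests, and a small broker running with the user's privileges decides what gets written and where. The `Broker` class, the request format and the directory names are hypothetical and constructed for this example.

```python
import json
import os
import tempfile

MAX_BYTES = 1 << 20  # assumed policy limit for this sketch


class Broker:
    """The only component allowed to touch the user's files."""

    def __init__(self, allowed_root):
        # Canonicalise once so every later comparison is against a real path.
        self.allowed_root = os.path.realpath(allowed_root)
        self.audit_log = []

    def _resolve(self, name):
        # Join under the allowed root, then canonicalise: this collapses ".."
        # and follows symlinks in existing path components.
        candidate = os.path.realpath(os.path.join(self.allowed_root, name))
        if os.path.commonpath([candidate, self.allowed_root]) != self.allowed_root:
            raise PermissionError("path escapes allowed root")
        return candidate

    def handle(self, raw_message):
        """Validate and execute one request from the untrusted process."""
        try:
            req = json.loads(raw_message)
            if not isinstance(req, dict) or req.get("op") != "write_file":
                raise PermissionError("operation not brokered")
            name, data = req["name"], req["data"]
            if not isinstance(name, str) or not isinstance(data, str):
                raise ValueError("malformed request")
            payload = data.encode("utf-8")
            if len(payload) > MAX_BYTES:
                raise PermissionError("payload too large")
            target = self._resolve(name)
            # O_EXCL: never overwrite an existing file.
            # O_NOFOLLOW (where available): refuse a symlink as the final component.
            # A production broker would also open relative to a directory
            # handle to close the gap between this check and the open.
            flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
            fd = os.open(target, flags, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
        except (ValueError, KeyError, OSError) as exc:
            # Every denial is recorded; the caller learns only that it failed.
            self.audit_log.append(f"DENY {raw_message!r}: {exc}")
            return {"ok": False}
        self.audit_log.append(f"ALLOW write {target}")
        return {"ok": True}


def demo():
    """Replay constructed requests, as a compromised renderer might send them."""
    with tempfile.TemporaryDirectory() as base:
        downloads = os.path.join(base, "downloads")
        outside = os.path.join(base, "outside")
        os.mkdir(downloads)
        os.mkdir(outside)
        # A symlink planted inside the allowed directory, pointing out of it.
        os.symlink(outside, os.path.join(downloads, "link"))
        broker = Broker(downloads)
        requests = [
            {"op": "write_file", "name": "report.txt", "data": "hello"},
            {"op": "write_file", "name": "../outside/evil.txt", "data": "x"},
            {"op": "write_file", "name": "link/evil.txt", "data": "x"},
            {"op": "write_file", "name": os.path.join(outside, "evil.txt"), "data": "x"},
            {"op": "run_program", "name": "calc", "data": ""},
            {"op": "write_file", "name": "report.txt", "data": "overwrite"},
        ]
        results = [broker.handle(json.dumps(r))["ok"] for r in requests]
        return results, os.listdir(outside), len(broker.audit_log)


if __name__ == "__main__":
    print(demo())
```

The part that needs auditing is `handle` and `_resolve`; whatever happens in the untrusted process, it can only cause a write that passes those checks.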

    3. Re:I'll Believe It When It's Confirmed by schon · · Score: 1

      To assume that any new feature will automatically result in a more vulnerable computer is a flawed assumption.

      Bullshit. You said it yourself:

      No non-trivial software is bug free. The more features (code) you add, the larger the bug count. It's a well-known axiom in security circles that every bug is a potential security vulnerability. Therefore, every feature you add makes your software more vulnerable. By definition.

      Perhaps if you understood general computer security a little better, it might be helpful for you to understand my arguments. You seem to have done some reading on MS security, but there's a whole world outside of MS. There's a good beginner article here that might help you.

      If you do a search on your favorite security site, you'll see that these products have almost NO security holes.

      This is exactly what I'm talking about. You can't point to the current number of publicly-known vulnerabilities and make assumptions about the number of undiscovered security holes. Just because a piece of software has "very few" publicly-known vulnerabilities one day, does not mean that a dozen won't be released tomorrow.

      IIS 6 has dramatically fewer vulnerabilities than Apache

      Ah, the #1 mistake of those who do not understand computer security - play "count the publicly-known vulnerabilities" to determine which product is more secure.

      your conclusions about Vista are assumptions, and are not based on any kind of research on your part.

      And your conclusions about computer security in general are also assumptions (and incorrect ones, at that.) The difference between you and me is that the research I have done is regarding time-proven, proven peer-reviewed techniques, whereas yours is limited to Microsoft propaganda.

      Apparently you would rather be condescending and content in your ignorance than to do research on a subject before making claims.

      No more than you. We have a claim of an exploit in Vista, and your attitude (without doing any research at all) is that it is "fraudulent".

      I was hoping that you might pick up that I was pointing out your hypocrisy, but evidently I was too subtle.

      I guess it's easier to regurgitate quotes than to actually research a subject.

      I guess it's easier to regurgitate MS propaganda than to actually have an understanding of a subject.
    4. Re:I'll Believe It When It's Confirmed by FishWithAHammer · · Score: 1

      I wish I had mod points for this post. I'm no Windoid (hell, typing this on Edgy right now), but the Slashbots need a good kicking once in a while.

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  46. WinXP Security Configuration Guide by flyingfsck · · Score: 2, Informative

    Windows XP Professional Common Criteria Configuration Guide:
    http://download.microsoft.com/download/5/3/b/53b53a3e-39d5-4d30-86f2-146aa2c7be45/wxp_common_criteria_configuration_guide.zip

    If you have the patience to follow that guide, then your WinXP will be locked down and secure.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  47. But do they really need Root/?? by Anonymous Coward · · Score: 0

    Even if you can't break into root... they can run their bots as another user prog... can't they? Even in a sandbox, i.e. a bot can run inside the IE sandbox!

    -sdf

  48. The New Economy by Haxx · · Score: 1

    In other related news, the only way to get a Nintendo Wii at this time is to pay 70-120% more than retail on eBay.

  49. AC is harassing twitter by jrobinson5 · · Score: 0

    Mr. AC, I see you post this same reply to twitter every time he posts.

    Exhibit 1

    Exhibit 2

    Exhibit 3

    Exhibit 4

    Exhibit 5

    Exhibit 6

    Exhibit 7

    In fact, the list goes on, you seem to have posted this same reply verbatim to every single one of twitter's posts! Just look at the list of posts made by twitter and notice every single one of them, starting on a certain date, has the same reply by you, verbatim. I dunno what you have against twitter, and while I certainly don't endorse his claims, it seems stupid for you to harass him like this.

    (if you weren't an AC I would guess karma whoring, as most of these replies tend to get +5)

    1. Re:AC is harassing twitter by jrobinson5 · · Score: 0

      Exactly.

  50. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  51. Easy enough to prove by Anonymous Coward · · Score: 0

    If I was buying from them, I'd set up a Vista box on the Internet, install all the current updates, then tell them its IP address and ask them to break into it. If they were successful, then the exploit is worth it.

    Seems a bit early to buy such an exploit though, since there are essentially no Vista boxes on the Internet right now. In six months when there are millions of them since most new PCs will come with it, MS or someone else may have found the hole and patched it before you were able to use it to really make use of it.

  52. wow, my first thought is by SaberTaylor · · Score: 1

    this $50,000 incentive will be great for improving security. (since once an exploit has been offered for sale, there are many avenues for that problem to be leaked to general awareness.)

    --
    If you need text styles to communicate then you don't have a message.
  53. Hello President Bush! by Anonymous Coward · · Score: 0

    Ok, so why the heck can't the US government stop this? If there is a market for illegal goods, which I'm sure these are, then why doesn't the FBI just arrest these guys? The cynical side of me says the FBI is either too incompetent to go after real criminals or they are too lazy. Lazy or stupid is a hard one when it comes to the FBI. But geez-lousie!

  54. Nope by misanthrope101 · · Score: 1

    No, you're thinking of Pamela Anderson.

  55. True. We don't know it's real. by Beryllium+Sphere(tm) · · Score: 1

    If this is anything like the auction markets for credit card numbers, they'll have some kind of reputation tracking.

  56. Vista by Dobeln · · Score: 1

    It will be shipping on pretty much all new computers headed for clueless users over the next year - it is certain that it will rapidly overtake LINUX in both regular and (more importantly) clueless user market share. :P

  57. Microsoft Could Prevent This From Happening by Anonymous Coward · · Score: 0

    They could pre-install Trojans and botnet software. Then just make them available for a SMALL fee... It would eliminate the underground market for exploits.

  58. haha by moondo · · Score: 1

    microsoft always stimulates the economy!

  59. Re:What do Linux virii cost, & are they open s by WK1 · · Score: 0

    A1) Viruses are free. Better market penetration that way. If you meant free as in libre, you're going to have a hard time enforcing copyright on one.
    A2) Some viruses have been delivered with source. Most are not. Although, scripting viruses, by definition, are open source.

  60. But the most important question is... by pjf(at)gna.org · · Score: 1

    Where are these Paypal's "donate" buttons?

    --
    echo "getuid(){return 0;}" > e.c; gcc -shared -o e.so e.c; LD_PRELOAD=./e.so sh
  61. Social and economic liberalism by Colin+Smith · · Score: 1

    With neo-liberalism the emphasis is on freedom of the market, based on an article of faith that the market is some magical entity that'll solve all administrative problems.

    You're mistaking social liberalism with economic liberalism. Liberals, liberalism are/is about both. I'd go as far as arguing that you can't in reality have one without the other, which is why our freedoms are being squashed the world over. Neither the Democrats, nor the Republicans, the Tories or New Labour are Liberal.

    Liberalism in America has come to mean socially liberal and economically restrictive. It's an incorrect definition of the word liberalism, and as such you've had to invent a new word to mean liberal: libertarian.

    In the US, you have the Democrats who are socially liberal and economically restrictive, or the Republicans who are socially restrictive and economically liberal. This really means that you can never have true freedom, you can never have the kind of society which created the USA in the first place. You simply switch from one type of restriction to another.

    The market isn't magical, it's a many to many system which rewards those who perform a task best where many is approximately the size of the population, it essentially introduces n^2 processing to find the best solution to problems. Instead of one government legislator (or indeed a thousand) trying to think up and enforce a solution, you have n people deciding from n^2 choices what is best for them, where n might be 300 million. While no market is that large, the potential for finding the best solution is still many times that of a governmental/legislative route.

    --
    Deleted
  62. None of the things you mention require government by Colin+Smith · · Score: 1

    Capitalism doesn't require a government. It may be more efficient with one, but a single overriding authority isn't required.

    --
    Deleted
  63. Re:Price increasing - Publicity stunt by baadger · · Score: 1

    Not to mention malware development time. If you're spending $50,000 for the tip off, you don't want to mess up the implementation.

  64. As example by DrYak · · Score: 1
    2. Heterogeneity.


    As an actual example to your arguments, one may cite the discussion that was featured a few days ago about Red Hat wanting to clean and improve their RPM system.

    There were quite a few users complaining about alleged dependency hell that they linked to the RPM format itself, when in fact those problems are due to the fact that several different distributions use the RPM format and one size won't fit all. A single RPM package will only work with a small subset of distribution flavors, featuring a specific version of system libraries, compiled with a specific version of GCC (ABI may change across major versions) and maybe some specific version of toolkits and kernel.

    Many of the alleged problems that newbies encounter when installing a binary package come from downloading the first RPM they find, thinking "but my system does indeed support RPM packages". They install it, and then encounter problems, because that RPM wasn't tailored for their specific system.

    And that was for *legitimate* software that is supposed *just to run*. Now it's going to be even harder for trojans and viruses, which are supposed to exploit bugs to escalate privileges, which are supposed to camouflage themselves and go undetected, etc...

    As others said in this thread, in fact Linux, BSD and the various other such OSS have a greater market share than Vista, which still isn't released to the consumer market. But if cyber criminals are already racing to get exploits, it's because, in several months if those holes stay unpatched, their nice tool will be able to infect thousands of PCs worldwide.

    Targeting Linux for malware is targeting an obscure cloud of confusingly heterogenous code bases.
    Targeting Windows is targeting maybe 3 different codebases. Currently, mostly WinXP SP2, pre-SP2 and 2k. In a few months: Vista, XP SP2, XP SP1. One ring to rule them all.
    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  65. Most people are not experts by Nicolay77 · · Score: 1

    If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now.

    They would probably be using a 2.2 kernel, a very old build of KDE, and so on.

    The fact is: Smart users don't get infected, naive users do. Some smart users use Linux, some smart users use Windows. Most naive users use Windows.

    Target the naive users and ignore the smart. No matter what OS the smart people use.

    --
    We are Turing O-Machines. The Oracle is out there.
  66. Your comment kinda reminds me... by Anonymous Coward · · Score: 0
    of punk rockers talking about their clothes. Ask one why they dress in black leather, spikes, etc. and they'll tell you that it's about being free, free from the conformity most people embrace. Comment that it appears that they too have embraced conformity because, well, most punks look very similar, and you'll get a response about....being free.

    Linux zealots: annoying the rest of us because...well, because they're free!

  67. So? Re:Most people are not experts by twitter · · Score: 1

    If the same people that use Windows for Powerpoint and Word and have a gazillion worms in their system used Linux, their systems would be as infected as they are now. They would probably be using a 2.2 kernel, a very old build of KDE, and so on. The fact is: Smart users don't get infected, naive users do.

    No, everyone who uses Windoze gets infected. It's not something you can do anything about because only M$ can "improve" the system. See here for well documented facts about the ongoing M$ security disaster. A market for Vista exploits just goes to prove that nothing has changed.

    Projecting Windows flaws to the free software world is not something you can do. The fact is that you can't even project those flaws to other non free OS like Mac. I dare you to tell me that all OSX users are somehow "smart" and that's why they don't get overrun with botnet malware. A user would be hard pressed to find a distro still using a 2.2 kernel and upgrading has never been hard. You have to go back four or five years for that, even in the conservative world of Debian. Sarge came with 2.4 and 2.6 kernels and Etch is about to go stable. Woody, back in 2001 or so, was the last time you could get a 2.2 kernel by default. More importantly, actual kernel problems have been patched up and never were the kind of threat found in the M$ world. KDE is as easy to upgrade as your OS is. I'm using Etch with KDE 3.5 to write this, on a 266 MHz PII laptop that probably came with a Win98 OEM CD and never could have been upgraded to 2000 let alone XP. In the non free software world, people use that OEM CD until they can't stand it, then consider the computer itself dead. The free software world is much easier than that. The proof, of course, is in the data: there are no widespread security problems outside the M$ world.

    --

    Friends don't help friends install M$ junk.

  68. Is it just me... by MikeTheMan · · Score: 1

    ...or did anyone else read the summary as "TrendMicro is selling Vista exploits for $50,000 a pop"

  69. Re:So? Re:Most people are not experts by FishWithAHammer · · Score: 1

    No, everyone who uses Windoze gets infected.

    I run XP SP2, Kaspersky, and run an antivirus/antispyware (Avast and Spybot) about once every month.

    I've never had a virus infection on this machine or my previous machine. The only virus I've ever gotten was one back in the days of Windows 95, when my parents plugged my computer directly into a 'net connection and I didn't yet know how to protect the computer properly.

    People who know what they're doing don't get infected. You are wrong.

    --
    "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
  70. Total Cost Of Pwnership by Anonymous Coward · · Score: 0

    So... the "total cost of pwnership" of a computer running Vista is $50,000. Interesting.

  71. Re:So? Re:Most people are not experts by Anonymous Coward · · Score: 0
    twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

    • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
    • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
    • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
    • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
    • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
    • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
    • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
    • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project, MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
    • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
    • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

    From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy

  72. The odds are against you. by twitter · · Score: 1

    I run XP SP2, Kaspersky, and run an antivirus/antispyware (Avast and Spybot) about once every month. I've never had a virus infection on this machine or my previous machine.

    Like 75% of Windows users, you probably rate your machine as "moderately" to "very" secure. Yet more than 80% of windows computers are part of the botnet. What do you think you know that 90% of windows users don't? It's all well laid out here in stunning and referenced detail.

    --

    Friends don't help friends install M$ junk.

    1. Re:The odds are against you. by FishWithAHammer · · Score: 1

      I don't run software that isn't vetted against rootkits, etc., and I keep very up-to-date on security issues with the operating system and associated programs.

      I don't pirate software; more than half of the problems I see when I'm fixing computers come from downloading cracks, etc. from unsafe sources and getting infected.

      I remain behind a hardware firewall with zero inbound ports.

      I don't accept media from others. If someone wants to give me a file, they can do so via e-mail, not a potentially infectious flash drive or CD.

      (Obviously these cannot always hold when using a laptop--and mine runs Linux.)

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    2. Re:The odds are against you. by jb.hl.com · · Score: 1

      Yet more than 80% of windows computers are part of the botnet.

      HAHAHAHAHAHAHAHAHAHAHAHA!

      HAHAHAHAHAHAHAHA! HAAAAAAAAAAAAAAHAHAHAHAAHAHAAHAHAHA!!!

      You make up statistics (80%?! please) and then babble on about "the botnet", this presumably being the same botnet that posts nasty things about you on Slashdot, sends spam emails, DDOSs websites and brought the Third Reich to power which you so lovingly reference all the time.

      Really, I have no idea how you have any credibility. Oh wait, you don't. Sorry.

      --
      By summer it was all gone...now shesmovedon. --
  73. "Hacker" by gerf · · Score: 1

    I always thought Hacker meant a guy who spat a lot.

  74. I misspoke... by hullabalucination · · Score: 1

    It will allow me to save the archive to disk, then extract the shell script and run it without altering permissions. What Thunderbird won't allow me to do is execute the embedded shell script directly; it will pass it off to the default archive manager but my manager will only allow me save the script or look at it in my default text editor. I could certainly configure the manager to run the script but that's not the default behavior out of the box.

    This, however, is a far cry from the last few Windows malware cleanups I've had to do for clients, friends and families who insist that they did no active downloading/unzipping of anything to get hit (and most of them are smart enough not to click on attachments from unknown sources). I've seen Java "dropper"-type malware get past my AV on first install (merely surfing to a Web page), but get flagged on subsequent activity. You always wonder if there is more stuff getting by that the AV isn't noticing.

    A surprising number of folks are still on Win98/Win2K and just refuse to upgrade (no matter what I tell them), so I figure I'll still be fielding requests to fix drive-by infections for a few years to come.

    1. Re:I misspoke... by toadlife · · Score: 1

      Understood. Some old email clients on Windows were certainly much more promiscuous than what you will see on UNIX-type desktops now. My point was only how trivial it would be to commandeer a UNIX type OS given the same conditions (lots of *dumb* users) as Windows.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  75. This is a stupid joke organized by FSF!!!! by ertisan · · Score: 1

    2006/12/15 BadVista.org: FSF launches campaign against Microsoft Vista http://badvista.fsf.org/

  76. Capitalism at its Finest by Larry_Dillon · · Score: 1

    All of the big companies and the government talk about how much they like capitalism, but then complain about things like this. But when you think about it, it's capitalism working exactly as it's supposed to: The market is assigning a dollar value to exploits.

    Microsoft has been very lax in the area of security, enabling a market to evolve around exploiting its weaknesses. Microsoft got itself into this position by maintaining a monopoly. Absent a monopoly, M$ would have had to compete on quality and would have been forced, by way of competing, more secure products, to secure its own systems.

    So, they may be able to cheat consumers, influence the US government's regulators, but in the long run they cannot escape market forces.

    --
    Competition Good, Monopoly Bad.
  77. Hm by mqduck · · Score: 1

    $50,000?? That's a lot of money to spend in the hope that you'll be given the code promised. I think there may be another possibility. Maybe the seller of this is hoping for just one customer: Microsoft. They don't want these things to be used, and what's $50,000 to them anyway?

    --
    Property is theft.
    1. Re:Hm by rickatnight11 · · Score: 0

      What would be the point of MS buying it? Best case they get a copy of the code...and the seller continues to distribute. It's not as if the product runs out.