Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days (bleepingcomputer.com)
Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000, for the right exploit.
Meanwhile: Windows exploits are still only worth $2.
We already have more than enough for Windows and MacOS, no need to pay for anything there.
This makes me sad. People working on open source projects get nothing. Sometimes they get some money. Sometimes they get some fame. People who don't build anything, but find a hole, they are heroes, they get prizes, they are worshiped.
If there is a commonly used open source library without hackable bugs, you won't even hear about the author who committed his/her own time to build reliable software.
If someone finds a bug, then she will get some prize, and will be invited to a conference. And the library author will be publicly bashed as an idiot.
Sometimes open source people don't even get mentions.
I was working on a patch for a huge open source project once. I spent hours on that. Two other people helped me, they also spent some significant time on that. And we managed to implement this. Who was mentioned in the release changelog? The person who committed that. Then I stopped spending my precious time on things like giving someone else the credit for my work. I love programming, I work on my own projects instead.
And all that makes me sad.
...in compromising the comps of the 8 people in the world using Unix?
Being OSS systems, there's now real incentive for bad actors to try to INSERT "zero day" exploits into mainline code, putting yet even more pressure on maintainers to try and keep them out.
Creating a zero day so obscure that nobody notices and then you sell it.
Wondering if the price is the same even if you write the bug...
now... let me see the quality of systemd code...
...BSD is dying!!!
I snail-mailed in my comment.
> now... let me see the quality of systemd code
That's where I would go looking. Lennart Poettering has been pretty clear that his perspective is that it's not his job, or the job of the systemd developers, to write secure, robust code. It's the job of the annoying security people to point out the security issues and then convince him that the problem is so bad it absolutely must be fixed - even though that takes up time that could instead be used to make systemd bigger and more comprehensive.
The last time I saw a similarly bad attitude about security was WordPress about 12 years ago. The leadership at WordPress got a better attitude after the media reported widespread exploits of exactly the kinds of exposures I had warned them about a couple years before.
They are going to break the world.
Step 1) Create an init system riddled with vulnerabilities and bad code
Step 2) ?
Step 3) Profit!
And now we know that step 2 is to sell them to Zerodium
Not a good idea, unless they are also released to the public for their self defense against the authorities.
Here goes my bid !!!
This article has several links to Poettering responding to security bugs, and what he's (not) going to do to fix problems, or note any fixes in the changelogs or commit messages. This is why he won the Pwnie award for lamest vendor response to security issues.
https://www.theregister.co.uk/...
Firstly, it would have made a hell of a lot more sense to spell it "Zerodiem". Somebody probably took the dot-com already.
Secondly, buying exploits only to turn around and sell them to actors of questionable intent is pretty scummy. In fact, it's downright shitty. Shame on you.
0-day exploit in OpenBSD? Hahahaha
If Linux gets pwned then all of the shitty windows systems surfing the web are about to get pwned too.
I wonder if apk hosts file engine is exploitable?
At 12,000 lines for something that consolidates existing host files it probably is.
So by extension, also RedHat Enterprise Linux, Scientific Linux, and Oracle Linux?
And today Alexander Peter Kowalski decides to prove that he is the biggest fucking retard to ever walk the planet. His software does nothing to protect against these types of attacks. At best his software will stop your computer from doing a DNS lookup of a host that was maybe making use of one of these exploits long after a patch was available and long after that host started utilizing that exploit. Too bad for him that there are measures that provide real security some of which actually stand a chance of protecting from unknown attacks. This is something that APK's work can never do as it only makes a feeble easily circumvented attempt to stop well known hosts that may make use of an exploit.
Maybe APK should instead state that his work is:
The least efficient, most naive way of trying to provide security.
At least then he would be telling the truth.
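As an added illustration of the point made in the post above (this is example code written for this page, not code from the thread, from APK's tool, or from any blocklist project), here is a minimal model of what a hosts-file blocklist does at resolution time. The blocklist text and every hostname in it are constructed placeholders. It shows the three outcomes that matter for the argument: a listed name is sinkholed before any DNS query is sent, an unlisted name (including a subdomain of a listed one, since the hosts file has no wildcard syntax) goes straight to DNS, and a target given as an IP literal never consults the hosts file at all.

```python
"""
Added example, not from the thread or from any hosts-file tool: a model of
hosts-file blocking and the cases it cannot cover. All hostnames and the
blocklist below are constructed for the example.
"""
import ipaddress
from typing import Dict, Iterable

# Constructed sample in hosts-file syntax: "<ip> <hostname> [alias ...] [# comment]".
# Sinkholing to 0.0.0.0 makes connection attempts fail fast instead of hitting localhost.
SAMPLE_HOSTS = """\
# constructed sample; not a real blocklist
127.0.0.1   localhost
0.0.0.0     ads.example.test          # ad server (placeholder)
0.0.0.0     c2.bad-example.test       # botnet controller (placeholder)
0.0.0.0     tracker.example.test analytics.example.test
"""

# Addresses commonly used as a sinkhole by blocklists (assumption for this model).
SINKHOLES = {"0.0.0.0", "::"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for every non-comment entry, lower-cased.

    The hosts file is matched label-for-label: "ads.example.test" does not
    cover "cdn.ads.example.test", because the format has no wildcards.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".")] = ip
    return table


def is_ip_literal(target: str) -> bool:
    """True if the target is already an IPv4/IPv6 address (no name lookup will happen)."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolve(target: str, table: Dict[str, str]) -> str:
    """Model the decision the resolver makes before any DNS packet leaves the host.

    "BLOCKED"   -> name is in the hosts file and sinkholed
    "PINNED:ip" -> name is in the hosts file and mapped to a real address
    "DNS"       -> name unknown to the hosts file; a real resolver query follows
    "BYPASS-IP" -> target is an IP literal; the hosts file is never consulted
    """
    if is_ip_literal(target):
        return "BYPASS-IP"
    ip = table.get(target.lower().rstrip("."))
    if ip is None:
        return "DNS"
    return "BLOCKED" if ip in SINKHOLES else f"PINNED:{ip}"


def check_all(targets: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Resolve each target against the table and return {target: verdict}."""
    return {t: resolve(t, table) for t in targets}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    probes = ["ads.example.test", "cdn.ads.example.test",
              "203.0.113.7", "new-host.example.test", "localhost"]
    for target, verdict in check_all(probes, table).items():
        print(f"{target:24} -> {verdict}")
```

The model is deliberately narrow: it says nothing about whether the page fetched from an unblocked host carries an exploit, only whether the name lookup is short-circuited. That is the gap the post above describes, and it is why a hosts file is a complement to patching rather than a substitute for it.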
You advertisers FEAR my hosts program blocking ads that infect/track/slow us & you try CENSORSHIP hiding my posts downmodbombing 'em (I run you DRY of 'em in the end every single time)!!
* You'll ALWAYS fail vs. me & you know it - give up - you have NO POWER over me (you know - the thing "your kind" CRAVES because you've always been powerless wimps, lol)
(HOWEVER - I quite CLEARLY have POWER over you - FEAR, proven by you STALKING ME constantly via your UNIDENTIFIABLE anonymous posts proving you DO indeed, FEAR me...)
MORE PROOF that "your kind" FEARS my program AND me:
You VAINLY tried to "downmod hide" THIS post last time I posted it https://tech.slashdot.org/comm...
(No matter - I nullify your MULTIPLE SOCKPUPPET farmed "downmodpoint" EFFETE useless 'weapon' EASILY since I have UNLIMITED posting ability vs. most AC posters - you LOSE again as ALWAYS as I run you DRY of your "downmodpoints" inevitably by REPOSTING... lol!)
APK
P.S.=> THANK YOU Jesus for keeping WEEZILS like him on the low end of the food chain since God HELP us if "your kind" (the 'not-men' UNIDENTIFIABLE anonymous DO-NOTHING "ne'er-do-well" JEALOUS "Lil' Jowies" (lol) in LIFE) ever DO get power - you're the WRONG KIND to have it - as you ABUSE it since you've NEVER had it or responsibility that COMES w/ it & you never will & you KNOW it (vainly seeking it online & there you FAIL too & I'm the PROOF thereof))... apk
Hosts BLOCK sources of malscript (faster vs. slower usermode parse in NoScript), malware, botnet C&C's that USE such exploits the article alludes to FAR more efficiently on resources used (fewer moving parts bloating RAM/CPU use + opening doors for EXPLOIT (see Tavis Ormandy on AntiVirus & DNS redirect poisoning) + do more for FAR less vs. ANY 1 competing method, natively & aren't 'souled-out' like AdBlock (ADVERTISER BRIBED to not do the 1 job it has by DEFAULT most users won't change as they don't dig into settings) w/ its usermode slow (vs. kernelmode cpu time precedence Ring 0 speed hosts has) & messagepass + RAM bloat onto usermode slow browser when addons are stacked OR parsing slow!
* CAN'T BE HARMED BY WHAT YOU CAN'T TOUCH & thus it can NEVER harm you!
APK
P.S.=> Go away ADVERTISER (you fear me & WHY) https://it.slashdot.org/commen...
Cool story, bro. You Linturds are in for some serious hurt. The butthurt unleashed when the floodgates open on Linux exploits is gonna be amazing to experience first-hand.
Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017
his hosts program is actually pretty good by xenotransplant August 10 2015
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015
I like your host file system by Karmashock September 09 2015
I do use APK's host file on all my systems at home by OrangeTide December 01 2017
APK I know people give you a lot of shit regarding hosts but please don't ever stop nasredin June 12 2015
I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017
* Best part = Linux 64-bit model's faster/more efficient (2x the work in 1/2 the time)
APK
P.S.=> For a faster/safer/more reliable internet... apk
Selling them to the government. And they're buying it? If I did it, they would put me in prison for it.
Are you going to be an asshole and sellout to this company? Or will you do the right thing? I'd sell it to them, collect their dirty money, and then publicly notify the right people. Then maybe disappear for a while, heheheh!
> I do use APK's host file on all my systems at home by OrangeTide December 01 2017
I've terminated my use of APK hosts. Too much spam from the creator.
See subject: By users (12,000 single space lines) & why I chose Object Pascal for it (length built-in 4 strings & works on strings) vs. C++ my other fav per https://apple.slashdot.org/com... + Pascal's/Delphi's outperforms C++ by MORE than DOUBLE in the past tests in MATH & STRING work (which EVERY program does mind you).
* IF someone were to FIND such a bug I'd correct it fast too! I wrote ALL of its code from scratch/by hand into a SINGLE 'stand-alone' TRUE executable file & NO external dependencies (other than OS & IP stack API).
APK
P.S.=> Hasn't happened YET to date in either Win32/64 OR Linux versions (after 6++ yrs. of this current codebase's PUBLIC release (1st was in 2001, no bugs found there either))... apk
See subject & APK Hosts File Engine 2.0++ 64-bit for Linux: http://apk.it-mate.co.uk/APKHostsFileEngineForLinux.zip
Yields more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address that most firewalls use) more efficiently/FASTER + NATIVELY 4 less!
(Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploitation).
* ONLY 1 of its kind in GUI on Linux!
Better vs. Windows model in speed/efficiency/merge.
APK
P.S.=> What you can't touch can't hurt you... apk
Anyone's free to read what I wrote will know you're full of crap as usual ya UNIDENTIFIABLE anonymous troll that STALKS me like a psycho you are.
APK
P.S.=> Long ways on this thread for one of your POST BURIALS you try by "forum sliding" lol, & I also see I've RUN YOU DRY of your "downmodpoints" you MULTIPLE SOCKPUPPET farm to abuse to downmodbomb me too, lol - you're all outta ammo (I never am & just repost until you + your many sockpuppets are & I win, always).... apk
This crap company is disgusting and should be nuked off the face of this earth, and so should the shady sub-human garbage behind this shit company.
See subject, says it all & sad to see you go was nice while it lasted!
* ... but @ least I'm on topic (stalling zero-day malware payloads) - you're not - I also keep another quote from you on how hosts files stall ads even in video streams too!
(... & now? It's "Miller Time" on a HOT summer night on my deck w/ some pals soon this evening under the stars playing chess, cards & drinking beers & having a cookout (chicken & burgers))
APK
P.S.=> "Onwards & UPWARDS"... apk
You are clearly a fake APK
Everyone knows that the real APK sucks gigantic moose cock, not goat cock.
Why would an advertiser need to impersonate you? You do more damage to your own brand than they could do if they tried.
Unfortunately APK is not functional or well. Since his work is so inconsequential, he needs to spam and be obnoxious so that he can feel like he matters.
I don't have to: Registered /.ers do for me https://it.slashdot.org/commen... but not 4u JEALOUS "Lil' Jowie" (lol) the do-NOTHING "Ne'er-Do-Well" who STALKS ME by UNIDENTIFIABLE anonymous posts!
* RoTfLmAo!
APK
P.S.=> I go easy next time I TEAR YOU & YOUR easily dismantled 'points' apart (since you made THIS so easy to do) https://it.slashdot.org/commen... where you FAILED vs. ME & your security issue riddled, crippled, buggy, inefficient, SLOWER & LESS capable "so-called 'solutions'" FAIL vs. hosts ... apk
APK
P.S.=> See subject: ONLY THING THAT'S DAMAGED HERE IS YOUR LIMITED BRAIN (lol)... apk
The past few days, 1 source of hosts data I use intercepts s0.2mdn.net & gets in the way of TONS of music videos' ads (but makes me reload 2x to get them to play).
* You have to understand, OrangeTide, that I MYSELF don't do the blocking (other than my OWN searches or findings on MY PERSONAL HOSTS FILE here on my system) - my sources, do!
(Hence, my app allows you to EDIT in/out what you wish OR put an exception into its filters (only currently possible on Linux model, Windows one is hardcoded BUT SAME EXACT LIST...)).
APK
P.S.=> However, I also know you KNOW all this already - why you're doing what you are now, I have no idea... apk
Says my UNIDENTIFIABLE anonymous STALKER full of such "integrity" (not) & "courage" (especially not in fear of me obviously) + "ne'er-do-well" bs as he has NOTHING to show for himself yet vainly TRIES to "put down" my work others like & use... lol!
APK
P.S.=> I must've REALLY "got your goat" @ some point SO BADLY that you WASTE YOUR TIME (in your obviously WASTED life) STALKING ME by UNIDENTIFIABLE anonymous posts - which you MOST likely started trying to "take me on" & I SHOT YOU TO PIECES (beneath 1 of your many SOCKPUPPETS accounts "your kind", the 'not-men' as I call you, use to farm 'downmodpoints' I always RUN YOU DRY of easily nullifying your 1 effete useless weapon too) & you're QUITE OBVIOUSLY still "butthurt" your FRAGILE EGO couldn't take it - clue: Don't start things YOU can't finish - since YOU certainly CAN'T FINISH ME, lol - I'm way too STRONG for WEEZILS like you... apk