For sale: A new Windows 8 zero-day vulnerability
-
You forgot the third type - the guy that walked past afterwards or even watched the lil' old lady unpack her things and leave her purse there. For a sum of just $5, he offers to tell her something that would be very much to her advantage. (Personally, I'd pay the b@stard then follow them home, but that's another matter.) Look, I agree - if the world was filled with #2 type of people then it would be a truly awe-inspiring, wonderful place to live. I think it's entirely impossible to have too many of them. It's the #2s that make CodeProject and other sites like it flourish. Each of us benefits from that. However, as far as I'm concerned, your analogy, while quite good, falls short of accurately modelling the situation being discussed. Neither person #1 nor person #2 could have _their_ privacy breached as a result of the lady's forgetfulness. Many millions of people stand to suffer as a result of these flaws Microsoft keeps asking us to beta test. The little old lady is not only unlikely, but also not suspected, to be building Molotov cocktails in her garden shed, ready to assault the neighbourhood. With that in mind, there is no perceivable benefit for the community at large in failing to reveal to her that she's left her purse out - and, in so doing, granted access to her home to anybody with her details. Furthermore, do you think the little old lady would then stroll out to collect her purse at a time that was convenient to her, regardless of the harm that may be caused to her neighbours/people in her phone-book in the time that the purse is not in her hands? Some companies have a history of being very slow to implement fixes, even after the exploits have been made public - I'm looking right at you, Adobe. Until such a time that Microsoft, Adobe et al try to buy the exploit details AND are refused, I think they're simply reaping what they've already sown.
It's our data and our lives they're elephanting with - if they can't be bothered doing it in a secure manner, and are too bull-headed (stubborn) to pay for someone else to do their homework for them, elephant em. I'm equally curious as to just why it is that you wish them to die a horrible death. Is it any of the following: a) They search for exploits b) They charge for their time and work c) They do it in part as a way of beating the offending company. How about releasing info on how to gain root access to your Android or iPhone? Is that done by those deserving a death in brimstone too? What about those that are reported to be in
But how much do you want them to spend? You are making the assumption that Microsoft does not care and actively ignores security vulnerabilities? Maybe they have in the past, but do you have any recent examples? Microsoft has stepped up its security game in recent years, and news I received from this website indicates that Microsoft software, despite its ubiquity, does not have any vulnerabilities in the top ten exploited vulnerabilities. A better analogy, perhaps, would be if you have a broken lock in your house and I sold knowledge of the lock to a local cat burglar - closer to being an accessory to the crime.
Idaho Edokpayi
-
The issue of an exact (or ballpark) figure for the sum paid is not something I have examined or considered. It's the willingness to approach and offer to pay something that I'm looking for. Not quite sure what of my words has led you to conclude that I assume Microsoft to be either/both disinterested/actively ignoring known vulnerabilities. In fact, I read just yesterday a request by one of their staff that adequate time to enact a fix be allowed between revealing the vulnerability to them and to the general public. (I'll look for a link when I'm done here.) Presumably, they are in the position of asking (rather than dictating) as a direct consequence of failing to enter into a commercial agreement with the holders of said vulnerabilities. My employer pays me, and before doing so has me sign an NDA. Simple. Paypal have a 'find-the-flaw' system, whereby they OFFER to pay for information related to security flaws in their products. Bad idea, or clever and practical? I like your analogy - did you approach the lock's maker first, offering the information you learned to them for a sum, in the interests of them improving their product? Or was this not a consideration, with you instead choosing to go straight to the thieves? In fact, something somewhat similar happened recently - the maker of electronic door-locks for hotel rooms has had their sloppy work exposed. (I understand that the lock manufacturer was not made aware of this earlier than others. :mad::(( ) Surely this situation is to the benefit of all except those that had formerly been taking advantage of the hack? http://www.forbes.com/sites/andygreenberg/2012/07/23/hacker-will-expose-potential-security-flaw-in-more-than-four-million-hotel-room-keycard-locks/ Thanks for your thoughts, I appreciate them. :)
Make it work. Then do it better - Andrei Straut
-
It's because I agree with your 2nd line that I think the Stuxnet and Flame virii were the lesser of a number of evils. In planting the virii, the time taken to successfully enrich uranium in Iran was increased, thus providing more time to analyze the threat (perceived or real) posed by a rogue state controlling nuclear materials. A quite possible alternative would have involved bombing the place into oblivion in the dead of night, much to the detriment of any staff in the facility at the time. Israel has certainly done that kind of thing before. But that's all a small facet of the problem at hand - it would be a shame to inflate its importance (I hope I haven't been seen to do so). Thank you for your thoughts, GeekForChrist. I appreciate them. :)
Make it work. Then do it better - Andrei Straut
enhzflep wrote:
Thank you for your thoughts, GeekForChrist. I appreciate them. :)
Thank you. :-D