[Dailydave] Some Sums
Olef Anderson
olef.anderson at gmail.com
Thu Feb 8 12:48:36 EST 2007
About this whole fuzzer business, how about putting some cold hard cash
where the corporate mouthpiece is at ?
Since obviously you happen to have some VC money, a booth at the RSA floor
is a sign, you can back your claims with real currency. I would love to give
you the opportunity.
Lets take the latest Microsoft Exchange release (2007) and 2 weeks of your
time running your PROTOS fuzzer. At the end of the 2 weeks if you can find
the existing remote root hole in it, I am offering to pay you the bugs worth
of $150 000.00. However If you are not successful, I should be payed the
very same amount which in return I shall present you the exploit. From that
point you will be free to coordinate vendors, release advisories whatever it
takes. Just to clarify a point though, no DoSes are acceptable, should be an
overflow that leads to clear code execution ( the mailing list subscribers
could be the judge of that).
Wouldn't that be nice to prove that you actually know what you are talking
about ?
On 2/7/07, Ari Takanen <ari.takanen at codenomicon.com> wrote:
>
> Hmmm, distantly related to this: Maybe us fuzzer developers should
> save hashes of some millions of attacks somewhere also, so that we can
> prove our tools were used to find the flaws in the first
> place... Looking at past iDefence disclosures for example, I am
> beginning to doubt that they reward for publishing flaws instead of
> finding flaws (this is like patent system in Europe which rewards
> first to file, not first to invent)... More and more flaws are found
> using tools, and pre-packaged attacks. If a flaw is found using a
> product like Codenomicon/PROTOS or CANVAS, I supposed the reward
> should also be paid to the tool developer and not the tool user. ;)
>
> Tongue-in-the-cheek-greetings,
>
> /Ari
>
> > Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)
> > From: "Steven M. Christey" <coley at mitre.org>
> > Subject: Re: [Dailydave] Some Sums
> > To: dailydave at lists.immunitysec.com
> > Message-ID: <200702070711.l177BGJw026300 at faron.mitre.org>
> >
> >
> > > I take it that's going to be the hash of some file or other data
> > > you're > going to produce for someone at sometime in the future?
> > > Couldn't you just > have used a ZK protocol and left us all out of
> > > it? ;-) If you're going to use > our inboxes as substitutes for
> > > escrow/notarisation centres, you could perhaps > tell us just a
> > > little bit more about what you're doing!
> >
> > MD5/SHA-1 crackability issues aside*, the next question that
> > immediately comes to mind is why there isn't a central place for
> > researchers to do exactly this - make a claim about knowledge that's
> > provably fixed in a certain place and time. Oh, wait, we're all
> > individuals and we don't need anybody else. There's no need to
> > organize in any way, shape, or form. After all, when Ilfak posted
> > that third-party patch, ABSOLUTELY EVERYBODY knew who he was and
> > immediately trusted him, so why not Halvar? Sorry, I forgot about the
> > outside world for a second.
> >
> >
> > Snarkily and respectfully,
> > Steve
> >
> >
> > * crypto is my kryptonite, I defer to the geniuses.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.immunitysec.com/pipermail/dailydave/attachments/20070208/cf9b5136/attachment-0001.htm
More information about the Dailydave
mailing list