<br>About this whole fuzzer business, how about putting some cold hard cash where the corporate mouthpiece is at ?<br>Since obviously you happen to have some VC money, a booth at the RSA floor is a sign, you can back your claims with real currency. I would love to give you the opportunity.
<br><br>Lets take the latest Microsoft Exchange release (2007) and 2 weeks of your time running your PROTOS fuzzer. At the end of the 2 weeks if you can find the existing remote root hole in it, I am offering to pay you the bugs worth of $150
000.00. However If you are not successful, I should be payed the very same amount which in return I shall present you the exploit. From that point you will be free to coordinate vendors, release advisories whatever it takes. Just to clarify a point though, no DoSes are acceptable, should be an overflow that leads to clear code execution ( the mailing list subscribers could be the judge of that).
<br><br>Wouldn't that be nice to prove that you actually know what you are talking about ?<br><br><div><span class="gmail_quote">On 2/7/07, <b class="gmail_sendername">Ari Takanen</b> <<a href="mailto:ari.takanen@codenomicon.com">
ari.takanen@codenomicon.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hmmm, distantly related to this: Maybe us fuzzer developers should
<br>save hashes of some millions of attacks somewhere also, so that we can<br>prove our tools were used to find the flaws in the first<br>place... Looking at past iDefence disclosures for example, I am<br>beginning to doubt that they reward for publishing flaws instead of
<br>finding flaws (this is like patent system in Europe which rewards<br>first to file, not first to invent)... More and more flaws are found<br>using tools, and pre-packaged attacks. If a flaw is found using a<br>product like Codenomicon/PROTOS or CANVAS, I supposed the reward
<br>should also be paid to the tool developer and not the tool user. ;)<br><br>Tongue-in-the-cheek-greetings,<br><br>/Ari<br><br>> Date: Wed, 7 Feb 2007 02:11:16 -0500 (EST)<br>> From: "Steven M. Christey" <
<a href="mailto:coley@mitre.org">coley@mitre.org</a>><br>> Subject: Re: [Dailydave] Some Sums<br>> To: <a href="mailto:dailydave@lists.immunitysec.com">dailydave@lists.immunitysec.com</a><br>> Message-ID: <
<a href="mailto:200702070711.l177BGJw026300@faron.mitre.org">200702070711.l177BGJw026300@faron.mitre.org</a>><br>><br>><br>> > I take it that's going to be the hash of some file or other data<br>> > you're > going to produce for someone at sometime in the future?
<br>> > Couldn't you just > have used a ZK protocol and left us all out of<br>> > it? ;-) If you're going to use > our inboxes as substitutes for<br>> > escrow/notarisation centres, you could perhaps > tell us just a
<br>> > little bit more about what you're doing!<br>><br>> MD5/SHA-1 crackability issues aside*, the next question that<br>> immediately comes to mind is why there isn't a central place for<br>> researchers to do exactly this - make a claim about knowledge that's
<br>> provably fixed in a certain place and time. Oh, wait, we're all<br>> individuals and we don't need anybody else. There's no need to<br>> organize in any way, shape, or form. After all, when Ilfak posted
<br>> that third-party patch, ABSOLUTELY EVERYBODY knew who he was and<br>> immediately trusted him, so why not Halvar? Sorry, I forgot about the<br>> outside world for a second.<br>><br>><br>> Snarkily and respectfully,
<br>> Steve<br>><br>><br>> * crypto is my kryptonite, I defer to the geniuses.<br>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunitysec.com">Dailydave@lists.immunitysec.com
</a><br><a href="http://lists.immunitysec.com/mailman/listinfo/dailydave">http://lists.immunitysec.com/mailman/listinfo/dailydave</a><br></blockquote></div><br>