LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   General (http://www.linuxquestions.org/questions/general-10/)
-   -   For sale: Windows 8 zero-day vulnerability (http://www.linuxquestions.org/questions/general-10/for-sale-windows-8-zero-day-vulnerability-4175435720/)

onebuck 11-05-2012 08:37 AM

For sale: Windows 8 zero-day vulnerability
 
Hi,

Now we can see some insight to MS Win/8. Did not take long to find a security issue(s) for Microsoft's supposedly 'Most secure' OS ever.

For sale: Windows 8 zero-day vulnerability I am sure it won't be long before this is verified and published.

Good read!

TobiSGD 11-05-2012 10:20 AM

Come on, let's be fair. Those people are searching for exploits to sell them. Of course they are now concentrating on compromising a new and nonetheless soon to be very widely used OS. If Ubuntu would be as widely used as Windows (and that is what they want, see Bug #1) I doubt it would last longer to the attacks of those people than Windows. A whole army of crackers is torturing that OS, and of course they will find exploits.

onebuck 11-05-2012 11:26 AM

Member Response
 
Hi,

Very fair for a company to make a profit.
Good enterprise to gain something from someone that is out to make a profit too. I see no fault in a company that finds vulnerabilities and sells to reputable clients. Just like someone who develops for OS to know security issues or vulnerabilities thus protecting their application(s).

Microsoft released the OS with Win/8 to be the safest ever, so if someone finds a exploit or weakness then by all means provide it to the highest bidder. Not sure if Microsoft has ever purchased from Vupen.

sundialsvcs 11-05-2012 10:05 PM

Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDE's are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)

But also: ZDE's do exist, and probably always will, as long as human-beings are the ones who design computer software. Every operating system ever written has them; including of course Linux. It really isn't a slight on the software-engineers at Microsoft, nor particularly upon Win8, to assert that they exist. They do. They always do.

exvor 11-05-2012 10:28 PM

I am not sure I would agree that windows 8 will be the most popular OS. I think many people are going to stick with windows 7. I played around with windows 8 in a local computer store here for a little while and honestly I don't see why I would bother to upgrade. After you get past the horrible tablet interface and get to the real desktop it looks, feels, and acts like windows 7. I know I am not your average consumer, but I think most people are going to see this as well, and I know for a fact that many if not almost all companies wont touch windows 8 since it cause a massive loss in productivity due to user training. Lets be honest anyone who has worked at a helpdesk knows that most business users are not the best with technology. ;)

salasi 11-06-2012 01:10 AM

This does seem to have got a bit of publicity, including here.

Quote:

The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing vulnerability details with vendors, said that the exploit it has cooked up allows it to take over Windows 8 machines running Internet Explorer 10.
Sometimes controversial?

Or, from the Computerworld article

Quote:

Vupen occupies a gray area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organisations defend themselves from hackers, and in some cases, play offense as well.
Hmm, everyone would be better placed to defend themselves against hackers if Vupen disclosed back to Microsoft and Microsoft fixed in a timely manner. So that seems a little disingenuous, at best. Although, 'Microsoft' and 'timely' is problematic, too. But that's not the way that Vupen make money.

Quote:

So what's the vulnerability worth? It's hard to say. Vupen doesn't publish a public price list. But Melbourne said "the value of the bug will only increase with time, of course, the longer Vupen sits on it and if no one else stumbles upon it.
Quote:

Originally Posted by sundialsvcs (Post 4823104)
Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDE's are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)

Here's the issue; normally security researchers do something approximating to full disclosure that allows the organisation which authors the software to correct the problem(s), preferably before anyone actually exploits the vulnerability. For this lot's intellectual property to be worth anything, they need to avoid the standard 'disclose and let fix' cycle for as long as possible, in order to monetise their discovery.

I tried to come up with an analogy for this behaviour, and the closest I came was 'I know the name of the serial killer, but I'm going to keep the details secret for now, because that way I get to blackmail them for longer' (not an exact analogy, but...). I don't think that you can regard this as entirely in the interests of humanity, but, as is said of a number of professions, they do have to make money, somehow. Anyhow, in private conversation, I'm leaning towards a slightly stronger expression than 'kinda unethical'.

sundialsvcs 11-06-2012 07:10 AM

It's also a way to inflate your own reputation among people foolish enough to buy from you. An independent review of the supposed vulnerability might quickly disclose snake-oil, and/or conclude that they're simply taking public knowledge and reselling it to suckers. If they don't tell you, not only don't you know, but you will tend to inflate your perception of them because, "I've got a secret, secret, secret ..." People love to think that they're "in on something," and I'm quite sure they'll buy it.

onebuck 11-06-2012 09:28 AM

Member Response
 
Hi,

I would think if your 'secret(s)' are not valid then sooner than later customers would stop paying for your service. The company had better be reputable and able to continue providing a valid service thus return customers.

Security, be it personal or corporate is important or their service would never be used. Maybe for paranoia driven companies or people but for valid user concerns to have a secure system environment like MS Windows.

sundialsvcs 11-06-2012 03:22 PM

In legitimate security circles, there are no secrets-through-obscurity. You just got conned into paying for "a secret" that might not be one at all, and whose only legitimate purpose in life is breaking-and-entering anyway.


All times are GMT -5. The time now is 11:14 PM.