LinuxQuestions.org
Old 11-05-2012, 09:37 AM   #1
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,441
Blog Entries: 4

Rep: Reputation: 1503
For sale: Windows 8 zero-day vulnerability


Hi,

Now we can see some insight into MS Win/8. Did not take long to find a security issue(s) for Microsoft's supposedly 'Most secure' OS ever.

For sale: Windows 8 zero-day vulnerability

I am sure it won't be long before this is verified and published.

Good read!
 
Old 11-05-2012, 11:20 AM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,648
Blog Entries: 2

Rep: Reputation: 4095
Come on, let's be fair. Those people are searching for exploits to sell them. Of course they are now concentrating on compromising a new and nonetheless soon to be very widely used OS. If Ubuntu would be as widely used as Windows (and that is what they want, see Bug #1) I doubt it would last longer to the attacks of those people than Windows. A whole army of crackers is torturing that OS, and of course they will find exploits.
 
Old 11-05-2012, 12:26 PM   #3
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,441
Blog Entries: 4

Original Poster
Rep: Reputation: 1503
Member Response

Hi,

Very fair for a company to make a profit.
Good enterprise to gain something from someone that is out to make a profit too. I see no fault in a company that finds vulnerabilities and sells to reputable clients. Just like someone who develops for OS to know security issues or vulnerabilities thus protecting their application(s).

Microsoft released the OS with Win/8 to be the safest ever, so if someone finds an exploit or weakness then by all means provide it to the highest bidder. Not sure if Microsoft has ever purchased from Vupen.
 
Old 11-05-2012, 11:05 PM   #4
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,452

Rep: Reputation: 1172
Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDE's are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)

But also: ZDE's do exist, and probably always will, as long as human beings are the ones who design computer software. Every operating system ever written has them; including of course Linux. It really isn't a slight on the software engineers at Microsoft, nor particularly upon Win8, to assert that they exist. They do. They always do.

Last edited by sundialsvcs; 11-05-2012 at 11:07 PM.
 
Old 11-05-2012, 11:28 PM   #5
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,496

Rep: Reputation: 68
I am not sure I would agree that Windows 8 will be the most popular OS. I think many people are going to stick with Windows 7. I played around with Windows 8 in a local computer store here for a little while and honestly I don't see why I would bother to upgrade. After you get past the horrible tablet interface and get to the real desktop it looks, feels, and acts like Windows 7. I know I am not your average consumer, but I think most people are going to see this as well, and I know for a fact that many if not almost all companies won't touch Windows 8 since it causes a massive loss in productivity due to user training. Let's be honest, anyone who has worked at a helpdesk knows that most business users are not the best with technology.
 
Old 11-06-2012, 02:10 AM   #6
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Rep: Reputation: 778
This does seem to have got a bit of publicity, including here.

Quote:
The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing vulnerability details with vendors, said that the exploit it has cooked up allows it to take over Windows 8 machines running Internet Explorer 10.
Sometimes controversial?

Or, from the Computerworld article

Quote:
Vupen occupies a gray area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organisations defend themselves from hackers, and in some cases, play offense as well.
Hmm, everyone would be better placed to defend themselves against hackers if Vupen disclosed back to Microsoft and Microsoft fixed in a timely manner. So that seems a little disingenuous, at best. Although, 'Microsoft' and 'timely' is problematic, too. But that's not the way that Vupen make money.

Quote:
So what's the vulnerability worth? It's hard to say. Vupen doesn't publish a public price list. But Melbourne said "the value of the bug will only increase with time, of course, the longer Vupen sits on it and if no one else stumbles upon it."
Quote:
Originally Posted by sundialsvcs
Well, it's kinda unethical to try to sell a ZDE, but it also would be a waste of anybody's money to buy them. ZDE's are widely publicized as soon as they are found. The odds of someone actually having a secret that no one else has are zero. (If they did, the first guy who bought it would probably blab.)
Here's the issue; normally security researchers do something approximating to full disclosure that allows the organisation which authors the software to correct the problem(s), preferably before anyone actually exploits the vulnerability. For this lot's intellectual property to be worth anything, they need to avoid the standard 'disclose and let fix' cycle for as long as possible, in order to monetise their discovery.

I tried to come up with an analogy for this behaviour, and the closest I came was 'I know the name of the serial killer, but I'm going to keep the details secret for now, because that way I get to blackmail them for longer' (not an exact analogy, but...). I don't think that you can regard this as entirely in the interests of humanity, but, as is said of a number of professions, they do have to make money, somehow. Anyhow, in private conversation, I'm leaning towards a slightly stronger expression than 'kinda unethical'.
 
Old 11-06-2012, 08:10 AM   #7
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,452

Rep: Reputation: 1172
It's also a way to inflate your own reputation among people foolish enough to buy from you. An independent review of the supposed vulnerability might quickly disclose snake-oil, and/or conclude that they're simply taking public knowledge and reselling it to suckers. If they don't tell you, not only don't you know, but you will tend to inflate your perception of them because, "I've got a secret, secret, secret ..." People love to think that they're "in on something," and I'm quite sure they'll buy it.
 
Old 11-06-2012, 10:28 AM   #8
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,441
Blog Entries: 4

Original Poster
Rep: Reputation: 1503
Member Response

Hi,

I would think if your 'secret(s)' are not valid then sooner than later customers would stop paying for your service. The company had better be reputable and able to continue providing a valid service thus return customers.

Security, be it personal or corporate is important or their service would never be used. Maybe for paranoia driven companies or people but for valid user concerns to have a secure system environment like MS Windows.
 
Old 11-06-2012, 04:22 PM   #9
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,452

Rep: Reputation: 1172
In legitimate security circles, there are no secrets-through-obscurity. You just got conned into paying for "a secret" that might not be one at all, and whose only legitimate purpose in life is breaking-and-entering anyway.
 
All times are GMT -5.