From: Chris Poulter (Chris.Poulter@uniqueworld.net)
Date: Tue Dec 19 2006 - 19:29:25 EST
Roger,
I'm hoping Vista will be a surprise, my presumption (and presumptions
are only a personal view) is based on the number of XP exploits over the
2006 period which could be considered the time that MS started to vamp
up its security efforts, which I think is relative to the development
time frames of Vista and its security implementations, and the "talk" of
Vista exploits, although small, is actually relative to the number of
Vista machines deployed and only RTM availability, with commercial
coming next year.
Mind you, I sort of void my argument above since most of the people
doing vulnerability testing on Vista would have an illegal copy and are
able to fully delve into Vista at this early stage of its life...
Having said all that, maybe me saying "everyone is expecting" was
premature as it was my presumption of the communities feelings based on
past MS experiences, not solid fact....like you said, only time will
tell...I personally like the intuitiveness of Vista and some of its new
core features, the security and stability side on the other hand will
play its course over the coming years...
Chris
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Sels, Roger
Sent: Tuesday, December 19, 2006 11:11 PM
To: pen-test@securityfocus.com
Subject: RE: Trend Micro's Vista "0day exploit auction" claim
Chris,
Good points.
However how did you come to the ascertion that everyone is expecting
lots
of exploits ? I for one didn't express this opinion.
Keeping Windows 2003 in mind (and how widely it's deployed, admittedly)
we
could be in for a surprise with Vista. Maybe that's too optimistic ;
only
time will tell.
Kr
Roger
On Wed, December 20, 2006 12:54 am, Chris Poulter wrote:
> 50k per vulnerability opposed to hundreds (unlikely) 60-100k/year
> (unlikely) - the Q/A's might only get 40-50k/year, a security
> vulnerability technician would be the one getting paid the big bucks,
> but there wouldn't be "hundreds" of them? - how do you work that one
out
> to be more feasible?
>
> Considering everyone is presuming there will be lots of exploits,
> 50k/exploit will equate to a much larger payout....
>
> And exploit the exploiters? - how do you figure this one as well?
> Someone getting paid 50k/exploit is far more beneficial to the
> "exploiter" than getting nothing and just sharing the love....where MS
> would lose out more if this happened and leave them more exposed...
>
> I'm not arguing for either side of the case as I haven't looked into
it
> enough to make my own judgment, but I don't think your assessment is
> accurate...
>
> -----Original Message-----
> From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
> On Behalf Of Cody Tubbs
> Sent: Wednesday, December 20, 2006 10:40 AM
> To: Radu Oprisan
> Cc: pen-test@securityfocus.com
> Subject: Re: Trend Micro's Vista "0day exploit auction" claim
>
> It's cheaper to pay kids 50k for actually finding flaws, rather than
> paying hundreds of QA engineers 60-100k a pop to spend months finding
> nothing. Another reason M$ sucks, exploit the exploiters.
>
> -Cody Tubbs
>
> Radu Oprisan wrote:
>> Ryan Meyer wrote:
>>
>>> A number of popular tech news sources are reporting Trend Micro's
> CTO,
>>> Raimund Genes, publicly claiming that there are "auctions" for
> zero-day
>>> Windows Vista exploits. Further, he claims these auctions are
> fetching
>>> approx $50,000.
>>>
>>> Could anyone verify Trend Micro's claim?
>>>
>>
>>
>>> It seems dubious, at best, to me and possibly nothing more than pure
> FUD.
>>>
>>> Sorry to get off topic.
>>>
>>> Ryan Meyer
>>>
>>
>> This could also be some covert way for microsoft to find their own
>> vulnerabilities. That has happened before.
>>
>>
>
>
>
-- Life is 10 percent what you make it and 90 percent how you take it. - Irving Berlin
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:28 EDT