Dailydave mailing list archives

RE: funny comments from Hack IIS6 contest admin


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 14 May 2005 08:51:05 -0400

Re-read the posting.  I said MOST people on the list would not be able
to hack the site if the reward was bigger.  That is because MOST people
on the list don't have the skillz and could not acquire them.  Serious
hacking is something either you have or you don't...I'm not talking
about the hacking where you must rely on a misconfiguration to be
successful (because our box is not misconfigured), but the zero-day
stuff.

I assure you that the hackers that are capable of hacking this box are
motivated for far less money, if any.  Take Dave at Immunity.  He makes
more money than the average hacker, but I assure you that he makes far
less than $250K on each hack he discovers.  (Tell me if I'm wrong,
Dave).  Professional hackers may make more than $250K, but what
motivated them initially was far less money, if any.  The best hackers
in the world that released the most devastating exploits, did it for
free...not money. It was either to improve the product or for the
"glory" in the community.  Consistent hackers...the best...want more
money...but what motivated them initially was far less.

Would more money motivate more people?  Yes, of course.  But Anthony,
people like you wouldn't be able to hack it regardless of the award.  In
fact, Anthony, I'll personally give you, and you alone, $2000 reward of
my own money, if you hack it (by yourself without any external help) by
midnight tonight.  Go!

In fact, tell me the IP address you're hacking from (so I can track you)
and send one original hack that might possibly be successful...I doubt
you can even do that.  It won't get you any award, but at least I won't
see you as the poser you so obviously are.

Or are you already calling your more knowledgeable friends for help or
deciding on what witty response to send why you don't hack my box?

Roger A. Grimes
admin () hackiis6 com

-----Original Message-----
From: Anthony Zboralski [mailto:bcs2005 () bellua com] 
Sent: Friday, May 13, 2005 4:38 PM
To: dailydave
Cc: Roger A. Grimes
Subject: funny comments from Hack IIS6 contest admin

Did you guys notice this dumb Hack IIS6 Contest to win an Xbox?

     http://www.hackiis6.com

Below are the comments I posted on Slashdot and a reply from Roger
Grimes, who claims that if MS increases the price to $250K it will not
affect the result of the contest:))


Is this a joke?!? The reward is worthless! (Score:3, Informative)
by acz (120227) <z&hert,org> on Friday May 06, @08:15AM (#12448998)

You have to be retarded to use an 0day IIS exploit to win an XBox when
you can sell it for around 20K or impress customers during a pen test...
(A pen test can be worth between 15K to 200K depending on the scope of
the project).

One hour of security consulting earns you an XBox, why bother with this
contest?

Link to post on vuln sharing club, here [immunitysec.com]

Re:Is this a joke?!? The reward is worthless! (Score:1)
by acz (120227) <z&hert,org> on Friday May 06, @10:31AM (#12449395)

make the reward 250K and this web site will be hacked right away.

Re:Is this a joke?!? The reward is worthless! (Score:0)
by Anonymous Coward on Friday May 06, @07:12PM (#12453220)

This sort of claim is so not true. Ebay, Microsoft, Msn, Hotmail, and so
many other sites run on IIS 6. Certainly, there is financial gain beyond
$250K to be made if you successfully hack those sites. They aren't (while
you can never be sure any computer system isn't hacked...they aren't
publicly known to be hacked).

Hacking success is driven by desire and consistent effort, only a bit of
which is money-driven. The spyware and ad-ware related hackers are
certainly driven by money, but many other hackers (i.e. gov't
hackers) aren't.

It's probably safe to say that most people on this list, including
anyone claiming so (like you) would not be able to hack the site if
given a bigger prize. Some might...but the ones who can really do it
aren't out making knowingly false claims and bragging of skills they
don't have and probably couldn't acquire. Of course, on the other end of
the spectrum, if given a bigger prize, I would probably secure the site
beyond the basics as well...and things like that...so it would not be a
one-sided build up.

Roger A. Grimes
admin () hackiis6 com

Re:Is this a joke?!? The reward is worthless! (Score:1)
by acz (120227) <z&hert,org> on Friday May 13, @10:24PM (#12523673)

Some of the companies you have mentioned have been hacked and will be
hacked again... Didn't Microsoft get winnt4 and win2k src stolen last
year? (it's probably still on edonkey.)

I was talking about legal ways to make money from a vulnerability or
exploit without resorting to fraud or crime.

