Dailydave mailing list archives

RE: RE: funny comments from Hack IIS6 contest admin


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sat, 14 May 2005 21:31:21 -0400

I've heard of both of you.  Dave, I've used your software many times
before.  Sorry if I wasn't in awe enough for your egos.

An invitation to hack a box located at www.hackiis6.com with web pages
full of "hack me" text certainly doesn't need a signed
authorization...it's explicit already. 

So as you both are making sport of me, tell me how my statement is
false?  

First, there haven't been many 0-day exploits against W2K3 and IIS 6 (if
any), and not that many against Windows products at all since 2000 was
released. 

Dave, how many hackers and exploit writers do you know that are
motivated to write exploits by large sums of money?  They want money for
sure...but most discover and release the exploits for free.  Another
large category of exploits are released to give free publicity to
security companies (like yours).  Yeah, there are professional black
hats that do work for large sums of money, but they are not likely to be
running their mouth on a mail list about the cheap prize given on a hack
contest page hosted for fun.  

Even when companies do offer money for finding bugs, as some have done
over the last year, it doesn't result in a ton of exploits found and
released.  Money isn't a prime motivator in any hack.  Hell, the real
money is made in running old exploits (like spambots and adware crap).

Roger

-----Original Message-----
From: Dave Aitel [mailto:dave () immunitysec com] 
Sent: Saturday, May 14, 2005 8:09 PM
To: Roger A. Grimes
Cc: Anthony Zboralski; dailydave
Subject: Re: [Dailydave] RE: funny comments from Hack IIS6 contest admin

Interesting how Roger assumes that any professional penetration tester
would hack a random machine on the Internet without a signed Hold
Harmless.  I also think it's funny how he insults Anthony here, implying
that he's never heard of him, which says a lot more about Roger than it
does about Anthony. :> I assume anyone who wanted to break into the box
would be hacking from 68.106.158.136?

Just for the record, I'll give people 2 XBoxes if they send me working
IIS6 0day. :>

I talk about IIS6 a little in this recent interview-thing.
http://www.security-forums.com/forum/viewtopic.php?t=29695&highlight=

Lots of SPIKE features got implemented during my review of IIS6. Almost
all of those are in the public release.

-dave

Roger A. Grimes wrote:

I assure you that the hackers that are capable of hacking this box are
motivated for far less money, if any.  Take Dave at Immunity.  He makes
more money than the average hacker, but I assure you that he makes far
less than $250K on each hack he discovers.  (Tell me if I'm wrong,
Dave).  Professional hackers may make more than $250K, but what
motivated them initially was far less money, if any.  The best hackers
in the world that released the most devastating exploits, did it for
free...not money. It was either to improve the product or for the
"glory" in the community.  Consistent hackers...the best...want more
money...but what motivated them initially was far less.

Would more money motivate more people?  Yes, of course.  But Anthony,
people like you wouldn't be able to hack it regardless of the award.
In fact, Anthony, I'll personally give you, and you alone, $2000 reward
of my own money, if you hack it (by yourself without any external help)
by midnight tonight.  Go!

In fact, tell me the IP address you're hacking from (so I can track
you) and send one original hack that might possibly be successful...I
doubt you can even do that.  It won't get you any award, but at least I
won't see you as the poser you so obviously are.

Or are you already calling your more knowledgeable friends for help or
deciding on what witty response to send on why you don't hack my box?

Roger A. Grimes
admin () hackiis6 com