Re: RE: funny comments from Hack IIS6 contest admin

[Bas Alberts <bas.alberts () immunitysec com>]

Hello Roger,

I usually refrain from getting sucked into DD discussions, but I felt
I had to make some comments here. All egos aside, I think what's
ocurring here is the old 'admin' vs 'hacker' misconception debate.

First of all, it's true that a lot of people don't hack because
they're motivated by monetary gain. They hack because they..well
.want to hack. Now this crowd of researchers would not give up
a good bug against IIS6, because hey..less hacking for them.

The people that do have some financial motive in what they do clearly
aren't motivated by any such challenge either. Especially since
traditionally these things have always turned out to be marketing
shams (remember the Last Stage of Delirium vs. Argus Pitbull
debacle? Look it up.)

Point being, are there w2k3 0day bugs out there? Most definitely.
Are there bugs in IIS6? I'm almost certain there are, if not the
IIS6 team will have pulled off the greatest feat in software
engineering ever, completely bugfree software. Clearly history
does not tend to agree.

Can your box be owned? Yes, given enough resources and motivation
I personally believe anything and everything can be owned. Will
people be motivated by such a construction as your contest? Not
likely. Personally I have to say I didn't even look twice, hell
I haven't even visited the website. It sort of reminds me of
some Dutch 'hack this win2k box' contest though, which at the
time could have been easily owned by a plethora of 0day bugs
floating around at the time. Guess what? It never happened.

You talk about the history of 'most devastating exploits' etc.
implying an altruistic nature of 'real hackers'. Personally
I've met very few 'real hackers' who willingly give up their
research.

Historically really good bugs get 'killed'...and often the people
to publically disclose them are not the ones who first found
the issue. It's naive to think that any one person has special
powers, and you have to assume that things you'll hear about
2 years from now are already actively being exploited. This is
just the reality of things.

In any event, I hope that sheds some light on the issue of
0day and people's willingness to give said commodity up.

G'luck with your contest.

Sincerely,
Bas

On Sat, May 14, 2005 at 09:31:21PM -0400, Roger A. Grimes wrote:
> I've heard of both of you.  Dave, I've used your software many times
> before.  Sorry if I wasn't in awe enough for your egos.
>
> An invitation to hack a box located at www.hackiis6.com with web pages
> full of "hack me" text certainly doesn't need a signed
> authorization...it's explicit already. 
>
> So as you both are making sport of me, tell me how my statement is
> false?  
>
> First, there haven't been many 0-day exploits against W2K3 and IIS 6 (if
> any), and not that many against Windows products at all since 2000 was
> released. 
>
> Dave, how many hackers and exploit writers do you know that are
> motivated to write exploits by large sums of money?  They want money for
> sure...but most discover and release the exploits for free.  Another
> large category of exploits are released to give free publicity to
> security companies (like yours).  Yeah, there are professional black
> hats that do work for large sums of money, but they are not likely to be
> running their mouth on a mail list about the cheap prize given on a hack
> contest page hosted for fun.  
>
> Even when companies do offer money for finding bugs, as some have done
> over the last year, it doesn't result in a ton of exploits found and
> released.  Money isn't a prime motivator in any hack.  Hell, the real
> money is made in run old exploits (like spambots and adware crap).  
>
> Roger
>
> -----Original Message-----
> From: Dave Aitel [mailto:dave () immunitysec com] 
> Sent: Saturday, May 14, 2005 8:09 PM
> To: Roger A. Grimes
> Cc: Anthony Zboralski; dailydave
> Subject: Re: [Dailydave] RE: funny comments from Hack IIS6 contest admin
>
> Interesting how Roger assumes that any professional penetration tester
> would hack a random machine on the Internet without a signed Hold
> Harmless.  I also think it's funny how he insults Anthony here, implying
> that he's never heard of him, which says a lot more about Roger than it
> does about Anthony. :> I assume anyone who wanted to break into the box
> would be hacking from 68.106.158.136?
>
> Just for the record, I'll give people 2 XBoxes if they send me working
> IIS6 0day. :>
>
> I talk about IIS6 a little in this recent interview-thing.
> http://www.security-forums.com/forum/viewtopic.php?t=29695&highlight=
>
> Lots of SPIKE features got implemented during my review of IIS6. Almost
> all of those are in the public release.
>
> -dave
>
> Roger A. Grimes wrote:
>
> > I assure you that the hackers that are capable of hacking this box are 
> > motivated for far less money, if any.  Take Dave at Immunity.  He makes
>
> > more money than the average hacker, but I assure you that he makes far 
> > less than $250K on each hack he discovers.  (Tell me if I'm wrong, 
> > Dave).  Professional hackers may make more than $250K, but what 
> > motivated them initially was far less money, if any.  The best hackers 
> > in the world that released the most devastating exploits, did it for 
> > free...not money. It was either to improve the product or for the 
> > "glory" in the community.  Consistent hackers...the best...want more 
> > money...but what motivated them initially was far less.
> >
> > Would more money motivate more people?  Yes, of course.  But Anthony, 
> > people like you wouldn't be able to hack it regardless of the award.  
> > In fact, Anthony, I'll personally give you, and you alone, $2000 reward
>
> > of my own money, if you hack it (by yourself without any external help)
>
> > by midnight tonight.  Go!
> >
> > If fact, tell me the IP address you're hacking from (so I can track 
> > you) and send one original hack that might possibly be successful...I 
> > doubt you can even do that.  It won't get you any award, but at least I
>
> > won't see you as the poser you so obviously are.
> >
> > Or are you already calling your more knowledgable friends for help or 
> > deciding on what witty response to send why you don't hack my box?
> >
> > Roger A. Grimes
> > admin () hackiis6 com
> >  
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave