Dailydave mailing list archives
Re: RE: funny comments from Hack IIS6 contest admin
From: Bas Alberts <bas.alberts () immunitysec com>
Date: Sat, 14 May 2005 22:24:51 -0400
Hello Roger, I usually refrain from getting sucked into DD discussions, but I felt I had to make some comments here. All egos aside, I think what's ocurring here is the old 'admin' vs 'hacker' misconception debate. First of all, it's true that a lot of people don't hack because they're motivated by monetary gain. They hack because they..well .want to hack. Now this crowd of researchers would not give up a good bug against IIS6, because hey..less hacking for them. The people that do have some financial motive in what they do clearly aren't motivated by any such challenge either. Especially since traditionally these things have always turned out to be marketing shams (remember the Last Stage of Delirium vs. Argus Pitbull debacle? Look it up.) Point being, are there w2k3 0day bugs out there? Most definitely. Are there bugs in IIS6? I'm almost certain there are, if not the IIS6 team will have pulled off the greatest feat in software engineering ever, completely bugfree software. Clearly history does not tend to agree. Can your box be owned? Yes, given enough resources and motivation I personally believe anything and everything can be owned. Will people be motivated by such a construction as your contest? Not likely. Personally I have to say I didn't even look twice, hell I haven't even visited the website. It sort of reminds me of some Dutch 'hack this win2k box' contest though, which at the time could have been easily owned by a plethora of 0day bugs floating around at the time. Guess what? It never happened. You talk about the history of 'most devastating exploits' etc. implying an altruistic nature of 'real hackers'. Personally I've met very few 'real hackers' who willingly give up their research. Historically really good bugs get 'killed'...and often the people to publically disclose them are not the ones who first found the issue. It's naive to think that any one person has special powers, and you have to assume that things you'll hear about 2 years from now are already actively being exploited. This is just the reality of things. In any event, I hope that sheds some light on the issue of 0day and people's willingness to give said commodity up. G'luck with your contest. Sincerely, Bas On Sat, May 14, 2005 at 09:31:21PM -0400, Roger A. Grimes wrote:
I've heard of both of you. Dave, I've used your software many times before. Sorry if I wasn't in awe enough for your egos. An invitation to hack a box located at www.hackiis6.com with web pages full of "hack me" text certainly doesn't need a signed authorization...it's explicit already. So as you both are making sport of me, tell me how my statement is false? First, there haven't been many 0-day exploits against W2K3 and IIS 6 (if any), and not that many against Windows products at all since 2000 was released. Dave, how many hackers and exploit writers do you know that are motivated to write exploits by large sums of money? They want money for sure...but most discover and release the exploits for free. Another large category of exploits are released to give free publicity to security companies (like yours). Yeah, there are professional black hats that do work for large sums of money, but they are not likely to be running their mouth on a mail list about the cheap prize given on a hack contest page hosted for fun. Even when companies do offer money for finding bugs, as some have done over the last year, it doesn't result in a ton of exploits found and released. Money isn't a prime motivator in any hack. Hell, the real money is made in run old exploits (like spambots and adware crap). Roger -----Original Message----- From: Dave Aitel [mailto:dave () immunitysec com] Sent: Saturday, May 14, 2005 8:09 PM To: Roger A. Grimes Cc: Anthony Zboralski; dailydave Subject: Re: [Dailydave] RE: funny comments from Hack IIS6 contest admin Interesting how Roger assumes that any professional penetration tester would hack a random machine on the Internet without a signed Hold Harmless. I also think it's funny how he insults Anthony here, implying that he's never heard of him, which says a lot more about Roger than it does about Anthony. :> I assume anyone who wanted to break into the box would be hacking from 68.106.158.136? Just for the record, I'll give people 2 XBoxes if they send me working IIS6 0day. :> I talk about IIS6 a little in this recent interview-thing. http://www.security-forums.com/forum/viewtopic.php?t=29695&highlight= Lots of SPIKE features got implemented during my review of IIS6. Almost all of those are in the public release. -dave Roger A. Grimes wrote:I assure you that the hackers that are capable of hacking this box are motivated for far less money, if any. Take Dave at Immunity. He makesmore money than the average hacker, but I assure you that he makes far less than $250K on each hack he discovers. (Tell me if I'm wrong, Dave). Professional hackers may make more than $250K, but what motivated them initially was far less money, if any. The best hackers in the world that released the most devastating exploits, did it for free...not money. It was either to improve the product or for the "glory" in the community. Consistent hackers...the best...want more money...but what motivated them initially was far less. Would more money motivate more people? Yes, of course. But Anthony, people like you wouldn't be able to hack it regardless of the award. In fact, Anthony, I'll personally give you, and you alone, $2000 rewardof my own money, if you hack it (by yourself without any external help)by midnight tonight. Go! If fact, tell me the IP address you're hacking from (so I can track you) and send one original hack that might possibly be successful...I doubt you can even do that. It won't get you any award, but at least Iwon't see you as the poser you so obviously are. Or are you already calling your more knowledgable friends for help or deciding on what witty response to send why you don't hack my box? Roger A. Grimes admin () hackiis6 com_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- funny comments from Hack IIS6 contest admin Anthony Zboralski (May 13)
- Re: funny comments from Hack IIS6 contest admin Steve Lord (May 13)
- Re: funny comments from Hack IIS6 contest admin Allan Liska (May 14)
- <Possible follow-ups>
- RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 14)
- RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 14)
- Re: funny comments from Hack IIS6 contest admin Anthony Zboralski (May 14)
- Re: RE: funny comments from Hack IIS6 contest admin Dave Aitel (May 14)
- RE: RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 14)
- Re: RE: funny comments from Hack IIS6 contest admin Bas Alberts (May 14)
- Re: RE: funny comments from Hack IIS6 contest admin Steve Lord (May 15)
- RE: RE: funny comments from Hack IIS6 contest admin I)ruid (May 17)
- RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 14)
- RE: RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 15)
- Re: RE: funny comments from Hack IIS6 contest admin Holden Williamson (May 15)
- RE: RE: funny comments from Hack IIS6 contest admin Roger A. Grimes (May 17)
- Re: RE: funny comments from Hack IIS6 contest admin H D Moore (May 17)
- Re: funny comments from Hack IIS6 contest admin Holden Williamson (May 18)
- Re: Re: funny comments from Hack IIS6 contest admin H D Moore (May 18)
- Re: RE: funny comments from Hack IIS6 contest admin H D Moore (May 17)
- RE: RE: funny comments from Hack IIS6 contest admin I)ruid (May 17)