Dailydave mailing list archives

RE: RE: funny comments from Hack IIS6 contest admin


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 15 May 2005 12:01:22 -0400

-See replies below. 

-----Original Message-----
From: Steve Lord [mailto:steve () buyukada co uk] 
Sent: Sunday, May 15, 2005 7:37 AM
To: Roger A. Grimes
Cc: Dave Aitel; dailydave
Subject: Re: [Dailydave] RE: funny comments from Hack IIS6 contest admin

Roger A. Grimes wrote:

I've heard of both of you.  Dave, I've used your software many times 
before.  Sorry if I wasn't in awe enough for your egos.
 

Not being funny, but you're the one who started personally attacking
Dave and Anthony. Also you should bear in mind that it's the DailyDave
list, not the DailyRoger list. If you don't like it here then please
feel free to start your own.

-I didn't come to the list, nor did I send the first email. Anthony sent
an email to the list attacking one of my statements and I responded.


An invitation to hack a box located at www.hackiis6.com with web pages 
full of "hack me" text certainly doesn't need a signed 
authorization...it's explicit already.
 

Really? Are you sure? What, for everywhere? I know in the UK if I
started breaking into boxes across the Internet because they said 'hack
me' I'd get into trouble fairly quickly if I was caught. Does that mean
that if someone defaces a web site and puts 'hack me' on the page then
it's ok because it's explicit?
-I'm positive that even within the UK, if someone invites you to
hack them, you cannot be liable for any hacks on that site that fall
within the written rules.

So as you both are making sport of me, tell me how my statement is 
false?

First, there haven't been many 0-day exploits against W2K3 and IIS 6 
(if any), and not that many against Windows products at all since 2000 
was released.
 

According to http://secunia.com/product/20/ - Windows 2000 Server is
affected by 90 Secunia advisories. 20% of reported issues remain
unpatched, the worst of which appears to be a nasty bug in the Jet
Database engine, which could lead to remote system access.
-How many were zero day? One, maybe.

Windows 2003 Server Web Edition (seeing as we're looking at IIS 6) is
affected by 49 advisories according to Secunia
(http://secunia.com/product/1176/). 6 of these vulnerabilities remain
unpatched, although these are only listed as moderately critical.
-IIS 6 has only had 5 vulnerabilities publicly disclosed so far, Secunia
(BTW) only lists 3.  If W2K3 is so exploitable, please hack away at my
site.

Dave, how many hackers and exploit writers do you know that are 
motivated to write exploits by large sums of money?

How many people does Dave employ that write exploits? How many people do
companies like NGS Research employ purely to find vulnerabilities?
-I assure you that they don't get paid a tremendous amount of money for
each bug they find.  Again, Dave, tell me if I'm wrong.  Do you have to
pay your bug finders $150,000 for each bug they find or do they work for
a lot less?

Even when companies do offer money for finding bugs, as some have done 
over the last year, it doesn't result in a ton of exploits found and 
released.  Money isn't a prime motivator in any hack.  Hell, the real 
money is made in running old exploits (like spambots and adware crap).

 

Are you speaking from personal experience?
-I don't black hat, if that is what you mean. But it's well documented
that EVERY widespread Windows exploit uses old found vulnerabilities,
not zero day.  Hackers don't have to come up with zero day exploits to
get rich, if that is what they want...they use the old stuff.

Steve
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave

