
The Vulnerability Business....?

  • The Vulnerability Business....?

    I'm referring to an eWeek print article, "Dealing In Vulnerabilities", Vol. 25 #4, page 14, 2/4/08. If you don't have the rag, it's talking about the RealPlayer exploit discovered 12/16/07 and, as of 1/31/08, still unpatched; RealNetworks can't seem to find the exploit in their own code.

    So what do people think about individuals/companies that specialize in breaking other people's software for the purpose of selling the info for profit, either back to the software manufacturer or to other interested parties?

    Is this fair game, good for software security, bottom feeding, or extortion? So what do you think about companies like Gleg featured in the article?

    xor

    Time line according to eWeek:
    12/16/07 Gleg ships RP exploit to subscribers of the VulnDisco exploit pack
    1/01/08 Gleg releases video of exploit
    1/02/08 RealNetworks contacts Gleg to ask for flaw info. Gleg refuses.
    1/03/08 Carnegie Mellon's CERT/CC issues an alert and attempts to get info from Gleg. Gleg refuses.
    1/31/08 Exploit still unpatched

    Here is a video of the exploit: http://www.gleg.net/realplayer11.html
    Last edited by xor; February 7, 2008, 19:32.
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

  • #2
    Re: The Vulnerability Business....?

    Originally posted by xor
    So what do people think about individuals/companies that specialize in breaking other people's software for the purpose of selling the info for profit, either back to the software manufacturer or to other interested parties?

    Is this fair game, good for software security, bottom feeding, or extortion? So what do you think about companies like Gleg featured in the article?

    xor
    Gee, I dunno, but I seem to remember a non-Windows-based DOS system where the code was always tight and non-exploitable when there was no Internet. So do we accept crap code today due to turnaround time and pressures to get it out first? For security reasons, Vista was kept secret too long from the vendors who write for it, and Microsoft and its customers are already paying the pauper for that, especially in the area of compatibility and its lack of drivers. Those who write applications for Vista were under incredible pressure to write code to meet Vista's release date, and as a result you can bet that many of those applications have holes an elephant could walk through. Should a company be "paid" to find weaknesses? Sure, why not. If there is a market for exploit discovery, won't it make the software more solid and more secure? I think we all got into trouble the day we accepted "crap code" and then had to learn to clean it up after market sales. Let the opportunistic exploits begin!
    Last edited by Greyhatter; February 8, 2008, 14:10.



    • #3
      Re: The Vulnerability Business....?

      I think that it is fair game, and good for security. Companies need to write better code, or at least go open source so that a community can help with debugging and vetting it.

      xor



      • #4
        Re: The Vulnerability Business....?

        I think the market is doing what markets do... sorting itself out, sometimes irrationally and often imperfectly, but overall we're driving toward qualities such as responsibility and reliability.

        I'm willing to say that even the Italian guys who started WabiSabiLabi had their heads in the right place (but didn't explain things enough to the general public, and thus people panicked), since the end result is fewer vulnerabilities affecting a smaller crop of people in a shorter time line overall.
        Last edited by Deviant Ollam; February 8, 2008, 18:31.
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor



        • #5
          Re: The Vulnerability Business....?

          If people continue to consume crap, they'll continue to be supplied crap. I think it's good for security and awareness overall. People need to start taking notice.



          • #6
            Re: The Vulnerability Business....?

            Originally posted by Cicada
            If people continue to consume crap, they'll continue to be supplied crap.
            Yes, and if you look below there is a cycle:

            http://www.wyethah.ca/images/dungbeetlelifecycle.gif
            Last edited by Greyhatter; February 10, 2008, 12:43.



            • #7
              Re: The Vulnerability Business....?

              The real question is what came first the brood ball or the egg? :)

              xor



              • #8
                Re: The Vulnerability Business....?

                Originally posted by xor
                The real question is what came first the brood ball or the egg? :)

                xor
                I think perhaps the egg...

                "The first independent version of Microsoft Windows, version 1.0, released on November 20, 1985."

                Then...

                Brooding (sloppy programmers) came later?

                But then what do I know?
                Last edited by Greyhatter; February 10, 2008, 13:14.
