Netscape rewards are an insult
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.

I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:

- We get a panel of 5 cypherpunk judges who test each claimed hole.
- Exploit code is sent to the panel for verification.
- If they verify the hole, it is put up for bid.
- Winning bidder gets the code for 3 months before it is released on hacker BBS systems throughout the world.
- The panel of judges splits 25% of the money paid for the code as pay for their efforts. The rest goes to the author.

I have an even better idea. How about if Netscape gets some competent programmers with real security expertise, adds in some good change controls, a serious internal testing program, quality control à la ISO-9000, internal IT auditors, external IT auditors, training and education for their employees, and everything else it takes to be in the software business in a serious way.

As an alternative, we could help them contact the shareholders for a lawsuit. After all, they are a public company now and are responsible to the shareholders for the value of their stock. If it goes down because they aren't doing an adequate job of software quality control, the officers may be personally liable.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
On Sat, 14 Oct 1995, Dr. Frederick B. Cohen wrote:
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.

THE NETSCAPE BUGS BOUNTY
(major snip)
And if the security bug you find is severe as defined by Netscape, and hasn't been previously found, and can be reproduced by us, we'll write you a check for $1000. "Previously Found" means that either an internal tester or someone else who doesn't work for Netscape has already reported a bug that causes the same defect.

That's a bit more than just a t-shirt. Since they're being open about bug finding, it would be reasonable and helpful for them to publish all discovered bugs to prevent duplication and give people a forum for concentrating efforts.

As for the t-shirts, it'd be real nice at job interviews to show up with a personalized "(insert your name here) cracked Netscape, and all I got was this lousy t-shirt" signed with Netscape's PGP key (and verifiable at their soon to appear (hint, hint) "Bug tester's Hall of Fame"). Looks nice on CVs too.
Frederick B. Cohen writes:
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive. [...$25k...]

They always did that, without even giving away a T-shirt, since they released the first beta version to the world. As long as people enjoy playing for free with a product and giving feedback and seeing the program improved... why would it stop? Personally, though I prefer free products (but ppl have to get some money for a living....), I think it is not that bad an idea, and I trust a lot of people will continue to do it for the fun of it {As long as the company is *really* listening to reports....}

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom
Prime#1: cent cinq mille cent cinq milliards cent cinq mille cent soixante sept
cryptographic arrangements Ortega South Africa SDI plutonium CIA
On Sat, 14 Oct 1995, Dr. Frederick B. Cohen wrote:
I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:
Funny that you mention it, the other mailing list (or rather set of lists) I'm on is devoted to just such a market system. The Idea Futures home page is at http://if.arc.ab.ca/~jamesm/IF/IF.shtml. You'll find a few familiar faces.
On Sat, 14 Oct 1995, Dr. Frederick B. Cohen wrote:

The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.

I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:
*cut*

You know, this all seems kind of greedy to me. It used to be people would find holes for *fun* and not for profit. It's still possible to do that, you know 8-).
Have things really come to this? Besides the legal implications of discovering a hole and then selling the information to someone (who presumably will only want this information for one purpose), where has the attitude of doing for the sake of doing gone? Has Netscape been pestering security experts on the net for free work? Have they been plaguing people or lists with email asking the net to do their jobs?

I am tired of hearing people who may have had the urge to find weaknesses and bugs now going greedy and deciding that they should be paid for it. If you don't want to participate then don't! It's that simple. If you feel Netscape is a greedy money grubbing company who deserves to pay 25k for a bug report then start a company and develop a competing product which you feel deserves to get bug reports.

The reason why the Internet has become so popular/powerful is the willingness of people to help out and distribute information. As a computer/networking professional I have saved hundreds of hours worth of my time when someone has been able to answer a question or solve a problem for me. Likewise I have given and continue to give back just as many hours answering others' questions. That attitude is completely lacking in your suggestion and I can only hope that those opinions are in the minority even today.

The ironic part is the people who have been the most successful at finding bugs are not the ones who are demanding money for it!

---> Phil
From: fc@all.net (Dr. Frederick B. Cohen) Date: Sat, 14 Oct 1995 07:53:53 -0400 (EDT)
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.
I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:
- We get a panel of 5 cypherpunk judges who test each claimed hole.
- Exploit code is sent to the panel for verification.
- If they verify the hole, it is put up for bid.
- Winning bidder gets the code for 3 months before it is released on hacker BBS systems throughout the world.
- The panel of judges splits 25% of the money paid for the code as pay for their efforts. The rest goes to the author.

I have an even better idea. How about if Netscape gets some competent programmers with real security expertise, adds in some good change controls, a serious internal testing program, quality control à la ISO-9000, internal IT auditors, external IT auditors, training and education for their employees, and everything else it takes to be in the software business in a serious way.
As an alternative, we could help them contact the shareholders for a lawsuit. After all, they are a public company now and are responsible to the shareholders for the value of their stock. If it goes down because they aren't doing an adequate job of software quality control, the officers may be personally liable.
--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
Phil typed:
Have things really come to this? Besides the legal implications of discovering a hole and then selling the information to someone, (who presumably will only want this information for one purpose) where has the attitude of doing for the sake of doing gone?
It's one thing to do good for the sake of doing good. Most of us do that every day by participating in this list. It's quite another thing to be insulted in the process. I think that Netscape's reward is an insult. If they think you can find major security bugs in Netscape for as little as $1000, they should take the product off the market, or at least stop claiming that it offers security.
Has Netscape been pestering security experts on the net for free work? Have they been plaguing people or lists with email asking the net to do their jobs?
They do far worse. They claim security when they don't have it, and when the cypherpunks demonstrate the false claims, Netscape offers insulting future tribute. I think that if they are sincere, they should reward the individuals who found the last few holes with $25,000 each, and show that they really mean business.

I am tired of hearing people who may have had the urge to find weaknesses and bugs now going greedy and deciding that they should be paid for it. If you don't want to participate then don't! It's that simple. If you feel Netscape is a greedy money grubbing company who deserves to pay 25k for a bug report then start a company and develop a competing product which you feel deserves to get bug reports.

I'm not greedy, and I have never found a novel security hole and told the affected people they had to pay to find out about it. I just don't like seeing sincere people who volunteer their efforts being insulted or trivialized or taken advantage of by the big-money people - and make no mistake about it - that is what the Netscape offer is really all about. The $25K is a trivial amount for finding such a hole in a product that is supposed to secure billions of dollars worth of electronic funds transfers. If the bad guys find a hole, it could easily cost millions. If you don't believe me, look at the statistics for other holes in the credit card and telecommunications businesses. The losses are in the billions each year. If Netscape won't bet $25K that they have no such holes, why should their clients bet millions that the bad guys won't find and exploit one?

The reason why the Internet has become so popular/powerful is the willingness of people to help out and distribute information. As a computer/networking professional I have saved hundreds of hours worth of my time when someone has been able to answer a question or solve a problem for me. Likewise I have given and continue to give back just as many hours answering others' questions. That attitude is completely lacking in your suggestion and I can only hope that those opinions are in the minority even today.
It's not my attitude that's changing the Internet. It's the nature of any technology that it can be used for both good and evil. The Internet is no longer a research tool, and there are plenty of people using it for criminal purposes. If we don't start seriously rewarding people who find and help fix the holes, we are dooming the Internet. And, oh yeah, the reason the Internet became so popular so fast had nothing to do with free distribution of information. It had to do with the Vice President making public announcements about the NII, enormous public relations efforts, and lots of national advertising. The free information has been there for 25 years or so. The advertising and the enormous growth started when the marketing people got going.
The ironic part is the people who have been the most successful at finding bugs are not the ones who are demanding money for it!
The ironic part is that a company that claims to have a "secure" method for using credit cards on the Internet thinks that their security is so weak that it only takes $1000 to find a major hole.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
In message <9510141801.AA01730@all.net>, Dr. Frederick B. Cohen writes: [...]
The $25K is a trivial amount for finding such a hole in a product that is supposed to secure billions of dollars worth of electronic funds transfers. If the bad guys find a hole, it could easily cost millions. If you don't believe me, look at the statistics for other holes in the credit card and telecommunications businesses. The losses are in the billions each year. [...]

Note well: Netscape is offering this reward for finding bugs in *beta* release code. In other words the code that they *know* crashes, code that they suspect has security related bugs, code that they don't think is (yet) good enough to charge a measly $40 for! If they don't get buried in bad press for this, I would guess that they may have a different program with a different set of rewards for finding bugs in their for-sale version. Or not. After all I suspect that like most other places they are more interested in making the next product the best in the world than making the last one "as good as the box says".

Besides, nobody said you have to report your bugs to Netscape just because they gave you free software and offered some sort of reward for finding bugs. If you don't think the "pay" (including the possibility of having the software fixed) is high enough, don't report the bugs.
fc@all.net said:
The idea that Netscape (like Microsoft) thinks they can get free testing services from all over the net by real experts just by offering a tee shirt is downright offensive.
They can. Maybe not from you, but people were poking holes in Netscape before *anything* was offered. Greed isn't the sole motivator of people.
I have a better idea. How about an open market in break-in software. We crack Netscape and offer the crack code to the highest bidder. Bids start at US$25K per hole. For the insult, Netscape has to outbid the competition by a factor of 2 to get the details of the hole. Here's how it works:
A bit too mercenary-like for my tastes, and a bit lacking in ethics. Tracking down security holes and selling them to the highest bidder without giving details to all doesn't just hurt Netscape.
I have an even better idea. How about if Netscape gets some competent programmers with real security expertise, adds in some good change controls, a serious internal testing program, quality control à la ISO-9000, internal IT auditors, external IT auditors, training and education for their employees, and everything else it takes to be in the software business in a serious way.
This sounds like a better idea. And it isn't mutually exclusive with the "Bugs Bounty" or T-shirts.
From what I recall, Netscape has hired decent programmers. I don't know about their internal business practices. From what I've seen, though, they have the right attitude about fixing security, rather than sweeping it under the rug and suing people who allege security faults. Certainly their release of their PRNG code is proof of that.
Bob
Participants (7):
- Bob Snyder
- fc@all.net
- Henry Wertz
- Josh M. Osborne
- Laurent Demailly
- Philip J. Nesser
- s1018954@aix2.uottawa.ca