<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Laziness Of A Blogger At Midnight</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Fri, 10 Jul 2009 14:07:12 -0000</lastBuildDate><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-12461687</link><description>You're right, vulnerability does sell. It has happened to me.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">cash333</dc:creator><pubDate>Fri, 10 Jul 2009 14:07:12 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-12461605</link><description>I too am guilty of midnight blogging. I like to read blogs and post comments. It is fun. You need to update your post.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">cash333</dc:creator><pubDate>Fri, 10 Jul 2009 14:05:01 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-12163188</link><description>What a useful post here. Very informative for me. TQ friends...&lt;br&gt;&lt;br&gt;Cheers,&lt;br&gt;&lt;a href="http://sain-web.com" rel="nofollow"&gt;Buat Duit Dengan Blog&lt;/a&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Traveller_Adventure</dc:creator><pubDate>Sat, 04 Jul 2009 19:25:13 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-2322938</link><description>I imagine there are better ways to use economics and markets to improve code quality.  For example, a prediction market on wagers such as "there will be a remotely exploitable vulnerability in Internet Explorer in October 2007."  
People who are intimately familiar with the code quality could make money by using their knowledge to set the right price.  People who research vulnerabilities in IE can "game" the system by releasing bugs and collecting payoffs.  These insider trades are actually good because in the long run they ferret out bugs and give a realistic assessment of the security of a system (if shares are priced between $0 and $1, they will approach the probability of a bug being found).  Win-win!  And no need to sell vulns in private.&lt;br&gt;&lt;br&gt;(Oh yah, if you happen to be a heavy user of a technology, you can buy shares as a hedge against damages when vulns are released...)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">newsham</dc:creator><pubDate>Wed, 11 Jul 2007 14:44:19 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-2322937</link><description>@Mike&lt;br&gt;&lt;br&gt;There is one area where I disagree with your post.  There are plenty of researchers and affected code bases that have an excess of time and lack of funds.  For example, open source projects aren't going to pay 700 Euros for a defect in their code.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 11 Jul 2007 12:18:57 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-2322936</link><description>Have to say, I was just being a pain.
I understood the point, but there was another facet that I wanted to expound upon.&lt;br&gt;&lt;br&gt;Taking this point to its extreme, the interesting question would be around the economics of the auction itself - as you point out, it's possible that the value of the product radically changes during the auction.&lt;br&gt;&lt;br&gt;This isn't a problem that eBay has.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Murray</dc:creator><pubDate>Wed, 11 Jul 2007 12:03:50 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-2322935</link><description>When I saw this I thought, "Woohoo, now we can contribute a bunch of crappy modules to open source projects, then auction off vulnerabilities in them." &lt;br&gt;&lt;br&gt;This probably won't happen, as the stakes are far too low. An exploit auction is certainly a provocative idea. Whether it has an economic impact on exploit development remains unclear.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">batz</dc:creator><pubDate>Wed, 11 Jul 2007 11:41:33 -0000</pubDate></item><item><title>Re: Laziness Of A Blogger At Midnight</title><link>http://www.matasano.com/log/911/laziness-of-a-blogger-at-midnight/#comment-2322934</link><description>"(*) Who is to say that the vulnerability for sale is the one of the vulnerabilities identified by our readers."&lt;br&gt;&lt;br&gt;In my opinion it does not matter whether the exact vulnerability being sold was found or not, just that a vulnerability was found.&lt;br&gt;&lt;br&gt;For most people whether their intentions are good or bad as long as they have one way to exploit an application reliably then this is all they need.&lt;br&gt;&lt;br&gt;As Stefan pointed out, the easy "require()" bugs are patched, but the application is riddled with bugs where the user can control calls to exec. What more do you need? 
I think any unpatched bug ( or many bugs in this case ) in an application makes buying a random one for it worthless.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bee Binger</dc:creator><pubDate>Wed, 11 Jul 2007 10:42:26 -0000</pubDate></item></channel></rss>