Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,289
    Sure, that works for things responsibly disclosed. If someone dropped a 0-day guest-to-host right now, with a PoC, how would it be handled by the major cloud providers? At any point would they stop selling?

    Sure, they'd patch it post-haste, but I don't see them bringing down customers' shit because of it.
     
  2. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,276
    Location:
    Rocky
    I wonder how many of them are paying attention to Zerodium, who are offering up to a million dollars for zero-click RCEs. If I had one, I can tell you right now "fuck you all" would be my response whilst cashing my million-dollar cheque.
     
  3. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,442
    Location:
    qld.au
    I'm not aware of their policies with regard to 0-day exploits without any warning, as I don't believe it's happened.

    Having a public platform with bounties is critical to prevent this wherever possible, eg https://hackerone.com/slack
     
  4. mooboyj

    mooboyj Member

    Joined:
    Sep 13, 2005
    Messages:
    1,003
    Tech1 financials in the cloud, what a steaming sack of shit. Never had the displeasure of using such a god-forsaken, shitful product like it.
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,289
    Then how can you say


    with any confidence?
     
  6. elvis (OP)

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,673
    Location:
    Brisbane
  7. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
    As a government department where TechOne is a dominant supplier, I am very, very interested in why this is. Could you elaborate at all? I don't use them, but my (new) management are in talks.
     
  8. elvis (OP)

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    36,673
    Location:
    Brisbane
    Well I'm glad we dumped them 3 years back prior to our own finance/cloud migration. Sounds like we dodged a bullet.
     
  9. tobes

    tobes Member

    Joined:
    Dec 23, 2001
    Messages:
    3,521
    Location:
    Melbourne
    This thinking is naive at best and downright damaging at worst. They would 100% still sell compute even if there are known exploitations against it. Where there is money to be had, they'll continue to sell.
     
  10. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,700
    Location:
    Brisbane
    At Amazon/Google/MS scale they're absolutely going to be targeted with shit they can't mitigate. The difference is they're far more likely to have the resources invested into identifying how badly they've been exploited, and try to fix it. Guarantee they detect malicious actors in their infrastructure all the time; they're too big not to.
     
  11. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,616
    Location:
    Sydney
    Just like Boeing sells planes that try to crash themselves without telling you, and you have to pay an extra $80,000 for a software feature that tells you when it's trying to kill you.
     
    Last edited: Apr 16, 2019
  12. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,442
    Location:
    qld.au
    Not at all. If you 100% trust any 3rd party then you deserve what you get regardless, but that doesn't make thinking that the Tier 1 providers have patched 100% of the known issues dangerous.
    Hence their payouts via HackerOne etc. It's far easier to pay for exploits than deal with the fallout if they're announced elsewhere.

    I've had a chat to the internal security teams within some of the smaller providers and the work they do is amazing. Tier 1 teams would absolutely be next level again.

    AWS of course are famous for dogfooding most of their tools, which end up as another product they sell. For example: https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html

    Google are starting to push similar tools as well: https://cloud.google.com/event-threat-detection/

    Infrastructure logging is very different to standard SIEM configurations, so these sorts of tools will augment rather than replace (for now at least).
     
  13. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,289
    How do the official bug bounty payouts compare to the prices paid by the less scrupulous organisations? Actual payouts, not Zerodium marketing shit.
     
  14. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,276
    Location:
    Rocky
    So you don't think anyone is actually getting 6-figure payouts from Zerodium?
     
  15. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,289
    No, I'm saying their table of pricing is marketing bollocks, and shouldn't be used as a 'price list' when discussing bug bounties.
     
  16. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,700
    Location:
    Brisbane
    Yeah, they're looking to market and sell for more; they assume the risk of not being able to sell an exploit.

    Bug bounties are useful to supplement what you're already doing; they don't replace pen tests or anything else. I think if you've got a super agile approach they can be of some benefit, but yeah, they have a purpose, but it's not gonna be useful for most orgs.
     
  17. mooboyj

    mooboyj Member

    Joined:
    Sep 13, 2005
    Messages:
    1,003
    Send me a PM, it is a long rant...
     
  18. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,442
    Location:
    qld.au
    The Swiss cheese (better known as Magento) has had quite a few payouts recently: https://hackerone.com/magento/hacktivity

    They don't seem to make the reports public (probably given they're still copping big issues...), but others do. For example, here's an 18k payout from Valve: https://hackerone.com/reports/470520
     
  19. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,276
    Location:
    Rocky
    I don't get the point then. I mean, someone with a 0-day gets to decide which colour hat they want to wear. White hat: they submit to a bug bounty or responsibly disclose, and risk what has happened in many cases outside of established bug bounties, getting sued by some retarded company for 'misuse of their IP' or some such dimwittery. Black hat: sell it to Zerodium for phat stacks. I mean, it's a viable option, you don't risk getting sued, and you get a payout that's worth what the market is willing to pay for it. And as best I can tell, apart from ethical considerations, there's no reason anyone submitting to a bug bounty couldn't submit to someone like Zerodium instead. Like it or not, I think it needs to be a consideration. For all the bugs that are responsibly disclosed via whatever means, how many aren't? How many of those would be if bug bounties paid better? ¯\_(ツ)_/¯
     
  20. millsy_c

    millsy_c Member

    Joined:
    Mar 31, 2007
    Messages:
    12,700
    Location:
    Brisbane
    I think if you're hoping you can convince people to disclose to a bug bounty vs going black hat, you're looking at it the wrong way. Bug bounties were always for people who were a bit ethical to begin with :) Let's be honest, the caveats on many orgs heavily limit how much you could theoretically test.
     