Consolidated Business & Enterprise Computing Rant Thread

Discussion in 'Business & Enterprise Computing' started by elvis, Jul 1, 2008.

  1. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,336
    Location:
    Canberra
What's to stop you selling it to both a bug bounty and Zerodium? Game the system.
     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,448
The point was, Zerodium have a vested interest in publicly overpricing bugs, so when they sell them to the NSA they can point to their price chart and say "One Meelion Dollars". Because of this, when discussing bug bounty vs black/grey market, you can't use that price chart as indicative pricing of what a bug is worth.

If every bug Zerodium bought from you was burnt in the next round of vendor updates... they'd get suspicious :).
     
  3. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,325
    Location:
    Rocky
I would imagine the contract you'd have to sign with Zerodium says they'll send ninjas after you if you do disclose elsewhere.

One way to look at it, not how I see it though: they have a vested interest in making sure the best bugs come to them, and they're banking on being able to resell these bugs within a select pool of 'clients'. Those clients wouldn't be willing to pay if there were better/cheaper ways of getting the bugs. This is just the market responding to demand. There's nothing 'inflated' about it. Someone somewhere is willing to pay, or they wouldn't be offering the cash.
     
  4. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,448
All I can find are press releases from Zerodium indicating how much they pay, and more articles about the team that claimed the iOS9 one. I can't find anywhere with security researchers saying "Zerodium paid me X for this" - even historically, after the bugs have gone public.

Unlike bug bounty platforms, where I can see how much has been paid, to whom, by whom.


I'm not saying Zerodium don't buy bugs, but nothing I've seen has convinced me they pay according to the chart. "Up to 1 Million Dollars"... $1 fits.
     
  5. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,336
    Location:
    Canberra
If I were selling zero-days for cash to someone that'd on-sell them to bad guys, I'd want to remain anonymous, lest some over-zealous police force thought what I was doing was illegal.
If I were selling zero-days for cash to someone that'd get the bugs fixed, I'd want the credit (as well as the cash).
     
    millsy, EvilGenius and PabloEscobar like this.
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,448
Fair call, but given the egos that are often involved when it comes to security, it's a red flag for me that nobody has posted a cheque from Zerodium on Twitter.
     
  7. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,325
    Location:
    Rocky
    I can understand the scepticism, but given the attitudes around this, I can definitely understand someone not wanting to wave the flag. There are a lot of security circles you'd become persona non grata in. It's all well and good for me to say I'd happily do it for the pay day, but I don't have a reputation to maintain, and I'm never going to have a bug like this to sell in the first place so it's a meaningless comment.

I think the most likely scenario though is that keeping your mouth shut about your pay day is part of the NDA signed when handing over the bug. Knowledge that a certain security researcher was paid X amount by a zero-day reseller might be all the info needed for people to figure out what that bug is, or at least where the bug is. Researcher X spends six months posting on Twitter about his work in VMware, then suddenly posts a cheque for a million dollars from Zerodium. 1+1 might just equal 2 there...


The other thing too is, there's no reason Zerodium couldn't be buying these bugs for a million dollars then selling them to 5 clients for 300k each. The bug itself doesn't need to be worth a million dollars to the NSA, as long as the NSA doesn't want exclusive rights over it. If they do, they pay what Zerodium ask. If they just want their exploit and don't care that some other foreign three-letter agency has it too, they pay less.
     
    Last edited: Apr 16, 2019
  8. Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    5,410
    Location:
    Some place far away
Fucking support systems that promise to make your life easier. They demo you a well-polished system that someone has spent half their life making half usable, only show you the polished surface of the turd without showing you any of the shit underneath. Charge you fifteen thousand hookers' worth of money to "train" you in the system without actually training, just showing you "oh this is a sphere, if you push it it will roll, but squares don't let you do that, oh and make sure this arbitrarily named checkbox is ticked or the system doesn't work, don't ask", and then post-sale giving you the kind of support and service level you could get from a shelf stacker at Coles.

What kind of crack does anyone smoke to think it's a step up to have to wear out a mouse's left click button every week because everything is so form-based, prefilled forms for standard service routines are out of the question, and you have to wait 20 seconds just to submit something while the computer struggles to run an overbloated turd of a fat client in 2019.

    Change is great. I get that. But change for the worse is not. Chop your leg off and try walking now and then try telling me it's a better way of doing things.


Wednesday whinge
     
    Last edited: Apr 17, 2019
    samus and BAK like this.
  9. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,364
    Location:
    Melbourne
Change for the better is great. Change for the worse is obviously not, and close behind that I would put change for nothing other than the sake of change.

Change is not something to be valued and cherished in isolation; improvement is. If things need to change to enable that, then fine - let's do it. But people get it utterly arse backwards and think that just by changing something, it will be better. If that's the limit of the simplistic thought that went into the process, then it's no surprise when the result is a fuckup.
     
    samus, Hive and PabloEscobar like this.
  10. caspian

    caspian Member

    Joined:
    Mar 11, 2002
    Messages:
    10,364
    Location:
    Melbourne
Appropriate Dilbert:

[IMG]
     
  11. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,336
    Location:
    Canberra
    replace idiots with politicians....
     
  12. EvilGenius

    EvilGenius Member

    Joined:
    Apr 26, 2005
    Messages:
    10,325
    Location:
    Rocky
    Same same only different.
     
  13. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,336
    Location:
    Canberra
    One is a highly refined subset of the other.
     
  14. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,719
    freaky_beeky, samus and EvilGenius like this.
  15. Unframed

    Unframed Member

    Joined:
    Mar 30, 2010
    Messages:
    9,091
    Location:
    Hella south west
    Well that was a nice unexpected week-ish off. Now to deal with insane requests again
     
  16. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,448
    2 days On, One Day Off, One Day On, and then another weekend.

    at least 1/2 the office is off for these 3 days anyway. So much work will get done.
     
    samus likes this.
  17. samus

    samus Member

    Joined:
    Jun 3, 2002
    Messages:
    1,262
    Location:
    Baulkham Hills, Sydney.
Yep! My commute was about 70% of normal traffic, there is about 30% of the usual staff, and I'm on Seek looking for work.

    Good day!
     
    Soarer GT likes this.
  18. dakiller

    dakiller (Oscillating & Impeding)

    Joined:
    Jun 27, 2001
    Messages:
    7,897
    Location:
    Gippsland
    I've taken the 3 days off, it's a cheap 10 day holiday.
     
    DavidRa, cvidler and Hive like this.
  19. wintermute000

    wintermute000 Member

    Joined:
    Jan 23, 2011
    Messages:
    1,986
I've got so much leave banked up I was forced to (apparently a month is too much...). I understand the financial angle, but it's always hilarious when the Man says you're working too hard.
I would much prefer to be working this week and take the time when things are actually busy. I always used the same tactic over Xmas back when I was single. Work easy days over Xmas, then when everybody comes back grumbling about post-holiday blues I'll be like cya, and thanks for leaving me non-holiday prices and no crowding lol.
     
    freaky_beeky likes this.
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,448
    Not taking leave is an indicator that something dodgy might be going on (and you might get caught if you take leave).
     