Mozilla Starts Bug Bounty Program

AnamanFan writes "The Mozilla Foundation announced the Mozilla Security Bug Bounty Program, an initiative that rewards users who identify and report security vulnerabilities in the open source project's software. Sponsered by Linspire, Inc and Mark Shuttleworth, the program will give $500 to users who report a significant bug in Mozilla software. Users who identify security bugs in Mozilla software are encouraged to go to the Security Projects Page for more information."

microsoft

[pvt_medic]

if microsoft did this they go bankrupt in a week


obligatory jab at microsoft

Re:microsoft

[dsbaha]

That is assuming that they'll even recongize the problem!

Not just MS

[krog]

What if Slashdot gave $503 for every 503 Service Unavailable?

Malda and company would be living off ramen and store-brand Mountain Dew in less than a week.

Re:Not just MS

[Spellbinder]

the strange thing is that slashdot gives me 503 errors in mozilla but works well in IE at the same time
that really drives me crazy
that and playing doom 3 all night long

Re:Not just MS

[cdemon6]

Yes, and:

- $200 for every served request
- $301 for every redirect
- ...

Re:Not just MS

[spektr]

Hm. What's causing this?

Maybe this? [technocrat.net]

Re:Not just MS

[spektr]

It said that OSDN (and thereby slashdot) has been bought by Microsoft. But now they deny it. [technocrat.net]

In other words, the end of the world was canceled. :-D

Profit!!!

[Jeremiah Cornelius]

1) Submit buggy patch under alias 1

2) Report bug to bounty programme under alias 2

3) PR0FIT!!!

4) Repeat as necessary...

Re:Profit!!!

[Warlok]

Sounds like a Dilbery cartoon:

PHB: We're awarding $10 for every bug you find and fix.
Dilbert: Where you going Larry?
Larry: I'm going to code myself a new Porsche.

Re:Not just MS

[xmas2003]

I wonder if the 503 errors are perhaps related to more folks pulling RSS feeds from /. - even though they limit it, if enough folks have this on full-auto, it adds up.

it's entrapment!

[Anonymous Coward]

Dear pvt medic,

Thank-you for identifying this IE exploit! The FBI prize patrol should be by shortly with your reward!

Sincerely,
Bill Gates

Re:microsoft

[Negatyfus]

It's funny this has never happened to me.

The difference between mozilla.org and Microsoft

[Anonymous Coward]

mozilla.org offers a $500 bounty for discovering "critical" [mozilla.org] security holes, while Mircosoft offers [cnn.com] a $250,000 bounty for catching virus authors.

Re:The difference between mozilla.org and Microsof

[Marc Desrochers]

If MS did offer a bounty on bugs instead of a bounty on those exploiting them, the first few claims would probably be from the same people, the exploit writers. Much money might be saved in handing out a smaller amount, rather than a quarter mil that still leaves the problem in place.

<naiveté>Some might even conceivably make some sort of living at it, rather than writing exploits </naiveté>

Re:The difference between mozilla.org and Microsof

[jesser]

Many worms spread using holes that are already publicly known at the time the worm is written.

Re:The difference between mozilla.org and Microsof

[Frizzle Fry]

People already do make a living finding flaws in microsoft products. They are software testers and microsoft employs plenty of them. I'm sure they are making more than the equivalent of $500/ per bug.

Re:The difference between mozilla.org and Microsof

[Kent Recal]

+6 Insightful.

great idea

[dieyack]

I think this is a great idea, and that it will help mozilla become a lot more secure (and pretty fast I might add)

Re:great idea

[tiger99]

Yes, I would agree with that. Did you notice how quickly the last Mozilla hole was fixed, and how small, in fact tiny (1kb), the download was to fix it?

I have used Mozilla, and before it, Netscape for almost all browsing for a long time now, and simply do not get the problems that IE users get.

Re:Not really.

[tiger99]

Yes you are quite correct, and thanks for the clarification. My memory is clearly becoming a bit volatile these days, I did know once upon a time it was the shell: issue. Nevertheless the very small fix from Mozilla cured the problem. I think M$ ought to pay them!

But yes, some bugs hang around for a loooooooooong time, but AFAIK some bugs dating from Windoze 95, or before, and still present, possibly in a slightly different form, have not been fixed yet. I was reminded of one yesterday, when Xtra Pathetic l

Sod the security problems - what about...

[FyRE666]

...the rendering bug I've had with Firefox since... well... forever! Only on Slashdot - for the disbelievers I've slapped a couple of screenshots up here [demon.co.uk]. These are with the latest STABLE release, not a nightly bugfest, BTW...

Re:Sod the security problems - what about...

[Zaiff Urgulbunger]

I'm not that bothered about it myself, but I agree it does exist! I think some installs are affected more than other though - I'm sure my 0.8 install was okay, but I'm currently running 0.9.1 (patched) on Win2K and it is rendering /. strangely.

The work around is to increase and decrease the font size (ctrl + then ctrl -).

Re:Sod the security problems - what about...

[jesser]

The bug (217527) is not fixed in Firefox branch nightlies either, but it's "plussed" for Firefox 1.0 PR, so you can expect it to be fixed. See bug 217527 and bug 246382 (a regression caused by the fix for bug 217527) for details.

I wonder if he's kicking himself...

[NoMercy]

A few days ago you might remember someone who created an article on the vunribilities of a fake browser being made in a empty window using XUL...

Guess he's 500 dolars down for blowing the whistle a week early :)

Re:I wonder if he's kicking himself...

[Anonymous Coward]

The initial bug report was made almost three years ago, marked confidential, and ignored. He was far too late to claim the bounty on that particular bug.

Re:I wonder if he's kicking himself...

[CTho9305]

It was ignored largely because a nearly-as-convincing fake can be created with DHTML, so blocking XUL doesn't add any real security. How many people really use different themes (so the DHTML fake would look wrong)?

In Other News...

[Anonymous Coward]

Microsoft puts bounty $5,000 on head of anyone uncovering IE security flaws.

Re:In Other News...

[Patik]

Nope, it's $250,000.

Anyone know a Mozilla programmer?

[jsimon12]

Cause we could go ahead and program ourselves a couple new minivans this evening ;) (yes I know Wally from Dilbert said it before I did, but this just seemed like the perfect time to use it)

Re:Anyone know a Mozilla programmer?

[BigFire]

The quote being:

"I'm going to write me a minivan".

Re:Anyone know a Mozilla programmer?

[joeytsai]

There was related strip where Dilbert and Ratbert were talking in front at Dilbert's desk.

(From memory):

Dilbert: Ratbert, for every bug I fix I get a bonus. Dance on the keyboard for me so I can fix your bugs.

(Ratbert dances on Dilbert's keyboard).

Ratbert: How am I doing?

Diblert: Not good. You've just created a web browser.

Fantastic Idea

[LanMan04]

This will give all budding CS majors (and lazy security geeks) a reason to hunt for bugs, other than being inquisitive.

Skills

[www.sorehands.com]

It may help the "budding CS majors" to build code analysis and debugging skills. Debugging skills are not taught in school.

Re:Skills

[jeff67]

True, debugging is not on curricula. But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

Re:Skills

[kryptkpr]

Not all debugging methods are created equal.. lots of extra printf calls will only get you so far. I can't count the number of fellow students whom I had to teach to use a debugger in my algorithms class.

Debugging should definitely be taught in classes.. at least the basics of what a debugger is, how it can help you, and how to compile your program so a debugger can read it and give you source-level breakpoints.

Not using a debugger

[www.sorehands.com]

Using a debugger without knowing what you are looking for is virtually useless. One needs to apply scientific methods and smart tool related methods.

Re:Skills

[Anonymous Brave Guy]

Not all debugging methods are created equal.. lots of extra printf calls will only get you so far.

That's certainly true, although IME a little work to instrument code properly (via printf or something similar but more powerful/flexible) can go a very long way. We have quite a neat system on the project I currently work on, which basically keeps a stack trace and lets you record diagnostic messages at several levels of priority, and then lets you customise the diagnostic file that's generated based on w

Re:Skills

[upsidedown_duck]

But you will almost certainly fail out of school if you don't start picking up debugging basics immediately after you write your first line of code (bug).

Right. Just like those full-blown graduates I used to work with would take a week to write a Java text-processing program that could have been written in five minutes with Perl or sed. How about those database tables with things like "Email1" and "Email2"? What about choosing Oracle and Web Logic with full J2EE dressing for a site that has only a few

/. Millionaire

[baby_head_rush]

Imagine if /. paid a nickle for every 503 error.

Re:/. Millionaire

[NeoThermic]

>> Imagine if /. paid a nickle for every 503 error.

I'd beat you to death with a sack of them...

NeoThermic

Re:/. Millionaire

[ClippyHater]

I was getting a ton of them today--I cleared my cache and emptied my cookies. All now seems to be well.

I'll stick my neck out

[NeoThermic]

...but doesn't this sound a bit desperate? IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate. (And alot of people would be rich).

All credit to the Mozilla Foundation if they can keep their image with this kind of approch to secuirty.

Now, who's going to be the first to earn their $500?

NeoThermic

Re:I'll stick my neck out

[ajrs]

I'll chop it off for you. You might want to check out this link about TeX [cbbrowne.com], which has had a bounty for decades.

I think you might have confued bragging with desperation.

Re:I'll stick my neck out

[mytec]

My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security piece-of-mind Mozilla/Firefox has rather than the type of bounty Tex has.

If Mozilla/Firefox where to lose the mainstream perception of a more secure browser why would users of IE switch?

Re:I'll stick my neck out

[alefbet]

If Mozilla/Firefox where to lose the mainstream perception of a more secure browser why would users of IE switch?

I switched for the features. I stayed for the security.

(Oh, and switching to Linux had something to do with it, too, in my case.)

Re:I'll stick my neck out

[Mr_Silver]

My perception of the success Mozilla/Firefox has beside a breadth of features is its security. I wonder if this bounty is more preemptive in nature to help ensure the positive security piece-of-mind Mozilla/Firefox has rather than the type of bounty Tex has.

Alternativily could it be a bit of PR to deflect from the controvesy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

Re:I'll stick my neck out

[Zaiff Urgulbunger]

Alternativily could it be a bit of PR to deflect from the controvesy surrounding the two recently publicised bugs which had been sat on by the Mozilla team for several years before they got around to being fixed?

Naa, its purely a small amount of money to focus a lot of eyes on the problem. If it was pure PR they'd probably offer a much large some of money for catching virus writters or something?!

Re:I'll stick my neck out

[jesser]

TeX's bounty is for all bugs, not just security holes.

mozilla.org's bounty is more similar to djb's bounties for security holes in his server software, djbdns [cr.yp.to] and qmail [cr.yp.to]. The major differences between mozilla.org's bounty and djb's are that mozilla.org produces client software rather than server software, and we expect our bounty to be won (multiple times).

Re:I'll stick my neck out

[ajrs]

there is an interesting notion. When does an bug get grandfathered?

Re:I'll stick my neck out

[jandrese]

IMHO, the interface on the TeX parser (or whatever it is called) is a bug. The learning curve on the command line parser is astounding, and that's before you even consider setting up the Metafont stuff. TeX has a lot of nice features, but it is a nightmare for the casual user. Fortunatly these days casual users have OpenOffice and the like, but I still have chills from back in College where we had to mark up our papers in TeX (or pay for a copy of Word and Windows 3.0 down at the Campus Bookstore).

Re:I'll stick my neck out

[FooBarWidget]

"IF Microsoft did this, people would be singing from the halls that Microsoft has given in, or getting desperate."

So? It's their own fault that they've gotten a reputation that's so bad that people treat them differently.

Re:I'll stick my neck out

[juhaz]

Microsoft already does it. Only, being Microsoft, they do it backwards and pay for catching bad guys who exploit the bugs in their software, instead of paying for fixing them damn bugs.

Similar idea at Microsoft

[Locky]

Instead they have a $10 million dollar pool of rewards for the capture of people who exploit the bugs for malicious purposes.

I think the saying 'an ounce of prevention is worth a pound of cure' is applicable here.

Re:Similar idea at Microsoft

[hkmwbz]

The security hole is already there. How do you prevent it by paying people for finding it? Microsoft paid money to catch the virus author because he was doing massive damage. Why? Not because the security hole wasn't found (it was), but because people don't patch their systems.

I'm not usually one to stand up for Microsoft, but come on! What is it with you people who compare Microsoft's reward for catching virus authors and Mozilla's security bounty?

Security holes are found in IE all the time. So what's

Way to turn the tables on M$!

[Exmet Paff Daxx]

Micro$oft gives out millions of dollars to catch people who exploit bugs in their browser! Now Linux gives out cash directly to people who find the bugs, rewarding engineers instead of snitches. I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

Everyone failed my last Gmail invite challenge, and I'm up to three invites, so here's a new one: there are sixteen factual errors in this article [nytimes.com]. I'll give you one for free: Bush is not a downhiller! Spot them all for a Gmail invite.

-Exmet

Re:Way to turn the tables on M$!

[Short Circuit]

Now Linux gives out cash...

Be a little careful how you word things. This is specific to the Mozilla Foundation. It doesn't have anything to do with Linux. But it does look great from a leadership role.

Your sig

[KjetilK]

Hm, your sig indicates that you might be the first to collect the bounty, or does it mean something entirely different?

Re:Way to turn the tables on M$!

[rd_syringe]

1.) Using a dollar sign in the word Microsoft doesn't make you clever.
2.) Your sig has been proven false. Already, we've seen two critical security holes in the past month, one of which was known for five years but covered up and marked as "confidential."

Re:Way to turn the tables on M$!

[Tony-A]

I hope the major news outlets cover the huge difference in paradigm here- good cop instead of bad cop.

There's a huge difference in paradigm, but if the media does anything about it, it will be to bury it.

With the possible exception of some stuff by Knuth, everything has bugs, where possible inputs produce undesirable outputs.

Given that there are bugs, what's the better way to stumble into them?
Something nasty and hidden?
Something spectacular and harmless?

No, the media will be worse than useless. Since

A gentleman's agreement

[Anonymous Coward]

If you've ever won any money at a charity fund-raiser, you know the deal:

1) go up and accept your check
2) nod and smile alot
3) donate your check back to the charity

Is there a prayer people motivated by this bounty have the same modicum of class?

Mozilla Foundation not a charity

[0x0d0a]

The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it. All the people that want to donate time and are already finding security bugs can already do so.

Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

Oh, and I'm hoping that the MF won't run into problems with people trying to scam the system by introducing security problems and then "discovering" them.

Re:Mozilla Foundation not a charity

[Saeed al-Sahaf]

Speaking of which, $500 is probably a *lot* of money if you're working in certain countries.

Imagine the outsourcing possibilities...

Nitpick: charity

[fm6]

The Mozilla Foundation isn't a charity -- they got a donation, and are going to use it.

That's what a charity does -- people give them money, and they spend it in ways that are consistent with their charter.

Let me guess -- you associate the word "charity" with well-meaning handouts that mainly benefit people who have lots of lame excuses for not working. There are charities like that, but that's not what the word means.

The question is..

[xerox_rat]

This seems like it could become rather popular, after all people like money. Will the developers at mozilla all of a sudden find themselves with bugs that aren't?

Don't get me wrong I think this is a great idea, and as others have said it should really spur on the tightening of security for the browser.

Continuing the Netscape Legacy

[Anonymous Coward]

Until fairly recently, Netscape used to have a similar bug bounty program but they offered $1000. So it's really just a continuation of the legacy.

Get rich quick

[Anonymous Coward]

1. Submit buggy software to Mozilla project.

2. "Find" said bug.

3. Profit!

Why?

[slavemowgli]

Maybe it's just me, but I really am wondering why they're doing this. Mozilla is *full* of bugs already, many of them significant [mozilla.org] (albeit not security-related), that aren't fixed; and users that encounter security issues are likely to report them anyway, I think, no matter whether they get paid for it or not.

Re:Why?

[interJ]

1. Users don't accidentally run into buffer overflows (or many other security bug types). It's something you have to actively search for. The money is supposed to motivate more people to do this.

2. You may think that MNG support is more important than sites that can take over your computer or steal your credit card number. However, most people (including Mozilla developers) would disagree.

Re:Why?

[slavemowgli]

You may have to copy and paste it in that case - or manually search for bug #18574.

Re:Why?

[slavemowgli]

Think again (and read it all). It is a bug.

ARGHHHHHHHHHH~!!!!

[Ex Machina]

why did I submit those bugs in the past :(((

Quick $500

[Bill, Shooter of Bul]

I've found a serious flaw in Mozilla. It allows itself to run on Windows, an inherintly insecure platform.

good call

[Bill, Shooter of Bul]

Lame joke, i'll admit. I happen to be a lover of lame jokes. The ppropriate response to such a joke is not laughter, but collective groan from the audince. I guess you post counts.

Hopefully better than the old Netscape version

[Maestro4k]

IIRC, Netscape had a bug bounty of sorts and it was pretty much ignored. There was a lot of annoyance from people reporting bugs to see them either never fixed or fixed and no one given credit for the bounty. (This was all pre-AOL buying Netscape.) I know the Mozilla foundation's different, but there's a lot of people with long memories and they'll need to be prepared to show they're different in this aspect too.

Obligatory Dilbert

[AbbyNormal]

quote: "Alright! I'm coding me a mini-van!"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:We will probably never get to see them

[RadioheadKid]

It prevents bugzilla from becoming a handbook for script kiddies.

Funny

[rd_syringe]

That's the argument used by Microsoft to avoid announcing critical flaws before they're patched.

Re:We will probably never get to see them

[crafteh]

If the public doesn't know about them, they won't be able to take advantage of them. If it is a tough problem to solve, like the browser spoofing with xul, they can make the bug confidential until the public finds out about it or they solve it.

Re:We will probably never get to see them

[pavon]

You are correct.

Whats up with that mozilla?

It is a good idea. Mozilla is a very large codebase with a reletively small number of developers. Therefore they don't have the fast turn around time for fixing critcal bugs that other projects do. They are already fixing bugs as fast as they can get around to it. If you wan't this process to go faster join the development team.

Security through obscurity is not completely worthless - it does one thing and that is to buy you more time, and that is all this is

Re:We will probably never get to see them

[hiroko]

Some security through obscurity is a reasonable precaution here IMHO, as part of a wider security policy. Principally, it may protect people using the browser from the scriptkiddies which full disclosure might bring (as others have noted).

One of the main arguments for full disclosure is that, if a vendor isn't fixing a bug (in a reasonable period after you have notified them of it), you can force the issue by making it public.

If security by obscurity was the core of the security policy then I wouldn't b

Re:We will probably never get to see them

[HadMatter]

So what, you'd rather give the black hats every courtesy to help them come up with an exploit before the developers can come up with a fix?

Quoting from the Mozilla Security Bug Bounty FAQ [mozilla.org],

If I report the bug directly to you, do I have to keep the bug confidential and not publish information about it in order to receive a reward?

No. We're rewarding you for finding a bug, not trying to buy your silence. However if you report the bug through the standard Mozilla process and haven't already published

Re:We will probably never get to see them

[zsau]

Mozilla lives and breathes because Microsoft does exactly the same. People don't feel safe running Microsoft software, because they aren't told of security vulnerabilities. So why should we be using Mozilla software?

Recently, I have decided to boycott all Mozilla software. Instead of using Galeon, I'm now using Konqueror (but it doesn't seem to have nearly as good a UI). I'm currently using Evolution, but the distance between Moz Mail/Thunderbird and the UI of it's nearest competitor is a lot bigger than t

Re:We will probably never get to see them

[wfberg]

Ditto what the other respondants said. Security through obscurity is better than no security. It gives the coders a chance to fix the problem _right_, not just plug it with a blacklist or something. Once the problem is fixed (or after the next release after the fix), security bugs are opened up.

On the one hand, it prevents some blackhats from thinking "OMG! That's a pretty serious bug right there! I'm gonna write an exploit for it!".

On the other hand, no non-mozilla developer who happens to be looking

Known for five years

[rd_syringe]

Given the fact that that XUL bug was know for, what, a year,

It was known since 1999 but was marked as "confidential." Very disappointing. I'm not sure why there's not more outcry over this.

Mozilla was the big-news, major OSS project. As it gets bigger, it's exhibiting the very signs that people profess to hate about Microsoft. It's interesting to see the tables turned.

Re:We will probably never get to see them

[Saeed al-Sahaf]

It's just so funny to read people's comments here that as for Mozilla, "Security through obscurity" is better than nothing, yet down the line, hear them rake MS over the coals for the same thing.

If you *do* find a bug...

[Anonymous Coward]

...and get $500 for your effort, you may want to keep it (as opposed to donating it to charity or giving it back to the foundation, as others have suggested here) because you're going to need it when you get sued for your service to the community.

Thank you, DMCA and anything that protects big businesses which had their servers infect their customers' computers, but nobody got to know which businesses because they might lose money if their IT carelessness was made public.

This is just marketing spin...

[xxxJonBoyxxx]

The $500 bounty is just marketing spin. It's not as bad as the BS "crack the code" contests spun by snake oil cryptographers, but a low bounty like this isn't going to attract new white-hatters.

Think about it...this story will headline in tech rags (including this one) for free. Even if Mozilla pays out a couple bounties (say $3000), they get the message that "Mozilla is secure" out there fast and cheaply.

On the other hand, for most of us in the security community, $500 is maybe a half-day of work. So...there isn't a whole lot in terms of risk/reward if you are primarily motivated by money.

"Significant"

[Neutronix]

Perhaps I've been living too long on a cynic world...

But defining what is "Significant bug" will be extremely important, since this is not an unbiased concept, who will decide what is significant or not? Certainly it will not be who reports the bug, but it shouldn't be the one that pays the bill either.

Re:"Significant"

[SimplexO]

From the faq [mozilla.org]:

What types of security bugs do you consider to be "critical"?

In general we consider critical security bugs to be those that allow execution of arbitrary code on users' systems or that otherwise allow access to users' confidential information. In the latter case we consider bugs to be critical only if they potentially expose high-value personal information (e.g., passwords, credit card numbers, and the like); in the context of the bug bounty program we do not consider bugs to be critical if t

Many eyes?

[Yankovic]

What happened to the open source axiom "with many eyes, all bugs are shallow"? Shouldn't it render a program like this unnecessary?

Re:Many eyes?

[tiger99]

Yes and no, yes because with sufficient eyes, all bugs are indeed shallow, and no because probably not so many eyes bother to look at the Mozilla source, as the Linux kernel, for example. This encourages more eyes to look.

Ideology versus reality

[rd_syringe]

The truth is that the "many eyes" idea doesn't actually work. It's not like coders sit there all night poring through the code line by line. People miss things in the code just like a company's developers miss things in their code. The Linux kernel has had plenty of system-killing bugs in its time, and Mozilla has already had several major critical flaws. What's particularly disturbing is that the XUL flaw was known since 1999 but marked "confidential."

What we're witnessing is an OSS project struggling

Re:Many eyes?

[/dev/trash]

No.

It just makes sure the eyes stay opened and focused longer.

Lousy deal

[Animats]

Under the new program, users reporting critical security bugs - as judged by the Mozilla Foundation staff - will collect a $500 cash prize.

Unless applications are evaluated by some pro-consumer third party (something like Consumer's Union), it's not much of an offer. The proposed "bounty" gives the staff too much wiggle room.

Re:Lousy deal

[jesser]

I don't like the wording in the press release either. The Bug Bounty FAQ [mozilla.org] makes it more clear, but still leaves a lot of information out.

Bugs that will get the bounty:

* Arbitrary code execution without user interaction.
* Reading files with known names from the user's hard drive without user interaction.
* Reading cookies or stored passwords for other sites without user interaction.

For bugs that require some user interaction to exploit, human judgement is required, hence contest judges.

Bugs that will not

Mark Shuttleworth

[FleaPlus]

As a reminder, Mark Shuttleworth [wikipedia.org] is the Internet entrepreneur who was the second space tourist. It's really quite cool to see him taking an interest in helping Mozilla.

Woohoo!

[unsigned integer]

I'm going to write me a new minivan this afternoon!

Alright!

[Noose For A Neck]

It's only a matter of time before someone steals their confidential list of security bugs and cashes in big time.

Re:Let Me Get This Straight...

[tiger99]

Find two bugs and you will have $401 to spend on whatever you want, even after the Darl Tax. But if you do decide to pay the SCOundrel anything, you are a bigger moron than Dubya.