Google Offers $1 Million For Chrome Exploits
PatPending writes with news that Google will be offering up to $1 million for the discovery of new exploits in their Chrome browser. This comes as part of the CanSecWest security conference, and the rewards will be broken down into categories: $60,000 for an exploit using only Chrome bugs, $40,000 for an exploit using a Chrome bug in conjunction with other bugs, and $20,000 for exploits that affect Chrome (and other browsers) but are due to bugs in other software, like Flash, Windows, or drivers. Google had originally planned to offer rewards through the Pwn2Own competition, but they were concerned by the contest rules: "Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors. Full exploits have been handed over in previous years, but it’s an explicit non-requirement in this year’s contest, and that’s worrisome. ... We guarantee to send non-Chrome bugs to the appropriate vendor immediately."
What Google doesn't like, it replaces... (Score:5, Insightful)
GOOG is pretty smart when it comes to these things. If there's a solution out there that has a problem with its TOS, it simply rewrites the TOS to its liking and launches a competitor. This is Pwn2Own's loss and Google's gain. Bug finders now still get paid, but those who don't reveal everything Google wants do not.
Re:What Google doesn't like, it replaces... (Score:5, Insightful)
Bug finders now still get paid, but those who don't reveal everything Google wants do not.
True, and I don't think they are unreasonable to demand the full exploit when they are paying for it. I don't necessarily always agree with Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
Re: (Score:3)
Never could fathom the approach they took though,
They released Vista, plugging years' worth of holes, and were promptly tarred and feathered for it.
(Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security)
Re: (Score:3)
Never could fathom the approach they took though,
They released Vista, plugging years' worth of holes, and were promptly tarred and feathered for it.
(Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security)
What I was alluding to was Microsoft's attempt to have people who identified security holes in Windows reported to the Department of Homeland Security as potential threats to national security, because as anyone knows, if you're looking for those kinds of things, you're a security risk because everyone runs everything on Windows.
Re: (Score:1)
Actually, if you have an actual working relationship with Microsoft they dutifully review any reported security flaw. What they get mad at is when you release those flaws to the wild under the claim of open disclosure. Basically, if you tell Microsoft of a security flaw they look into it. If you tell the world they get pissed.
Re: (Score:1)
You need to research this and then come back. The issue revolves around responsible disclosure. There are numerous cases of Microsoft refusing to fix a bug for years, sitting on it until the researcher gets frustrated and releases it to the public. Microsoft then tries to ruin the researcher's life in the name of "responsible disclosure."
Microsoft doesn't seem to understand that the definition of responsible disclosure includes giving the vendor a reasonable amount of time before releasing. They believe tha
Re:What Google doesn't like, it replaces... (Score:5, Insightful)
Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
Re:What Google doesn't like, it replaces... (Score:4, Funny)
Yes, Vista did have honest to goodness suckage, but most of the complaints centered around the fact that they actually fixed their security
Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
Unless it's a flying car, which would be cool.
Unless the flying car had bugs in the code which made it able to fly, which would be uncool.
But reporting these bugs for money, so you could buy another flying car would be cool.
i see a vicious cycle developing
Re: (Score:1)
Removing all of the wheels makes a car much more secure. It just makes for a shitty car.
Unless it's a flying car, which would be cool.
Until you need to land it, then the lack of wheels would suck, and everyone would laugh at you when you talked about your wheel-less "flying car".
Re: (Score:2)
So, weld boats where the wheels should be!
Re: (Score:2)
My helicopter seems to fly just fine without wheels. Just sayin'
Re: (Score:1)
I can't see how there could not be a possible downside. [dilbert.com] Note to employers, do not hire anyone with the ethics (including work ethic) of Wally.
Re: (Score:2)
But of course when it's implemented in Linux as sudo / su / gksudo, and in Mac (whatever it's called), it's not "removing the wheels", it's called "principle of least privilege".
I see, that seems terribly fair and balanced.
Re: (Score:2)
They didn't fix it, they improved it... There are still all manner of security weaknesses
Re: (Score:2)
...in all operating systems, yes, there are.
Re: (Score:2)
Some more so than others...
There are still huge amounts of legacy cruft and dirty workarounds and huge insecurities due to bad design; just because they removed some doesn't mean it's now "fixed".
Re: (Score:2)
Apparently you moonlight as an OS architect.
Do tell, what are these "huge insecurities due to bad design" in Windows NT 6.x? What are these dirty workarounds in Win7? What legacy cruft is there in Win7 x64?
I would love to hear this.
Re: (Score:2)
Network protocols which allow authentication using password hashes...
Said hashes using a weak, non-salted algorithm (not that you need to bother cracking them due to the above)...
Excessively complex network services, want to enable file sharing? You've now opened up a service port which does a lot more than file sharing... This makes it much harder to quantify the risks involved of having a particular service open, and makes it much harder to write sensible firewall rules.
The many libraries which retain mult
Re: (Score:2)
Excessively complex network services, want to enable file sharing? You've now opened up a service port which does a lot more than file sharing...
SSH can be used for a heck of a lot more than secure shell (tunneling, file transfer, etc), but that doesn't mean it's "hard to quantify the risks".
Sure there is much less of this in the 64-bit libs, but you also have all the 32-bit compatibility libs present on your system and I'm not aware of any way to uninstall them - hence more cruft since you can't have a pure 64-bit system.
API and x86 vs x64 issues don't magically go away because you use Linux instead of Windows. Different systems have different levels of "difficulty" when dealing with mismatches between installed libraries and expected libraries.
Fair enough if you want to call it "legacy cruft", it just occurs to me that its not a terribly helpful term: being able to deal with mul
Re: (Score:2)
You've not addressed the issues of the hashing algorithms, does this mean you accept these design flaws?
SSH can indeed be used for many things, however... What ssh really does is give you interactive shell access, the fact that you can do additional things with it is down to the inherent flexibility of being able to pipe arbitrary data over a TTY... It's more analogous to remote desktop, in that you'd only provide access to administrative users or those who you intended to have interactive access.
The protoc
Re: (Score:2)
The hashes should be salted, but I'm not sure what to make of the accusation that the network protocols send hashes for authentication. What would you rather have them send? The plaintext password?
Regardless, AD login uses Kerberos AFAIK.
Again, no excuse for not using a salt, I'm not really clear why they don't do that.
32/64 issues - on Linux you can choose between a 32, hybrid 32/64 or pure 64-bit system as your needs dictate; with Windows it's necessary to have the 32-bit libraries present whether you intend to use them or not, which makes it cruft.
I believe you can remove WindowsOnWindows if you don't need 32-bit compatibility on the server. That may only be for the upcoming version, I cannot find the reference at the moment.
"File and Registry Virtualization" is a lot more than symlinks, it is more of an overlay filesystem more similar to unionfs if you're familiar with that.
Ive heard t
Re: (Score:2)
The hashes should be salted, but I'm not sure what to make of the accusation that the network protocols send hashes for authentication. What would you rather have them send? The plaintext password?
The plaintext password, when sent over an appropriately encrypted channel would actually be a much better option for a number of reasons.
By allowing the hash to be used, it effectively becomes the plaintext as you can use it for authentication, the actual plaintext becomes irrelevant since you never actually need it. Google for "pass the hash".
If you acquire the hash database, then you now have _ALL_ the (plaintext equivalent) hashes ready for immediate use... Also in such a scheme every client has to imple
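A toy model of the two designs argued about above, added here as an example (not code from any poster and not a real protocol): one verifier accepts the stored password hash itself as the credential, the other accepts only the password and recomputes a per-user salted digest. The user names, passwords and function names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample users; both share a password to show what salting changes.
USERS = {"alice": b"correct horse", "bob": b"correct horse"}

def digest(password: bytes, salt: bytes = b"") -> bytes:
    """Toy hash; a real system would use a slow KDF such as scrypt or Argon2."""
    return hashlib.sha256(salt + password).digest()

def build_unsalted_db(users: dict) -> dict:
    """Design A store: user -> H(password). Equal passwords give equal entries."""
    return {user: digest(pw) for user, pw in users.items()}

def build_salted_db(users: dict) -> dict:
    """Design B store: user -> (salt, H(salt || password)), fresh salt per user."""
    db = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt, digest(pw, salt))
    return db

def auth_by_hash(db: dict, user: str, credential: bytes) -> bool:
    """Design A: the client proves it holds H(password); the server compares
    directly, so whatever sits in the store is itself a usable credential."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, credential)

def auth_by_password(db: dict, user: str, password: bytes) -> bool:
    """Design B: the client sends the password over an encrypted channel and the
    server recomputes the salted digest; the stored value alone is not accepted."""
    entry = db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, digest(password, salt))

def stored_value_logs_in(design: str, db: dict, user: str) -> bool:
    """Hand each verifier nothing but its own at-rest record for `user`
    and report whether that record alone authenticates (the page's point)."""
    if design == "hash":
        return auth_by_hash(db, user, db[user])
    _, stored = db[user]
    return auth_by_password(db, user, stored)

if __name__ == "__main__":
    a, b = build_unsalted_db(USERS), build_salted_db(USERS)
    print("unsalted entries collide:", a["alice"] == a["bob"])
    print("design A record suffices:", stored_value_logs_in("hash", a, "alice"))
    print("design B record suffices:", stored_value_logs_in("password", b, "alice"))
```

With design A a leaked store is immediately usable against every account, which is the "plaintext equivalent" property the thread describes; with design B a leaked store still has to be cracked per user.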
Re: (Score:2)
To the government, everyone is a terrorist.
Re:What Google doesn't like, it replaces... (Score:5, Interesting)
>> Google's approach but I think it's good that they man up and pay for the bugs. I wish more companies would do that.
Most companies cannot afford it because the market dictates that a majority of users prefer to buy software with bugs if they can get the software for less. I think the rationale of most users is that the company will eventually patch the software so why pay more when eventually it will cost the same in the end (although we know how this turns out).
That's the remarkable way of modern rationalizing - A few bugs can't hurt. Dang. When I came up through school you wrote code which accounted for every exception - yes, it was time consuming, but you got exception messages which helped tidy your code, rather than, "Gee. I dunno why it did that. Probably won't do that again. Just one of those things", which I'm shocked to see management adopt as an attitude towards software.
Re: (Score:3)
No, it's about the cost of the bugs vs the cost of fixing the bugs. Suppose that a smartphone costs $400 in its current state. It has a few bugs here and there, not always noticeable, and when they show up they're annoying, but in general the device works fine. Now suppose that fixing those bugs and preventing new bugs from occurring costs the company $700 million in additional developer expenses (training, hiring ever better developers, improving Q&A) etc which causes the price of the device to jump to
Re:remarkable way of modern rationalizing (Score:2)
"Responder's" post below has half the answer, but I'm replying to you.
A new wrinkle is that computing is getting so complex that "general users" don't even understand existing features and designs, let alone bugs. So that "a few bugs" blends in with "I never understood computers anyway".
So yes, with that $700,000,000 savings in fixing bugs, an Executive with a good poker face at $100,000 a year is priceless - he just deflects it all and the "troublesome users" go away. It leaves Help Desks to find slightly
Re: (Score:2)
Just because you catch every exception doesn't prevent the software from spectacularly failing to perform as desired. The code has bugs that aren't exceptions (and if you think you can prevent that with tests, the tests have bugs), the specifications have "bugs", the design has "bugs", hell even the functional requirements have "bugs". In school you pretty much have end-to-end transparency, your code does everything start to finish and the requirements are as given by the professor.
For example, say you desi
Re: (Score:2)
When I came up through school you wrote code which accounted for every exception
Well, in the business world they could be paying you to code for EVERY exception. Or they could pay you to code for the ones that come up most often and have you add 3 more features. Or, they could pay you to only code for the ones that come up most often and then have you spend the time you saved doing the work that the guy next to you used to do before they canned him.
If you're telling me that if I write buggy software I could end up like Microsoft, then I'm going to get out there and start writing bugg
Re: (Score:2)
I don't think any of the bugs used for exploits throws an exception. Catching all exceptions isn't too hard: put a catch-all at the end of the code or so, whatever. Throwing an exception is an intended part of normal execution, while exploits revolve around unintended behaviour of software.
Bug finders don't reveal everything? (Score:1)
If you're paying people to find bugs then why would you pay them not to reveal the full exploit? It kinda defeats the whole purpose of the exercise.
The question is, do you fell lucky? (Score:2)
Do ya punk?
So you found a gap in Chrome, which you could do awful, mean, nasty, devious, despicable, evil, stinky, bad things with. You could turn it in for a stack of cash now ... or you could try your luck exploiting it for profit, your won island fortress and dozens of minions.
So do you turn it in or not?
How lucky do you feel?
Re: (Score:1)
how lucky do you feel?
do you feel lucky?
ftfy.
Re: (Score:2)
how lucky do you feel?
do you feel lucky?
ftfy.
(same goes for 'won' where it should have been 'own') I blame my Chrome spell checker which is making me spell correct, but utterly wrong words.
I wonder if there's any money in revealing that?
Re:The question is, do you fell lucky? (Score:5, Insightful)
It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.
Re: (Score:2)
It definitely makes it an easy decision for anyone not already in contact with organized crime, anyway. If you don't already know who to talk to, the odds that you can find someone to pay you money substantially topping $20-60k for an exploit without it being a cop or a fraudster are pretty low. You might find some random local spammer to pay you a few $k, but the people who would pay you $100k+ for an exploit aren't just hanging around everywhere.
Probably have their own team of employees, R & D department of sorts.
Re:The question is, do you fell lucky? (Score:5, Interesting)
Well, say you're a crackin' smart 17 year old Russian programmer, stuck in a small town in the Urals. Now, for some money on the side you've written some parts of a botnet and you're pulling a steady check from that - $200 a month or so. Enough to buy a new offbrand motorcycle and make the internet connection pay for itself. You have no formal education and no way to attend university in Moscow or globally.
You've found a major exploit. You could sell it to your boss, who might give you $5,000 and additional work for another eight months -- OR -- you could sell it to Google for $10,000 and suddenly you have a major bullet point on your resume where you can go work for a legitimate security firm in a city somewhere. You've just gotten double what you could ever hope to make in the black trade, and a major leg up on getting out of the backwater shithole you grew up in. If you work in computers, most anyone would kill to have their name mentioned in the same breath as Google, especially when talking about money and collaboration. It's nice to walk in to an interview and say "yeah, I did some work for Google, did you search my name already?".
Re: (Score:2)
Actually I think if that exploit is so major then the black market is where you can get the bigger bucks (if only because they compete against Google, and want you to sell it to them, instead of disclosing it to Google).
Rest of your argument I agree with. Selling the information to Google is still profitable in the long run.
Re:Return On Investment (Score:5, Funny)
Probably, but full disclosure of vulnerabilities has a substantially lower chance of leading to you getting repeatedly anally raped. I can't put an exact dollar amount on what that's worth, but it's pretty damn high.
Re: (Score:3)
...why? Are you selling it?
Seems like it could be a useful tool for analysis. But when the conclusion of the author selling the thing states themselves the following...
PVS-Studio was defeated. Chromium's source code is one of the best we have ever analyzed. We have found almost nothing in Chromium. To be more exact, we have found a lot of errors and this article demonstrates only a few of them. But if we keep in mind that all these errors are spread throughout the source code with the size of 460 Mbytes, i
Re: (Score:2)
[citation needed]
What? No Pwn2Own? (Score:2)