Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Szekeres Dani
Just read:

https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/




Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails.

The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement.



https://twitter.com/Zerodium/status/1012007051466162177

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Marko Cupać
On Sat, 30 Jun 2018 23:11:15 +0200
"Szekeres Dani" <[hidden email]> wrote:

> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux
> Zero-Days

Seen this comment on /.

http://dilbert.com/strip/1995-11-13

:D
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Reyk Floeter-2
In reply to this post by Szekeres Dani
Are you advertising this crap on our list?

I hope somebody steps up and donates $500,000 to the OpenBSD foundation instead.

> Am 30.06.2018 um 23:11 schrieb Szekeres Dani <[hidden email]>:
>
> Just read:
>
> https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/
>
>
>
>
> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days
>
> Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails.
>
> The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement.
>
>
>
> https://twitter.com/Zerodium/status/1012007051466162177
>

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Marko Cupać
On Wed, 4 Jul 2018 18:06:04 +0200
Reyk Floeter <[hidden email]> wrote:

> I hope somebody steps up and donates $500,000 to the OpenBSD
> foundation instead.

... while not requiring from OpenBSD to introduce Code od Conduct

:D

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Tom Smyth
Hello Marko /Sekeres

I dont mean to start a flame war as it is counterproductive but Idont fully
get what you mean / imply by

>.".. while not requiring from OpenBSD to introduce Code of Conduct"

I think to anyone who has been on the mailing list for a number of years
anyone who has read the project goals
it is clear what the projects goals are and one of the  most important
is increase security

users are not in anyway bound to a code of conduct. it is not in the license

based on technical discussions and safeguards and talks about risks bugs
and their mitigations

I don't think any one @openbsd.org would sell the project out

suffice to say that the anyone following the Selective Disclosure Controversies
would understand that the OpenBSD project is does not endorse them
or advocate them.

selling zeroday bugs to anyone and  deliberately withholding information from
the developers of the software
is probably the antithesis of what this project stands for.


Regards,

Tom Smyth




On 4 July 2018 at 18:23, Marko Cupać <[hidden email]> wrote:

> On Wed, 4 Jul 2018 18:06:04 +0200
> Reyk Floeter <[hidden email]> wrote:
>
>> I hope somebody steps up and donates $500,000 to the OpenBSD
>> foundation instead.
>
> ... while not requiring from OpenBSD to introduce Code od Conduct
>
> :D
>
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Marko Cupać
On Wed, 4 Jul 2018 19:02:56 +0100
Tom Smyth <[hidden email]> wrote:

> Hello Marko /Sekeres
>
> I dont mean to start a flame war as it is counterproductive but Idont
> fully get what you mean / imply by
>
> >.".. while not requiring from OpenBSD to introduce Code of Conduct"  

I'm just trolling around :)

At the same time I'm relatively long-time *BSD user, thankful to anyone
and everyone who is making them possible. Specially to OpenBSD who still
appears to stick to simple "Don't be an asshole" CoC, as opposed to
some who took the different path, probably partly as a result of
accepting large "generous" "contributions".

As The Smiths sang, "Some BSDs are bigger than the others".

Once again, I'm just trolling around, I hope noone takes my posts on
this topic seriously.
--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Tom Smyth
Ok sorry ididnt get it woops  ;)

On Wed 4 Jul 2018, 19:21 Marko Cupać, <[hidden email]> wrote:

> On Wed, 4 Jul 2018 19:02:56 +0100
> Tom Smyth <[hidden email]> wrote:
>
> > Hello Marko /Sekeres
> >
> > I dont mean to start a flame war as it is counterproductive but Idont
> > fully get what you mean / imply by
> >
> > >.".. while not requiring from OpenBSD to introduce Code of Conduct"
>
> I'm just trolling around :)
>
> At the same time I'm relatively long-time *BSD user, thankful to anyone
> and everyone who is making them possible. Specially to OpenBSD who still
> appears to stick to simple "Don't be an asshole" CoC, as opposed to
> some who took the different path, probably partly as a result of
> accepting large "generous" "contributions".
>
> As The Smiths sang, "Some BSDs are bigger than the others".
>
> Once again, I'm just trolling around, I hope noone takes my posts on
> this topic seriously.
> --
> Before enlightenment - chop wood, draw water.
> After  enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
>
>
Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Eric-2
In reply to this post by Reyk Floeter-2
On Wed, 4 Jul 2018 18:06:04 +0200
Reyk Floeter <[hidden email]> wrote:

> I hope somebody steps up and donates $500,000 to the OpenBSD foundation instead.

The solution is obvious.  If there are any bug fixes of sufficient importance, report the bug, collect the $500,000 for the foundation, and then fix it.

Eric

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Ingo Schwarze
Hi,

Eric wrote on Wed, Jul 04, 2018 at 01:55:17PM -0500:

> The solution is obvious.  If there are any bug fixes of sufficient
> importance, report the bug, collect the $500,000 for the foundation,
> and then fix it.

i can hardly believe this needs to be said, but given the lack of
any smiley, and given the presence of several purportedly "humorous"
postings in this thread:

Given that the very *purpose* of the company trying to buy these
exploits is to earn money from COVERTLY BREACHING THE PRIVACY OF
SOFTWARE USERS, i'm calling out that company, and any other company
with a similar business plan, as a particularly bad instance of
ORGANIZED CYBERCRIME according to any reasonable moral standard.
For example, i believe that this kind of criminal activity is
SUBSTANTIALLY WORSE than ordinary credit card fraud because such
companies put hundreds of millions of people at risk who do not
even learn that they were harmed, not even after the fact, whereas
with ordinary fraud, the victim at least knows about the completed
crime.  Besides, what this company does is life-threatening, whereas
credit card fraud only puts your money in danger.

So i'm adamant that anybody even remotely considering to do any kind
of business with such a company must be instantly expelled from any
kind of free software project.

Besides, you can't be so naive as to think that you will see any
money from such a criminal enterprise without signing an NDA to NOT
DISCLOSE THE VULNERABILITY TO THE SOFTWARE AUTHOR (or anyone else)?

Besides, even if you could retain the right to publish the vulnerability
you reported, it is an obvious requirement of basic ethics that you
report potentially dangerous bugs as soon as possible TO THE SOFTWARE
AUTHOR, in particular, before talking to anybody else about them,
and that you do not disclose the problem to third parties before
the vulnerability is fixed, unless the author fails to fix the
problem within reasonable time, typically a few days, sometimes
maybe a few weeks.

So the order of actions you are proposing is close to criminal as well.


Now, can we please stop this thread?

Even joking about these matters is hardly funny because it implies
an insinuation that there might be anybody involved in OpenBSD who
might remotely consider doing business with such criminal organizations,
or that there might be any bribable or corrupt people in the vicinity
of the project.  Such insinuations are not funny.


The question how such criminal organizations could be abolished
might be considered politically interesting by some, but even that
question is totally off-topic on misc@.  It is simply and plainly
unrelated to OpenBSD.

The only on-topic aspect is the fact that state agencies exist that
actively and systematically attempt to compromise the security of
any kind of software, including free software, including OpenBSD.
But that is not news.

Reply | Threaded
Open this post in threaded view
|

Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

Eric-2
On Wed, 4 Jul 2018 23:11:35 +0200
Ingo Schwarze <[hidden email]> wrote:

> Hi,
>
> Eric wrote on Wed, Jul 04, 2018 at 01:55:17PM -0500:
>
> > The solution is obvious.  If there are any bug fixes of sufficient
> > importance, report the bug, collect the $500,000 for the foundation,
> > and then fix it.
>
> i can hardly believe this needs to be said, but given the lack of
> any smiley, and given the presence of several purportedly "humorous"
> postings in this thread:

It was only meant to be humorous, nothing more.  That obviously failed.