Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Interesting how Java was pwned thee times in spite of the lowest reward.


Everyone is sitting on a java 0day now. They have lost a lot of value in the market since there is literally as much supply as demand. I keep reading CVEs waiting for the one I have to be discovered by someone.


I have a friend who tells me that good (windows) zero days, with remote execution, are worth about $50K on the market that transacts these things, with a contract to increase that value if their is no open disclosure. I.E. If your zero day remains a zero day for another six months, there is an opportunity to see further reward.

I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

I also don't understand why people give good zero days away for free, if is really the case that there is a market in these types of properties. Anybody have actual insight into this?


Maybe because they don't want people's computers to be abused by people with lots of cash to spare? One can only assume they're getting more than $50k worth of value from the zero day, so something pretty dodgy must be going on


>I've always wondered if it's intelligence agencies, criminal organizations, police organizations, or commercial endeavors that sell services to those three bodies that are paying that kind of money for zero days.

According to this article: 3rd party middlemen, small security firms and large defense contractors are the ones paying for 0-days. There's also has a nice price list for Chrome, IOS, etc.

http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...


$50k sounds like a lot, but if you can weather the current storm of every firm and researcher digging into Java and finding all the low hanging fruit, it could be worth $300k+ when nobody else has an undisclosed Java vulnerability.

Usually the way it works is 6 monthly payments, so you get a wire for $8,500 every month that it is not disclosed.


people have ethics.


They also have to eat.


You're assuming that they have to make their living 'hacking'. If instead they have an oil well in the back yard providing a steady paycheck (I live in Texas, and know people just like this), they have plenty time for non-profit endeavors.


"I also don't understand why people give good zero days away for free..."

Quite some hackers are a really special (in a good way) kind of people who are in it only for the intellectual challenge.

Now food for thoughts:

Rudyard Kipling once warned students against an over-concern for money, position or glory, he said: “Some day you will meet a man who cares for none of these things. Then you will know how poor you are..."


Why sit on it? Why not disclose it and have it be your name on that CVE, and not someone else?


a cve is not worth that much. (nothing?)


Maybe not as cash. But on a resume?


I get the impression that dsl is a pretty successful person IRL already.


All the more reason to disclose the 0day.

If not for money or recognition, just plain simply for the users.


We've seen Java bugs in the news lately for use in co-ordinated attacks against large companies.

A nameless firm (not the one I'm working with now) that happens to be one of Europes largest banks has insainly locked down versions windows, everything disabled, some custom thing that has hooked NT kernel functiosn to check which image is being loaded to be executed.

And then it has Java. A very old, un-patched version running a vendor risk system (yes it is that french one your thinking of).

This means that despite the frankly anoying parinoid security there, you can pwn any of the machines easily. As we see more targeted attacking, remember that Java is heavily used by a lot of rich, often inept due to size, firms.


IIRC, the instances in the news were attacks on the Java applet, not necessarily the runtime. Even if it was against the runtime, without the applet, it would have to be a trojan.


The federal government agency i deal with has similarly locked down computers but, as you say, java, old versions of browsers, and many unsigned applets.


Do these "insanely locked down" Windows have a browser and does that browser enable Java applets?

The 0-days affecting Java lately have all been using Java applets and drive-by exploits. I'm not saying it's not pathetic and lame for Java's security track records but it's not either as if your company was vulnerable to remote exploits in the case Java applets are not allowed in browsers.

I'm running Java webapp servers and I've been really pissed off that I needed to patch to remote Denial of Service exploits (the hashmap / URL query parameters degenerating to O(n) instead of O(1) SNAFU and the "endless loop" while parsing a certain floating-point number) in late 2011 / early 2012 IIRC but basically that's it.

The JVM is still incredibly secure on the server side (and can be installed on Unx systems in a user account, without needing to be root -- meaning that you can then lock down like mad that user account and have an even more secure setup).

Now to be honest if your company was truly paranoid they wouldn't be using old version of Windows with in-house brittle hacks supposedly bringing "more security".

I know that all too well (at Dexxia for example): some people somewhere decide on a shitty technology (Dexxia was at one point using shitty Java applets to allow clients to do online banking) and then says "We're going to have the most secure system ever".

So these guys think* they're paranoid but they're using: a) Windows and b) Java applets.

And at this point you have to wonder if you should laugh or cry at their definition of "paranoid".

People really paranoid about security ain't letting Windows in (unless they like NSA backdoors and consider patch-tuesday to be a reliable way to execute) and ain't letting Java applets in.


Guess how they distrabute the Java application.

However I really don't want to go too far into a former clients site details, just to say it was a laughably big gaping hole, that is really quite common in a lot of large enterprises. It was also completely seperate from my domain there)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: