
What Would You Do In This Situation?

Discussion in 'BlackHat Lounge' started by Elliot305, Feb 18, 2014.

  1. Elliot305

    Elliot305 Jr. VIP Jr. VIP

    Joined:
    Jul 21, 2010
    Messages:
    511
    Likes Received:
    1,338
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    I've had some situations arise throughout the years and am wondering what people here in BHW would do. So without going into detail on each situation I've been in, I'll simply pose a question to you in a broad sense. My forte is exploiting online advertising systems/platforms. As I continue to find and successfully exploit new things, I grow a stronger belief in myself and abilities...so much so that I've actually considered offering my consulting services to these companies in order for them to "patch up" the weaknesses I've found.

    So here is my question:

    Would you NOT take advantage of a weakness you found in a system and instead, contact the company and submit a proposition to where they pay you a consulting fee in exchange for your services/expertise?

    If you answered, Yes, you wouldn't take advantage and would try to work something out with the company directly, here is my next question: How about if you knew the exploit would make you a ton of cash very quickly and carried little to no risk?

    So if you had these two options laying on a table, what would you do?:

    Option 1: NOT exploiting it and offering your services to the company and maybe getting below $10k for your fee. (That's if they believe you in the first place, think your consultation will help them, and think a fee is justifiable for the info.)

    Option 2: Go dark, take full advantage of it until it gets patched and make a lot of money with it ($100k+). Risks are only civil in nature but being that you went dark they wouldn't find you anyway.

    Each time I come up against this scenario I never can justify going to the company because, frankly, it just isn't profitable enough for me to do so. I do however, envision myself becoming some sort of risk management consultant in the future and putting my skills to use in that capacity. But I really don't know how a company would put a value on something like that. It's weird because I almost needed to do Option 2 for years like I have to give me the experience and ego for me to even consider doing Option 1.

    So what would you guys do in this type of situation?
     
    Last edited by a moderator: Jun 18, 2014
  2. ice_jay2000

    ice_jay2000 Registered Member

    Joined:
    Apr 12, 2013
    Messages:
    88
    Likes Received:
    24
    Occupation:
    Full time money maker
    Location:
    Vancouver
    Take advantage of it and bank!
     
  3. Stoner

    Stoner Junior Member

    Joined:
    Feb 4, 2014
    Messages:
    115
    Likes Received:
    27
    I'd take advantage of it to an extent then let them know after I'm satisfied with my earnings.
     
  4. abhi007

    abhi007 Jr. VIP Jr. VIP

    Joined:
    Aug 31, 2010
    Messages:
    5,305
    Likes Received:
    3,741
    Location:
    snip.li/TubH
    I have been through your methods and all I can say is wow, you have exploited some really cool ways of making money so why not bank off them and once we know it's of no use just move on....
     
  5. bullsbears

    bullsbears Regular Member

    Joined:
    Feb 17, 2014
    Messages:
    477
    Likes Received:
    128
    Occupation:
    Derivatives Trader
    Location:
    Wall Street
    Being opportunist & making full use of it looks better.
     
  6. Elliot305

    Elliot305 Jr. VIP Jr. VIP

    I doubt they would take kindly to the fact if I exploited them and then tried to consult for them. I would have to just find the weakness and not exploit it if I wanted to offer my services, etc...
     
  7. Pipewrench

    Pipewrench Newbie

    Joined:
    Jan 15, 2014
    Messages:
    10
    Likes Received:
    2
    Occupation:
    Web Design, Programmer
    Location:
    Calgary, Alberta
    Capitalism and Competition shouts this quote:

    "In fact, to gull a fool seems to me an exploit worthy of a witty man."
    Giacomo Casanova
     
  8. Laughing-Man

    Laughing-Man Regular Member

    Joined:
    Jan 30, 2012
    Messages:
    317
    Likes Received:
    122
    Gender:
    Male
    Raise your price and make them know how serious the exploit is. I mean, if you can make that much money with the exploit, I think they would value patching it more.
     
  9. Dagreyon

    Dagreyon Jr. VIP Jr. VIP

    Joined:
    Dec 1, 2011
    Messages:
    1,688
    Likes Received:
    1,276
    Location:
    Missouri
    This is black hat world. Go dark imo... ;)
     
  10. Web Echo

    Web Echo Regular Member

    Joined:
    Apr 5, 2012
    Messages:
    328
    Likes Received:
    125
    Location:
    Online
    If option 2 is illegal that may put you behind bars then ONLY go with option 1. Else always go with option 2.

    Watch 'Catch Me If You Can' movie. You may enjoy it!
     
  11. ArtVandelay

    ArtVandelay Power Member

    Joined:
    Jan 15, 2013
    Messages:
    568
    Likes Received:
    392
    Sounds like your question is just an overstated "should I make $2k or $100k?"

    If you have enough avenues to work with, I say do both. Find the more profitable ones and abuse them until they're dry, and relegate the less profitable ones to resume stuffing material (assuming that's what you're going for when you say you want to eventually get into risk management consultancy).
     
  12. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,148
    Grow the balls and go for #2 - and don't forget to send me my consulting fee.
     
  13. lancis

    lancis Elite Member

    Joined:
    Jul 31, 2010
    Messages:
    1,632
    Likes Received:
    2,384
    Occupation:
    Entrepreneur
    Location:
    Milky Way
    Why not do both?

    The 1st will give you the reputation you're looking for, the 2nd will fill your pockets. For example:

    Alter ego 1 - has a website that publicly lists every new exploit out there for companies A, B, C. First free of charge, thus forcing companies to act fast, because the information becomes available to a large group of people, who can then exploit them. Next, as a consultant, posting the exploit only after it has been already fixed.

    Alter ego 2 - banks on companies D, E, F.
     
  14. tony andrew

    tony andrew Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 19, 2012
    Messages:
    884
    Likes Received:
    69
    Gender:
    Male
    Occupation:
    Web Media Strategist, Entrepreneur
    Location:
    Near to success
  15. Bestindabiz

    Bestindabiz Regular Member

    Joined:
    Dec 29, 2012
    Messages:
    348
    Likes Received:
    142
    Gender:
    Male
    Occupation:
    I have many
    Location:
    United States
    I think you're focusing on this way too hard, seems like you've found an excellent money maker, don't overthink things to the point you paralyze yourself.
     
    Last edited: Feb 18, 2014
  16. t5o1m

    t5o1m Jr. VIP Jr. VIP

    Joined:
    Apr 16, 2012
    Messages:
    288
    Likes Received:
    116
    Occupation:
    social media marketing websites
    Location:
    USA
    I have good friends who do both options and have told me in detail about them.

    My friend who tells the company the methods usually makes 5-10k per exploit.

    My friend who exploits it like crazy became a millionaire this past year making over 600k alone from exploiting methods.

    Obviously my 2nd friend probably is at more risk, but hey there's a whole lotta money to be made!
     
  17. bk071

    bk071 Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Nov 24, 2010
    Messages:
    3,105
    Likes Received:
    7,917
    Occupation:
    I don't have a job
    Location:
    .............
    #2 for sure. Who says no to money?
     
  18. MasterMillionaire

    MasterMillionaire Junior Member

    Joined:
    Jun 23, 2013
    Messages:
    118
    Likes Received:
    52
    $100k vs 2k (MAYBE) I think there is no question
     
  19. cryptopsy

    cryptopsy Registered Member

    Joined:
    Jan 25, 2013
    Messages:
    81
    Likes Received:
    26
    Definitely option #2. My reputation can go to hell.
     
  20. akacash

    akacash Jr. VIP Jr. VIP

    Joined:
    Jan 16, 2010
    Messages:
    806
    Likes Received:
    575
    Location:
    The Beach, USA
    I've often wrestled with this myself. I've hammered certain sites and networks in ways I'm sure they would've rather avoided, but as you said, at what cost? I might've made $25k-$50k from that method, and the company certainly wasn't going to pay that to me. What I was thinking about doing, although it's a bit of a risk as well, is keeping some sort of notes on my expeditions. It could be a bad idea as you'd essentially be incriminating yourself with the "diary", but there's a point to it. If you were serious about becoming a consultant of sorts, the money wouldn't be made from 1 company alone, but rather by working with numerous companies. What I would do is look at charging a consulting fee to analyze a company's setup, and then go from there if action is needed.

    Your diary then becomes your portfolio of sorts. I'm going to try and tiptoe around this, but here's an example. About a year ago, I rocked one of the biggest sites/networks on the net so hard they had to temp disable certain portions of their network. It wasn't anything that I could face any real legal issues from, but as in your case mentioned above, I could be held civilly liable I'm sure. I have at times revealed this and other exploits to prospective business partners where I felt it was warranted to show them I'm not just Joe Blow talking out of his ass. Because I can point to plenty of articles that detail what happened, and then show them the screen shots of things in action, it's a lot easier for them to see I know what I'm doing.

    The reason I bring this up is you could do something similar but in a more public fashion. You continue right now just taking a wrecking ball to methods, build your "portfolio" then after a few years you compile all of your exploits into a very vague advertising campaign in which you introduce yourself as a "new" and "special" type of security consultant. There's a lot of ways to go about it from there, and I'm sure you're the last one I would need to try and explain that to, but if it were me I'd continue on the path you are now until you're comfortable with taking a little time off and setting yourself up. The reason I say to advertise yourself is, as I mentioned before you might not get the huge payout for closing a single door for them, but it will add to your reputation, and help build credibility. The goal would be to manage a number of different companies. Then you can either charge a 1-time fee, or a monthly "monitoring" fee.

    Sorry, sometimes I get to rambling in these things and can't stop myself. To sum it all up though, I very much understand and think about the same thing, often. Have a great day, and happy hunting ;)
     