| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: simon at snosoft.com (ATD) Subject: it's all about timing Hey bro, Jump on irc.homelien.no #snosoft ;o) On Mon, 2002-08-05 at 15:34, KF wrote: > nicely spoken > -KF > > ----- Original Message ----- > From: "Evrim ULU" <evrim@...e.gen.tr> > To: <full-disclosure@...ts.netsys.com> > Sent: Friday, August 02, 2002 5:19 AM > Subject: Re: [Full-Disclosure] it's all about timing > > > > Hi, > > > > I really don't understand why we'r discussing RFPolicy. It's not the > > main subject of HP/Snosoft DMCA topic. Here is why: > > > > My knowledge says that there are two major things in engineering: Laws & > > Ethical Issues. > > > > First of all observe the following case: > > > > - Assume that a window of a grocery is broken. > > - Anyone can get something inside without paying at midnight since there > > is no glass over there. Normally one would call the police and say to > > police that the window is broken and ask for taking precaution otherwise > > somebody may take all the banana's and run away. > > - Laws says that: u'r guilty if u steal something. > > - Laws also says that : u'r not guilty if u don't call police after > > realizing that window is broken. > > > > Let's look what ethic says: > > > > - U'r not ethical if u steal something. > > - U'r not ethical if u don't call the police. > > > > See? The second line is not ethical but legal. > > > > In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues. > > We must consider these ethical issues later like RFPolicy because HP > > already sued SnoSoft according to laws not ethics. > > > > Here is my thoughts about the topic: > > > > There are no laws that states "If it is done at 7 oclock it is legal and > > if u do it on 11 o'clock u'll be punished with a ten thousand years in > > prison." > > > > This law can't be applied to the real world sorry. We can't prove that > > we've already talked with hp at 7 oclock, they didn't answered until 11 > > clock so I published the exploit code. Unless all vendors are > > govermental no legal proof can be stated to court about these > > conversations between Vendors and Hackers. Remember they'v got lots of > > bucks to give advocates. We'r alone. > > > > I propose two ways to get around: > > > > i. Publish zero-day exploits. Forget about vendor. Since hacking is > > illegal, assume police will catch the hacker since he/she's doing > > illegal. This is why there are cybercops am I right? Nobody can be > > punished if he/she didn't call police in case of a broken window. > > ii. Hackers are unallowed to publish any exploits. They just can send > > the exploit code/bug report to vendor. Vendor publishes proof of > > concept code to public with the fix when available if they want of > > course. I think, DMCA will grant this since Vendor's hold the copyright > > about the product. Also, we know that no vendor wants to publish that > > their product is insecure. > > > > Another topic that i want to discuss is i'm living in Turkiye and here > > we don't have any DMCA super duper laws. We have a simple copyright law > > which do not include DMCA. Who's gonna stop me publishing 0 day > > exploits? Obviously No-One. Right? USA may cancel Turkiye's connection > > to USA but i don't think that this is impossible for now. Also, they may > > prevent me entering the US frontiers but i really don't care about it. > > > > As a result, only US programmers will suffer from this law not me. They > > are going to think it twice before publishing anything. This is of > > course unfair. US goverment just makes their own programmers suffer from > > this law by saying "We are protecting the vendors". They are just > > missing the statement that "Hackers make their product more secure-more > > reliable". I think that they are assuming every vendor has enough > > skilled "Hacker" employee to check their products. Heh:-)) As Kurt > > said, they don't have. > > > > In the future, i think, only vendors can publish such exploits, fixes > > and proof of concepts in USA. Hackers gonna just take small credit at > > the end of the message. For the rest of the world, game is not over and > > ppl will continue to publish exploits. Besides, Vendor's will make money > > using the works of hackers. This is what we call capitalism in fact and > > it is coming over us again. Beware:-)) > > > > PS: Heh maybe we should buy a small island and found our "Country of > > Secure Systems" and publish exploits from there. Any island suggestions? > > > > King regards, > > -- > > Evrim ULU > > evrim@...y.com.tr / evrim@...e.gen.tr > > sysadm > > http://www.core.gen.tr > > > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Full-Disclosure@...ts.netsys.com > > http://lists.netsys.com/mailman/listinfo/full-disclosure > > > _______________________________________________ > Full-Disclosure - We believe in it. > Full-Disclosure@...ts.netsys.com > http://lists.netsys.com/mailman/listinfo/full-disclosure > -- ------------------------------------------------------- Secure Network Operations, Inc.| http://www.snosoft.com Cerebrum Project | cerebrum@...soft.com Strategic Reconnaissance Team | recon@...soft.com ------------------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020805/d5f95aaf/attachment.bin
Powered by blists - more mailing lists