From: solareclipse at phreedom.org (Solar Eclipse)
Subject: openssl exploit code

On Mon, Sep 16, 2002 at 09:29:00PM -0400, hellNbak wrote:
> In your code it states something like (don't have it in front of me): this is
> private code so keep it that way : -- should you not be more concerned as
> to how it leaked and not why it was withheld.

> A full disclosure mailing list serves the interests of those who are
> interested in or require timely security information.  I'm not denying
> that your code was worthwhile I am just trying to figure out why you are
> more worried about it not hitting a list when you coded it to be private.
> Whose interests are you serving with the private code?

Whose interests is Bugtraq serving by not violating my copyright?

I am not concerned about how the code was leaked because this issue has
been resolved already. I am however concerned with the fact that Bugtraq
seems to care more about intellectual property and the potential lawsuits
than the interests of the security community.

I don't care about keeping my code private anymore. Not only is it all
over IRC, but every machine infected with the apache worm has a working
version of my exploit in /tmp/.bugtraq.c. There is nothing I can do to
revert this situation.

The blackhat part of my soul is happy that hackers can use the DMCA to
prevent full disclosure lists from informing the community. Often
servers will stay unpatched until an exploit is published. I'll even
admit that I looked at the OpenSSL bug the day it was announced,
decided that it's not exploitable and didn't bother to patch the
servers I was responsible for until a week after that.

The whitehat in me is concerned that copyright issues might prevent
the free discussion of vulnerabilities and sharing of source code.
The threat of a group of kids with names like _Master_Of_Disaster_
suing Symantec doesn't concern me as much as the threat of corporations
suing Snosoft, Secfocus, Len Rose and you over an exploit that caught them
with their pants down.

You know that MS-SQL EULA prohibits you from disclosing any benchmark data
without Microsoft's approval. Can you see it coming?

If we have to operate in such a litigious environment, our only option
would be to move our mailing lists and servers to a country with more lax
copyright laws or use anonymous remailers.

> Solar, I don't want to get into a pissing match here with you and I mean
> no disrespect but I question your motives when you say that the release of
> your PRIVATE code to the public was in the best interests of the
> community.  You know as well as I do that the code was leaked and
> probably would not have seen the light of day if it had not been.

I hope the above few paragraphs make my motivation more clear.

I enjoy playing devil's advocate :-)

Solar Eclipse
