From: yossarian at planet.nl (yossarian)
Subject: Global HIGH Security Risk

Basically you can't post any vuln without some risk attached, court rulings
worldwide being unpredictable and considering the interests at stake, my
best guess would be - go completely anonymous, if it doesn't interfere with
any of your other interests, or wait till our workfield becomes less
erratic. If ever.

Consider that in Finland, hosting providers are being held responsible for
the contents of chat sessions over their network - the case being that
people had discussed how to make bombs was enough. You might say that this
would mean that every Telco is accountable for anything said on the
telephone - well you may be right, but it does not change the risks you'll
be taking nor the ruling. Are you certain that your disclosure will not find
its way to or pass through a Finnish server?

Consider the KaZaa cases, in which courts ruled that the software makers
were guilty of copyright infringements, since their product was mainly used
for this goal. You might say that the inventors of Internet or HTML are
guilty of copyright infringements, since you can download from indexes. You
might argue that Google is guilty, since using google to find these indexes
with the well known parent directory search, enables copyright infringement.
Or Microsoft, for supplying the browser you might use to download. None of
this changes the rulings. Transpose the issue to the handgun
industry, well you may be right, but does that help you? Courts in other
countries ruled the opposite way - in international law there is no common
denominator, hence no legal certainty. Posting vulns is a legal minefield,
or better said, it is like playing Russian roulette with a changing number
of chambers and bullets.

Consider that the situation does not have a single legal court to face - but
any court worldwide that bothers - in spite of US court rulings that the
Internet is bound by US law. This means international travel you might want
to take will become hazardous at least, meaning you'll have to check
extradition treaties. The international cybercrime treaty was meant to
standardize, but all it does is prescribe the minimum set of legislation -
so any country can still do as it likes, as long as it is more strict than the
treaty. AFAIK Argentina is a relaxed country for the legalities of
cyber-related issues, but the international pressure will become heavy when
this relative freedom is used to post real vulns.

Consider that in certain German states, pr0n on the Internet is deemed
illegal except at night. Providers have been given the burden to filter. For
legal issues related to the Internet, law is still in its infancy, and
consider the wisdom and expertise of Governments on this topic, and the
interests at stake, well you can figure it out.

Well, anyway, this applies to minor and bigger risks alike. The only
difference I see is that as long as there is no vendor or consortium
involved, chances are it will just be let go - no commercial interest
directly hit by this disclosure means no one to investigate and file charges.
Maybe.

good luck with it,

Yossarian

----- Original Message -----
From: "^Shadown^" <shadown@...iloche.com.ar>
To: <full-disclosure@...ts.netsys.com>
Sent: Monday, February 03, 2003 4:12 PM
Subject: [Full-Disclosure] Global HIGH Security Risk


> Dear Folks,
>
> I'm sorry if anybody didn't like the subject, but it is *that* important.
> While researching I've developed a technique to literally bypass *every*
> security network software and device (*every* firewall, ids, etc), which
> becomes an unstoppable security risk for the whole security community, but I
> don't know the legal term on how to post something like this.
> And I need help on this, need people who may advise me on how to share
> this information.
> I'm really scared, because i.e. "The arrest that happened after the DEFCON
> X conference because of the *PDF security*", and I swear that this is a
> large *major* security risk.
> I will *NOT* answer any question about the new technique (the one I've
> developed and applied) until I get advised on how to post it *without*
> getting in trouble, so please don't write to me because I'll delete them
> all.
> I hope for your help.
> Best Regards.
>
> ^Shadown^
>
> PD: As this mail was sent to SecurityFocus, Vuln-Watch and Cert lists
> (last Friday) and it wasn't posted, this msg and the information I'm gonna
> release will *not* be allowed to be posted or referenced on other lists but
> Full-Disclosure (except by myself).
> Thnx.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html