Open Source and information security mailing list archives
From: lists at onryou.com (Cael Abal)
Subject: Lun_mountd.c vs mounty.c

> It astounds me that so many people on this list (well, two) use the full
> disclosure ethic as an excuse to oblige programmers to give up our privacy
> rights and divulge all their code to a group of strangers.
> 
> Can you *seriously* not see the problem with someone taking credit for
> someone else's work?  That is just exquisite bullshit, regardless of the
> nature of the code itself, or with whom it was initially shared.
> 
> Tobias was right on the money to take issue with this, and some of you
> need to back off and let talented hackers claim a little due credit and
> take pride in their work once in a while.

Hi Person/Devon/[t],

Personal pride and quality of work is important, I'll give you that. 
Also, I am intimately aware of how unpleasant it can be to have someone 
else take credit for one's work.  Now, do I feel a whole lot of pity when 
I see a script kiddie take credit for someone else's exploit?

Nope.

Consider this analogy:  A graffiti artist spends long hours labouring 
over a wall mural, only to come back the next day and see some seven 
year-old surrounded by his friends, proudly taking credit for it.

Know what?  The world at large doesn't give a shit.  I don't give a 
shit.  The end result is still the same either way, one more eyesore in 
a jungle of eyesores.  Realistically, it was only a matter of time 
before that wall was tagged.  The only folks who care about graffiti art 
are graffiti artists -- like any community.

Mr. Brown was exactly right, if a tad terse:  If an exploit writer wants 
privacy, they should not release the code (or release it anonymously). 
If an exploit writer wants fame and fortune, they should release it 
publicly under their real name with much fanfare -- Either of these 
choices quite efficiently prevents some kiddie from taking credit for 
their work.  There's really no in-between to speak of, not one with much 
value to society.

The other alternative -- a limited release amongst friends or colleagues 
-- is really nothing more than self-aggrandizement.  Understandable, 
maybe, but not very valuable...  All it does is add one more tool to the 
script kiddie cookbook -- and set up the original author for plagiarism.

Cordially,

Cael

