Date: Sat May  6 20:09:40 2006
From: degeneracypressure at gmail.com (Eliah Kagan)
Subject: IE7 Information Disclosure - For sale

> You dumb fucking cunt.

It's interesting how you reply with the greatest degree of visceral
hate toward those who, rather than criticizing you personally (until
now) or attacking you, think critically, disagree with what you have
to say, and make intelligent arguments. Has it ever occurred to you
that whether or not I am a dumb fucking cunt is totally irrelevant to
whether or not what I am saying is true?

> >Did you expect that subscribers to the FULL DISCLOSURE mailing
> >list would support your plan to make money off of withholding
> >disclosure?
> Yes I do.  Considering the fact that half these faggots including
> the so called owner of this list make money by not disclosing shit
> until it suits them.

(1) And the other half...? Don't assume that just because some people
on this list do things which you perceive to be like what you're doing
that the whole list will bow down to you and consider your behavior
any less critically than we consider the behavior of any other
individual or organization.

(2) There is a difference between not disclosing a vulnerability for
some amount of time to give the vendor of the vulnerable product a
chance to fix the vulnerability, and not disclosing a vulnerability so
that you can sell it to spyware authors or spammers, in order
simultaneously to (1) make money, and (2) to get back at responsible
people who think that it is the duty of those with knowledge to help
the weak (i.e. all the nontechnical computer users and grandmothers
who would be harmed by the spyware that, by discovering a
vulnerability and selling it to spyware authors, you are materially
helping to develop).

Whether or not there are any good reasons not to disclose a
vulnerability in short order after discovering it is a matter of
substantial debate, although the majority opinion is that there are
good reasons, when waiting protects users and the vendor will actually
issue a fix. However, if you believed that the people on this list
would support nondisclosure for the purpose of benefiting criminals,
you were sadly mistaken.

> Nope. All of my high bidders are those that use this shit for
> spyware and adware.  I was worried about selling to them until I
> came to this list.

You were worried about hurting end users until you realized that other
people were, so you stopped worrying?

> >How do you intend to enforce the terms of your discount deal? Are
> >you going to require the buyer to sign a nondisclosure agreement to
> >get the discount?
>
> I don't.  It's called being pissed.

Glad we got that cleared up.

> The vulnerabilities are real.  Those that have bid have the proof
> of such.

Actually, the only reason why I indicated that I didn't know if the
vulnerabilities were real was to make clear that I was *not* accusing
you of a crime.

> Oh really?  So let's hear the precedence... let's hear the case and
> court this was proved in.  What criminal behaviour is this?

I said it would be interesting to see. Not being a lawyer, I'm not
sure if it is illegal to sell information to someone for the express
purpose of enabling them to engage in criminal activity. Perhaps some
of the lawyers on the list could clear this up.

> Why would I do anything different?  You so called professionals
> would rather make jokes and call bullshit when the reality is that
> there are people far smarter with way more skills than 99.99% of
> the CISSPs out there.  What you and the rest of your so called
> community need to realize is that you are the scum.. the bottom of
> the fuckin barrel.

Again, but larger scale this time: Whether or not "we" are scum is
also irrelevant to whether or not our arguments and criticisms are
true.

I think the cause of strife here is that the issue from the
perspective of most of the people who have posted, disagreeing with
what you are doing, is one of ethics and social responsibility;
whereas the issue from your perspective is that, God forbid, you are
being criticized publicly for an act that you are engaging in
publicly. You might want to consider that what you are doing is
something that most people think is wrong, and when you open up the
issue for argument by posting on FD, people are going to say that they
think it's wrong. In response to criticism, you act self-righteously,
attacking an entire established industry on the grounds that people in
it disagree with you, and you wonder why the general opinion of you
and your actions on this list doesn't improve.

> That is the point.  They don't oppose.  They make fun and be stupid
> because they are not smart enough to find shit on their own.

In that case, you should be happy to hear what I have to say, because
I oppose what you are doing, and I've been explaining why in an
intelligent, reasoning manner, even if I am a dumb fucking cunt.

-Eliah
