Open Source and information security mailing list archives
Date: Sat, 10 Nov 2007 04:37:48 +0000 (UTC)
From: jf <jf@...glingpointers.net>
To: Simon Smith <simon@...soft.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploit Brokering

> SNOsoft

When the first word in the first sentence of a communiqué is a company
name, you should take that as a warning that everything that follows is a SNOsoft.


> People posting emails in public forums in an attempt to sell exploits is
> not only careless and irresponsible,

It's called the free-market.

> but is also a testament to that
> person's immaturity and lack of experience.

What, you think that when you add the variables up the only potential
answer is the one you've come up with? Employing the free market is not a
testament to anything, much less a person's level of maturity or
experience.

> Do they ever stop to think
> about the potential liability? What happens if they sell to a hostile
> foreign party, what could happen to them, etc...?

Sure, of course you don't sell 0day to organizations that are the enemy of
your country, that's common sense. However, you put a breach-of-contract
provision into your agreement that disallows transfer of content to third
parties, and then don't sell them to people from Guangdong. It's not
stupidity, immaturity or lack of experience, it's called due diligence.


> I think that there is a legitimate market for Exploit Brokering when it
> is done properly (ethically and legally).

I wish you people would stop putting your opinions on ethics onto other
people. I mean, even business ethics does not follow what's commonly
associated with being ethical; that's why there is a special class for it
in college, and it largely amounts to the questions 'is it legal?' and 'can I
get away with it?'.

In reality, all your bantering about ethics and legality will result in is
that bug information and exploits become subject to restricted export/sale
legislation, and then we'll be stuck with companies like yours.

I mean seriously, has it not occurred to you that not everyone in the
world is American and wants to sell their 0day to the NSA via SNOsoft?
That perhaps the conjecture that they want to do that is against their
morals, and in turn does that not make you obtuse for expecting they abide
by your own personal set of ethics?


> I think

I don't care what you think; don't try to enforce your set of morals on
me. I'm sure plenty of others agree with this sentiment.

> The solution to that problem is not to sell exploits to just anyone in a
> public forum. That introduces too much liability to the developer,
> especially if the buyer is illegitimate or hostile. The solution is to
> work with legitimate established businesses in a confidential and
> responsible manner.

No, the solution is not to be stupid with your sales. You can meet people
in public forums, just be able to show due diligence that the parties you
sold to are not enemies of your country and that their intentions are not
to violate the law. Guns don't kill people, ...

By responsible, you mean doing it the way you do?


> It's just a matter of time till
> laws get passed and they end up getting thrown in jail for selling
> weaponized exploits to the wrong people.

Which is exactly what you want. Look, almost everything is legal somewhere;
that means you can't stop people who wish to conduct private business.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/