Date: Fri, 4 Apr 2008 16:34:47 -0400
From: Ureleet <ureleet@...il.com>
To: n3td3v@...glegroups.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay

see:
> - Come to our conference - profit... buy our ticket, get a macbook prize.

> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.

ZDI provides the money for this, and they don't sell it back to the vendor.

> - Train to use our software -profit... over priced training for
> software... not interested.

don't get angry at remote-exploit because they are making money from their
work. how much money do you make from posting to fd?

> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the blackmarket and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation.

wabisabilabi?  zdi...  etc.

> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc, and we can vote if we agree.

feel free to take that as a todo item.  however, i would think it would
depend on the bo.

> We can't dress up cash prizes/contests as something else as well, if a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> be potentially made after it's sold on.

zdi doesn't sell their exploits afaik.

> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.

the pwn2own cash is supplied by zdi. that's what you aren't realizing.

> So you take into consideration how much a vulnerability should be
> worth, then the added worth because it's a security conference of how
> much should be added on to counter the profit being made by the event.

you already said this. twice.

> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff,
> and other websites and mailing lists can be setup for *money making
> schemes and auctions*.

there are. however, how are people going to know about the websites if
you don't allow people to 'spam' lists with this sort of thing, mr
unofficial-fd moderator?

> We shouldn't allow the money makers directly to market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> that's ok, but I think it's cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone, for a profiteering agenda.

that's why it's called free enterprise, it's an unmoderated list. feel free
to unsubscribe if you don't like it much.

> You mention cross-posting, that's not the issue here, it's the people
> making the money posting to make the money that offends me so much.

we know, it's the third time you've said it in one email.

> And not even the lonely hacker offends me who posts I've got a
> vulnerability for sale for X, I don't mind that on Full-Disclosure,
> but what I do mind is if it's a company or organisation doing it that
> is directly the ones making the money via vulnerability for sale,
> prize contest, security conference or train to use our software!!!,
> that's the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.

again, free market, and you are directly talking about zdi.

> If a lonely hacker who works in a supermarket has a vulnerability to
> sell I'm all for it being posted on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.

fourth time.

> I come under the bracket as supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.

you work at a supermarket? so you know about the under-cash-drawer switch
that pops open the drawer exploit?

> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait till the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated, you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.

again, unmoderated list. the door is over there.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/