Date: Fri, 04 Apr 2008 00:36:06 -0400
From: scott <redhowlingwolves@...rr.com>
To: "Garrett M. Groff" <groffg@...design.com>, 
	full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

He has no clue what it means to live in a democracy, much less a federation.

Let's let the comedy go on, shall we? Definitely breaks the monotony of
everyday BS.


Garrett M. Groff wrote:
> netdev, I'll begin by confessing that I merely skimmed your email and did
> not peruse it. Having said that, the buying and selling of vulnerabilities
> is subject to the trading of anything else, be it commodities, products,
> services, securities (such as stocks), or other tradeable assets.
> 
> What you proposed is economic in nature and not unique or specific to
> geekdom. Specifically, what you're suggesting is more in line with Marxism,
> where a "fair" price is dictated by a central authority. Instead, our system
> of free-market capitalism is such that vulnerabilities can be bought and
> sold by whomever wishes to buy them and sell them. (Furthermore, evidence
> suggests that black market activity would *increase* in cases where trading
> of a given item is highly restricted on the legitimate market (relegating
> the trading to the black market); e.g., the trading of illicit drugs
> exists and is a multi-billion dollar industry in the US despite laws that
> proscribe the trading and possession of those drugs).
> 
> --
> 
> Regarding the information on conferences and such that are touted on this
> list (and others), it's something that we'll just have to deal with. This
> list is unmoderated and, perhaps, there are people who appreciate the
> information.
> 
> - G
> 
> 
> ----- Original Message ----- 
> From: "n3td3v" <xploitable@...il.com>
> To: "Garrett M. Groff" <groffg@...design.com>; "n3td3v" 
> <n3td3v@...glegroups.com>; <full-disclosure@...ts.grok.org.uk>
> Sent: Thursday, April 03, 2008 5:38 PM
> Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass 
> securityconferencespamming its f****** gay
> 
> 
>> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <groffg@...design.com>
>> wrote:
>>> Regarding the particular person in question, I'll defer to others who
>>> know him (or her, or they, or whomever) better than I do. Instead, I'll
>>> say that, generally, on lists like FD, there is a minority of outspoken
>>> personalities who sadly support the stereotypical hacker persona:
>>> condescending egoists who are socially inept and emotionally charged
>>> when discussing topics that relate to their knowledge domain. That's
>>> unfortunate, since the broader IT security community is poorly
>>> represented due to attention-seeking zealots.
>>>
>>> Regarding the idea of "outlawing security conference spamming," I'd say
>>> the literal idea of outlawing cross-posts to multiple security mailing
>>> lists is a bad idea. The idea that the legislature should write into law
>>> legislation that reduces our freedom in such a sense is a slippery slope
>>> borne of emotionalism and narrowness. What else should the government do
>>> to curtail our freedoms? I tend to side with libertarian types (though I
>>> don't call myself a "libertarian" unqualified) on what the government
>>> should do and what they should not do. And micro-managing security
>>> mailing lists is something they should not do. It's a bad idea and would
>>> set a dreadful precedent.
>> Full-Disclosure is meant to be about free source, not making money. I'm
>> against people who make money coming on the mailing lists; it's
>> commercial spam. We can't allow this to continue. Here is what I
>> don't like:
>>
>> - Come to our conference - profit... buy our ticket, get a MacBook prize.
>>
>> - Hacking challenge prize - profit... they give you $5000 and sell it
>> to the vendor for a lot more.
>>
>> - Train to use our software - profit... overpriced training for
>> software... not interested.
>>
>> On the issue of how much a vulnerability is worth, the prices are not
>> regulated. We need regulation into how much a vulnerability costs,
>> because the prices right now are wild. We need to take vulnerability
>> pricing off the black market and onto a legitimate central website for
>> selling vulnerabilities, or cash rewards for disclosing a
>> vulnerability to a particular company or organisation. I don't like
>> sites like Digital Armaments, which, when I visited it, the content and
>> answers they gave were questionable, and people have complained about
>> Digital Armaments in the past. It's time to get pricing regulated and
>> defined, so everyone knows who's being joe jobbed and who isn't.
>>
>> Can someone post to Full-Disclosure a price list of what they think a
>> buffer overflow should be worth etc., and we can vote if we agree?
>>
>> So what I'm calling for is someone to post up a hackers' price list per
>> vulnerability type.
>>
>> XSS/SQL should be worth something as well, so Morning_Wood can buy
>> milk and a newspaper in the mornings after he's taken care of his
>> wood.
>>
>> Sorry I've ended this e-mail with something slightly off-topic, but I do
>> think pricing needs to be defined.
>>
>> We can't dress up cash prizes/contests as something else as well. If a
>> website is offering a $5,000 reward for a vulnerability, we need to
>> know if we're being ripped off with the cash reward and how much can
>> be potentially made after it's sold on.
>>
>> Robert Lemos even talked about vulnerability pricing
>> (http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even
>> the Pwn2Own cash reward might not be enough money, compared to what a
>> vulnerability *should* be worth, and taking into consideration how much
>> profit CanSecWest make overall from people attending the conference.
>>
>> So you take into consideration how much a vulnerability should be
>> worth, then the added worth, because it's a security conference, of how
>> much should be added on to counter the profit being made by the event.
>>
>> A vulnerability should be worth more if it's disclosed at a security
>> conference than if it's bought privately, because you've got to take
>> profit and free advertising into the calculation.
>>
>> However, to round off, we can't allow the mailing lists to turn into a
>> vulnerability marketplace. Full-Disclosure should be for free stuff,
>> and other websites and mailing lists can be set up for *money-making
>> schemes and auctions*.
>>
>> We shouldn't allow the money makers to directly market X... if a link
>> is put on Full-Disclosure by a member of the public on the fly then
>> that's OK, but I think it's cheeky for the particular conference,
>> contest runner or software trainer to be on the list themselves
>> spamming everyone for a profiteering agenda.
>>
>> You mention cross-posting; that's not the issue here. It's the people
>> making the money posting to make the money that offends me so much.
>>
>> And not even the lonely hacker offends me who posts "I've got a
>> vulnerability for sale for X". I don't mind that on Full-Disclosure,
>> but what I do mind is if it's a company or organisation doing it that
>> is directly the one making the money via vulnerability for sale,
>> prize contest, security conference or train to use our software!!!
>> That's the height of spam I just think is utterly wrong and unethical
>> on any scale of acceptability.
>>
>> If a lonely hacker who works in a supermarket has a vulnerability to
>> sell, I'm all for it being posted on Full-Disclosure, but not the big
>> money conferences, prize hacking contests and software training guys.
>>
>> I come under the bracket of supermarket worker with nothing much going
>> for me in life, so I should be allowed to sell a vulnerability on
>> what's meant to be a mailing list for non-profit disclosure.
>>
>> If we tolerate the money-making schemes much longer, eventually
>> Full-Disclosure will be awash with conference, training, cash prize
>> spam, etc. once everyone realises the full value of vulnerabilities and
>> the huge amounts of money to be made from setting up a cash prize
>> contest, the huge amounts of money to be made from setting up a
>> security conference and the huge amounts of money to be made from
>> training people to use your hax0r software.
>>
>> You will find it easy to shout me down and say n3td3v's an idiot, but
>> wait till the vulnerability market really takes off and the prices of
>> vulnerabilities are properly defined and regulated; you're going to
>> see a huge increase in commercial spam on the mailing lists, like the
>> Full-Disclosure mailing list. So we've got to define what's fair-play
>> e-mail and what's a company or organisation blatantly profiteering
>> with X method of extracting money out of people and using skilled
>> hackers to make money, and to promote a security conference, training,
>> etc.
>>
>> All the best,
>>
>> n3td3v
>>
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9bA1s+9h2X0fCGcRAq+9AJ0dieUgKq4pya6mF/oWclEBqj2z3gCgjYEr
uoq2+8AfO1q+TyFj9Fts6z8=
=3d9e
-----END PGP SIGNATURE-----
