Date: Sat, 5 Apr 2008 01:19:50 +0300
From: "Razi Shaban" <razishaban@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: n3td3v@...glegroups.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay

You say "serious debate" as if you are attempting to partake in such a
debate. You are not. You are flaming.

Now, please stop flaming.
Note for fairness: This is not intended exclusively for netdev, but
for everyone who is flaming.


--
Razi

On 4/5/08, n3td3v <xploitable@...il.com> wrote:
> On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <ureleet@...il.com> wrote:
>  > see:
>  >
>  > > - Come to our conference - profit... buy our ticket, get a macbook prize.
>  >
>  > > - Hacking challenge prize - profit... they give you $5000 and sell it
>  > > to the vendor for a lot more.
>  >
>  > ZDI provides the money for this.  and they don't sell it back to vendor
>  >
>  >
>  > > - Train to use our software -profit... over priced training for
>  > > software... not interested.
>  >
>  > don't get angry at remote-exploit because they are making money from their
>  > work. how much money do you make from posting to fd?
>  >
>  >
>  > > On the issue of how much a vulnerability is worth, the prices are not
>  > > regulated, we need regulation into how much a vulnerability costs,
>  > > because the prices right now are wild. We need to take vulnerability
>  > > pricing off the blackmarket and onto a legitimate central website for
>  > > selling vulnerabilities, or cash rewards for disclosing a
>  > > vulnerability to a particular company or organisation.
>  >
>  > wabisabilabi?  zdi...  etc.
>  >
>  > > Can someone post to full-disclosure a price list of what they think a
>  > > bufferoverflow should be worth etc, and we can vote if we agree.
>  >
>  > feel free to take that as a todo item.  however, i would think it would
>  > depend on the bo.
>  >
>  > > We can't dress up cash prizes/contests as something else as well, if a
>  > > website is offering a $5,000 reward for a vulnerability, we need to
>  > > know if we're being ripped off with the cash reward and how much can
>  > > be potentially made after it's sold on.
>  >
>  > zdi doesn't sell their exploits afaik.
>  >
>  >
>  > > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
>  > > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
>  > > reward might not be enough money, compared to what a vulnerability
>  > > *should* be worth, and taking into consideration how much profit
>  > > CanSecWest make overall from people attending the conference.
>  >
>  > the pwn2own cash is supplied by zdi.  that's what you aren't realizing.
>  >
>  >
>  > > So you take into consideration how much a vulnerability should be
>  > > worth, then the added worth because its a security conference of how
>  > > much should be added on to counter the profit being made by the event.
>  >
>  > you already said this. twice.
>  >
>  >
>  > > However, to round off, we can't allow the mailing lists to turn into a
>  > > vulnerability market place, full-disclosure should be for free stuff,
>  > > and other websites and mailing lists can be setup for *money making
>  > > schemes and auctions*.
>  >
>  > there are.  however how are the people going to know about the websites if
>  > you don't allow people to 'spam' lists with this sort of thing, mr
>  > unofficial-fd moderator?
>  >
>  >
>  > > We shouldn't allow the money makers directly to market X... if a link
>  > > is put on Full-Disclosure by a member of the public on the fly then
>  > > that's ok, but I think it's cheeky for the particular conference,
>  > > contest runner or software trainer to be on the list themselves
>  > > spamming everyone, for a profiteering agenda.
>  >
>  > that's why it's called free enterprise, it's an unmoderated list.  feel free
>  > to unsubscribe if you don't like it much..
>  >
>  >
>  > > You mention cross-posting, that's not the issue here, it's the people
>  > > making the money posting to make the money that offends me so much.
>  >
>  > we know, it's the third time you've said it in one email.
>  >
>  >
>  > > And not even the lonely hacker offends me who posts i've got a
>  > > vulnerability for sale for X, I don't mind that on Full-Disclosure,
>  > > but what I do mind is if its a company or organisation doing it that
>  > > is directly the ones making the money via vulnerability for sale,
>  > > prize contest, security conference or train to use our software!!!,
>  > > that's the height of spam I just think is utterly wrong and unethical
>  > > on any scale of acceptability.
>  >
>  > again, free market, and you are directly talking about zdi.
>  >
>  >
>  > > If a lonely hacker who works in a supermarket has a vulnerability to
>  > > sell i'm all for it being posted on full-disclosure, but not the big
>  > > money conferences, prize hacking contests and software training guys.
>  >
>  > fourth time.
>  >
>  >
>  > > I come under the bracket of supermarket worker with nothing much going
>  > > for me in life, so I should be allowed to sell a vulnerability on
>  > > what's meant to be a mailing list for non-profit disclosure.
>  >
>  > you work at a supermarket?  so you know about the under cash drawer switch
>  > that pops open the drawer exploit?
>  >
>  >
>  >
>  > > You will find it easy to shout me down and say n3td3v's an idiot, but
>  > > wait to the vulnerability market really takes off and the prices of
>  > > vulnerabilities are properly defined and regulated, you're going to
>  > > see a huge increase in commercial spam on the mailing lists, like the
>  > > full-disclosure mailing list. so we've got to define what's fair play
>  > > e-mail and what's a company or organisation blatantly profiteering
>  > > with X method of extracting money out of people and using skilled
>  > > hackers to make money, and to promote a security conference, training
>  > > etc.
>  >
>  > again, unmoderated list.  the door is over there.
>
>
> * I * * never * mentioned * ZDI * you * complete * jerk * off *
>
>  * read * * the * * e-mail * properly * and * you * will * understand *
>  what * I * don't * like *
>
>  Overview:
>
>  FIRST
>
>  I said let's have a debate about how much a vulnerability is worth per
>  vulnerability type, so everyone knows if we're being ripped off by joe
>  jobs and to stop any blackmarkets, prices need to be defined and
>  regulated, so everyone knows where they stand in the security
>  community as far as prices are concerned.
>
>  ^^^^You bypassed this completely.
>
>  SECOND
>
>  Those on the list who don't disclose a vulnerability *but* are trying
>  to sell a product should be outlawed.
>
>  ^^^^do you know the difference between disclosure and profiteering?
>
>  You're losing my rag and the lack of intellectual debate on this from
>  non-retards is shocking, these are two serious topics that need
>  debating and all i've got is some lamer called "Ureleet" trying to
>  wind me up.
>
>  Is there anyone who can have a serious debate on this list?
>
>
>  n3td3v
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
