Date: Fri, 04 Apr 2008 00:38:54 -0400
From: scott <redhowlingwolves@...rr.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw masssecurityconferencespamming its f****** gay

That is what full-disclosure was created for!?

Due to the massive influx of media attention, it has come to this.


Mary Landesman wrote:
> I think the concerns you've raised about profiteering/marketing on the list
> are valid. I hadn't thought of it from that perspective, frankly.
> 
> It can be helpful to have a central resource/calendar to be informed about
> them. I would subscribe to a specific list for that.
> 
> -- Mary
> 
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of n3td3v
> Sent: Thursday, April 03, 2008 5:39 PM
> To: Garrett M. Groff; n3td3v; full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Fwd: Let's outlaw masssecurityconferencespamming its f****** gay
> 
> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <groffg@...design.com>
> wrote:
>> Regarding the particular person in question, I'll defer to others who 
>> know him (or her, or they, or whomever) better than I do. Instead, 
>> I'll say that, generally, on lists like FD, there is a minority of 
>> outspoken personalities who sadly support the stereotypical hacker 
>> persona: condescending egoists who are socially inept and emotionally 
>> charged when discussing topics that relate to their knowledge domain. 
>> That's unfortunate, since the broader IT security community is poorly
>> represented due to attention-seeking zealots.
>> Regarding the idea of "outlawing security conference spamming," I'd say 
>> the literal idea of outlawing cross-posts to multiple security mailing 
>> lists is a bad idea. The idea that the legislature should write into 
>> law legislation that reduces our freedom in such a sense is a slippery 
>> slope borne of emotionalism and narrowness. What else should the 
>> government do to curtail our freedoms? I tend to side with libertarian 
>> types (though I don't call myself a "libertarian" un-qualified) on 
>> what the government should do and what they should not do. And 
>> micro-managing security mailing lists is something they should not do. 
>> It's a bad idea and would make a dreadful precedent.
> 
> Full-Disclosure is meant to be about free source, not making money. I'm
> against people who make money coming on the mailing lists, it's commercial
> spam. We can't allow this to continue, here is what I don't like:
> 
> - Come to our conference - profit... buy our ticket, get a macbook prize.
> 
> - Hacking challenge prize - profit... they give you $5000 and sell it to the
> vendor for a lot more.
> 
> - Train to use our software - profit... overpriced training for software...
> not interested.
> 
> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs, because
> the prices right now are wild. We need to take vulnerability pricing off the
> blackmarket and onto a legitimate central website for selling
> vulnerabilities, or cash rewards for disclosing a vulnerability to a
> particular company or organisation. I don't like sites like digital
> armaments which, when I visited it, the content and answers they gave were
> questionable, and people have complained about digital armaments in the
> past. It's time to get pricing regulated and defined, so everyone knows who's
> being joe jobbed and who isn't.
> 
> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc, and we can vote if we agree.
> 
> So what I'm calling for is someone to post up a hackers' price list per
> vulnerability type.
> 
> XSS/SQL should be worth something as well, so Morning_Wood can buy milk and
> a newspaper in the mornings after he's taken care of his wood.
> 
> Sorry I've ended this e-mail with slightly off-topicness, but I do think
> pricing needs to be defined.
> 
> We can't dress up cash prizes/contests as something else as well, if a
> website is offering a $5,000 reward for a vulnerability, we need to know if
> we're being ripped off with the cash reward and how much can be potentially
> made after it's sold on.
> 
> Robert Lemos even talked about vulnerability pricing
> (http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even
> the Pwn2Own cash reward might not be enough money, compared to what a
> vulnerability *should* be worth, and taking into consideration how much
> profit CanSecWest make overall from people attending the conference.
> 
> So you take into consideration how much a vulnerability should be worth,
> then the added worth, because it's a security conference, of how much should
> be added on to counter the profit being made by the event.
> 
> A vulnerability should be worth more if it's disclosed at a security
> conference than if it's bought privately, because you've got to take
> profit and free advertising into the calculation.
> 
> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff, and
> other websites and mailing lists can be setup for *money making schemes and
> auctions*.
> 
> We shouldn't allow the money makers to directly market X... if a link is put
> on Full-Disclosure by a member of the public on the fly then that's ok, but I
> think it's cheeky for the particular conference, contest runner or software
> trainer to be on the list themselves spamming everyone, for a profiteering
> agenda.
> 
> You mention cross-posting, that's not the issue here, it's the people making
> the money posting to make the money that offends me so much.
> 
> And not even the lonely hacker offends me who posts "I've got a vulnerability
> for sale for X", I don't mind that on Full-Disclosure, but what I do mind is
> if it's a company or organisation doing it that is directly the one making
> the money via vulnerability for sale, prize contest, security conference or
> train to use our software!!!, that's the height of spam I just think is
> utterly wrong and unethical on any scale of acceptability.
> 
> If a lonely hacker who works in a supermarket has a vulnerability to sell I'm
> all for it being posted on full-disclosure, but not the big money conferences,
> prize hacking contests and software training guys.
> 
> I come under the bracket of supermarket worker with nothing much going for
> me in life, so I should be allowed to sell a vulnerability on what's meant to
> be a mailing list for non-profit disclosure.
> 
> If we tolerate the money making schemes much longer, eventually
> full-disclosure will be awash with conference, training, cash prize spam, etc
> once everyone realises the full value of vulnerabilities and the huge
> amounts of money to be made from setting up a cash prize contest, the huge
> amounts of money to be made from setting up a security conference and the
> huge amounts of money to be made from training people to use your hax0r
> software.
> 
> You will find it easy to shout me down and say n3td3v's an idiot, but wait
> until the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated, you're going to see a
> huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair play e-mail
> and what's a company or organisation blatantly profiteering with X method of
> extracting money out of people and using skilled hackers to make money, and
> to promote a security conference, training etc.
> 
> All the best,
> 
> n3td3v
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
