Date: Fri, 04 Apr 2008 00:28:07 -0400
From: scott <redhowlingwolves@...rr.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay

O how I love your posts. They're all over the place, and at the same
time, primitive.

I would normally filter such a troll as you, but you keep me in stitches!!

N3td3v rocks!! Just not in the way he thinks!!

n3td3v wrote:
> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <groffg@...design.com> wrote:
>> Regarding the particular person in question, I'll defer to others who know
>> him (or her, or they, or whomever) better than I do. Instead, I'll say that,
>> generally, on lists like FD, there is a minority of outspoken personalities
>> who sadly support the stereotypical hacker persona: condescending egoists
>> who are socially inept and emotionally charged when discussing topics that
>> relate to their knowledge domain. That's unfortunate, since the broader IT
>> security community is poorly represented due to attention-seeking zealots.
>>
>> Regarding the idea of "outlawing security conference spamming," I'd say the
>> literal idea of outlawing cross-posts to multiple security mailing lists is
>> a bad idea. The idea that the legislature should write into law legislation
>> that reduces our freedom in such a sense is a slippery slope borne of
>> emotionalism and narrowness. What else should the government do to curtail
>> our freedoms? I tend to side with libertarian types (though I don't call
>> myself a "libertarian" unqualified) on what the government should do and
>> what they should not do. And micro-managing security mailing lists is
>> something they should not do. It's a bad idea and would make a dreadful
>> precedent.
> 
> Full-Disclosure is meant to be about free source, not making money. I'm
> against people who make money coming on the mailing lists; it's
> commercial spam. We can't allow this to continue. Here is what I
> don't like:
> 
> - Come to our conference - profit... buy our ticket, get a MacBook prize.
> 
> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.
> 
> - Train to use our software - profit... overpriced training for
> software... not interested.
> 
> On the issue of how much a vulnerability is worth, the prices are not
> regulated. We need regulation of how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the black market and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation. I don't like
> sites like Digital Armaments, which when I visited it, the content and
> answers they gave were questionable, and people have complained about
> Digital Armaments in the past. It's time to get pricing regulated and
> defined, so everyone knows who's being joe jobbed and who isn't.
> 
> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc., and we can vote if we agree.
> 
> So what I'm calling for is someone to post up a hackers' price list per
> vulnerability type.
> 
> XSS/SQL should be worth something as well, so Morning_Wood can buy
> milk and a newspaper in the mornings after he's taken care of his
> wood.
> 
> Sorry I've ended this e-mail on a slightly off-topic note, but I do
> think pricing needs to be defined.
> 
> We can't dress up cash prizes/contests as something else as well. If a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> potentially be made after it's sold on.
> 
> Robert Lemos (http://www.securityfocus.com/news/11510) even talked about
> vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.
> 
> So you take into consideration how much a vulnerability should be
> worth, then the added worth, because it's a security conference, of how
> much should be added on to counter the profit being made by the event.
> 
> A vulnerability should be worth more if it's disclosed at a security
> conference than if it's bought privately, because you've got to take
> profit and free advertising into the calculation.
> 
> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability marketplace. Full-disclosure should be for free stuff,
> and other websites and mailing lists can be set up for *money making
> schemes and auctions*.
> 
> We shouldn't allow the money makers to directly market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> that's OK, but I think it's cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone for a profiteering agenda.
> 
> You mention cross-posting; that's not the issue here. It's the people
> making the money posting to make the money that offends me so much.
> 
> And not even the lonely hacker offends me who posts "I've got a
> vulnerability for sale for X". I don't mind that on Full-Disclosure,
> but what I do mind is if it's a company or organisation doing it that
> is directly the one making the money via vulnerability for sale,
> prize contest, security conference or "train to use our software!!!";
> that's the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.
> 
> If a lonely hacker who works in a supermarket has a vulnerability to
> sell, I'm all for it being posted on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.
> 
> I come under the bracket of supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.
> 
> If we tolerate the money making schemes much longer, eventually
> full-disclosure will be awash with conference, training, cash prize
> spam, etc. once everyone realises the full value of vulnerabilities and
> the huge amounts of money to be made from setting up a cash prize
> contest, the huge amounts of money to be made from setting up a
> security conference and the huge amounts of money to be made from
> training people to use your hax0r software.
> 
> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait until the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated; you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.
> 
> All the best,
> 
> n3td3v
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

