lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 5 Apr 2008 18:59:42 -0400
From: Ureleet <ureleet@...il.com>
To: n3td3v@...glegroups.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass
	securityconferencespamming its f****** gay

i love how you like to make everything so confrontational.  insecure much?
i am no longer talking about this, you obviously didnt read my email, nor
did you read michael cottinghams.

stop trolling.

On Fri, Apr 4, 2008 at 6:11 PM, n3td3v <xploitable@...il.com> wrote:

>
> On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <ureleet@...il.com> wrote:
> > see:
> >
> > > - Come to our conference - profit... buy our ticket, get a macbook
> prize.
> >
> > > - Hacking challenge prize - profit... they give you $5000 and sell it
> > > to the vendor for a lot more.
> >
> > ZDI provides the money for this.  and they don't sell it back to vendor
> >
> >
> > > - Train to use our software -profit... over priced training for
> > > software... not interested.
> >
> > dont' get angry at remote-exploit because they are making money from
> their
> > work .  how much money do you make from posting to fd?
> >
> >
> > > On the issue of how much a vulnerability is worth, the prices are not
> > > regulated, we need regulation into how much a vulnerability costs,
> > > because the prices right now are wild. We need to take vulnerability
> > > pricing off the blackmarket and onto a legitimate central website for
> > > selling vulnerabilities, or cash rewards for disclosing a
> > > vulnerability to a particular company or organisation.
> >
> > wabisabilabi?  zdi...  etc.
> >
> > > Can someone post to full-disclosure a price list of what they think a
> > > bufferoverflow should be worth etc, and we can vote if we agree.
> >
> > feel free to take that as a todo item.  however, i would think it would
> > depend on the bo.
> >
> > > We can't dress up cash prizes/contests as something else as well, if a
> > > website is offering a $5,000 reward for a vulnerability, we need to
> > > know if we're being ripped off with the cash reward and how much can
> > > be potentially made after its sold on.
> >
> > zdi doesn't sell their exploits afaik.
> >
> >
> > > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > > reward might not be enough money, compared to what a vulnerability
> > > *should* be worth, and taking into consideration how much profit
> > > CanSecWest make overall from people attending the conference.
> >
> > the pwn2own cash is supplied by zdi.  that's what you arent' realizing.
> >
> >
> > > So you take into consideration how much a vulnerability should be
> > > worth, then the added worth because its a security conference of how
> > > much should be added on to counter the profit being made by the event.
> >
> > you already said this. twice.
> >
> >
> > > However, to round off, we can't allow the mailing lists to turn into a
> > > vulnerability market place, full-disclosure should be for free stuff,
> > > and other websites and mailing lists can be setup for *money making
> > > schemes and auctions*.
> >
> > there are.  however how are the people going to know about the websites
> if
> > you don't allow people to 'spam' lists with this sort of thing, mr
> > unofficial-fd moderator?
> >
> >
> > > We shouldn't allow the money makers directly to market X... if a link
> > > is put on Full-Disclosure by a member of the public on the fly then
> > > thats ok, but I think its cheeky for the particular conference,
> > > contest runner or software trainer to be on the list themselves
> > > spamming everyone, for a profiteering agenda.
> >
> > that's why its called free enterprise, it's an unmoderated list.  feel
> free
> > to unsubscribe if you dont like it much..
> >
> >
> > > You mention cross-posting, thats not the issue here, its the people
> > > making the money posting to make the money that offends me so much.
> >
> > we know, its the third time youve said it in one email.
> >
> >
> > > And not even the lonely hacker offends me who posts i've got a
> > > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > > but what I do mind is if its a company or organisation doing it that
> > > is directly the ones making the money via vulnerability for sale,
> > > prize contest, security conference or train to use our software!!!,
> > > thats the height of spam I just think is utterly wrong and unethical
> > > on any scale of acceptability.
> >
> > again, free market, and you are directly talking about zdi.
> >
> >
> > > If a lonley hacker who works in a supermarket has a vulnerabilty to
> > > sell i'm all for it being post on full-disclosure, but not the big
> > > money conferences, prize hacking contests and software training guys.
> >
> > fourth time.
> >
> >
> > > I come under the bracket as supermarket worker with nothing much going
> > > for me in life, so I should be allowed to sell a vulnerability on
> > > what's ment to be a mailing list for non-profit disclosure.
> >
> > you work at a supermarket?  so you know about the under cash drawer
> switch
> > that pops open the drawer exploit?
> >
> >
> >
> > > You will find it easy to shout me down and say n3td3v's an idiot, but
> > > wait to the vulnerability market really takes off and the prices of
> > > vulnerabilities are properly defined and regulated, you're going to
> > > see a huge increase in commercial spam on the mailing lists, like the
> > > full-disclosure mailing list. so we've got to define what's fair play
> > > e-mail and what's a company or organisation blatantly profiteering
> > > with X method of extracting money out of people and using skilled
> > > hackers to make money, and to promote a security conference, training
> > > etc.
> >
> > again, unmoderated list.  the door is over there.
>
> * i * * never * mentioned * ZDI * you * complete * jerk * off *
>
> * read * * the * * e-mail * properly * and * you * will * understand *
> what * I * don't * like *
>
> Overview:
>
> FIRST
>
> I said let's have a debate about how much a vulnerability is worth per
> vulnerability type, so everyone knows if we're being ripped off by joe
> jobs and to stop any blackmarkets, prices needs to be defined and
> regulated, so everyone knows where they stand in the security
> community as far as prices are concerned.
>
> ^^^^You bypassed this completely.
>
> SECOND
>
> Those on the list who don't disclose a vulnerability *but* are trying
> to sell a product should be outlawed.
>
> ^^^^do you know the difference between disclosure and profiteering?
>
> You're losing my rag and the lack of intellectual debate on this from
> non-retards is shocking, these are two serious topics that need
> debating and all i've got is some lamer called "Ureleet" trying to
> wind me up.
>
> Is anyone who can have a serious debate on this list?
>
> n3td3v
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ