| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Jan 2013 14:19:53 +0400 From: gremlin@...mlin.ru To: full-disclosure@...ts.grok.org.uk Subject: Re: how to sell and get a fair price On 15-Jan-2013 06:28:53 -0500, Jeffrey Walton wrote: > > > > After all, a vulnerability and an exploit are intellectual > > > > products. Not sure copyright could be claimed, but why not? > > > More interesting is the question of how to enforce a copyright > > > claim while remaining anonymous... > > Is it really necessary to stay anonymous? Writing hmmm... articles > > about vulnerabilities for some (very specific) media and getting a > > hmmm... fee for that is mostly legal. > > Opposed to the use of that information... > I think its a slippery slope in the US. I'm happy to reside outside of the US... > On one hand, you have, for example, Computer Fraud and Abuse Act > (FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful > Intercept. US corporations are rarely prosecuted under the law > [...] but individuals are regularly prosecuted That means, all these activities should not be performed in the US (and other countries with similar Draconian laws)... In general, this problem may be solved using the international division of labour, when people do only what is legal in their country. Example: reverse engineering is legal in Russia (unless it is used to create the competing product), so I can perform it and share the results. Someone else may then find suspicious code, other people may prove that code is vulnerable by writing an exploit... In this case, everyone performs in legal manner - except, obviously, the script kiddies who will use the ready tool to break something. > If I had copyright over material used for security testing and > evaluations, I would probably assert my copyright. If I wrote > malware, I would likely want to stay anonymous I'd simply not bother at all, as releasing materials to public domain is the best protection against both plagiarism and "piracy". -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists