lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 16 Jan 2013 14:19:53 +0400
From: gremlin@...mlin.ru
To: full-disclosure@...ts.grok.org.uk
Subject: Re: how to sell and get a fair price

On 15-Jan-2013 06:28:53 -0500, Jeffrey Walton wrote:

 > > > > After all, a vulnerability and an exploit are intellectual
 > > > > products. Not sure copyright could be claimed, but why not?
 > > > More interesting is the question of how to enforce a copyright
 > > > claim while remaining anonymous...
 > > Is it really necessary to stay anonymous? Writing hmmm... articles
 > > about vulnerabilities for some (very specific) media and getting a
 > > hmmm... fee for that is mostly legal.
 > > Opposed to the use of that information...
 > I think its a slippery slope in the US.

I'm happy to reside outside of the US...

 > On one hand, you have, for example, Computer Fraud and Abuse Act
 > (FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful
 > Intercept. US corporations are rarely prosecuted under the law
 > [...] but individuals are regularly prosecuted

That means, all these activities should not be performed in the US
(and other countries with similar Draconian laws)...

In general, this problem may be solved using the international division
of labour, when people do only what is legal in their country. Example:
reverse engineering is legal in Russia (unless it is used to create the
competing product), so I can perform it and share the results. Someone
else may then find suspicious code, other people may prove that code is
vulnerable by writing an exploit... In this case, everyone performs in
legal manner - except, obviously, the script kiddies who will use the
ready tool to break something.

 > If I had copyright over material used for security testing and
 > evaluations, I would probably assert my copyright. If I wrote
 > malware, I would likely want to stay anonymous

I'd simply not bother at all, as releasing materials to public domain
is the best protection against both plagiarism and "piracy".


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ