Date: Wed, 28 May 2014 22:29:31 -0400
From: "Brian M. Waters" <brian@...anmwaters.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] What do you think of Trollc?

So far the thread of discussion here has focused on whether or not
Weev's plan would /actually work/. But let's take a step back.

If I understand it, the plan is to facilitate "ethical vulnerability
disclosure" by
1) Finding security vulnerabilities in live sites
2) Disclosing them to the public before notifying the site operators
3) Thereby causing the stock price to drop
 and
4) Making money by short-selling on knowledge only the developer has

I could distill that to layman's terms:
"Hurting someone else and making money at their expense."

So, how is that ethical, again? Did I miss something?

BW


On Tue, 27 May 2014 20:49:45 +0200
Philip Cheong <isctsf@...il.com> wrote:
> From https://www.startjoin.com/trollc
> 
> *Right now if you're a software exploit developer and you want to
> monetize your craft to pay your rent, there's only one consistent way
> to do so: sell your software exploits. The major customer for these
> are oppressive governments, chiefly that of the United States. We
> know what the United States does with software exploits: it uses them
> to illegally spy on its own citizens, and attack peaceful nations
> around the world.*
> 
> *I need your help to create a company that will ethically disclose
> software vulnerabilities to the public. For this I need help getting
> the filing fees necessary to incorporate a hedge fund. I want to
> continue bringing issues in companies that put you at risk to light,
> and short the stocks of those companies when I do so. I will only get
> paid when large corporations being negligent get punished. This will
> create a structure by which security researchers including myself
> will still make a living, only now by disclosing problems instead of
> selling them in secret to criminal governments.*
> 
> What say you? Is this brilliant? Or stupid? Awesome? But never going
> to work?
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


-- 
Brian M. Waters
Burlington, Vermont, USA
+1 (908) 380-8214
brian@...anmwaters.net
https://brianmwaters.net/
