Message-ID: <4b3a871e05061414124e867014@mail.gmail.com>
Date: Wed, 15 Jun 2005 00:12:25 +0300
From: Ivaylo Zashev <zashev@...il.com>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: RE: Exploits Selling / Buying


Hello list,

First of all I would like to apologize for answering so late and for not
clearing up a few important things in the original email.
I would also like to assure you that we are not fraudsters/scammers or
anything of this kind! I saw some posts... people jumping to such
conclusions too fast...
Now I will try to answer most of the questions that arose, or at least the
ones I found reasonable.
As usual there is a lot of small talk and flames, but I will try to ignore
this... as far as I can anyway...


stan.bubrouski at gmail.com wrote:

>I think a couple of questions about this would definitely be prudent:
>
>1) What do you have to gain from this?
>2) How do we know you're not just selling the exploits to
>DDoSers/Spammers/Extortionists?
>3) Are you just going to keep exploits sold to you private so you can
>sell them to felons and offer zero benefit to the community
>whatsoever?
>4) Why do people need to connect to IRC to find out info about this if
>you have a website you could easily post it on?
>
>And on a side note your site is shady and so is this idea.  I only
>hope nobody falls for this and I wonder if there is any liability
>here.
>
>-sb

Well Stan, here are some answers for you.

We are dedicated to penetration testing of our servers; we also work
with a few hosting companies whose names we were asked to keep private
for the time being.
We do NOT resell the exploits we buy to anyone (and I mean _anyone_); we
use them for improving security. We do realise, however, that gaining
your trust will take time, but as for now we are still working on this.
Yes, we are going to keep exploits sold to us private and we guarantee
no information leaks. Eventually, in time, some of the exploits will
naturally be disclosed to the general public.
Regarding the benefits to the community from this service we could
argue all day long, but still the fact is: we buy exploits from
security experts and in this way, admit it or not, those experts are
motivated and rewarded for their work so that they can continue
researching and locating bugs/errors etc.
There is going to be a site, but it's still in the process of being developed, and
we thought direct communication could provide you with a more dynamic
way of communicating; this way more answers can be given in a shorter
time.

About the http://exploits.cx site I have to say it's not the site
representing irc.exploits.cx; whether there will be a part of the site
dedicated to this business or there will be a completely new site is
still under consideration.

Thanks for the right questions, Stan.


deeper at gmail.com wrote:
>The line which causes the most amount of interest for me is:
>
>*	- All exploits will be reviewed before sending payments !
>
>hmmm so i send in my l33t qmail sploit, you "review" it, decide it's
>not up to standard and say "no"
>In the meantime, my super l33t qmail sploit is currently making its
>rounds across the world's s-k-a servers after being traded by a group
>claiming to have a new qmail 0hday...
>
>
>Call me old fashioned.. I think this business model needs some working
>here Alexander
>

Hello deeper, maybe the following will clear up a few things for you and
hopefully for others as well...

Yes, we do need to know what we are buying; reviewing your `1337'
sploits is something that has to be done, but by reviewing we don't
necessarily mean taking the source code and leaving you waiting for a week
and then coming back saying "sorry but your shit is not worth it"!
We will provide an appropriate environment where you would be able to
show us your `1337' skills and tools :) We'll be following you every
step of the way and eventually come up with a decision whether to buy
what you are offering or not. We are still in the process of working out
how this should work more efficiently and easily for both sides!
I agree that what we are doing still needs adjustments and
improvements, but every beginning is hard, right? :)




toddtowles at brookshires.com wrote:
>So...why give to you when iDefense will give me money for exploits. The
>program is proven and used by many. Strange 
>

Hello Todd,
a few easy answers for you:
1) We are also buying your exploits (buying in this case involves
money :P ) + we are paying quite a bit more than they do :)
2) "The program is proven and used by many. Strange" - their program
is at first glance really very similar to ours, but we like to think
we provide a different, more efficient process of doing the same thing
(which is not exactly correct because our goals are a bit different).
I can't really understand what's so strange. If they are doing it, does this
mean there is no need for anyone else to do it? Or that no one could do it
better than them?


xyberpix at xyberpix.com wrote:
>I love the way that you put this.
>
>"We would like to announce a new service to the security community....."
>
>This is definitely a new service, no one's ever thought of this before, 
>well no one wearing a white hat anyway. I can really see this benefiting the 
>security community greatly.
>The more exploits that you manage to sell, the more work it creates for 
>us to go and fix, really good business plan.
>
>Mmm, oh wait, will you be selling to terrorists as well, I hear they 
>have a lot of money to spend on this sort of thing?
>
>/me checks calendar, nope it's not April 1st again.
>
>C'mon Alex, be serious.
>

Hello xyberpix,

Here is my reply:
Yes, that's a new service; yes, we are not the first to think about
buying exploits. I think you fail to make a distinction between having
the idea of something and realising it (and there's a big difference, I
think you will agree once you put your mind to it :) ). If you read my
answer to Stan you will see how the community will benefit from this
:). I'm not really into politics, but still I do have some experience
with communism and I have to say helping everybody and treating
everybody equally is not always the best thing to do. I will repeat
myself once again: we are not reselling the exploits to third parties!
We are not reselling them to anyone!
On a personal note - do you really believe starting flames is
something that is helpful to anyone? Or do you just have a lot of free
time to spend? :) No offense.


ebonzo at libero.it  wrote:
>
>Ehm,
>I joined the irc server to take a look around:
>
>/links
>n0=irc.exploits.cx (0) Exploits Buyers Network
>n1=opensource.arc.nasa.gov (1) DEFEND SYSTEM
>n2=stats.exploits.cx (1) stats.exploits.cx - get stats
>n3=services.exploits.cx (1) Services for IRC Networks
>n4=irc2.exploits.cx (1) BG Exploits Buyers Network
>
>wtf does opensource.arc.nasa.gov mean?
>
>Teo

Hello Teo,

Probably you should read a bit more about the IRC protocol and vhosts
in general :) but I can see you already got your answer from others :)
To clear things up, there is a service running on this link called
Void that you may have encountered on other networks.


Valdis.Kletnieks at vt.edu wrote:
>
>On Tue, 07 Jun 2005 11:15:45 +0300, Georgi Guninski said:
>> On Mon, Jun 06, 2005 at 02:54:49PM -0700, Eric Paynter wrote:
>> > Clearly the original post was either a troll or a fraud. We don't need to
>> > keep telling him how weak the business model is.
>> 
>> you should also tell idefense how weak their business model is (check in
>> their advisories the difference between "clients notified" and
>> "gone public").
>> 
>> it is strange how people approve a bloated u$a corp, but flame a semianonymous
>> poster :)
>
>The fact that iDefense is doing it as well doesn't make it any less
>weak a model.
>
>It may be quite workable when you're the only company doing it - but if another
>company starts doing it as well, you end up with a price war likely to take out
>at least one of the competitors.
>
>If nothing else, the presence of competition will likely soon tell us what the
>*real* value of an exploit is, as opposed to what iDefense has been paying :)
>

I'd like to thank Mr. Guninski (even having you posting on this topic
makes us excited :) ) and Mr. Valdis Kletnieks for the reasonable
posts. I just have to add something: an eventual price war or
competition of any kind could only be a benefit for everyone!

At the end I would like to thank you all for taking an interest in this
post and for the questions you asked. I believe most of them will
find their way into the FAQ section of the upcoming site.
Please excuse my imperfect and rough English.


Best regards,
Ivaylo Zashev 
irc.exploits.cx staff.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/