From: full-disclosure at ifokr.org (Brian Hatch)
Subject: Symantec Buys SecurityFocus, among others.
> Release exploits with the vaguest of descriptions as to how they work 
> (lost for examples -- just copy'n'paste the "technical bits" of some 
> of the security bulletins from MS...).  Have the _only_ PoC code a 
> compiled binary loaded with copyright notices forbidding reversing, 
> etc.  Be sure to use some "encryption" (extremely trivial is OK as 
> complexity doesn't matter; can you say XOR?) in the PoC to "protect" 
> the important secret (generally the overflow "string" itself).  Be 
> capricious in who you prosecute under the DMCA for incorporating 
> vulnerability detection of this flaw into their products.  (Many 
> other "pro-reversing" laws allow reversing if doing so is the only 
> (practical) way to ensure compatibility or system inter-operation -- 
> this should not be a defense against reversing a security 
> vulnerability exploit...)

This and other 'Protect your code with the DMCA' ideas are interesting.
So we lock down our exploits with crappy encryption, hope someone uses
them, and sue.  Hopefully we win, and we get a nice check.

	And the DMCA has just been upheld in court.

We establish case law that indicates the DMCA is valid law, that
it's even supported by Open Source / Full Disclosure advocates.
Next time another Dimitry gets slapped with it, what are we going
to fall back on?

Although amusing to use the 'tools of the enemy', by using them
successfully you strengthen how they can be used against you.
I think this is a bad idea...


--
Brian Hatch                  Friends help you move.
   Systems and                Real friends help
   Security Engineer          you move bodies.
www.buildinglinuxvpns.net

Every message PGP signed