Message-ID: <3D4A78CA.9030801@core.gen.tr>
From: evrim at core.gen.tr (Evrim ULU)
Subject: it's all about timing

Hi,

I really don't understand why we're discussing RFPolicy. It's not the main subject of the HP/SnoSoft DMCA topic. Here is why:

My understanding is that there are two major things in engineering: laws and ethical issues. First of all, observe the following case:

- Assume that a window of a grocery store is broken.
- Anyone can get something from inside without paying at midnight, since there is no glass there. Normally one would call the police, tell them that the window is broken, and ask them to take precautions; otherwise somebody may take all the bananas and run away.
- The law says: you're guilty if you steal something.
- The law also says: you're not guilty if you don't call the police after realizing that the window is broken.

Let's look at what ethics says:

- You're not ethical if you steal something.
- You're not ethical if you don't call the police.

See? The second line is not ethical, but it is legal. In the DMCA/HP/SnoSoft case, the problem is the LAW, not the ethical issues. We must consider ethical issues like RFPolicy later, because HP already sued SnoSoft according to laws, not ethics.

Here are my thoughts about the topic:

There is no law that states "If it is done at 7 o'clock it is legal, and if you do it at 11 o'clock you'll be punished with ten thousand years in prison." Such a law can't be applied to the real world, sorry. We can't prove that we already talked with HP at 7 o'clock, that they didn't answer until 11 o'clock, and so I published the exploit code. Unless all vendors are governmental, no legal proof about these conversations between vendors and hackers can be presented to a court. Remember, they've got lots of bucks to pay lawyers. We're alone.

I propose two ways to get around this:

i. Publish zero-day exploits. Forget about the vendor. Since hacking is illegal, assume the police will catch the hacker, since he/she is doing something illegal. This is why there are cybercops, am I right? Nobody can be punished if he/she didn't call the police in the case of a broken window.

ii. Hackers are not allowed to publish any exploits. They can only send the exploit code/bug report to the vendor. The vendor publishes proof-of-concept code to the public with the fix when it is available, if they want to, of course. I think the DMCA will grant this, since vendors hold the copyright on the product. Also, we know that no vendor wants to publish that their product is insecure.

Another topic that I want to discuss is that I'm living in Turkiye, and here we don't have any DMCA super-duper laws. We have a simple copyright law which does not include the DMCA. Who's going to stop me from publishing 0-day exploits? Obviously no one. Right? The USA may cancel Turkiye's connection to the USA, but I don't think that is impossible for now. Also, they may prevent me from entering the US borders, but I really don't care about it. As a result, only US programmers will suffer from this law, not me. They are going to think twice before publishing anything. This is of course unfair. The US government just makes its own programmers suffer from this law by saying "We are protecting the vendors." They are just missing the statement that "Hackers make their products more secure and more reliable." I think they are assuming every vendor has enough skilled "hacker" employees to check their products. Heh :-)) As Kurt said, they don't.

In the future, I think, only vendors will be able to publish such exploits, fixes and proofs of concept in the USA. Hackers will just get a small credit at the end of the message. For the rest of the world, the game is not over, and people will continue to publish exploits. Besides, vendors will make money using the work of hackers. This is what we call capitalism, in fact, and it is coming over us again. Beware :-))

PS: Heh, maybe we should buy a small island, found our "Country of Secure Systems" and publish exploits from there. Any island suggestions?

Kind regards,

--
Evrim ULU
evrim@...y.com.tr / evrim@...e.gen.tr
sysadm
http://www.core.gen.tr