lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3D4A78CA.9030801@core.gen.tr>
From: evrim at core.gen.tr (Evrim ULU)
Subject: it's all about timing

Hi,

I really don't understand why we'r discussing RFPolicy. It's not the 
main subject of HP/Snosoft DMCA topic. Here is why:

My knowledge says that there are two major things in engineering: Laws & 
Ethical Issues.

First of all observe the following case:

- Assume that a window of a grocery is broken.
- Anyone can get something inside without paying at midnight since there 
is no glass over there. Normally one would call the police and say to 
police that the window is broken and ask for taking precaution otherwise 
somebody may take all the banana's and run away.
- Laws says that: u'r guilty if u steal something.
- Laws also says that : u'r not guilty if u don't call police after 
realizing that window is broken.

Let's look what ethic says:

- U'r not ethical if u steal something.
- U'r not ethical if u don't call the police.

See? The second line is not ethical but legal.

In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues. 
We must consider these ethical issues later like RFPolicy because HP 
already sued SnoSoft according to laws not ethics.

Here is my thoughts about the topic:

There are no laws that states "If it is done at 7 oclock it is legal and 
if u do it on 11 o'clock u'll be punished with a ten thousand years in 
prison."

This law can't be applied to the real world sorry. We can't prove that 
we've already talked with hp at 7 oclock, they didn't answered until 11 
clock so I published the exploit code. Unless all vendors are 
govermental no legal proof can be stated to court about these 
conversations between Vendors and Hackers. Remember they'v got lots of 
bucks to give advocates. We'r alone.

I propose two ways to get around:

i. Publish zero-day exploits. Forget about vendor. Since hacking is 
illegal, assume police will catch the hacker since he/she's doing 
illegal. This is why there are cybercops am I right? Nobody can be 
punished if he/she didn't call police in case of a broken window.
ii. Hackers are unallowed to publish any exploits. They just can send 
the exploit code/bug report to vendor.  Vendor publishes proof of 
concept code to public with the fix when available if they want of 
course. I think, DMCA will grant this since Vendor's hold the copyright 
about the product. Also, we know that no vendor wants to publish that 
their product is insecure.

Another topic that i want to discuss is i'm living in Turkiye and here 
we don't have any DMCA super duper laws. We have a simple copyright law 
which do not include DMCA. Who's gonna stop me publishing 0 day 
exploits? Obviously No-One. Right? USA may cancel Turkiye's connection 
to USA but i don't think that this is impossible for now. Also, they may 
prevent me entering the US frontiers but i really don't care about it.

As a result, only US programmers will suffer from this law not me.  They 
are going to think it twice before publishing anything. This is of 
course unfair. US goverment just makes their own programmers suffer from 
this law by saying "We are protecting the vendors". They are just 
missing the statement that "Hackers make their product more secure-more 
reliable". I think that they are assuming every vendor has enough 
skilled  "Hacker" employee to check their products. Heh:-)) As Kurt 
said, they don't have.

In the future, i think, only vendors can publish such exploits, fixes 
and proof of concepts in USA. Hackers gonna just take small credit at 
the end of the message. For the rest of the world, game is not over and 
ppl will continue to publish exploits. Besides, Vendor's will make money 
using the works of hackers. This is what we call capitalism in fact and 
it is coming over us again. Beware:-))

PS: Heh maybe we should buy a small island and found our "Country of 
Secure Systems" and publish exploits from there. Any island suggestions?

King regards,
-- 
Evrim ULU
evrim@...y.com.tr / evrim@...e.gen.tr
sysadm
http://www.core.gen.tr




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ