[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3D4A78CA.9030801@core.gen.tr>
From: evrim at core.gen.tr (Evrim ULU)
Subject: it's all about timing
Hi,
I really don't understand why we'r discussing RFPolicy. It's not the
main subject of HP/Snosoft DMCA topic. Here is why:
My knowledge says that there are two major things in engineering: Laws &
Ethical Issues.
First of all observe the following case:
- Assume that a window of a grocery is broken.
- Anyone can get something inside without paying at midnight since there
is no glass over there. Normally one would call the police and say to
police that the window is broken and ask for taking precaution otherwise
somebody may take all the banana's and run away.
- Laws says that: u'r guilty if u steal something.
- Laws also says that : u'r not guilty if u don't call police after
realizing that window is broken.
Let's look what ethic says:
- U'r not ethical if u steal something.
- U'r not ethical if u don't call the police.
See? The second line is not ethical but legal.
In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues.
We must consider these ethical issues later like RFPolicy because HP
already sued SnoSoft according to laws not ethics.
Here is my thoughts about the topic:
There are no laws that states "If it is done at 7 oclock it is legal and
if u do it on 11 o'clock u'll be punished with a ten thousand years in
prison."
This law can't be applied to the real world sorry. We can't prove that
we've already talked with hp at 7 oclock, they didn't answered until 11
clock so I published the exploit code. Unless all vendors are
govermental no legal proof can be stated to court about these
conversations between Vendors and Hackers. Remember they'v got lots of
bucks to give advocates. We'r alone.
I propose two ways to get around:
i. Publish zero-day exploits. Forget about vendor. Since hacking is
illegal, assume police will catch the hacker since he/she's doing
illegal. This is why there are cybercops am I right? Nobody can be
punished if he/she didn't call police in case of a broken window.
ii. Hackers are unallowed to publish any exploits. They just can send
the exploit code/bug report to vendor. Vendor publishes proof of
concept code to public with the fix when available if they want of
course. I think, DMCA will grant this since Vendor's hold the copyright
about the product. Also, we know that no vendor wants to publish that
their product is insecure.
Another topic that i want to discuss is i'm living in Turkiye and here
we don't have any DMCA super duper laws. We have a simple copyright law
which do not include DMCA. Who's gonna stop me publishing 0 day
exploits? Obviously No-One. Right? USA may cancel Turkiye's connection
to USA but i don't think that this is impossible for now. Also, they may
prevent me entering the US frontiers but i really don't care about it.
As a result, only US programmers will suffer from this law not me. They
are going to think it twice before publishing anything. This is of
course unfair. US goverment just makes their own programmers suffer from
this law by saying "We are protecting the vendors". They are just
missing the statement that "Hackers make their product more secure-more
reliable". I think that they are assuming every vendor has enough
skilled "Hacker" employee to check their products. Heh:-)) As Kurt
said, they don't have.
In the future, i think, only vendors can publish such exploits, fixes
and proof of concepts in USA. Hackers gonna just take small credit at
the end of the message. For the rest of the world, game is not over and
ppl will continue to publish exploits. Besides, Vendor's will make money
using the works of hackers. This is what we call capitalism in fact and
it is coming over us again. Beware:-))
PS: Heh maybe we should buy a small island and found our "Country of
Secure Systems" and publish exploits from there. Any island suggestions?
King regards,
--
Evrim ULU
evrim@...y.com.tr / evrim@...e.gen.tr
sysadm
http://www.core.gen.tr
Powered by blists - more mailing lists