From: simon at snosoft.com (ATD)
Subject: it's all about timing

yeah... these reply-to things....     arg...


On Mon, 2002-08-05 at 12:40, ATD wrote:
> Hey bro, 
> 	Jump on irc.homelien.no #snosoft  ;o)
> 
> 
> On Mon, 2002-08-05 at 15:34, KF wrote:
> > nicely spoken 
> > -KF
> > 
> > ----- Original Message ----- 
> > From: "Evrim ULU" <evrim@...e.gen.tr>
> > To: <full-disclosure@...ts.netsys.com>
> > Sent: Friday, August 02, 2002 5:19 AM
> > Subject: Re: [Full-Disclosure] it's all about timing
> > 
> > 
> > > Hi,
> > > 
> > > I really don't understand why we're discussing RFPolicy. It's not the 
> > > main subject of HP/Snosoft DMCA topic. Here is why:
> > > 
> > > My knowledge says that there are two major things in engineering: Laws & 
> > > Ethical Issues.
> > > 
> > > First of all observe the following case:
> > > 
> > > - Assume that a window of a grocery is broken.
> > > - Anyone can get something inside without paying at midnight since there 
> > > is no glass over there. Normally one would call the police and say to 
> > > police that the window is broken and ask for taking precaution otherwise 
> > > somebody may take all the bananas and run away.
> > > - Laws say that: u'r guilty if u steal something.
> > > - Laws also say that: u'r not guilty if u don't call police after 
> > > realizing that window is broken.
> > > 
> > > Let's look what ethic says:
> > > 
> > > - U'r not ethical if u steal something.
> > > - U'r not ethical if u don't call the police.
> > > 
> > > See? The second line is not ethical but legal.
> > > 
> > > In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues. 
> > > We must consider these ethical issues later like RFPolicy because HP 
> > > already sued SnoSoft according to laws not ethics.
> > > 
> > > Here is my thoughts about the topic:
> > > 
> > > There are no laws that state "If it is done at 7 o'clock it is legal and 
> > > if u do it at 11 o'clock u'll be punished with ten thousand years in 
> > > prison."
> > > 
> > > This law can't be applied to the real world sorry. We can't prove that 
> > > we've already talked with hp at 7 o'clock, they didn't answer until 11 
> > > o'clock so I published the exploit code. Unless all vendors are 
> > > governmental no legal proof can be stated to court about these 
> > > conversations between Vendors and Hackers. Remember they've got lots of 
> > > bucks to give advocates. We're alone.
> > > 
> > > I propose two ways to get around:
> > > 
> > > i. Publish zero-day exploits. Forget about vendor. Since hacking is 
> > > illegal, assume police will catch the hacker since he/she's doing 
> > > illegal. This is why there are cybercops am I right? Nobody can be 
> > > punished if he/she didn't call police in case of a broken window.
> > > ii. Hackers are unallowed to publish any exploits. They just can send 
> > > the exploit code/bug report to vendor.  Vendor publishes proof of 
> > > concept code to public with the fix when available if they want of 
> > > course. I think, DMCA will grant this since Vendors hold the copyright 
> > > about the product. Also, we know that no vendor wants to publish that 
> > > their product is insecure.
> > > 
> > > Another topic that i want to discuss is i'm living in Turkiye and here 
> > > we don't have any DMCA super duper laws. We have a simple copyright law 
> > > which does not include DMCA. Who's gonna stop me publishing 0 day 
> > > exploits? Obviously No-One. Right? USA may cancel Turkiye's connection 
> > > to USA but i don't think that this is impossible for now. Also, they may 
> > > prevent me entering the US frontiers but i really don't care about it.
> > > 
> > > As a result, only US programmers will suffer from this law not me.  They 
> > > are going to think twice before publishing anything. This is of 
> > > course unfair. US government just makes their own programmers suffer from 
> > > this law by saying "We are protecting the vendors". They are just 
> > > missing the statement that "Hackers make their product more secure-more 
> > > reliable". I think that they are assuming every vendor has enough 
> > > skilled  "Hacker" employees to check their products. Heh:-)) As Kurt 
> > > said, they don't have.
> > > 
> > > In the future, i think, only vendors can publish such exploits, fixes 
> > > and proof of concepts in USA. Hackers gonna just take small credit at 
> > > the end of the message. For the rest of the world, game is not over and 
> > > ppl will continue to publish exploits. Besides, Vendors will make money 
> > > using the works of hackers. This is what we call capitalism in fact and 
> > > it is coming over us again. Beware:-))
> > > 
> > > PS: Heh maybe we should buy a small island and found our "Country of 
> > > Secure Systems" and publish exploits from there. Any island suggestions?
> > > 
> > > Kind regards,
> > > -- 
> > > Evrim ULU
> > > evrim@...y.com.tr / evrim@...e.gen.tr
> > > sysadm
> > > http://www.core.gen.tr
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Full-Disclosure@...ts.netsys.com
> > > http://lists.netsys.com/mailman/listinfo/full-disclosure
> > > 
> > 
> -- 
> 
> -------------------------------------------------------
> Secure Network Operations, Inc.| http://www.snosoft.com
> Cerebrum Project               | cerebrum@...soft.com
> Strategic Reconnaissance Team  | recon@...soft.com
> -------------------------------------------------------
> 
> 
-- 

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum@...soft.com
Strategic Reconnaissance Team  | recon@...soft.com
-------------------------------------------------------


