From: hellnbak at nmrc.org (hellNbak)
Subject: openssl exploit code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Solar,

While I have nothing to do with Bugtraq, I do moderate another full
disclosure list out there - VulnWatch.  The nature of moderated lists
in general means that the moderator, in this case Dave Ahmad, must first
read then approve the message and hopefully do so in a timely manner.

I don't know the actual content of the message sent to Bugtraq but from
the sounds of it it contained code written by you but was not sent by you.
As a moderator I too would have first checked with the author of the code
to ensure that I wasn't assisting someone in leaking someone else's code.

How does this have anything to do with full disclosure?  Would you not
want someone to notify you if someone got a hold of your zero day and was
distributing it?

It seems that a lot of people are confused about what full disclosure
really is.  Checking if the credited author of code meant to post it to a
list is common sense and not anything to do with full disclosure.
Moderated full disclosure, in most cases, does not mean censorship, at
least on any list that I have a hand in.

Just my $.02..........

On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Date: Mon, 16 Sep 2002 16:08:54 -0500
> From: Solar Eclipse <solareclipse@...eedom.org>
> To: Dave Ahmad <da@...urityfocus.com>
> Cc: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] openssl exploit code
>
> On Mon, Sep 16, 2002 at 02:16:05PM -0600, Dave Ahmad wrote:
> > An exploit code that lists you as the author has been posted to Bugtraq.
> > I would like to request your permission before approving it for
> > distribution on the list.
>
> And you call Bugtraq a full disclosure list?
>
> Weak.
>
> Since you asked, my answer is no. You do not have my permission
> to post my source code to Bugtraq or anywhere on SecurityFocus,
> Symantec or any affiliated site.
>
> This also covers the source of the apache-ssl worm, which includes
> substantial stolen parts of my exploit code, unless those parts are
> properly removed.
>
>
> Solar Eclipse
>

- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@...c.org
http://www.nmrc.org/~hellnbak

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9hk0SueD73xSa+/ARAkhOAJ4gBJIMgCMybqNXQvyT7P2f58+C4gCeJ/8U
vnlFZc5gdLICxJNZ/RqurFU=
=+9Rj
-----END PGP SIGNATURE-----

