From: solareclipse at phreedom.org (Solar Eclipse)
Subject: openssl exploit code

On Mon, Sep 16, 2002 at 05:28:47PM -0400, hellNbak wrote:
> While I have nothing to do with Bugtraq I do moderate another full
> disclosure list out there - VulnWatch.  The nature of moderated lists
> in general means that the moderator, in this case Dave Ahmad, must first
> read then approve the message and hopefully do so in a timely manner.
> 
> I don't know the actual content of the message sent to Bugtraq but from
> the sounds of it it contained code written by you but was not sent by you.
> As a moderator I too would have first checked with the author of the code
> to ensure that I wasn't assisting someone in leaking someone else's code.
> 
> How does this have anything to do with full disclosure?  Would you not
> want someone to notify you if someone got a hold of your zero day and was
> distributing it?

Whose interests is a full disclosure mailing list supposed to serve? Those of
blackhats who prefer to keep all 0dayz private, or those of system
administrators and security professionals who need information about the
latest exploits? 

What's next? Checking if the vendor has been properly notified
and approves of posting the exploit code? Notifying the vendor
6 hours before approving the post? Rejecting certain posts
altogether?

The fact is that Dave Ahmad is in possession of an exploit for
OpenSSL and is currently withholding it from the security community.
Maybe his corporate masters fear litigation. Or it could be that
he is concerned about my feelings. Even TESO didn't get that kind of
treatment, this makes me feel so special.

Doesn't this make anybody else uncomfortable?

Are you going to subscribe to a full disclosure mailing list
whose moderator puts Intellectual Property or Corporate Interests
before the security of your system?

After a few more corporate mergers and takeovers, are you going to
send your 0dayz to bugtraq@...rosoft.com ? And wait 45 days for
moderator approval?


Solar Eclipse
