Date: Wed, 23 May 2007 13:27:17 +0200
From: Amit Klein <aksecurity@...il.com>
To: "Arian J. Evans" <arian.evans@...chronic.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
	Web Security <websecurity@...appsec.org>
Subject: Re: [WEB SECURITY] noise about full-width
	encoding bypass?

Arian J. Evans wrote:
>
> On 5/22/07, Amit Klein <aksecurity@...il.com> wrote:
>
>
>     Fair enough. Still, I expect at least the websecurity mailing list to
>     give credit where credit is due...
>
>
> Hmm, good point, No argument, but...as we see more of this
> character encoding set awareness I wonder:
>
> 1. Where do you draw the line on what is "new"?
>

The way I see it, and I think it addresses the rest of your points (in 
your original email) is that the researcher should attempt to find the 
most similar/relevant prior art, and then discuss how (if at all...) 
his/her findings differ. This provides the public with:
- Acknowledgment (and credit) of prior art
- Explanation of what is "really" new

So if say the web-app-sec researcher applies techniques from the AV 
world to the web-app-sec world, he/she should credit the AV prior-art, 
and explain that those techniques are applied in the paper to the 
web-app-sec world, with the twists X, Y and Z.
Or you can say something like: In this research I combine evasion 
techniques A (credit to...), B (credit to...) and C (credit to...) to 
bypass system X.

By subscribing to this scheme, the author makes it much easier to 
evaluate his/her paper. The author does most of the work (finding prior 
art, comparing their findings to prior art), and the readers judge 
whether this is new enough/interesting.

As for research in non-English languages - that's where *I* draw the 
line. I assume that everyone can (and should) read English nowadays, and 
I do not expect anyone to be aware of non-English prior art. However, if 
such prior art becomes known to the author, it's his/her duty to credit 
the authors of such text, of course.

-Amit

