Message-ID: <026601c7c1c8$62b900e0$282b02a0$@net>
Date: Sun, 8 Jul 2007 18:27:58 -0700
From: "George Ou" <george_ou@...architect.net>
To: "'Michal Zalewski'" <lcamtuf@...ne.ids.pl>,
	"'wac'" <waldoalvarez00@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: EXPLOITS FOR SALE (AUCTION SITE)

Michal,

I completely agree with you about the ethics of selling exploits to the
black-market.  However, there needs to be a reasonable alternative to
working for a "thank you" from the vendor.  Very knowledgeable people who
spend their valuable time tracking down bugs deserve to be able to make a
living and they deserve to get paid.  If there were a reasonable finder's
fee paid by the vendor, then a lot of conscionable researchers would go the
legitimate route even if they could make more money selling it on the
black market.

George
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Michal
Zalewski
Sent: Sunday, July 08, 2007 11:55 AM
To: wac
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] EXPLOITS FOR SALE (AUCTION SITE)

On Sun, 8 Jul 2007, wac wrote:

> It is more noble to reward hard-to-do work that also requires a lot of
> knowledge, for which sometimes people don't even take the time to say
> "thank you".

Vulnerability research is good. Getting paid for research is good. Holding
vendors accountable is good.

Yet, secretly trading intellectual property, keeping it under wraps for
months or years to maximize the buyer's ROI, and not giving a second thought
as to why a shady foreigner would pay $50,000 for an _exploit_ they have
no legitimate use for, pretty much stands against *all* the core values of
the hacker culture - a culture to which this field of research owes quite
a bit.

Yeah, it can be done. It might be legal by itself, too - though I'm sure
the moment your code is used for malicious purposes (or simply against
your government), if it can be shown you willfully ignored the clearly
dubious nature of the transaction, a charge of being an accessory to a crime
won't be far off.

Still, legal or not, it's not exactly something to be too proud of on this
list.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
