Message-ID: <509000851.20071109221118@Zoller.lu>
Date: Fri, 9 Nov 2007 22:11:18 +0100
From: Thierry Zoller <Thierry@...ler.lu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploit Brokering

Dear Simon,

Well if it wasn't obvious enough let me rephrase.

>> SS> What happens if they sell to a hostile
>> SS> foreign party, what could happen to them, etc...?
>> Maybe they perceive your party as a hostile foreign party, this list is
>> obviously not based in the US.
SS> What's your point?
I think my point is very clear, those trying to find a buyer on this
list (who you are directly speaking to in your post) are
maybe not interested in selling to US based parties. You assume they
are.

To make this even clearer :
SS> Do they ever stop to think
SS> about the potential liability? What happens if they sell to a hostile
SS> foreign party, what could happen to them, etc...?
Maybe the hostile foreign party for them is the USA.

>>> The solution is to work with legitimate established businesses
>>> in a confidential and responsible manner.
>> If you are responsible you surely can disclose who you are selling
>> them to?
SS> That would be irresponsible.
Why would disclosing who you are selling them to be irresponsible ?
You argue that those seeking to sell over FD are "careless and
irresponsible". Now why does selling them to you make them less
"careless and irresponsible", since they still don't know with
whom the information will end up?

>> Are you even disclosing this to the person that you
>> bought them from ? When not does this make you any better than
>> the "others" ?
SS> I have no idea what you are asking me here.
Are you disclosing _to the person_ you bought the bugs from, to whom
you are going to sell them ? If not I don't see the interest why they
should choose you over others for ethical reasons.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
