Date: Thu, 3 Apr 2008 22:21:17 -0400
From: "Mary Landesman" <mlande@...lsouth.net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: Fwd: Let's outlaw
	masssecurityconferencespamming its f****** gay

I think the concerns you've raised about profiteering/marketing on the list
are valid. I hadn't thought of it from that perspective, frankly. 

It can be helpful to have a central resource/calendar to be informed about
them. I would subscribe to a specific list for that.

-- Mary

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of n3td3v
Sent: Thursday, April 03, 2008 5:39 PM
To: Garrett M. Groff; n3td3v; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Fwd: Let's outlaw
masssecurityconferencespamming its f****** gay

On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <groffg@...design.com>
wrote:
> Regarding the particular person in question, I'll defer to others who 
> know him (or her, or they, or whomever) better than I do. Instead, 
> I'll say that, generally, on lists like FD, there is a minority of 
> out-spoken personalities who sadly support the stereotypical hacker 
> persona: condescending egoists who are socially inept and emotionally 
> charged when discussing topics that relate to their knowledge domain. 
> That's unfortunate, since the broader IT security community is poorly
> represented due to attention-seeking zealots.
>
> Regarding the idea of "outlawing security conference spamming," I'd say 
> the literal idea of outlawing cross-posts to multiple security mailing 
> lists is a bad idea. The idea that the legislature should write into 
> law legislation that reduces our freedom in such a sense is a slippery 
> slope borne of emotionalism and narrowness. What else should the 
> government do to curtail our freedoms? I tend to side with libertarian 
> types (though I don't call myself a "libertarian" un-qualified) on 
> what the government should do and what they should not do. And 
> micro-manage security mailing lists is something they should not do. 
> It's a bad idea and would make a dreadful precedent.

Full-Disclosure is meant to be about free source, not making money. I'm
against people who make money coming on the mailing lists; it's commercial
spam. We can't allow this to continue. Here is what I don't like:

- Come to our conference - profit... buy our ticket, get a macbook prize.

- Hacking challenge prize - profit... they give you $5000 and sell it to the
vendor for a lot more.

- Train to use our software - profit... overpriced training for software...
not interested.

On the issue of how much a vulnerability is worth, the prices are not
regulated. We need regulation into how much a vulnerability costs, because
the prices right now are wild. We need to take vulnerability pricing off the
black market and onto a legitimate central website for selling
vulnerabilities, or cash rewards for disclosing a vulnerability to a
particular company or organisation. I don't like sites like digital
armaments, which when I visited it, the content and answers they gave were
questionable, and people have complained about digital armaments in the
past. It's time to get pricing regulated and defined, so everyone knows who's
being joe jobbed and who isn't.

Can someone post to full-disclosure a price list of what they think a
buffer overflow should be worth etc., and we can vote if we agree.

So what I'm calling for is someone to post up a hacker's price list per
vulnerability type.

XSS/SQL should be worth something as well, so Morning_Wood can buy milk and
a newspaper in the mornings after he's taken care of his wood.

Sorry I've ended this e-mail with slightly off-topicness, but I do think
pricing needs to be defined.

We can't dress up cash prizes/contests as something else as well. If a
website is offering a $5,000 reward for a vulnerability, we need to know if
we're being ripped off with the cash reward and how much can be potentially
made after it's sold on.

Robert Lemos even http://www.securityfocus.com/news/11510 talked about
vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash reward
might not be enough money, compared to what a vulnerability
*should* be worth, and taking into consideration how much profit CanSecWest
make overall from people attending the conference.

So you take into consideration how much a vulnerability should be worth,
then the added worth because it's a security conference of how much should be
added on to counter the profit being made by the event.

A vulnerability should be worth more if it's disclosed at a security
conference than if it's bought privately, because you've got to take in
profit and free advertising to calculate.

However, to round off, we can't allow the mailing lists to turn into a
vulnerability marketplace. Full-disclosure should be for free stuff, and
other websites and mailing lists can be set up for *money making schemes and
auctions*.

We shouldn't allow the money makers directly to market X... if a link is put
on Full-Disclosure by a member of the public on the fly then that's OK, but I
think it's cheeky for the particular conference, contest runner or software
trainer to be on the list themselves spamming everyone, for a profiteering
agenda.

You mention cross-posting. That's not the issue here; it's the people making
the money posting to make the money that offends me so much.

And not even the lonely hacker offends me who posts "I've got a vulnerability
for sale for X". I don't mind that on Full-Disclosure, but what I do mind is
if it's a company or organisation doing it that is directly the ones making
the money via vulnerability for sale, prize contest, security conference or
train to use our software!!! That's the height of spam I just think is
utterly wrong and unethical on any scale of acceptability.

If a lonely hacker who works in a supermarket has a vulnerability to sell, I'm
all for it being posted on full-disclosure, but not the big money conferences,
prize hacking contests and software training guys.

I come under the bracket as supermarket worker with nothing much going for
me in life, so I should be allowed to sell a vulnerability on what's meant to
be a mailing list for non-profit disclosure.

If we tolerate the money making schemes much longer, eventually
full-disclosure will be awash with conference, training, cash prize spam, etc.
once everyone realises the full value of vulnerabilities and the huge
amounts of money to be made from setting up a cash prize contest, the huge
amounts of money to be made from setting up a security conference and the
huge amounts of money to be made from training people to use your hax0r
software.

You will find it easy to shout me down and say n3td3v's an idiot, but wait
until the vulnerability market really takes off and the prices of
vulnerabilities are properly defined and regulated. You're going to see a
huge increase in commercial spam on the mailing lists, like the
full-disclosure mailing list. So we've got to define what's fair play e-mail
and what's a company or organisation blatantly profiteering with X method of
extracting money out of people and using skilled hackers to make money, and
to promote a security conference, training etc.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
