Date: Fri, 4 Apr 2008 23:11:01 +0100
From: n3td3v <xploitable@...il.com>
To: n3td3v@...glegroups.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay

On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <ureleet@...il.com> wrote:
> see:
>
> > - Come to our conference - profit... buy our ticket, get a macbook prize.
>
> > - Hacking challenge prize - profit... they give you $5000 and sell it
> > to the vendor for a lot more.
>
> ZDI provides the money for this.  And they don't sell it back to the vendor
>
>
> > - Train to use our software - profit... overpriced training for
> > software... not interested.
>
> don't get angry at remote-exploit because they are making money from their
> work.  How much money do you make from posting to fd?
>
>
> > On the issue of how much a vulnerability is worth, the prices are not
> > regulated, we need regulation into how much a vulnerability costs,
> > because the prices right now are wild. We need to take vulnerability
> > pricing off the blackmarket and onto a legitimate central website for
> > selling vulnerabilities, or cash rewards for disclosing a
> > vulnerability to a particular company or organisation.
>
> wabisabilabi?  zdi...  etc.
>
> > Can someone post to full-disclosure a price list of what they think a
> > buffer overflow should be worth etc, and we can vote if we agree.
>
> feel free to take that as a todo item.  However, I would think it would
> depend on the bo.
>
> > We can't dress up cash prizes/contests as something else as well, if a
> > website is offering a $5,000 reward for a vulnerability, we need to
> > know if we're being ripped off with the cash reward and how much can
> > be potentially made after it's sold on.
>
> zdi doesn't sell their exploits afaik.
>
>
> > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > reward might not be enough money, compared to what a vulnerability
> > *should* be worth, and taking into consideration how much profit
> > CanSecWest make overall from people attending the conference.
>
> the pwn2own cash is supplied by zdi.  That's what you aren't realizing.
>
>
> > So you take into consideration how much a vulnerability should be
> > worth, then the added worth because it's a security conference of how
> > much should be added on to counter the profit being made by the event.
>
> you already said this. twice.
>
>
> > However, to round off, we can't allow the mailing lists to turn into a
> > vulnerability market place, full-disclosure should be for free stuff,
> > and other websites and mailing lists can be setup for *money making
> > schemes and auctions*.
>
> there are.  However, how are the people going to know about the websites if
> you don't allow people to 'spam' lists with this sort of thing, mr
> unofficial-fd moderator?
>
>
> > We shouldn't allow the money makers directly to market X... if a link
> > is put on Full-Disclosure by a member of the public on the fly then
> > that's ok, but I think it's cheeky for the particular conference,
> > contest runner or software trainer to be on the list themselves
> > spamming everyone, for a profiteering agenda.
>
> that's why it's called free enterprise, it's an unmoderated list.  Feel free
> to unsubscribe if you don't like it much..
>
>
> > You mention cross-posting, that's not the issue here, it's the people
> > making the money posting to make the money that offends me so much.
>
> we know, it's the third time you've said it in one email.
>
>
> > And not even the lonely hacker offends me who posts I've got a
> > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > but what I do mind is if it's a company or organisation doing it that
> > is directly the ones making the money via vulnerability for sale,
> > prize contest, security conference or train to use our software!!!,
> > that's the height of spam I just think is utterly wrong and unethical
> > on any scale of acceptability.
>
> again, free market, and you are directly talking about zdi.
>
>
> > If a lonely hacker who works in a supermarket has a vulnerability to
> > sell I'm all for it being posted on full-disclosure, but not the big
> > money conferences, prize hacking contests and software training guys.
>
> fourth time.
>
>
> > I come under the bracket as supermarket worker with nothing much going
> > for me in life, so I should be allowed to sell a vulnerability on
> > what's meant to be a mailing list for non-profit disclosure.
>
> you work at a supermarket?  so you know about the under cash drawer switch
> that pops open the drawer exploit?
>
>
>
> > You will find it easy to shout me down and say n3td3v's an idiot, but
> > wait till the vulnerability market really takes off and the prices of
> > vulnerabilities are properly defined and regulated, you're going to
> > see a huge increase in commercial spam on the mailing lists, like the
> > full-disclosure mailing list. So we've got to define what's fair play
> > e-mail and what's a company or organisation blatantly profiteering
> > with X method of extracting money out of people and using skilled
> > hackers to make money, and to promote a security conference, training
> > etc.
>
> again, unmoderated list.  The door is over there.

* i * * never * mentioned * ZDI * you * complete * jerk * off *

* read * * the * * e-mail * properly * and * you * will * understand *
what * I * don't * like *

Overview:

FIRST

I said let's have a debate about how much a vulnerability is worth per
vulnerability type, so everyone knows if we're being ripped off by joe
jobs and to stop any blackmarkets, prices need to be defined and
regulated, so everyone knows where they stand in the security
community as far as prices are concerned.

^^^^You bypassed this completely.

SECOND

Those on the list who don't disclose a vulnerability *but* are trying
to sell a product should be outlawed.

^^^^do you know the difference between disclosure and profiteering?

You're losing my rag and the lack of intellectual debate on this from
non-retards is shocking, these are two serious topics that need
debating and all I've got is some lamer called "Ureleet" trying to
wind me up.

Is there anyone who can have a serious debate on this list?

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
