Message-ID: <2d792fb20804041519q2f9bea81j9304ae9446414a03@mail.gmail.com>
Date: Sat, 5 Apr 2008 01:19:50 +0300
From: "Razi Shaban" <razishaban@...il.com>
To: n3td3v <xploitable@...il.com>
Cc: n3td3v@...glegroups.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Fwd: Let's outlaw mass securityconferencespamming its f****** gay
You say "serious debate" as if you are attempting to partake in such a
debate. You are not. You are flaming.
Now, please stop flaming.
Note for fairness: This is not intended exclusively for netdev, but
for everyone who is flaming.
--
Razi
On 4/5/08, n3td3v <xploitable@...il.com> wrote:
> On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <ureleet@...il.com> wrote:
> > see:
> >
> > > - Come to our conference - profit... buy our ticket, get a macbook prize.
> >
> > > - Hacking challenge prize - profit... they give you $5000 and sell it
> > > to the vendor for a lot more.
> >
> > ZDI provides the money for this. and they don't sell it back to vendor
> >
> >
> > > - Train to use our software -profit... over priced training for
> > > software... not interested.
> >
> > don't get angry at remote-exploit because they are making money from their
> > work. how much money do you make from posting to fd?
> >
> >
> > > On the issue of how much a vulnerability is worth, the prices are not
> > > regulated, we need regulation into how much a vulnerability costs,
> > > because the prices right now are wild. We need to take vulnerability
> > > pricing off the blackmarket and onto a legitimate central website for
> > > selling vulnerabilities, or cash rewards for disclosing a
> > > vulnerability to a particular company or organisation.
> >
> > wabisabilabi? zdi... etc.
> >
> > > Can someone post to full-disclosure a price list of what they think a
> > > buffer overflow should be worth etc, and we can vote if we agree.
> >
> > feel free to take that as a todo item. however, i would think it would
> > depend on the bo.
> >
> > > We can't dress up cash prizes/contests as something else as well, if a
> > > website is offering a $5,000 reward for a vulnerability, we need to
> > > know if we're being ripped off with the cash reward and how much can
> > > be potentially made after its sold on.
> >
> > zdi doesn't sell their exploits afaik.
> >
> >
> > > Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> > > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> > > reward might not be enough money, compared to what a vulnerability
> > > *should* be worth, and taking into consideration how much profit
> > > CanSecWest make overall from people attending the conference.
> >
> > the pwn2own cash is supplied by zdi. that's what you aren't realizing.
> >
> >
> > > So you take into consideration how much a vulnerability should be
> > > worth, then the added worth because its a security conference of how
> > > much should be added on to counter the profit being made by the event.
> >
> > you already said this. twice.
> >
> >
> > > However, to round off, we can't allow the mailing lists to turn into a
> > > vulnerability market place, full-disclosure should be for free stuff,
> > > and other websites and mailing lists can be set up for *money making
> > > schemes and auctions*.
> >
> > there are. however how are the people going to know about the websites if
> > you don't allow people to 'spam' lists with this sort of thing, mr
> > unofficial-fd moderator?
> >
> >
> > > We shouldn't allow the money makers directly to market X... if a link
> > > is put on Full-Disclosure by a member of the public on the fly then
> > > that's ok, but I think it's cheeky for the particular conference,
> > > contest runner or software trainer to be on the list themselves
> > > spamming everyone, for a profiteering agenda.
> >
> > that's why it's called free enterprise, it's an unmoderated list. feel free
> > to unsubscribe if you don't like it much..
> >
> >
> > > You mention cross-posting, that's not the issue here, it's the people
> > > making the money posting to make the money that offends me so much.
> >
> > we know, it's the third time you've said it in one email.
> >
> >
> > > And not even the lonely hacker offends me who posts i've got a
> > > vulnerability for sale for X, I don't mind that on Full-Disclosure,
> > > but what I do mind is if its a company or organisation doing it that
> > > is directly the ones making the money via vulnerability for sale,
> > > prize contest, security conference or train to use our software!!!,
> > > that's the height of spam I just think is utterly wrong and unethical
> > > on any scale of acceptability.
> >
> > again, free market, and you are directly talking about zdi.
> >
> >
> > > If a lonely hacker who works in a supermarket has a vulnerability to
> > > sell i'm all for it being posted on full-disclosure, but not the big
> > > money conferences, prize hacking contests and software training guys.
> >
> > fourth time.
> >
> >
> > > I come under the bracket as supermarket worker with nothing much going
> > > for me in life, so I should be allowed to sell a vulnerability on
> > > what's meant to be a mailing list for non-profit disclosure.
> >
> > you work at a supermarket? so you know about the under cash drawer switch
> > that pops open the drawer exploit?
> >
> >
> >
> > > You will find it easy to shout me down and say n3td3v's an idiot, but
> > > wait to the vulnerability market really takes off and the prices of
> > > vulnerabilities are properly defined and regulated, you're going to
> > > see a huge increase in commercial spam on the mailing lists, like the
> > > full-disclosure mailing list. so we've got to define what's fair play
> > > e-mail and what's a company or organisation blatantly profiteering
> > > with X method of extracting money out of people and using skilled
> > > hackers to make money, and to promote a security conference, training
> > > etc.
> >
> > again, unmoderated list. the door is over there.
>
>
> * i * * never * mentioned * ZDI * you * complete * jerk * off *
>
> * read * * the * * e-mail * properly * and * you * will * understand *
> what * I * don't * like *
>
> Overview:
>
> FIRST
>
> I said let's have a debate about how much a vulnerability is worth per
> vulnerability type, so everyone knows if we're being ripped off by joe
> jobs and to stop any blackmarkets, prices need to be defined and
> regulated, so everyone knows where they stand in the security
> community as far as prices are concerned.
>
> ^^^^You bypassed this completely.
>
> SECOND
>
> Those on the list who don't disclose a vulnerability *but* are trying
> to sell a product should be outlawed.
>
> ^^^^do you know the difference between disclosure and profiteering?
>
> You're losing my rag and the lack of intellectual debate on this from
> non-retards is shocking, these are two serious topics that need
> debating and all i've got is some lamer called "Ureleet" trying to
> wind me up.
>
> Is anyone who can have a serious debate on this list?
>
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>