Date: Wed, 16 Jan 2013 06:37:30 -0500
From: Jeffrey Walton <noloader@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: how to sell and get a fair price

On Wed, Jan 16, 2013 at 5:19 AM,  <gremlin@...mlin.ru> wrote:
> On 15-Jan-2013 06:28:53 -0500, Jeffrey Walton wrote:
>
> ...
> > > Is it really necessary to stay anonymous? Writing hmmm... articles
> > > about vulnerabilities for some (very specific) media and getting a
> > > hmmm... fee for that is mostly legal.
> > > Opposed to the use of that information...
> > I think it's a slippery slope in the US.
>
> I'm happy to reside outside of the US...
>
> > On one hand, you have, for example, Computer Fraud and Abuse Act
> > (FCAA), Digital Millennium Copyright Act (DMCA), and Unlawful
> > Intercept. US corporations are rarely prosecuted under the law
> > [...] but individuals are regularly prosecuted
>
> That means, all these activities should not be performed in the US
> (and other countries with similar Draconian laws)...
It's not so much Draconian laws as it is greedy politicians who take
bribes from corporate America to grow their wealth, and then spend the
rest of their careers performing fellatio on industry and their
special interests (just an observation :).

> In general, this problem may be solved using the international division
> of labour, when people do only what is legal in their country. Example:
> reverse engineering is legal in Russia (unless it is used to create the
> competing product), so I can perform it and share the results. Someone
> else may then find suspicious code, other people may prove that code is
> vulnerable by writing an exploit... In this case, everyone performs in
> legal manner - except, obviously, the script kiddies who will use the
> ready tool to break something.
It's legal in the US, too. Dr. Jon Callas (one of PGP's co-founders)
was fortunate (persistent?) enough to have the provisions added to
DMCA (PUBLIC LAW 105–304). It has exceptions for reverse engineering
and security testing and evaluation. The RE exemption is in Section
1205 (f) REVERSE ENGINEERING. The ST&E exemption is in Section 1205
(i) SECURITY TESTING.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/