Full Disclosure mailing list archives

openssl exploit code


From: solareclipse () phreedom org (Solar Eclipse)
Date: Mon, 16 Sep 2002 19:48:55 -0500

On Mon, Sep 16, 2002 at 05:28:47PM -0400, hellNbak wrote:
> While I have nothing to do with Bugtraq I do moderate another full
> disclosure list out there - VulnWatch.  The nature of a moderated list
> in general means that the moderator, in this case Dave Ahmad, must first
> read then approve the message and hopefully do so in a timely manner.
>
> I don't know the actual content of the message sent to Bugtraq but from
> the sounds of it it contained code written by you but was not sent by you.
> As a moderator I too would have first checked with the author of the code
> to ensure that I wasn't assisting someone in leaking someone else's code.
>
> How does this have anything to do with full disclosure?  Would you not
> want someone to notify you if someone got a hold of your zero day and was
> distributing it?

Whose interests is a full disclosure mailing list supposed to serve? Those of
blackhats who prefer to keep all 0dayz private, or those of system
administrators and security professionals who need information about the
latest exploits? 

What's next? Checking if the vendor has been properly notified
and approves of posting the exploit code? Notifying the vendor
6 hours before approving the post? Rejecting certain posts
altogether?

The fact is that Dave Ahmad is in possession of an exploit for
OpenSSL and is currently withholding it from the security community.
Maybe his corporate masters fear litigation. Or it could be that
he is concerned about my feelings. Even TESO didn't get that kind of
treatment, this makes me feel so special.

Doesn't this make anybody else uncomfortable?

Are you going to subscribe to a full disclosure mailing list
whose moderator puts Intellectual Property or Corporate Interests
before the security of your system?

After a few more corporate mergers and takeovers, are you going to
send your 0dayz to bugtraq () microsoft com ? And wait 45 days for
moderator approval?


Solar Eclipse

