Full Disclosure mailing list archives
Re: Global HIGH Security Risk
From: "yossarian" <yossarian () planet nl>
Date: Mon, 3 Feb 2003 19:52:34 +0100
Basically you can't post any vuln without some risk attached, court rulings worldwide being unpredictable and considering the interests at stake, my best guess would be - go completely anonymous, if it doesn't interfere with any of your other interests, or wait till our workfield becomes less erratic. If ever.

Consider that in Finland, hosting providers are being held responsible for the contents of chat sessions over their network - the case being that people had discussed how to make bombs was enough. You might say that this would mean that every Telco is accountable for anything said on the telephone - well you may be right, but it does not change the risks you'll be taking nor the ruling. Are you certain that your disclosure will not find its way to or pass through a Finnish server?

Consider the KaZaa cases, in which courts ruled that the software makers were guilty of copyright infringements, since their product was mainly used for this goal. You might say that the inventors of Internet or HTML are guilty of copyright infringements, since you can download from indexes. You might argue that Google is guilty, since using Google to find these indexes with the well known parent directory search, enables copyright infringement. Or Microsoft, for supplying the browser you might use to download. Any of this does not change the rulings. Transpose the issue to the handgun industry, well you may be right, but does that help you?

Courts in other countries ruled the opposite way - in international law there is no common denominator, hence no legal certainty. Posting vulns is a legal minefield, or better said, it is like playing Russian roulette with a changing number of chambers and bullets. Consider that the situation does not have a single legal court to face - but any court worldwide that bothers - in spite of US court rulings that the Internet is bound by US law.

This means international travel you might want to take will become hazardous at least, meaning you'll have to check extradition treaties. The international cybercrime treaty was meant to standardize, but all it does is prescribe the minimum set of legislation - so any country can still do as it likes, as long as it is more strict than the treaty. AFAIK Argentina is a relaxed country for the legalities of cyber-related issues, but the international pressure will become heavy when this relative freedom is used to post real vulns.

Consider that in certain German states, pr0n on the Internet is deemed illegal except at night. Providers have been given the burden to filter. For legal issues related to the Internet, law is still in its infancy, and consider the wisdom and expertise of Governments on this topic, and the interests at stake, well you can figure it out.

Well, anyway, this applies to minor and bigger risks alike. The only difference I see, is that as long as there is no vendor or consortium involved, chances are it will just be let go - no commercial interest directly hit by this disclosure means no one to investigate and file charges. Maybe.

Good luck with it,
Yossarian

----- Original Message -----
From: "^Shadown^" <shadown () bariloche com ar>
To: <full-disclosure () lists netsys com>
Sent: Monday, February 03, 2003 4:12 PM
Subject: [Full-disclosure] Global HIGH Security Risk

Dear Folks,

I'm sorry if anybody didn't like the subject, but it is *that* important.

While doing research I've developed a technique to literally bypass *every* security network software and device (*every* firewall, IDS, etc), which becomes an unstoppable security risk for the whole security community, but I don't know the legal term on how to post something like this.

And I need help on this, need people who may advise me on how to share this information.

I'm really scared, because i.e. "The arrest that happened after the DEFCON X conference because of the *PDF security*", and I swear that this is a large *major* security risk.

I will *NOT* answer any question about the new technique (the one I've developed and applied) until I get advised on how to post it *without* getting in trouble, so please don't write to me because I'll delete them all.

I hope for your help.
Best Regards.
^Shadown^

PS: As this mail was sent to SecurityFocus, Vuln-Watch and Cert lists (last Friday) and it wasn't posted, this msg and the information I'm gonna release will *not* be allowed to be posted or referenced on other lists but Full-Disclosure (except by myself).

Thnx.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html