Full Disclosure mailing list archives

Re: (:


From: Sergio 'shadown' Alvarez <shadown () gmail com>
Date: Fri, 13 Jun 2008 11:16:44 +0200

hi silky,

It depends what the purpose of your hashes is.
Whenever I post hashes I always also post what each hash belongs to. 
My hashes always belong to a file that triggers a vulnerability or a PoC 
exploit that I'm about to submit to a vendor, just in case the vendor 
plays dirty.
If the vendor communication goes well then there's an advisory after the 
vendor fixes the problems; otherwise I have the elements to demonstrate 
that the vendor silently fixed the problems without giving proper 
credit to the researcher who reported the problem.
The 'see i told you so' in my opinion is the act of a coward who is 
willing to take the credit of someone else without communicating 
anything to anybody, and the same goes when a hash is posted but not what 
it is about; at least that's how I think about it.
Once 'sowhat' released an advisory for a vulnerability for one of the 
hashes that I had posted in the past (I had even demoed it at CCC Camp 
2007), and I never claimed it because he found it and he was able to 
get in touch with the vendor. I wasn't even able to get an answer from 
the vendor, and of course I never sent the file to them; what I did 
was congratulate sowhat on his finding and ask him how he managed 
to get the right contact.
That's how I handle these hashes.
Different mindset different approach.

Cheers,
   Sergio

silky wrote:
On Fri, Jun 13, 2008 at 2:37 PM, I)ruid <druid () caughq org> wrote:
MD5:    89ec9df95c1315dcb1a668e35b051b07
SHA1:   9f351ae9a3fbbbadaf10fea91384a32ed9836d36
SHA256: 02acfbfe892a47de50273f367f98cc2b5023dec34e668ca3ffbaa42c7dcbd5eb

I'm yet to see anyone actually claim one of these posted hashes.

Like in the "see i told you so" fashion. Maybe I've missed it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
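The practice discussed in the thread is a simple commitment: post the digests of a file now, release the file later, and anyone can check that the released bytes are the ones that were committed to. The following is an added example, not code from the original message or from any of the posters; it assumes a constructed stand-in for the PoC file (SAMPLE_POC) and a hypothetical description string, and reproduces the MD5:/SHA1:/SHA256: layout of the hashes quoted in the thread alongside a verifier for the later "here is the file" step.

```python
import hashlib
from typing import Dict

# Constructed stand-in for the file whose digests would be posted (not a real PoC).
SAMPLE_POC = b"constructed sample PoC bytes, not a real exploit\n"

# The three algorithms used in the hash lines quoted in the thread.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_file_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex digests of data under every posted algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def format_posting(data: bytes, description: str) -> str:
    """Render what one would post: what the file is, then its digests.

    The 'LABEL:  hex' layout mirrors the MD5:/SHA1:/SHA256: lines in the thread;
    the Description line is the 'what each hash belongs to' part Sergio insists on.
    """
    digests = digest_file_bytes(data)
    lines = [f"Description: {description}"]
    for name in ALGORITHMS:
        lines.append(f"{name.upper() + ':':<8}{digests[name]}")
    return "\n".join(lines)


def parse_posting(text: str) -> Dict[str, str]:
    """Parse posted 'ALGO: hex' lines back into {algorithm: hexdigest}.

    Lines whose label is not a known algorithm (e.g. Description:) are ignored.
    """
    posted: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        name = label.strip().lower()
        if name in ALGORITHMS:
            posted[name] = value.strip().lower()
    return posted


def verify_claim(data: bytes, posting: str) -> Dict[str, bool]:
    """Check every posted digest against the released file, per algorithm.

    A missing algorithm counts as a failure, so a posting that only committed
    to MD5 cannot be 'verified' against a stronger hash it never published.
    """
    posted = parse_posting(posting)
    actual = digest_file_bytes(data)
    return {name: posted.get(name) == actual[name] for name in ALGORITHMS}


def claim_holds(data: bytes, posting: str) -> bool:
    """True only if the released bytes match all three posted digests."""
    return all(verify_claim(data, posting).values())


if __name__ == "__main__":
    # Hypothetical description; the real one would name the product and trigger.
    posting = format_posting(SAMPLE_POC, "file that triggers a hypothetical parser crash")
    print(posting)
    print("released original matches posting:", claim_holds(SAMPLE_POC, posting))
    # A file that differs by a single byte fails every digest.
    print("modified file matches posting:", claim_holds(SAMPLE_POC + b"x", posting))
```

Posting all three digests rather than only MD5 matters: MD5 and SHA-1 have practical collision attacks, so a poster could in principle prepare two files with the same MD5 and pick which one to "release" later; a matching SHA-256 removes that doubt. The digests commit only to the bytes, not to what they mean, which is why the description line belongs next to the hashes.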

