Full Disclosure mailing list archives
Re: (:
From: Sergio 'shadown' Alvarez <shadown () gmail com>
Date: Fri, 13 Jun 2008 11:16:44 +0200
hi silky, It depends what the purpose of your hashes is. Whenever I post hashes I always also post to what each hash belongs to. My hashes always belong to a file that triggers a vulnerability or a PoC exploit that I'm about to submit to a vendor, just in case the vendor plays dirty. If the vendor communication goes well then there's a advisory after the vendor fixes the problems, otherwise I have the elements to demonstrate that the vendor fixes silently the problems without giving the proper credits to the researcher that reported the problem. The 'see i told you so' in my opinion is an act of coward that is willing to take the credits of someone else without communicating anything to anybody, the same thing when a hash is posted and not what it is about, at least that's how I think about it. Once 'sowhat' released an advisory of a vulnerability for one of the hashes that I've posted in the past (I've even demo it at CCC Camp 2007), and I've never claimed it because he found it and he was able to get in touch with the vendor. I wasn't able even to get an answer from the vendor and of course I've never sent the file to them, what I did was to congratulate sowhat for his finding and ask him how did he manage to get the right contact. That's how I handle this hashes. Different mindset different approach. Cheers, Sergio silky wrote:
On Fri, Jun 13, 2008 at 2:37 PM, I)ruid <druid () caughq org> wrote:MD5: 89ec9df95c1315dcb1a668e35b051b07 SHA1: 9f351ae9a3fbbbadaf10fea91384a32ed9836d36 SHA256: 02acfbfe892a47de50273f367f98cc2b5023dec34e668ca3ffbaa42c7dcbd5ebi'm yet to see anyone actually claim one of these posted hashes yet. like in the "see i told you so" fashion. maybe i've missed it.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/