Dead Thread 0-Day/$1000

[Blue Boar <BlueBoar () thievco com>]

OK, I think we've had reasonable representation on this topic, and
are now down to name-calling and semantics.

Couple of points: As someone who uses a pseudonym often, I can
say that it's no real barrier to profiting.  I can selectively
reveal who I am to get contracts, jobs, book deals, etc... 
I don't publicly represent a company, but that's obviously
easily changeable.  Meanwhile, I collect "fame" (such as it is)
until such a time as I chose to use it, if I do.  I've got
no reason to think RFP will do any of this, but to say
that he couldn't is wrong.  Again, I'm not trying to
say anything about RFP's character (his defense of himself
is 100% accurate, near as I can tell) just that being
anonymous in this business doesn't stop you from doing 
a thing.

As for the main topic...

Ultimately, if you write an exploit, you may reserve the
right to sell it.  That's what copyright is for.  I wouldn't
expect a lot of sales.  The rest of us would be within our
rights to reverse engineer it, and produce an independently 
written one.  I don't believe it's possible to patent an
exploit.  

The rest of the question is all about "should".  We know for sure
that a number of groups are served by the release of an exploit.
Here's a probably incomplete list:

-Script Kiddies (or whatever you'd like to call people who use them on
systems that they have no permission to)
-Pen Testers
-Vulnerability Database Maintainers
-Remote Vulnerability Assessment Authors
-IDS Signature Authors
-System Administrators
-Security Professionals
-Vulnerability Researchers
-The Publishers of the Vulnerable Software

You can't successfully argue that each of those will use an exploit
if it is available.  I've been most of that list throughout my
career, and I've had a use for exploits each step of the way.

That really only leaves the question of who benefits most from having
exploits, and if you want them to.  Elias had some interesting points
today along those lines:
http://securityfocus.com/news/270
Perhaps unsurprisingly, I agree with him quite a bit.

Given the list I moderate, it's pretty obvious that I support 
publicly releasing exploits.  I hold in contempt those people
who keep exploits private so that only they may use them.  They
have the right to do so, but I fault their character for doing so.
Doesn't really matter if they're a script kiddie or a pen-tester.
I don't believe they are helping if they keep vulnerability 
info private.  That doesn't mean that I expect them to just
publish the vuln with no warning.  My feelings are that RFPolicy
(at least last time I looked at it) is a pretty good standard for that.

Now I understand that some people (such as the anti-security bunch)
have a real problem with people taking someone's exploit work
and publishing it or using it at a profit.  I have no problem with that.
They ultimately help make people more secure.  What do I care if they
make money at it?  As long as we can have the same info so that we
don't *have* to pay them, what harm does it do us?  If you don't like
helping ISS, then go help Renaud with Nessus.

So, that's my opinion on the subject.  It doesn't really affect the list
much.  The list is here to publish as much vulnerability information
as possible.  The only way my opinion affects the list is that when
I find out there's an exploit being used in the wild that the rest of
us don't have access to, I will do whatever I can personally to make
sure the info gets out.

                                        BB