it's all about timing

[full-disclosure () lists netsys com (KF)]

nicely spoken 
-KF

----- Original Message ----- 
From: "Evrim ULU" <evrim () core gen tr>
To: <full-disclosure () lists netsys com>
Sent: Friday, August 02, 2002 5:19 AM
Subject: Re: [Full-disclosure] it's all about timing


> Hi,
>
> I really don't understand why we'r discussing RFPolicy. It's not the 
> main subject of HP/Snosoft DMCA topic. Here is why:
>
> My knowledge says that there are two major things in engineering: Laws & 
> Ethical Issues.
>
> First of all observe the following case:
>
> - Assume that a window of a grocery is broken.
> - Anyone can get something inside without paying at midnight since there 
> is no glass over there. Normally one would call the police and say to 
> police that the window is broken and ask for taking precaution otherwise 
> somebody may take all the banana's and run away.
> - Laws says that: u'r guilty if u steal something.
> - Laws also says that : u'r not guilty if u don't call police after 
> realizing that window is broken.
>
> Let's look what ethic says:
>
> - U'r not ethical if u steal something.
> - U'r not ethical if u don't call the police.
>
> See? The second line is not ethical but legal.
>
> In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues. 
> We must consider these ethical issues later like RFPolicy because HP 
> already sued SnoSoft according to laws not ethics.
>
> Here is my thoughts about the topic:
>
> There are no laws that states "If it is done at 7 oclock it is legal and 
> if u do it on 11 o'clock u'll be punished with a ten thousand years in 
> prison."
>
> This law can't be applied to the real world sorry. We can't prove that 
> we've already talked with hp at 7 oclock, they didn't answered until 11 
> clock so I published the exploit code. Unless all vendors are 
> govermental no legal proof can be stated to court about these 
> conversations between Vendors and Hackers. Remember they'v got lots of 
> bucks to give advocates. We'r alone.
>
> I propose two ways to get around:
>
> i. Publish zero-day exploits. Forget about vendor. Since hacking is 
> illegal, assume police will catch the hacker since he/she's doing 
> illegal. This is why there are cybercops am I right? Nobody can be 
> punished if he/she didn't call police in case of a broken window.
> ii. Hackers are unallowed to publish any exploits. They just can send 
> the exploit code/bug report to vendor.  Vendor publishes proof of 
> concept code to public with the fix when available if they want of 
> course. I think, DMCA will grant this since Vendor's hold the copyright 
> about the product. Also, we know that no vendor wants to publish that 
> their product is insecure.
>
> Another topic that i want to discuss is i'm living in Turkiye and here 
> we don't have any DMCA super duper laws. We have a simple copyright law 
> which do not include DMCA. Who's gonna stop me publishing 0 day 
> exploits? Obviously No-One. Right? USA may cancel Turkiye's connection 
> to USA but i don't think that this is impossible for now. Also, they may 
> prevent me entering the US frontiers but i really don't care about it.
>
> As a result, only US programmers will suffer from this law not me.  They 
> are going to think it twice before publishing anything. This is of 
> course unfair. US goverment just makes their own programmers suffer from 
> this law by saying "We are protecting the vendors". They are just 
> missing the statement that "Hackers make their product more secure-more 
> reliable". I think that they are assuming every vendor has enough 
> skilled  "Hacker" employee to check their products. Heh:-)) As Kurt 
> said, they don't have.
>
> In the future, i think, only vendors can publish such exploits, fixes 
> and proof of concepts in USA. Hackers gonna just take small credit at 
> the end of the message. For the rest of the world, game is not over and 
> ppl will continue to publish exploits. Besides, Vendor's will make money 
> using the works of hackers. This is what we call capitalism in fact and 
> it is coming over us again. Beware:-))
>
> PS: Heh maybe we should buy a small island and found our "Country of 
> Secure Systems" and publish exploits from there. Any island suggestions?
>
> King regards,
> -- 
> Evrim ULU
> evrim () envy com tr / evrim () core gen tr
> sysadm
> http://www.core.gen.tr
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure () lists netsys com
> http://lists.netsys.com/mailman/listinfo/full-disclosure