it's all about timing

[full-disclosure () lists netsys com (ATD)]

--=-Y6gVDrbu/R3hrEKqkJFD
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

yeah... these reply-to things....     arg...


On Mon, 2002-08-05 at 12:40, ATD wrote:
> Hey bro,=20
>       Jump on irc.homelien.no #snosoft  ;o)
> =20
> =20
> On Mon, 2002-08-05 at 15:34, KF wrote:
> > nicely spoken=20
> > -KF
> > =20
> > ----- Original Message -----=20
> > From: "Evrim ULU" <evrim () core gen tr>
> > To: <full-disclosure () lists netsys com>
> > Sent: Friday, August 02, 2002 5:19 AM
> > Subject: Re: [Full-disclosure] it's all about timing
> > =20
> > =20
> > > Hi,
> > > =20
> > > I really don't understand why we'r discussing RFPolicy. It's not the=20
> > > main subject of HP/Snosoft DMCA topic. Here is why:
> > > =20
> > > My knowledge says that there are two major things in engineering: Law=
s &=20
> > > Ethical Issues.
> > > =20
> > > First of all observe the following case:
> > > =20
> > > - Assume that a window of a grocery is broken.
> > > - Anyone can get something inside without paying at midnight since th=
ere=20
> > > is no glass over there. Normally one would call the police and say to=
=20
> > > police that the window is broken and ask for taking precaution otherw=
ise=20
> > > somebody may take all the banana's and run away.
> > > - Laws says that: u'r guilty if u steal something.
> > > - Laws also says that : u'r not guilty if u don't call police after=20
> > > realizing that window is broken.
> > > =20
> > > Let's look what ethic says:
> > > =20
> > > - U'r not ethical if u steal something.
> > > - U'r not ethical if u don't call the police.
> > > =20
> > > See? The second line is not ethical but legal.
> > > =20
> > > In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issue=
s.=20
> > > We must consider these ethical issues later like RFPolicy because HP=20
> > > already sued SnoSoft according to laws not ethics.
> > > =20
> > > Here is my thoughts about the topic:
> > > =20
> > > There are no laws that states "If it is done at 7 oclock it is legal =
and=20
> > > if u do it on 11 o'clock u'll be punished with a ten thousand years i=
n=20
> > > prison."
> > > =20
> > > This law can't be applied to the real world sorry. We can't prove tha=
t=20
> > > we've already talked with hp at 7 oclock, they didn't answered until =
11=20
> > > clock so I published the exploit code. Unless all vendors are=20
> > > govermental no legal proof can be stated to court about these=20
> > > conversations between Vendors and Hackers. Remember they'v got lots o=
f=20
> > > bucks to give advocates. We'r alone.
> > > =20
> > > I propose two ways to get around:
> > > =20
> > > i. Publish zero-day exploits. Forget about vendor. Since hacking is=20
> > > illegal, assume police will catch the hacker since he/she's doing=20
> > > illegal. This is why there are cybercops am I right? Nobody can be=20
> > > punished if he/she didn't call police in case of a broken window.
> > > ii. Hackers are unallowed to publish any exploits. They just can send=
=20
> > > the exploit code/bug report to vendor.  Vendor publishes proof of=20
> > > concept code to public with the fix when available if they want of=20
> > > course. I think, DMCA will grant this since Vendor's hold the copyrig=
ht=20
> > > about the product. Also, we know that no vendor wants to publish that=
=20
> > > their product is insecure.
> > > =20
> > > Another topic that i want to discuss is i'm living in Turkiye and her=
e=20
> > > we don't have any DMCA super duper laws. We have a simple copyright l=
aw=20
> > > which do not include DMCA. Who's gonna stop me publishing 0 day=20
> > > exploits? Obviously No-One. Right? USA may cancel Turkiye's connectio=
n=20
> > > to USA but i don't think that this is impossible for now. Also, they =
may=20
> > > prevent me entering the US frontiers but i really don't care about it=
.
> > > =20
> > > As a result, only US programmers will suffer from this law not me.  T=
hey=20
> > > are going to think it twice before publishing anything. This is of=20
> > > course unfair. US goverment just makes their own programmers suffer f=
rom=20
> > > this law by saying "We are protecting the vendors". They are just=20
> > > missing the statement that "Hackers make their product more secure-mo=
re=20
> > > reliable". I think that they are assuming every vendor has enough=20
> > > skilled  "Hacker" employee to check their products. Heh:-)) As Kurt=20
> > > said, they don't have.
> > > =20
> > > In the future, i think, only vendors can publish such exploits, fixes=
=20
> > > and proof of concepts in USA. Hackers gonna just take small credit at=
=20
> > > the end of the message. For the rest of the world, game is not over a=
nd=20
> > > ppl will continue to publish exploits. Besides, Vendor's will make mo=
ney=20
> > > using the works of hackers. This is what we call capitalism in fact a=
nd=20
> > > it is coming over us again. Beware:-))
> > > =20
> > > PS: Heh maybe we should buy a small island and found our "Country of=20
> > > Secure Systems" and publish exploits from there. Any island suggestio=
ns?
> > > =20
> > > King regards,
> > > --=20
> > > Evrim ULU
> > > evrim () envy com tr / evrim () core gen tr
> > > sysadm
> > > http://www.core.gen.tr
> > > =20
> > > =20
> > > =20
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Full-Disclosure () lists netsys com
> > > http://lists.netsys.com/mailman/listinfo/full-disclosure
> > > =20
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure () lists netsys com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> > =20
> --=20
> =20
> -------------------------------------------------------
> Secure Network Operations, Inc.| http://www.snosoft.com
> Cerebrum Project               | cerebrum () snosoft com
> Strategic Reconnaissance Team  | recon () snosoft com
> -------------------------------------------------------
> =20
> =20
--=20

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum () snosoft com
Strategic Reconnaissance Team  | recon () snosoft com
-------------------------------------------------------



--=-Y6gVDrbu/R3hrEKqkJFD
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9TqwBHs/COEe/P4cRAimbAJ4ic0sORnY7wIS2s0Mw6zYHJantqACg2wS0
vZWSSGZwm8yZD4IZmiBkVAk=
=jRy8
-----END PGP SIGNATURE-----

--=-Y6gVDrbu/R3hrEKqkJFD--