Full Disclosure mailing list archives
it's all about timing
From: full-disclosure () lists netsys com (ATD)
Date: 05 Aug 2002 12:46:57 -0400
yeah... these reply-to things.... arg...

On Mon, 2002-08-05 at 12:40, ATD wrote:
> Hey bro,
> Jump on irc.homelien.no #snosoft ;o)
>
> On Mon, 2002-08-05 at 15:34, KF wrote:
>> nicely spoken
>> -KF
>>
>> ----- Original Message -----
>> From: "Evrim ULU" <evrim () core gen tr>
>> To: <full-disclosure () lists netsys com>
>> Sent: Friday, August 02, 2002 5:19 AM
>> Subject: Re: [Full-disclosure] it's all about timing
>>
>>> Hi,
>>>
>>> I really don't understand why we're discussing RFPolicy. It's not the main subject of HP/Snosoft DMCA topic. Here is why:
>>>
>>> My knowledge says that there are two major things in engineering: Laws & Ethical Issues.
>>>
>>> First of all observe the following case:
>>>
>>> - Assume that a window of a grocery is broken.
>>> - Anyone can get something inside without paying at midnight since there is no glass over there. Normally one would call the police and say to police that the window is broken and ask for taking precaution otherwise somebody may take all the bananas and run away.
>>> - Laws says that: u'r guilty if u steal something.
>>> - Laws also says that : u'r not guilty if u don't call police after realizing that window is broken.
>>>
>>> Let's look what ethic says:
>>>
>>> - U'r not ethical if u steal something.
>>> - U'r not ethical if u don't call the police.
>>>
>>> See? The second line is not ethical but legal.
>>>
>>> In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues. We must consider these ethical issues later like RFPolicy because HP already sued SnoSoft according to laws not ethics.
>>>
>>> Here is my thoughts about the topic:
>>>
>>> There are no laws that states "If it is done at 7 oclock it is legal and if u do it on 11 o'clock u'll be punished with a ten thousand years in prison."
>>>
>>> This law can't be applied to the real world sorry. We can't prove that we've already talked with hp at 7 oclock, they didn't answered until 11 clock so I published the exploit code. Unless all vendors are governmental no legal proof can be stated to court about these conversations between Vendors and Hackers. Remember they've got lots of bucks to give advocates. We're alone.
>>>
>>> I propose two ways to get around:
>>>
>>> i. Publish zero-day exploits. Forget about vendor. Since hacking is illegal, assume police will catch the hacker since he/she's doing illegal. This is why there are cybercops am I right? Nobody can be punished if he/she didn't call police in case of a broken window.
>>> ii. Hackers are unallowed to publish any exploits. They just can send the exploit code/bug report to vendor. Vendor publishes proof of concept code to public with the fix when available if they want of course. I think, DMCA will grant this since Vendors hold the copyright about the product. Also, we know that no vendor wants to publish that their product is insecure.
>>>
>>> Another topic that i want to discuss is i'm living in Turkiye and here we don't have any DMCA super duper laws. We have a simple copyright law which do not include DMCA. Who's gonna stop me publishing 0 day exploits? Obviously No-One. Right? USA may cancel Turkiye's connection to USA but i don't think that this is impossible for now. Also, they may prevent me entering the US frontiers but i really don't care about it.
>>>
>>> As a result, only US programmers will suffer from this law not me. They are going to think it twice before publishing anything. This is of course unfair. US government just makes their own programmers suffer from this law by saying "We are protecting the vendors". They are just missing the statement that "Hackers make their product more secure-more reliable". I think that they are assuming every vendor has enough skilled "Hacker" employee to check their products. Heh:-)) As Kurt said, they don't have.
>>>
>>> In the future, i think, only vendors can publish such exploits, fixes and proof of concepts in USA. Hackers gonna just take small credit at the end of the message. For the rest of the world, game is not over and ppl will continue to publish exploits. Besides, Vendors will make money using the works of hackers. This is what we call capitalism in fact and it is coming over us again. Beware:-))
>>>
>>> PS: Heh maybe we should buy a small island and found our "Country of Secure Systems" and publish exploits from there. Any island suggestions?
>>>
>>> King regards,
>>> --
>>> Evrim ULU
>>> evrim () envy com tr / evrim () core gen tr
>>> sysadm
>>> http://www.core.gen.tr
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Full-Disclosure () lists netsys com
>>> http://lists.netsys.com/mailman/listinfo/full-disclosure

--
-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum () snosoft com
Strategic Reconnaissance Team  | recon () snosoft com
-------------------------------------------------------