Full Disclosure mailing list archives

openssl exploit code


From: hellnbak () nmrc org (hellNbak)
Date: Mon, 16 Sep 2002 17:28:47 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Solar,

While I have nothing to do with Bugtraq I do moderate another full
disclosure list out there - VulnWatch.  The nature of moderated lists
in general means that the moderator, in this case Dave Ahmad, must first
read then approve the message and hopefully do so in a timely manner.

I don't know the actual content of the message sent to Bugtraq but from
the sounds of it, it contained code written by you but was not sent by you.
As a moderator I too would have first checked with the author of the code
to ensure that I wasn't assisting someone in leaking someone else's code.

How does this have anything to do with full disclosure?  Would you not
want someone to notify you if someone got a hold of your zero day and was
distributing it?

It seems that a lot of people are confused about what full disclosure
really is.  Checking if the credited author of code meant to post it to a
list is common sense and not anything to do with full disclosure.
Moderated full disclosure, in most cases, does not mean censorship at
least on any list that I have a hand in.

Just my $.02..........

On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Date: Mon, 16 Sep 2002 16:08:54 -0500
> From: Solar Eclipse <solareclipse () phreedom org>
> To: Dave Ahmad <da () securityfocus com>
> Cc: full-disclosure () lists netsys com
> Subject: [Full-disclosure] openssl exploit code
>
> On Mon, Sep 16, 2002 at 02:16:05PM -0600, Dave Ahmad wrote:
> > An exploit code that lists you as the author has been posted to Bugtraq.
> > I would like to request your permission before approving it for
> > distribution on the list.
>
> And you call Bugtraq a full disclosure list?
>
> Weak.
>
> Since you asked, my answer is no. You do not have my permission
> to post my source code to Bugtraq or anywhere on SecurityFocus,
> Symantec or any affiliated site.
>
> This also covers the source of the apache-ssl worm, which includes
> substantial stolen parts of my exploit code, unless those parts are
> properly removed.
>
>
> Solar Eclipse


- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9hk0SueD73xSa+/ARAkhOAJ4gBJIMgCMybqNXQvyT7P2f58+C4gCeJ/8U
vnlFZc5gdLICxJNZ/RqurFU=
=+9Rj
-----END PGP SIGNATURE-----