Full Disclosure mailing list archives
openssl exploit code
From: hellnbak () nmrc org (hellNbak)
Date: Mon, 16 Sep 2002 21:29:00 -0400 (EDT)
On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Whose interests is a full disclosure mailing list supposed to serve? Those of blackhats who prefer to keep all 0dayz private, or those of system administrators and security professionals who need information about the latest exploits?

In your code it states something like (don't have it in front of me): "this is private code so keep it that way" -- should you not be more concerned as to how it leaked and not why it was withheld? What if you had a copyright in your code? Could you not have gone after SF legally if they had posted it without your permission? A full disclosure mailing list serves the interests of those who are interested in or require timely security information. I'm not denying that your code was worthwhile; I am just trying to figure out why you are more worried about it not hitting a list when you coded it to be private. Whose interests are you serving with the private code?

> What's next? Checking if the vendor has been properly notified and approves of posting the exploit code? Notifying the vendor 6 hours before approving the post? Rejecting certain posts altogether?

Of course not -- at least I hope not.

> The fact is that Dave Ahmad is in possession of an exploit for OpenSSL and is currently withholding it from the security community. Maybe his corporate masters fear litigation. Or it could be that he is concerned about my feelings. Even TESO didn't get that kind of treatment; this makes me feel so special. Doesn't this make anybody else uncomfortable?

I think the Teso situation is the cause of this. Teso threatened both SF and Packetstorm for publishing their so-called copyright code. Would the threat of legal action not make you a little gun shy?

> Are you going to subscribe to a full disclosure mailing list whose moderator puts Intellectual Property or Corporate Interests before the security of your system?

We are talking about your intellectual property here. It's not like he denied the post; he simply emailed you to ask about it. Look, I have been as anti-Bugtraq/SecurityFocus as the next guy (especially on this list), but this isn't a specific Bugtraq/SF thing. This is a "making sure you don't get sued by posting someone else's code" thing. In my case especially, with VulnWatch being a not-for-profit, I have to be extra careful, so yeah, I guess I do put intellectual property before the security of a system. Are you going to pony up with donations to pay *my* legal fees if someone sues me for posting their copyrighted code?

A balance has to be found between serving the community, being unbiased, but also protecting the list so that it can continue to serve a purpose. A short delay in releasing some exploit code isn't going to end the world. If it was some sort of zero day that put people at risk then I suppose I would have to take it upon myself and write up a summary on the issue urging people to do whatever they can to mitigate the risks. This would prevent me from getting sued. In the case of your code, there was no reason to do this as it was a known issue.

Solar, I don't want to get into a pissing match here with you and I mean no disrespect, but I question your motives when you say that the release of your PRIVATE code to the public was in the best interests of the community. You know as well as I do that the code was leaked and probably would not have seen the light of day if it had not been.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"I don't intend to offend, I offend with my intent"
hellNbak () nmrc org
http://www.nmrc.org/~hellnbak
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-