Full Disclosure mailing list archives

openssl exploit code


From: hellnbak () nmrc org (hellNbak)
Date: Mon, 16 Sep 2002 21:29:00 -0400 (EDT)

On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Whose interests is a full disclosure mailing list supposed to serve? Those of
> blackhats who prefer to keep all 0dayz private, or those of system
> administrators and security professionals who need information about the
> latest exploits?

In your code it states something like (don't have it in front of me): this is
private code so keep it that way : -- should you not be more concerned as
to how it leaked and not why it was withheld?  What if you had a copyright
in your code?  Could you not have gone after SF legally if they had posted
it without your permission?

A full disclosure mailing list serves the interests of those who are
interested in or require timely security information.  I'm not denying
that your code was worthwhile I am just trying to figure out why you are
more worried about it not hitting a list when you coded it to be private.
Whose interests are you serving with the private code?

> What's next? Checking if the vendor has been properly notified
> and approves of posting the exploit code? Notifying the vendor
> 6 hours before approving the post? Rejecting certain posts
> altogether?

Of course not -- at least I hope not.

> The fact is that Dave Ahmad is in possession of an exploit for
> OpenSSL and is currently withholding it from the security community.
> Maybe his corporate masters fear litigation. Or it could be that
> he is concerned about my feelings. Even TESO didn't get that kind of
> treatment, this makes me feel so special.
>
> Doesn't this make anybody else uncomfortable?

I think the Teso situation is the cause of this.  Teso threatened both SF
and Packetstorm for publishing their so-called copyright code.  Would the
threat of legal action not make you a little gun shy?

> Are you going to subscribe to a full disclosure mailing list
> whose moderator puts Intellectual Property or Corporate Interests
> before the security of your system?

We are talking about your intellectual property here.  It's not like he
denied the post, he simply emailed you to ask about it.  Look, I have been
as anti-bugtraq/security focus as the next guy (especially on this list)
but this isn't a specific Bugtraq/SF thing.  This is a making sure you
don't get sued by posting someone else's code thing.

In my case especially with VulnWatch being a not-for-profit I have to be
extra careful so yeah I guess I do put intellectual property before the
security of a system.  Are you going to pony up with donations to pay *my*
legal fees if someone sues me for posting their copyrighted code?

A balance has to be found between serving the community, being unbiased,
but also protecting the list so that it can continue to serve a purpose.
A short delay in releasing some exploit code isn't going to end the world.

If it was some sort of zero day that put people at risk then I suppose I
would have to take it upon myself and write up a summary on the issue
urging people to do whatever they can to mitigate the risks.  This would
prevent me from getting sued.  In the case of your code, there was no
reason to do this as it was a known issue.

Solar, I don't want to get into a pissing match here with you and I mean
no disrespect but I question your motives when you say that the release of
your PRIVATE code to the public was in the best interests of the
community.  You know as well as I do that the code was leaked and
probably would not have seen the light of day if it had not been.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak () nmrc org
http://www.nmrc.org/~hellnbak

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-