Full Disclosure mailing list archives

openssl exploit code


From: solareclipse () phreedom org (Solar Eclipse)
Date: Mon, 16 Sep 2002 22:35:12 -0500

On Mon, Sep 16, 2002 at 09:29:00PM -0400, hellNbak wrote:
> In your code it states something like (don't have it front of me): this is
> private code so keep it that way : -- should you not be more concerned as
> to how it leaked and not why it was withheld.

> A full disclosure mailing list serves the interests of those who are
> interested in or require timely security information.  I'm not denying
> that your code was worthwhile I am just trying to figure out why you are
> more worried about it not hitting a list when you coded it to be private.
> Whose interests are you serving with the private code?

Whose interests is Bugtraq serving by not violating my copyright?

I am not concerned about how the code was leaked because this issue has
been resolved already. I am however concerned with the fact that Bugtraq
seems to care more about intellectual property and the potential lawsuits
than the interests of the security community.

I don't care about keeping my code private anymore. Not only is it all
over IRC, but every machine infected with the apache worm has a working
version of my exploit in /tmp/.bugtraq.c. There is nothing I can do to
revert this situation.

The blackhat part of my soul is happy that hackers can use the DMCA to
prevent full disclosure lists from informing the community. Often
servers will stay unpatched until an exploit is published. I'll even
admit that I looked at the OpenSSL bug the day it was announced,
decided that it's not exploitable and didn't bother to patch the
servers I was responsible for until a week after that.

The whitehat in me is concerned that copyright issues might prevent
the free discussion of vulnerabilities and sharing of source code.
The threat of a group of kids with names like _Master_Of_Disaster_
suing Symantec doesn't concern me as much as the threat of corporations
suing Snosoft, Secfocus, Len Rose and you over an exploit that caught them
with their pants down.

You know that MS-SQL EULA prohibits you from disclosing any benchmark data
without Microsoft's approval. Can you see it coming?

If we have to operate in such a litigious environment, our only option
would be to move our mailing lists and servers to a country with more lax
copyright laws or use anonymous remailers.

> Solar, I don't want to get into a pissing match here with you and I mean
> no disrespect but I question your motives when you say that the release of
> your PRIVATE code to the public was in the best interests of the
> community.  You know as well as I do that the code was leaked and
> probably would not have seen the light of day if it had not been.

I hope the above few paragraphs make my motivation more clear.

I enjoy playing devil's advocate :-)

Solar Eclipse

