Full Disclosure mailing list archives

openssl exploit code


From: BlueBoar () thievco com (Blue Boar)
Date: Mon, 16 Sep 2002 20:53:33 -0700

Solar Eclipse wrote:
> Whose interests is a full disclosure mailing list supposed to serve? Those of
> blackhats who prefer to keep all 0dayz private, or those of system
> administrators and security professionals who need information about the
> latest exploits?

Bugtraq has always tried to do the latter.

> The fact is that Dave Ahmad is in possession of an exploit for
> OpenSSL and is currently withholding it from the security community.
> Maybe his corporate masters fear litigation. Or it could be that
> he is concerned about my feelings. Even TESO didn't get that kind of
> treatment; this makes me feel so special.

TESO got that kind of treatment once, and they whined and threatened, and
therefore the list moderators were obliged to check when it was obvious
that someone besides the author was posting some code. The vuln-dev list
had to do the same.


> Doesn't this make anybody else uncomfortable?

That's what anonymous remailers and unmoderated forums are for.


> Are you going to subscribe to a full disclosure mailing list
> whose moderator puts Intellectual Property or Corporate Interests
> before the security of your system?

Heh. Dave is protecting your interests and respecting your wishes in this
case. Seems strange to fault him for that. :)


> After a few more corporate mergers and takeovers, are you going to
> send your 0dayz to bugtraq () microsoft com ? And wait 45 days for
> moderator approval?

It wouldn't matter. The people who use Bugtraq would simply go elsewhere.

Far be it from me to suggest that people not try to keep Symantec honest,
but I think it's a little unreasonable to cry censorship for this
particular reason.

                                        BB