Full Disclosure mailing list archives

Re: Exploit Brokering


From: jf <jf () danglingpointers net>
Date: Sat, 10 Nov 2007 04:37:48 +0000 (UTC)

> SNOsoft

When the first word in the first sentence in a communique is a company
name, you should take that as a warning that everything that follows is a SNOsoft.


> People posting emails in public forums in an attempt to sell exploits is
> not only careless and irresponsible,

It's called the free market.

> but is also a testament to that
> person's immaturity and lack of experience.

What, you think that when you add the variables up the only potential
answer is the one you've come up with? Employing the free market is not a
testament to anything, much less a person's level of maturity or
experience.

> Do they ever stop to think
> about the potential liability? What happens if they sell to a hostile
> foreign party, what could happen to them, etc...?

Sure, of course you don't sell 0day to organizations that are the enemy of
your country, that's common sense. However, you put a breach of contract
provision into your agreement that disallows transfer of content to third
parties and then don't sell them to people from Guangdong; it's not
stupidity, immaturity or lack of experience, it's called due diligence.


> I think that there is a legitimate market for Exploit Brokering when it
> is done properly (ethically and legally).

I wish you people would stop putting your opinions on ethics onto other
people. I mean, even business ethics does not follow what's commonly
associated with being ethical; that's why there is a special class for it
in college, and it largely amounts to the questions 'is it legal?' and 'can I
get away with it?'.

In reality, all that your bantering about ethics and legality will result in is
that bug information and exploits become subject to restricted export/sale
legislation, and then we'll be stuck with companies like yours.

I mean seriously, has it not occurred to you that not everyone in the
world is American and wants to sell their 0day to the NSA via SNOsoft?
That perhaps the conjecture that they want to do that is against their
morals, and in turn does that not make you obtuse for expecting they abide
by your own personal set of ethics?


> I think

I don't care what you think; don't try to enforce your set of morals on
me. I'm sure plenty of others agree with this sentiment.

> The solution to that problem is not to sell exploits to just anyone in a
> public forum. That introduces too much liability to the developer,
> especially if the buyer is illegitimate or hostile. The solution is to
> work with legitimate established businesses in a confidential and
> responsible manner.

No, the solution is not to be stupid with your sales. You can meet people
in public forums; just be able to show due diligence that the parties you
sold to are not enemies of your country and that their intentions are not
to violate the law. Guns don't kill people, ...

By responsible, you mean doing it the way you do?


> It's just a matter of time till
> laws get passed and they end up getting thrown in jail for selling
> weaponized exploits to the wrong people.

Which is exactly what you want. Look, almost everything is legal somewhere;
that means you can't stop people who wish to conduct private business.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
