-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

He has no clue what it means to live in a democracy, much less a federation.

Let's let the comedy go on, shall we? Definitely breaks the monotony of everyday BS.

Garrett M. Groff wrote:
> netdev, I'll begin by confessing that I merely skimmed your email and did
> not peruse it. Having said that, the buying and selling of vulnerabilities
> is subject to the trading of anything else, be it commodities, products,
> services, securities (such as stocks), or other tradeable assets.
>
> What you proposed is economic in nature and not unique or specific to
> geekdom. Specifically, what you're suggesting is more in line with Marxism,
> where a "fair" price is dictated by a central authority. Instead, our system
> of free-market capitalism is such that vulnerabilities can be bought and
> sold by whomever wishes to buy them and sell them. (Furthermore, evidence
> suggests that black market activity would *increase* in cases where trading
> of a given item is highly restricted on the legitimate market (relegating
> the trading to the black market); e.g., the trading of illicit drugs
> exists and is a multi-billion dollar industry in the US despite laws that
> proscribe the trading and possession of those drugs.)
>
> --
>
> Regarding the information on conferences and such that are touted on this
> list (and others), it's something that we'll just have to deal with. This
> list is un-moderated and, perhaps, there are people who appreciate the
> information.
>
> - G
>
>
> ----- Original Message -----
> From: "n3td3v" <[EMAIL PROTECTED]>
> To: "Garrett M. Groff" <[EMAIL PROTECTED]>; "n3td3v" <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Thursday, April 03, 2008 5:38 PM
> Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its f****** gay
>
>
>> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <[EMAIL PROTECTED]> wrote:
>>> Regarding the particular person in question, I'll defer to others who know
>>> him (or her, or they, or whomever) better than I do. Instead, I'll say that,
>>> generally, on lists like FD, there is a minority of out-spoken personalities
>>> who sadly support the stereotypical hacker persona: condescending egoists
>>> who are socially inept and emotionally charged when discussing topics that
>>> relate to their knowledge domain. That's unfortunate, since the broader IT
>>> security community is poorly represented due to attention-seeking zealots.
>>>
>>> Regarding the idea of "outlawing security conference spamming," I'd say the
>>> literal idea of outlawing cross-posts to multiple security mailing lists is
>>> a bad idea. The idea that the legislature should write into law legislation
>>> that reduces our freedom in such a sense is a slippery slope borne of
>>> emotionalism and narrowness. What else should the government do to curtail
>>> our freedoms? I tend to side with libertarian types (though I don't call
>>> myself a "libertarian" un-qualified) on what the government should do and
>>> what they should not do. And micro-managing security mailing lists is
>>> something they should not do. It's a bad idea and would make a dreadful
>>> precedent.
>> Full-Disclosure is meant to be about free source, not making money. I'm
>> against people who make money coming on the mailing lists; it's
>> commercial spam. We can't allow this to continue. Here is what I
>> don't like:
>>
>> - Come to our conference - profit... buy our ticket, get a MacBook prize.
>>
>> - Hacking challenge prize - profit... they give you $5000 and sell it
>> to the vendor for a lot more.
>>
>> - Train to use our software - profit... overpriced training for
>> software... not interested.
>>
>> On the issue of how much a vulnerability is worth, the prices are not
>> regulated. We need regulation of how much a vulnerability costs,
>> because the prices right now are wild. We need to take vulnerability
>> pricing off the black market and onto a legitimate central website for
>> selling vulnerabilities, or cash rewards for disclosing a
>> vulnerability to a particular company or organisation. I don't like
>> sites like Digital Armaments which, when I visited it, the content and
>> answers they gave were questionable, and people have complained about
>> Digital Armaments in the past. It's time to get pricing regulated and
>> defined, so everyone knows who's being joe jobbed and who isn't.
>>
>> Can someone post to Full-Disclosure a price list of what they think a
>> buffer overflow should be worth etc., and we can vote if we agree?
>>
>> So what I'm calling for is someone to post up a hacker's price list per
>> vulnerability type.
>>
>> XSS/SQL should be worth something as well, so Morning_Wood can buy
>> milk and a newspaper in the mornings after he's taken care of his
>> wood.
>>
>> Sorry I've ended this e-mail with slight off-topicness, but I do
>> think pricing needs to be defined.
>>
>> We can't dress up cash prizes/contests as something else either; if a
>> website is offering a $5,000 reward for a vulnerability, we need to
>> know if we're being ripped off with the cash reward and how much can
>> potentially be made after it's sold on.
>>
>> Robert Lemos (http://www.securityfocus.com/news/11510) even talked about
>> vulnerability pricing when Pwn2Own was on, and even the Pwn2Own cash
>> reward might not be enough money, compared to what a vulnerability
>> *should* be worth, and taking into consideration how much profit
>> CanSecWest makes overall from people attending the conference.
>>
>> So you take into consideration how much a vulnerability should be
>> worth, then the added worth, because it's a security conference, of how
>> much should be added on to counter the profit being made by the event.
>>
>> A vulnerability should be worth more if it's disclosed at a security
>> conference than if it's bought privately, because you've got to take in
>> profit and free advertising to calculate.
>>
>> However, to round off, we can't allow the mailing lists to turn into a
>> vulnerability marketplace. Full-Disclosure should be for free stuff,
>> and other websites and mailing lists can be set up for *money making
>> schemes and auctions*.
>>
>> We shouldn't allow the money makers directly to market X... if a link
>> is put on Full-Disclosure by a member of the public on the fly then
>> that's OK, but I think it's cheeky for the particular conference,
>> contest runner or software trainer to be on the list themselves
>> spamming everyone for a profiteering agenda.
>>
>> You mention cross-posting; that's not the issue here. It's the people
>> making the money posting to make the money that offends me so much.
>>
>> And not even the lonely hacker offends me who posts "I've got a
>> vulnerability for sale for X"; I don't mind that on Full-Disclosure,
>> but what I do mind is if it's a company or organisation doing it that
>> is directly the one making the money via vulnerability for sale,
>> prize contest, security conference or "train to use our software!!!".
>> That's the height of spam I just think is utterly wrong and unethical
>> on any scale of acceptability.
>>
>> If a lonely hacker who works in a supermarket has a vulnerability to
>> sell, I'm all for it being posted on Full-Disclosure, but not the big
>> money conferences, prize hacking contests and software training guys.
>>
>> I come under the bracket of supermarket worker with nothing much going
>> for me in life, so I should be allowed to sell a vulnerability on
>> what's meant to be a mailing list for non-profit disclosure.
>>
>> If we tolerate the money making schemes much longer, eventually
>> Full-Disclosure will be awash with conference, training, cash prize
>> spam, etc. once everyone realises the full value of vulnerabilities and
>> the huge amounts of money to be made from setting up a cash prize
>> contest, the huge amounts of money to be made from setting up a
>> security conference and the huge amounts of money to be made from
>> training people to use your hax0r software.
>>
>> You will find it easy to shout me down and say n3td3v's an idiot, but
>> wait until the vulnerability market really takes off and the prices of
>> vulnerabilities are properly defined and regulated; you're going to
>> see a huge increase in commercial spam on the mailing lists, like the
>> Full-Disclosure mailing list. So we've got to define what's fair play
>> e-mail and what's a company or organisation blatantly profiteering
>> with X method of extracting money out of people and using skilled
>> hackers to make money, and to promote a security conference, training
>> etc.
>>
>> All the best,
>>
>> n3td3v
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9bA1s+9h2X0fCGcRAq+9AJ0dieUgKq4pya6mF/oWclEBqj2z3gCgjYEr
uoq2+8AfO1q+TyFj9Fts6z8=
=3d9e
-----END PGP SIGNATURE-----
