-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That is what full-disclosure was created for!?
Due to the massive influx of media attention, it has come to this.

Mary Landesman wrote:
> I think the concerns you've raised about profiteering/marketing on the list
> are valid. I hadn't thought of it from that perspective, frankly.
>
> It can be helpful to have a central resource/calendar to be informed about
> them. I would subscribe to a specific list for that.
>
> -- Mary
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
> Sent: Thursday, April 03, 2008 5:39 PM
> To: Garrett M. Groff; n3td3v; [email protected]
> Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass security conference
> spamming its f****** gay
>
> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <[EMAIL PROTECTED]> wrote:
>> Regarding the particular person in question, I'll defer to others who
>> know him (or her, or they, or whomever) better than I do. Instead,
>> I'll say that, generally, on lists like FD, there is a minority of
>> outspoken personalities who sadly support the stereotypical hacker
>> persona: condescending egoists who are socially inept and emotionally
>> charged when discussing topics that relate to their knowledge domain.
>> That's unfortunate, since the broader IT security community is poorly
>> represented due to attention-seeking zealots.
>> Regarding the idea of "outlawing security conference spamming," I'd say
>> the literal idea of outlawing cross-posts to multiple security mailing
>> lists is a bad idea. The idea that the legislature should write into
>> law legislation that reduces our freedom in such a sense is a slippery
>> slope borne of emotionalism and narrowness. What else should the
>> government do to curtail our freedoms? I tend to side with libertarian
>> types (though I don't call myself a "libertarian" unqualified) on
>> what the government should do and what they should not do. And
>> micro-managing security mailing lists is something they should not do.
>> It's a bad idea and would make a dreadful precedent.
>
> Full-Disclosure is meant to be about free source, not making money. I'm
> against people who make money coming on the mailing lists; it's commercial
> spam. We can't allow this to continue. Here is what I don't like:
>
> - Come to our conference - profit... buy our ticket, get a MacBook prize.
>
> - Hacking challenge prize - profit... they give you $5000 and sell it to the
> vendor for a lot more.
>
> - Train to use our software - profit... overpriced training for software...
> not interested.
>
> On the issue of how much a vulnerability is worth, the prices are not
> regulated. We need regulation on how much a vulnerability costs, because
> the prices right now are wild. We need to take vulnerability pricing off the
> black market and onto a legitimate central website for selling
> vulnerabilities, or cash rewards for disclosing a vulnerability to a
> particular company or organisation. I don't like sites like Digital
> Armaments, which, when I visited it, the content and answers they gave were
> questionable, and people have complained about Digital Armaments in the
> past. It's time to get pricing regulated and defined, so everyone knows who's
> being joe-jobbed and who isn't.
>
> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc., and we can vote if we agree.
>
> So what I'm calling for is someone to post up a hacker's price list per
> vulnerability type.
>
> XSS/SQL should be worth something as well, so Morning_Wood can buy milk and
> a newspaper in the mornings after he's taken care of his wood.
>
> Sorry I've ended this e-mail slightly off-topic, but I do think
> pricing needs to be defined.
>
> We can't dress up cash prizes/contests as something else as well. If a
> website is offering a $5,000 reward for a vulnerability, we need to know if
> we're being ripped off with the cash reward and how much can potentially be
> made after it's sold on.
>
> Robert Lemos even talked about vulnerability pricing when Pwn2Own was on
> (http://www.securityfocus.com/news/11510), and even the Pwn2Own cash reward
> might not be enough money, compared to what a vulnerability *should* be
> worth, and taking into consideration how much profit CanSecWest make overall
> from people attending the conference.
>
> So you take into consideration how much a vulnerability should be worth,
> then the added worth, because it's a security conference, of how much should
> be added on to counter the profit being made by the event.
>
> A vulnerability should be worth more if it's disclosed at a security
> conference than if it's bought privately, because you've got to take in
> profit and free advertising to calculate.
>
> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability marketplace. Full-disclosure should be for free stuff, and
> other websites and mailing lists can be set up for *money making schemes and
> auctions*.
>
> We shouldn't allow the money makers directly to market X... if a link is put
> on Full-Disclosure by a member of the public on the fly then that's OK, but I
> think it's cheeky for the particular conference, contest runner or software
> trainer to be on the list themselves spamming everyone, for a profiteering
> agenda.
>
> You mention cross-posting; that's not the issue here. It's the people making
> the money posting to make the money that offends me so much.
>
> And not even the lonely hacker offends me who posts "I've got a vulnerability
> for sale for X". I don't mind that on Full-Disclosure, but what I do mind is
> if it's a company or organisation doing it that is directly the one making
> the money via vulnerability for sale, prize contest, security conference or
> train-to-use-our-software!!! That's the height of spam I just think is
> utterly wrong and unethical on any scale of acceptability.
>
> If a lonely hacker who works in a supermarket has a vulnerability to sell I'm
> all for it being posted on full-disclosure, but not the big money conferences,
> prize hacking contests and software training guys.
>
> I come under the bracket of supermarket worker with nothing much going for
> me in life, so I should be allowed to sell a vulnerability on what's meant to
> be a mailing list for non-profit disclosure.
>
> If we tolerate the money making schemes much longer, eventually
> full-disclosure will be awash with conference, training, cash prize spam, etc.,
> once everyone realises the full value of vulnerabilities and the huge
> amounts of money to be made from setting up a cash prize contest, the huge
> amounts of money to be made from setting up a security conference and the
> huge amounts of money to be made from training people to use your hax0r
> software.
>
> You will find it easy to shout me down and say n3td3v's an idiot, but wait
> till the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated; you're going to see a
> huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair-play e-mail
> and what's a company or organisation blatantly profiteering with X method of
> extracting money out of people and using skilled hackers to make money, and
> to promote a security conference, training etc.
>
> All the best,
>
> n3td3v
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH9bDds+9h2X0fCGcRAmD+AJ4/2PF87IAmuQDZJ4hZB6ZEGtgIMgCfWJJm
FJ+rbr0tUqoFTJ1PoIi8I+c=
=Z3O6
-----END PGP SIGNATURE-----
