Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
- To: "Garrett M. Groff" <groffg@xxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass securityconferencespamming its f****** gay
- From: scott <redhowlingwolves@xxxxxxxxx>
- Date: Fri, 04 Apr 2008 00:36:06 -0400
He has no clue what it means to live in a democracy, much less a federation.
Let's let the comedy go on, shall we? Definitely breaks the monotony of
everyday BS.
Garrett M. Groff wrote:
> netdev, I'll begin by confessing that I merely skimmed your email and did
> not peruse it. Having said that, the buying and selling of vulnerabilities
> is subject to the trading of anything else, be it commodities, products,
> services, securities (such as stocks), or other tradeable assets.
> What you proposed is economic in nature and not unique or specific to
> geekdom. Specifically, what you're suggesting is more in line with Marxism,
> where a "fair" price is dictated by a central authority. Instead, our system
> of free-market capitalism is such that vulnerabilities can be bought and
> sold by whomever wishes to buy them and sell them. (Furthermore, evidence
> suggests that black market activity would *increase* in cases where trading
> of a given item is highly restricted on the legitimate market (relegating
> the trading to the black market); e.g., the trading of illicit drugs
> exists and is a multi-billion dollar industry in the US despite laws that
> proscribe the trading and possession of those drugs).
> --
> Regarding the information on conferences and such that are touted on this
> list (and others), it's something that we'll just have to deal with. This
> list is un-moderated and, perhaps, there are people who appreciate the
> information.
> - G
> ----- Original Message -----
> From: "n3td3v" <xploitable@xxxxxxxxx>
> To: "Garrett M. Groff" <groffg@xxxxxxxxxxxxx>; "n3td3v"
> <n3td3v@xxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
> Sent: Thursday, April 03, 2008 5:38 PM
> Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass
> securityconferencespamming its f****** gay
>> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <groffg@xxxxxxxxxxxxx>
>> wrote:
>>> Regarding the particular person in question, I'll defer to others who
>>> know him (or her, or they, or whomever) better than I do. Instead, I'll
>>> say that, generally, on lists like FD, there is a minority of out-spoken
>>> personalities who sadly support the stereotypical hacker persona:
>>> condescending egoists who are socially inept and emotionally charged when
>>> discussing topics that relate to their knowledge domain. That's
>>> unfortunate, since the broader IT security community is poorly
>>> represented due to attention-seeking zealots.
>>> Regarding the idea of "outlawing security conference spamming," I'd say
>>> the literal idea of outlawing cross-posts to multiple security mailing
>>> lists is a bad idea. The idea that the legislature should write into law
>>> legislation that reduces our freedom in such a sense is a slippery slope
>>> borne of emotionalism and narrowness. What else should the government do
>>> to curtail our freedoms? I tend to side with libertarian types (though I
>>> don't call myself a "libertarian" un-qualified) on what the government
>>> should do and what they should not do. And micro-managing security
>>> mailing lists is something they should not do. It's a bad idea and would
>>> make a dreadful precedent.
>> Full-Disclosure is meant to be about free source, not making money. I'm
>> against people who make money coming on the mailing lists; it's
>> commercial spam. We can't allow this to continue. Here is what I
>> don't like:
>> - Come to our conference - profit... buy our ticket, get a macbook prize.
>> - Hacking challenge prize - profit... they give you $5000 and sell it
>> to the vendor for a lot more.
>> - Train to use our software - profit... overpriced training for
>> software... not interested.
>> On the issue of how much a vulnerability is worth, the prices are not
>> regulated. We need regulation into how much a vulnerability costs,
>> because the prices right now are wild. We need to take vulnerability
>> pricing off the black market and onto a legitimate central website for
>> selling vulnerabilities, or cash rewards for disclosing a
>> vulnerability to a particular company or organisation. I don't like
>> sites like Digital Armaments, which, when I visited it, the content and
>> answers they gave were questionable, and people have complained about
>> Digital Armaments in the past. It's time to get pricing regulated and
>> defined, so everyone knows who's being joe-jobbed and who isn't.
>> Can someone post to Full-Disclosure a price list of what they think a
>> buffer overflow should be worth, etc., and we can vote on whether we agree.
>> So what I'm calling for is someone to post up a hacker's price list per
>> vulnerability type.
>> XSS/SQL should be worth something as well, so Morning_Wood can buy
>> milk and a news paper in the mornings after he's taken care of his
>> wood.
>> Sorry I've ended this e-mail with slightly off-topicness, but I do
>> think pricing needs to be defined.
>> We can't dress up cash prizes/contests as something else as well. If a
>> website is offering a $5,000 reward for a vulnerability, we need to
>> know if we're being ripped off with the cash reward and how much can
>> potentially be made after it's sold on.
>> Robert Lemos even talked about vulnerability pricing
>> (http://www.securityfocus.com/news/11510) when Pwn2Own was on, and even
>> the Pwn2Own cash reward might not be enough money, compared to what a
>> vulnerability *should* be worth, and taking into consideration how much
>> profit CanSecWest makes overall from people attending the conference.
>> So you take into consideration how much a vulnerability should be
>> worth, then the added worth, because it's a security conference, of how
>> much should be added on to counter the profit being made by the event.
>> A vulnerability should be worth more if it's disclosed at a security
>> conference than if it's bought privately, because you've got to take
>> profit and free advertising into the calculation.
>> However, to round off, we can't allow the mailing lists to turn into a
>> vulnerability market place, full-disclosure should be for free stuff,
>> and other websites and mailing lists can be setup for *money making
>> schemes and auctions*.
>> We shouldn't allow the money makers to directly market X... if a link
>> is put on Full-Disclosure by a member of the public on the fly then
>> that's OK, but I think it's cheeky for the particular conference,
>> contest runner or software trainer to be on the list themselves
>> spamming everyone, for a profiteering agenda.
>> You mention cross-posting; that's not the issue here. It's the people
>> making the money posting to make the money that offends me so much.
>> And not even the lonely hacker offends me who posts "I've got a
>> vulnerability for sale for X"; I don't mind that on Full-Disclosure,
>> but what I do mind is if it's a company or organisation doing it that
>> is directly the one making the money via vulnerability for sale,
>> prize contest, security conference or "train to use our software"!!!
>> That's the height of spam I just think is utterly wrong and unethical
>> on any scale of acceptability.
>> If a lonely hacker who works in a supermarket has a vulnerability to
>> sell, I'm all for it being posted on Full-Disclosure, but not the big
>> money conferences, prize hacking contests and software training guys.
>> I come under the bracket of supermarket worker with nothing much going
>> for me in life, so I should be allowed to sell a vulnerability on
>> what's meant to be a mailing list for non-profit disclosure.
>> If we tolerate the money making schemes much longer, eventually
>> Full-Disclosure will be awash with conference, training, cash prize
>> spam, etc. once everyone realises the full value of vulnerabilities and
>> the huge amounts of money to be made from setting up a cash prize
>> contest, the huge amounts of money to be made from setting up a
>> security conference and the huge amounts of money to be made from
>> training people to use your hax0r software.
>> You will find it easy to shout me down and say n3td3v's an idiot, but
>> wait until the vulnerability market really takes off and the prices of
>> vulnerabilities are properly defined and regulated; you're going to
>> see a huge increase in commercial spam on the mailing lists, like the
>> Full-Disclosure mailing list. So we've got to define what's fair play
>> e-mail and what's a company or organisation blatantly profiteering
>> with X method of extracting money out of people and using skilled
>> hackers to make money, and to promote a security conference, training
>> etc.
>> All the best,
>> n3td3v
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/