Re: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its f****** gay
- To: n3td3v@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass security conference spamming its f****** gay
- From: Ureleet <ureleet@xxxxxxxxx>
- Date: Fri, 4 Apr 2008 16:34:47 -0400
see:
> - Come to our conference - profit... buy our ticket, get a macbook prize.
> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.
ZDI provides the money for this. and they don't sell it back to the vendor.
> - Train to use our software -profit... over priced training for
> software... not interested.
don't get angry at remote-exploit because they are making money from their
work. how much money do you make from posting to fd?
> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the blackmarket and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation.
wabisabilabi? zdi... etc.
> Can someone post to full-disclosure a price list of what they think a
> bufferoverflow should be worth etc, and we can vote if we agree.
feel free to take that as a todo item. however, i would think it would
depend on the bo.
> We can't dress up cash prizes/contests as something else as well, if a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> be potentially made after it's sold on.
zdi doesn't sell their exploits afaik.
> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.
the pwn2own cash is supplied by zdi. that's what you aren't realizing.
> So you take into consideration how much a vulnerability should be
> worth, then the added worth because it's a security conference of how
> much should be added on to counter the profit being made by the event.
you already said this. twice.
> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff,
> and other websites and mailing lists can be setup for *money making
> schemes and auctions*.
there are. however, how are the people going to know about the websites if
you don't allow people to 'spam' lists with this sort of thing, mr
unofficial-fd moderator?
> We shouldn't allow the money makers directly to market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> that's ok, but I think it's cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone, for a profiteering agenda.
that's why it's called free enterprise; it's an unmoderated list. feel free
to unsubscribe if you don't like it much.
> You mention cross-posting, that's not the issue here, it's the people
> making the money posting to make the money that offends me so much.
we know, it's the third time you've said it in one email.
> And not even the lonely hacker offends me who posts I've got a
> vulnerability for sale for X, I don't mind that on Full-Disclosure,
> but what I do mind is if it's a company or organisation doing it that
> is directly the ones making the money via vulnerability for sale,
> prize contest, security conference or train to use our software!!!,
> that's the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.
again, free market, and you are directly talking about zdi.
> If a lonely hacker who works in a supermarket has a vulnerability to
> sell I'm all for it being posted on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.
fourth time.
> I come under the bracket as supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.
you work at a supermarket? so you know about the under cash drawer switch
that pops open the drawer exploit?
> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait till the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated, you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.
again, unmoderated list. the door is over there.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/