netdev, I'll begin by confessing that I merely skimmed your email and did 
not peruse it. Having said that, the buying and selling of vulnerabilities 
is subject to the trading of anything else, be it commodities, products, 
services, securities (such as stocks), or other tradeable assets.

What you proposed is economic in nature and not unique or specific to 
geekdom. Specifically, what you're suggesting is more in line with Marxism, 
where a "fair" price is dictated by a central authority. Instead, our system 
of free-market capitalism is such that vulnerabilities can be bought and 
sold by whomever wishes to buy them and sell them. (Furthermore, evidence 
suggests that black market activity would *increase* in cases where trading 
of a given item is highly restricted on the legitimate market (relegating 
the trading to the black market); e.g., the trading of illicit drugs 
exists and is a multi-billion dollar industry in the US despite laws that 
proscribe the trading and possession of those drugs).

--

Regarding the information on conferences and such that are touted on this 
list (and others), it's something that we'll just have to deal with. This 
list is un-moderated and, perhaps, there are people who appreciate the 
information.

- G


----- Original Message ----- 
From: "n3td3v" <[EMAIL PROTECTED]>
To: "Garrett M. Groff" <[EMAIL PROTECTED]>; "n3td3v" 
<[EMAIL PROTECTED]>; <full-disclosure@lists.grok.org.uk>
Sent: Thursday, April 03, 2008 5:38 PM
Subject: Re: [Full-disclosure] Fwd: Let's outlaw mass 
security conference spamming its f****** gay


> On Thu, Apr 3, 2008 at 3:02 PM, Garrett M. Groff <[EMAIL PROTECTED]> 
> wrote:
>> Regarding the particular person in question, I'll defer to others who 
>> know him (or her, or they, or whomever) better than I do. Instead, I'll 
>> say that, generally, on lists like FD, there is a minority of out-spoken 
>> personalities who sadly support the stereotypical hacker persona: 
>> condescending egoists who are socially inept and emotionally charged 
>> when discussing topics that relate to their knowledge domain. That's 
>> unfortunate, since the broader IT security community is poorly 
>> represented due to attention-seeking zealots.
>>
>> Regarding the idea of "outlawing security conference spamming," I'd say 
>> the literal idea of outlawing cross-posts to multiple security mailing 
>> lists is a bad idea. The idea that the legislature should write into law 
>> legislation that reduces our freedom in such a sense is a slippery slope 
>> borne of emotionalism and narrowness. What else should the government do 
>> to curtail our freedoms? I tend to side with libertarian types (though I 
>> don't call myself a "libertarian" un-qualified) on what the government 
>> should do and what they should not do. And micro-managing security 
>> mailing lists is something they should not do. It's a bad idea and would 
>> make a dreadful precedent.
>
> Full-Disclosure is meant to be about free source, not making money. I'm
> against people who make money coming on the mailing lists, it's
> commercial spam. We can't allow this to continue, here is what I
> don't like:
>
> - Come to our conference - profit... buy our ticket, get a macbook prize.
>
> - Hacking challenge prize - profit... they give you $5000 and sell it
> to the vendor for a lot more.
>
> - Train to use our software - profit... overpriced training for
> software... not interested.
>
> On the issue of how much a vulnerability is worth, the prices are not
> regulated, we need regulation into how much a vulnerability costs,
> because the prices right now are wild. We need to take vulnerability
> pricing off the blackmarket and onto a legitimate central website for
> selling vulnerabilities, or cash rewards for disclosing a
> vulnerability to a particular company or organisation. I don't like
> sites like digital armaments which, when I visited it, the content and
> answers they gave were questionable, and people have complained about
> digital armaments in the past. It's time to get pricing regulated and
> defined, so everyone knows who's being joe jobbed and who isn't.
>
> Can someone post to full-disclosure a price list of what they think a
> buffer overflow should be worth etc, and we can vote if we agree.
>
> So what I'm calling for is someone to post up a hackers' price list per
> vulnerability type.
>
> XSS/SQL should be worth something as well, so Morning_Wood can buy
> milk and a news paper in the mornings after he's taken care of his
> wood.
>
> Sorry I've ended this e-mail with slightly off-topicness, but I do
> think pricing needs to be defined.
>
> We can't dress up cash prizes/contests as something else as well; if a
> website is offering a $5,000 reward for a vulnerability, we need to
> know if we're being ripped off with the cash reward and how much can
> be potentially made after it's sold on.
>
> Robert Lemos even http://www.securityfocus.com/news/11510 talked about
> vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash
> reward might not be enough money, compared to what a vulnerability
> *should* be worth, and taking into consideration how much profit
> CanSecWest make overall from people attending the conference.
>
> So you take into consideration how much a vulnerability should be
> worth, then the added worth, because it's a security conference, of how
> much should be added on to counter the profit being made by the event.
>
> A vulnerability should be worth more if it's disclosed at a security
> conference than if it's bought privately, because you've got to take in
> profit and free advertising to calculate.
>
> However, to round off, we can't allow the mailing lists to turn into a
> vulnerability market place, full-disclosure should be for free stuff,
> and other websites and mailing lists can be setup for *money making
> schemes and auctions*.
>
> We shouldn't allow the money makers directly to market X... if a link
> is put on Full-Disclosure by a member of the public on the fly then
> that's ok, but I think it's cheeky for the particular conference,
> contest runner or software trainer to be on the list themselves
> spamming everyone, for a profiteering agenda.
>
> You mention cross-posting, that's not the issue here, it's the people
> making the money posting to make the money that offends me so much.
>
> And not even the lonely hacker offends me who posts "I've got a
> vulnerability for sale for X"; I don't mind that on Full-Disclosure,
> but what I do mind is if it's a company or organisation doing it that
> is directly the one making the money via vulnerability for sale,
> prize contest, security conference or train to use our software!!!,
> that's the height of spam I just think is utterly wrong and unethical
> on any scale of acceptability.
>
> If a lonely hacker who works in a supermarket has a vulnerability to
> sell I'm all for it being posted on full-disclosure, but not the big
> money conferences, prize hacking contests and software training guys.
>
> I come under the bracket of supermarket worker with nothing much going
> for me in life, so I should be allowed to sell a vulnerability on
> what's meant to be a mailing list for non-profit disclosure.
>
> If we tolerate the money making schemes much longer, eventually
> full-disclosure will be awash with conference, training, cash prize
> spam, etc once everyone realises the full value of vulnerabilities and
> the huge amounts of money to be made from setting up a cash prize
> contest, the huge amounts of money to be made from setting up a
> security conference and the huge amounts of money to be made from
> training people to use your hax0r software.
>
> You will find it easy to shout me down and say n3td3v's an idiot, but
> wait till the vulnerability market really takes off and the prices of
> vulnerabilities are properly defined and regulated; you're going to
> see a huge increase in commercial spam on the mailing lists, like the
> full-disclosure mailing list. So we've got to define what's fair play
> e-mail and what's a company or organisation blatantly profiteering
> with X method of extracting money out of people and using skilled
> hackers to make money, and to promote a security conference, training
> etc.
>
> All the best,
>
> n3td3v
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/