who are you and why do we care about your opinion? On Fri, Jul 25, 2008 at 7:00 AM, Exibar <[EMAIL PROTECTED]> wrote:
> I think we should have "n3td3v's law" where n3td3v and all his aliases > (professor, uleet, <insert troll douche's name here>, etc) are required to > get signed written authorization from the community before he can post a > single message....anywhere.... if it's not a unanimous agreement that he > can post, and he does so anyway, he goes to jail.... > > > ----- Original Message ----- > From: "n3td3v" <[EMAIL PROTECTED]> > To: <full-disclosure@lists.grok.org.uk> > Sent: Friday, July 25, 2008 6:56 AM > Subject: [Full-disclosure] Kaminsky's Law > > > > So what you're saying is HD Moore and |)ruid are exploiting a loop > > hole in the law to do what they do... looks like we need to get the > > law tightened. > > > > I say a "Responsible Disclosure Act" is drawn up, and anyone who > > breaks it goes to jail. > > > > That will mean: > > > > - People will think twice before hitting send on blog entries, > > > > - People will think twice about releasing code early, > > > > - That the decided time line for disclosure can be enforced, > > > > - That the people who release information and/or code early, they get > > fined for every computer system compromised because of the > > vulnerability information and/or code disclosure, on top of the jail > > sentence. > > > > So instead for the future its not just a verbal contract for > > responsible disclosure, its a legally binding contract as well meaning > > if the Responsible Disclosure Act has been signed by the security > > researcher and its affected vendors, then ass hats like HD Moore and > > |)ruid are breaking the law. > > > > The details are a bit fuzzy right now, but i'm sure the big guys in > > the industry can draw up proper rules for a Responsible Disclosure > > Act. > > > > Its likely the Responsible Disclosure Act would only be used in > > exceptional circumstances like this DNS caching vulnerability, and the > > approval of the act per vulnerability case has to be decided on by a > > judge in a court of law, so that the Responsible Disclosure Act can't > > be over used and abused, to keep the use of the act fair and > > proportional in relation to the level of the threat. > > > > That means, Full-Disclosure of vulnerability information and/or > > wouldn't be illegal all the time, just in exceptional circumstances > > that has to be OK'd by a judge. > > > > This safe guards the deployment of a patch or patches while telling > > what the importance of patching is to the public, while disallowing > > security researchers to release information and/or code before the > > time line for responsible disclosure. > > > > So the scenario would be, > > > > jake: hey did you hear about the patches being deployed and the news > > reports about the flaw and why the patch is critical? > > > > joe: yes, but the responsible disclosure act has been signed so we > > need to wait until it expires before we can share info. > > > > jake: no way, whats the assigned disclosure date? > > > > joe: the standard 4 weeks, although with the responsible disclosure > > act, after the 4 weeks, the security researcher and vendors can go > > back to the judge to ask for an extra 4 week extension onto that, so > > it could be eight weeks bro before we can become famous for five > > minutes by releasing attack code. > > > > jake: ah, sucks for us, but yeah if the judge has approved the signing > > there isn't alot we can do unless we want to be labeled criminals, and > > hunted down by interpol. > > > > What has to be told to the community under the act: > > > > - The community must be told the Responsible Disclosure Act has been > > signed and OK'd by a judge. > > > > - The community must be told the date the Responsible Disclosure Act > > expires and disclosure can be made. > > > > - The community must be told that security researcher and vendor can > > go back to the judge after 4 weeks and ask for extension of the act if > > extra time is needed, this must be announced to the community again > > with notice. > > > > All members of the community who break the Responsible Disclosure Act > > are breaking the law and face charges. > > > > Obviously this is just an email I rattled up in five minutes during a > > water machine break, so the big guys in the industry can take these > > ideas and throw them into a properly put together act. > > > > I think Dan Kaminsky should lobby the industry and the government to > > get something like this drawn up, since he is the one who has inspired > > me to come up with the Responsible Disclosure Act. > > > > I kind of feel sorry for Dan Kaminsky, and that HD Moore and |)ruid > > had to be dick heads about releasing code on purpose against his > > request of Dan Kaminsky, the vendors and people who agree with > > responsible disclosure, especially in exceptional circumstances like > > the DNS flaw. > > > > Maybe we should name it "Kaminsky's Law" out of Solidarity for Dan. > > > > All the best, > > > > n3td3v > > > > > > ---------- Forwarded message ---------- > > From: <[EMAIL PROTECTED]> > > Date: Thu, Jul 24, 2008 at 5:56 PM > > Subject: Re: [Full-disclosure] Comments on: DNS exploit code is in the > > wild > > To: n3td3v <[EMAIL PROTECTED]> > > Cc: full-disclosure@lists.grok.org.uk > > > > > > On Thu, 24 Jul 2008 16:17:08 BST, n3td3v said: > > > >> This whole HD Moore savior of info sec thing has gone on long enough, > >> its time to see him for what he is and get him slammed up in jail > >> along with his counterpart |)ruid. > > > > I'll point out that you happen to live in the country that invented the > > concept of "habeus corpus". In other words, you cant slam him in jail > > unless you actually *charge* him with something. > > > > Please tell us which countr(y|ies) you intend to have him charged, and > > what > > offense. Specific references to statutes would be appreciated (for > > starters, > > I'll help you out and point out that in the US, he probably could *not* > be > > charged under 17 USC 1201 (the DMCA anti-circumvention clause), nor under > > 18 > > USC 1030 (the primary federal anti-hacking statute), unless you have > > actual > > evidence that HD personally hacked into a computer covered by 18 USC > 1030. > > You > > run into similar issue with 18 USC 2701 (access to stored communication). > > > > You *might* be able to make a case under 18 USC 2512 (dealing in devices > > for > > intercepting communications), except that there's the nasty clause > > "knowing or > > having reason to know that the design of such device renders it primarily > > useful for the purpose of the surreptitious interception of wire, oral, > or > > electronic communications;" - and you'd fail on the "primarily" because > > there's > > lots of *other* uses for Metasploit. > > > > He *is* probably in violation of 36 USC 117, 7 USC 411b, and 26 USC > > 7523(a)(1), > > however. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
