Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 23:11:35 +0200 Ingo Schwarze wrote:
> Hi,
>
> Eric wrote on Wed, Jul 04, 2018 at 01:55:17PM -0500:
>
> > The solution is obvious. If there are any bug fixes of sufficient
> > importance, report the bug, collect the $500,000 for the foundation,
> > and then fix it.
>
> i can hardly believe this needs to be said, but given the lack of
> any smiley, and given the presence of several purportedly "humorous"
> postings in this thread:

It was only meant to be humorous, nothing more. That obviously failed.
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
Hi,

Eric wrote on Wed, Jul 04, 2018 at 01:55:17PM -0500:

> The solution is obvious. If there are any bug fixes of sufficient
> importance, report the bug, collect the $500,000 for the foundation,
> and then fix it.

i can hardly believe this needs to be said, but given the lack of any smiley, and given the presence of several purportedly "humorous" postings in this thread:

Given that the very *purpose* of the company trying to buy these exploits is to earn money from COVERTLY BREACHING THE PRIVACY OF SOFTWARE USERS, i'm calling out that company, and any other company with a similar business plan, as a particularly bad instance of ORGANIZED CYBERCRIME according to any reasonable moral standard.

For example, i believe that this kind of criminal activity is SUBSTANTIALLY WORSE than ordinary credit card fraud because such companies put hundreds of millions of people at risk who do not even learn that they were harmed, not even after the fact, whereas with ordinary fraud, the victim at least knows about the completed crime. Besides, what this company does is life-threatening, whereas credit card fraud only puts your money in danger.

So i'm adamant that anybody even remotely considering doing any kind of business with such a company must be instantly expelled from any kind of free software project.

Besides, you can't be so naive as to think that you will see any money from such a criminal enterprise without signing an NDA to NOT DISCLOSE THE VULNERABILITY TO THE SOFTWARE AUTHOR (or anyone else)?

Besides, even if you could retain the right to publish the vulnerability you reported, it is an obvious requirement of basic ethics that you report potentially dangerous bugs as soon as possible TO THE SOFTWARE AUTHOR, in particular, before talking to anybody else about them, and that you do not disclose the problem to third parties before the vulnerability is fixed, unless the author fails to fix the problem within reasonable time, typically a few days, sometimes maybe a few weeks. So the order of actions you are proposing is close to criminal as well.

Now, can we please stop this thread? Even joking about these matters is hardly funny because it implies an insinuation that there might be anybody involved in OpenBSD who might remotely consider doing business with such criminal organizations, or that there might be any bribable or corrupt people in the vicinity of the project. Such insinuations are not funny.

The question of how such criminal organizations could be abolished might be considered politically interesting by some, but even that question is totally off-topic on misc@. It is simply and plainly unrelated to OpenBSD. The only on-topic aspect is the fact that state agencies exist that actively and systematically attempt to compromise the security of any kind of software, including free software, including OpenBSD. But that is not news.
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 18:06:04 +0200 Reyk Floeter wrote:
> I hope somebody steps up and donates $500,000 to the OpenBSD foundation
> instead.

The solution is obvious. If there are any bug fixes of sufficient importance, report the bug, collect the $500,000 for the foundation, and then fix it.

Eric
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
Ok, sorry, I didn't get it, whoops ;)

On Wed 4 Jul 2018, 19:21 Marko Cupać, wrote:
> On Wed, 4 Jul 2018 19:02:56 +0100
> Tom Smyth wrote:
>
> > Hello Marko / Szekeres
> >
> > I don't mean to start a flame war as it is counterproductive, but I don't
> > fully get what you mean / imply by
> >
> > > ".. while not requiring from OpenBSD to introduce Code of Conduct"
>
> I'm just trolling around :)
>
> At the same time I'm a relatively long-time *BSD user, thankful to anyone
> and everyone who is making them possible. Especially to OpenBSD who still
> appears to stick to the simple "Don't be an asshole" CoC, as opposed to
> some who took a different path, probably partly as a result of
> accepting large "generous" "contributions".
>
> As The Smiths sang, "Some BSDs are bigger than the others".
>
> Once again, I'm just trolling around, I hope no one takes my posts on
> this topic seriously.
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 19:02:56 +0100 Tom Smyth wrote:
> Hello Marko / Szekeres
>
> I don't mean to start a flame war as it is counterproductive, but I don't
> fully get what you mean / imply by
>
> > ".. while not requiring from OpenBSD to introduce Code of Conduct"

I'm just trolling around :)

At the same time I'm a relatively long-time *BSD user, thankful to anyone and everyone who is making them possible. Especially to OpenBSD who still appears to stick to the simple "Don't be an asshole" CoC, as opposed to some who took a different path, probably partly as a result of accepting large "generous" "contributions".

As The Smiths sang, "Some BSDs are bigger than the others".

Once again, I'm just trolling around, I hope no one takes my posts on this topic seriously.

--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
Hello Marko / Szekeres,

I don't mean to start a flame war as it is counterproductive, but I don't fully get what you mean / imply by

> ".. while not requiring from OpenBSD to introduce Code of Conduct"

I think that to anyone who has been on the mailing list for a number of years, or anyone who has read the project goals, it is clear what the project's goals are, and one of the most important is to increase security. Users are not in any way bound to a code of conduct; it is not in the license. The list is based on technical discussions and safeguards, and talks about risks, bugs and their mitigations. I don't think anyone @openbsd.org would sell the project out. Suffice to say that anyone following the Selective Disclosure Controversies would understand that the OpenBSD project does not endorse them or advocate them. Selling zero-day bugs to anyone and deliberately withholding information from the developers of the software is probably the antithesis of what this project stands for.

Regards,
Tom Smyth

On 4 July 2018 at 18:23, Marko Cupać wrote:
> On Wed, 4 Jul 2018 18:06:04 +0200
> Reyk Floeter wrote:
>
> > I hope somebody steps up and donates $500,000 to the OpenBSD
> > foundation instead.
>
> ... while not requiring from OpenBSD to introduce Code of Conduct
>
> :D
>
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupać
> https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Wed, 4 Jul 2018 18:06:04 +0200 Reyk Floeter wrote:
> I hope somebody steps up and donates $500,000 to the OpenBSD
> foundation instead.

... while not requiring from OpenBSD to introduce Code of Conduct

:D

--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
Are you advertising this crap on our list?

I hope somebody steps up and donates $500,000 to the OpenBSD foundation instead.

> On 30.06.2018 at 23:11 Szekeres Dani wrote:
>
> Just read:
>
> https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/
>
> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux
> Zero-Days
>
> Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days
> in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for
> Linux distros such as Ubuntu, CentOS, Debian, and Tails.
>
> The offer, first advertised via Twitter earlier this week, is available as
> part of the company's latest zero-day acquisition drive. Zerodium is known
> for buying zero-days and selling them to government agencies and law
> enforcement.
>
> https://twitter.com/Zerodium/status/1012007051466162177
Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)
On Sat, 30 Jun 2018 23:11:15 +0200 "Szekeres Dani" wrote:
> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux
> Zero-Days

Seen this comment on /.

http://dilbert.com/strip/1995-11-13

:D

--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/