Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Symantec Buys SecurityFocus, among others.
From: full-disclosure () lists netsys com (Brian Hatch)
Date: Thu, 18 Jul 2002 19:57:18 -0700

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Release exploits with the vaguest of descriptions as to how they work=20
(lost for examples -- just copy'n'paste the "technical bits" of some=20
of the security bulletins from MS...).  Have the _only_ PoC code a=20
compiled binary loaded with copyright notices forbidding reversing,=20
etc.  Be sure to use some "encryption" (extremely trivial is OK as=20
complexity doesn't matter; can you say XOR?) in the PoC to "protect"=20
the important secret (generally the overflow "string" itself).  Be=20
capricious in who you prosecute under the DMCA for incoporating=20
vulnerability detection of this flaw into their products.  (Many=20
other "pro-reversing" laws allow reversing if doing so is the only=20
(practical) way to ensure compatibility or system inter-operation --=20
this should not be a defense against reversing a security=20
vulnerability exploit...)

This and other 'Protect your code with the DMCA' ideas are interesting.
So we lock down our exploits with crappy encryption, hope someone uses
them, and sue.  Hopefully we win, and we get a nice check.

        And the DMCA has just been upheld in court.

We establish case law that indicates the DMCA is valid law, that
it's even supported by Open Source / Full Disclosure advocates.
Next time another Dimitry gets slapped with it, what are we going
to fall back on?

Although amusing to use the 'tools of the enemy', by using them
successfully you strengthen how they can be used against you.
I think this is a bad idea...

Brian Hatch                  Friends help you move.
   Systems and                Real friends help
   Security Engineer          you move bodies.

Every message PGP signed

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]