it's all about timing

[full-disclosure () lists netsys com (ATD)]

--=-UsUZ9jPdC3OEAYx5Ja4p
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hey bro,=20
        Jump on irc.homelien.no #snosoft  ;o)


On Mon, 2002-08-05 at 15:34, KF wrote:
> nicely spoken=20
> -KF
> =20
> ----- Original Message -----=20
> From: "Evrim ULU" <evrim () core gen tr>
> To: <full-disclosure () lists netsys com>
> Sent: Friday, August 02, 2002 5:19 AM
> Subject: Re: [Full-disclosure] it's all about timing
> =20
> =20
> > Hi,
> > =20
> > I really don't understand why we'r discussing RFPolicy. It's not the=20
> > main subject of HP/Snosoft DMCA topic. Here is why:
> > =20
> > My knowledge says that there are two major things in engineering: Laws =
&=20
> > Ethical Issues.
> > =20
> > First of all observe the following case:
> > =20
> > - Assume that a window of a grocery is broken.
> > - Anyone can get something inside without paying at midnight since ther=
e=20
> > is no glass over there. Normally one would call the police and say to=20
> > police that the window is broken and ask for taking precaution otherwis=
e=20
> > somebody may take all the banana's and run away.
> > - Laws says that: u'r guilty if u steal something.
> > - Laws also says that : u'r not guilty if u don't call police after=20
> > realizing that window is broken.
> > =20
> > Let's look what ethic says:
> > =20
> > - U'r not ethical if u steal something.
> > - U'r not ethical if u don't call the police.
> > =20
> > See? The second line is not ethical but legal.
> > =20
> > In DMCA/HP/Snosoft case, the problem is the LAW not the ethical issues.=
=20
> > We must consider these ethical issues later like RFPolicy because HP=20
> > already sued SnoSoft according to laws not ethics.
> > =20
> > Here is my thoughts about the topic:
> > =20
> > There are no laws that states "If it is done at 7 oclock it is legal an=
d=20
> > if u do it on 11 o'clock u'll be punished with a ten thousand years in=20
> > prison."
> > =20
> > This law can't be applied to the real world sorry. We can't prove that=20
> > we've already talked with hp at 7 oclock, they didn't answered until 11=
=20
> > clock so I published the exploit code. Unless all vendors are=20
> > govermental no legal proof can be stated to court about these=20
> > conversations between Vendors and Hackers. Remember they'v got lots of=20
> > bucks to give advocates. We'r alone.
> > =20
> > I propose two ways to get around:
> > =20
> > i. Publish zero-day exploits. Forget about vendor. Since hacking is=20
> > illegal, assume police will catch the hacker since he/she's doing=20
> > illegal. This is why there are cybercops am I right? Nobody can be=20
> > punished if he/she didn't call police in case of a broken window.
> > ii. Hackers are unallowed to publish any exploits. They just can send=20
> > the exploit code/bug report to vendor.  Vendor publishes proof of=20
> > concept code to public with the fix when available if they want of=20
> > course. I think, DMCA will grant this since Vendor's hold the copyright=
=20
> > about the product. Also, we know that no vendor wants to publish that=20
> > their product is insecure.
> > =20
> > Another topic that i want to discuss is i'm living in Turkiye and here=20
> > we don't have any DMCA super duper laws. We have a simple copyright law=
=20
> > which do not include DMCA. Who's gonna stop me publishing 0 day=20
> > exploits? Obviously No-One. Right? USA may cancel Turkiye's connection=20
> > to USA but i don't think that this is impossible for now. Also, they ma=
y=20
> > prevent me entering the US frontiers but i really don't care about it.
> > =20
> > As a result, only US programmers will suffer from this law not me.  The=
y=20
> > are going to think it twice before publishing anything. This is of=20
> > course unfair. US goverment just makes their own programmers suffer fro=
m=20
> > this law by saying "We are protecting the vendors". They are just=20
> > missing the statement that "Hackers make their product more secure-more=
=20
> > reliable". I think that they are assuming every vendor has enough=20
> > skilled  "Hacker" employee to check their products. Heh:-)) As Kurt=20
> > said, they don't have.
> > =20
> > In the future, i think, only vendors can publish such exploits, fixes=20
> > and proof of concepts in USA. Hackers gonna just take small credit at=20
> > the end of the message. For the rest of the world, game is not over and=
=20
> > ppl will continue to publish exploits. Besides, Vendor's will make mone=
y=20
> > using the works of hackers. This is what we call capitalism in fact and=
=20
> > it is coming over us again. Beware:-))
> > =20
> > PS: Heh maybe we should buy a small island and found our "Country of=20
> > Secure Systems" and publish exploits from there. Any island suggestions=
?
> > =20
> > King regards,
> > --=20
> > Evrim ULU
> > evrim () envy com tr / evrim () core gen tr
> > sysadm
> > http://www.core.gen.tr
> > =20
> > =20
> > =20
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Full-Disclosure () lists netsys com
> > http://lists.netsys.com/mailman/listinfo/full-disclosure
> > =20
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure () lists netsys com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
> =20
--=20

-------------------------------------------------------
Secure Network Operations, Inc.| http://www.snosoft.com
Cerebrum Project               | cerebrum () snosoft com
Strategic Reconnaissance Team  | recon () snosoft com
-------------------------------------------------------



--=-UsUZ9jPdC3OEAYx5Ja4p
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9TqqbHs/COEe/P4cRAt5uAKDmBdFX654zudzHNeiDqhYRvqGexgCgp4Rt
jDaqp6jf6zcKFmnPEqjTtv0=
=4m36
-----END PGP SIGNATURE-----

--=-UsUZ9jPdC3OEAYx5Ja4p--