Full Disclosure mailing list archives
Symantec Buys SecurityFocus, among others.
From: full-disclosure () lists netsys com (Brian Hatch)
Date: Thu, 18 Jul 2002 19:57:18 -0700
> Release exploits with the vaguest of descriptions as to how they work
> (lost for examples -- just copy'n'paste the "technical bits" of some
> of the security bulletins from MS...). Have the _only_ PoC code a
> compiled binary loaded with copyright notices forbidding reversing,
> etc. Be sure to use some "encryption" (extremely trivial is OK as
> complexity doesn't matter; can you say XOR?) in the PoC to "protect"
> the important secret (generally the overflow "string" itself). Be
> capricious in who you prosecute under the DMCA for incorporating
> vulnerability detection of this flaw into their products. (Many
> other "pro-reversing" laws allow reversing if doing so is the only
> (practical) way to ensure compatibility or system inter-operation --
> this should not be a defense against reversing a security
> vulnerability exploit...)
This and other 'Protect your code with the DMCA' ideas are interesting.
So we lock down our exploits with crappy encryption, hope someone uses
them, and sue. Hopefully we win, and we get a nice check.
And the DMCA has just been upheld in court.
We establish case law that indicates the DMCA is valid law, that
it's even supported by Open Source / Full Disclosure advocates.
Next time another Dimitry gets slapped with it, what are we going
to fall back on?
Although amusing to use the 'tools of the enemy', by using them
successfully you strengthen how they can be used against you.
I think this is a bad idea...
--
Brian Hatch                  Friends help you move.
Systems and                  Real friends help
Security Engineer            you move bodies.
www.buildinglinuxvpns.net

Every message PGP signed
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj03gA4ACgkQp6D9AhxzHxBQwgCfR76Kz5KRhmCMn6LfRo7AnQiy
a/sAmwSNqF7delt8UVu86igxZvWnexQ/
=8etZ
-----END PGP SIGNATURE-----
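An added example, not part of Brian's or Nick's posts, of why "complexity doesn't matter" in the scheme quoted above: a single-byte or short repeating-key XOR over an overflow string falls to a byte-frequency count or at most 256 guesses, because the NOP sled and the repeated return address are known plaintext. The overflow string, the keys and the return address are constructed for illustration; the shellcode is a placeholder, not real code.

```python
"""Added example: how little the "encryption" in the quoted scheme protects.

A single-byte (or short repeating-key) XOR of an overflow string is undone
in at most 256 guesses, because the string's structure (a long NOP sled, a
repeated return address) is known plaintext. All data below is constructed.
"""
from collections import Counter
from itertools import cycle
from typing import List

NOP = 0x90  # x86 NOP, the classic filler for an overflow string's sled


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. The same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def build_overflow_string(sled_len: int = 64,
                          shellcode: bytes = b"<shellcode bytes go here>",
                          ret: bytes = b"\xbf\xff\xf5\xd8",
                          ret_repeats: int = 4) -> bytes:
    """Constructed overflow string: NOP sled + payload + repeated return address.
    The return address is an arbitrary constructed value, not a real target."""
    return bytes([NOP]) * sled_len + shellcode + ret * ret_repeats


def recover_single_byte_key(blob: bytes, expected_filler: int = NOP) -> int:
    """Frequency attack: the most common ciphertext byte is the sled byte XOR key."""
    most_common_byte, _ = Counter(blob).most_common(1)[0]
    return most_common_byte ^ expected_filler


def brute_force_single_byte_keys(blob: bytes, must_start_with: bytes) -> List[int]:
    """Try all 256 keys, keep those whose plaintext starts with the known bytes."""
    return [k for k in range(256)
            if xor_with_key(blob, bytes([k])).startswith(must_start_with)]


def recover_repeating_key(blob: bytes, key_len: int, known_prefix: bytes) -> bytes:
    """Known-plaintext attack on a repeating key of length key_len: with the
    first key_len plaintext bytes known (the sled), key[i] = c[i] ^ p[i]."""
    if len(known_prefix) < key_len or len(blob) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_prefix[:key_len]))


if __name__ == "__main__":
    payload = build_overflow_string()
    locked = xor_with_key(payload, b"\x5a")   # the "protected" PoC string
    print("single-byte key: 0x%02x" % recover_single_byte_key(locked))
    print("keys surviving brute force:",
          brute_force_single_byte_keys(locked, bytes([NOP]) * 8))
    locked4 = xor_with_key(payload, b"DMCA")  # a 4-byte repeating key
    print("repeating key:", recover_repeating_key(locked4, 4, bytes([NOP]) * 4))
```

The frequency attack needs no guess at all when the sled dominates the string; the brute-force variant works even for a short sled, since only the right key turns the first bytes back into NOPs. Either way the "lock" offers no technical protection, which is exactly what makes the legal protection the quoted post describes the only thing it adds.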
Current thread:
- Symantec Buys SecurityFocus, among others...., (continued)
- Symantec Buys SecurityFocus, among others.... martin f krafft (Jul 18)
- Symantec Buys SecurityFocus, among others.... Nexus (Jul 18)
- Symantec Buys SecurityFocus, among others.... martin f krafft (Jul 18)
- Symantec Buys SecurityFocus, among others.... full-disclosure () lists netsys com (Jul 18)
- Symantec Buys SecurityFocus, among others.... martin f krafft (Jul 23)
- Symantec Buys SecurityFocus, among others.... martin f krafft (Jul 18)
- Symantec Buys SecurityFocus, among others.... Blue Boar (Jul 18)
- Symantec Buys SecurityFocus, among others.... Eric Nelson (Jul 18)
- Symantec Buys SecurityFocus, among others.... Blue Boar (Jul 18)
- Symantec Buys SecurityFocus, among others. Nick FitzGerald (Jul 18)
- Symantec Buys SecurityFocus, among others. Steve (Jul 18)
- Symantec Buys SecurityFocus, among others. Brian Hatch (Jul 18)
- Symantec Buys SecurityFocus, among others. Nick FitzGerald (Jul 18)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 19)
- Symantec Buys SecurityFocus, among others.... full-disclosure () lists netsys com (Jul 19)
- Symantec Buys SecurityFocus, among others.... hellNbak (Jul 19)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 19)
- Symantec Buys SecurityFocus, among others.... Christopher Meiklejohn (Jul 19)
- Symantec Buys SecurityFocus, among others.... full-disclosure () lists netsys com (Jul 19)
- Symantec Buys SecurityFocus, among others.... Nexus (Jul 20)
- 99% Peter van den Heuvel (Jul 20)
- Symantec Buys SecurityFocus, among others.... Chris Wysopal (Jul 20)
- Symantec Buys SecurityFocus, among others.... Nexus (Jul 20)
- Symantec Buys SecurityFocus, among others.... Bela Lubkin (Jul 20)
