Gentoo Archives: gentoo-security

From: Daniel Brandt <daniel.brandt@××××.se>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Profiting on the Community (wasTCP vulnerability)
Date: Thu, 22 Apr 2004 10:56:20
1 I don't think jealosy has anything to do with it. But seeing how some
2 in the industry profit out of freely available exploit code and
3 original research, without giving either credit or some of the profit
4 back to the originators, I understand them.
6 Not all knowledgeable in the computer security field are employed by a
7 security company (and, speaking of my self, some are even unemployed),
8 some do their stuff for the fun of it. How fun do you think it would
9 be for a guy hacking away at some exploit code in his dormroom for
10 free, only to discover it the next day in an advisory. That would piss
11 me off badly.
13 In '98 things were a bit different, there weren't the same amount of
14 money to be made, and people with good skills could still be self
15 employed and decide for their self wether or not to make money on
16 their stuff. Also, the research was welcomed, if only as an eyeopener
17 for those who thought they were safe with their chice of software.
19 Today more than ever, vendors are moving towards secrecy when it comes
20 to security problems. Closed trusted-parties-only mailinglists and
21 patching software in secret are examples of this. Full disclosure has
22 become a place where leeches feed, and ironically, you can be accused
23 of irresponibility if you publish truly orignial stuff.
25 Full disclosure is however the best way to spread the word of
26 problems (IMO). When security companies get tired of trying to be the
27 first to announce an advisory, it might even become a nice place again.
29 -----Original Message-----
30 From: Devon <devon@×××××.org>
31 To: gentoo-security@l.g.o
32 Date: Thu, 22 Apr 2004 03:10:18 -0400
33 Subject: Re: [gentoo-security] TCP vulnerability
35 On Thursday 22 April 2004 02:34 am, Daniel Brandt wrote:
36 > It sure looks like another silly attempt to make a name in the security
37 > industry by publishing old research; profiting on the community if you
38 > will.
39 >
40 > Nothing new, only the same thing that has been pushing more and more people
41 > to not release their research to the public.
43 Perhaps I am missing something obvious, but how do others rehashing prior
44 research make one not want to publish their new original research? If no one
45 spoke publically about the TCP ISN problems back in '98 (or whatever), we
46 couldn't sit here today and say we knew about this issue already.
48 Are these people afraid that when they release their research they will not
49 get credited and then someone else comes later, states the same thing, and
50 gets the whole Internet in an up roar? Jealousy?
52 Devon
54 --
55 gentoo-security@g.o mailing list
61 --
62 gentoo-security@g.o mailing list