Nexus | 18 Jul 23:25 2002

Re: Symantec Buys SecurityFocus, among others....


----- Original Message -----
From: "Jay D. Dyson" <jdyson <at> treachery.net>
To: <full-disclosure <at> lists.netsys.com>
Sent: Thursday, July 18, 2002 9:39 PM
Subject: Re: [Full-Disclosure] Symantec Buys SecurityFocus, among others....

[snip]

> Indeed.  And many of us did see this coming...yet few did anything
> about it.  Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

[snip]

I'm also wondering what will happen to the pretty extensive vulnerability
database et al ?
Pay per sploit ?
;-)

Cheers,
            JJ

_______________________________________________
Full-Disclosure - We believe in it.
Full-Disclosure <at> lists.netsys.com
http://lists.netsys.com/mailman/listinfo/full-disclosure

Mark Earnest | 18 Jul 23:58 2002

RE: Symantec Buys SecurityFocus, among others....


On Thu, 18 Jul 2002, Ed Moyle wrote:
> Allow me to recommend the use of a trivial encryption algorithm to protect 
> exploits and advisories such that any for-profit company must circumvent 
> it in order to use it for their own purposes.  Perhaps distribute advisories 
> with the "do not copy" flag set on a .pdf. This would give DMCA protection 
> to the copyright and allow researchers to sue if their "protection measures" 
> are circumvented by companies looking to make money off of the research.  

That sounds good in theory, but in practice any sizable company would 
devour us, regardless of what the law says. The law is immaterial next to 
money. 

-- 
Mark Earnest
~~~~~~~~~~~~
Senior Systems Programmer
ASET/Emerging Technologies
Penn State University

Email: mxe20 <at> psu.edu
Office Phone: 814-863-2064
Public Key - http://mearnest.oas.psu.edu/gpgkey.txt

Blue Boar | 19 Jul 00:29 2002

Re: Symantec Buys SecurityFocus, among others....

Jay D. Dyson wrote:
> 	Perhaps the best way to beat these cash hounds at their own game
> is to start using a strictly not-for-profit licensing on all released
> advisories and proof-of-concept code which stipulates that for-profit
> companies may not use said information in any way.

Interesting concept.  How do you propose to copyright an idea?  You can 
decline to let someone mirror your exploit or advisory verbatim, but 
there's nothing you can do to keep someone from reporting about a 
vulnerability.

							BB


martin f krafft | 19 Jul 00:49 2002

Re: Symantec Buys SecurityFocus, among others....

also sprach Ed Moyle <emoyle <at> scsnet.csc.com> [2002.07.18.2313 +0200]:
> Allow me to recommend the use of a trivial encryption algorithm to protect 
> exploits and advisories such that any for-profit company must circumvent 
> it in order to use it for their own purposes.  Perhaps distribute advisories 
> with the "do not copy" flag set on a .pdf. This would give DMCA protection 
> to the copyright and allow researchers to sue if their "protection measures" 
> are circumvented by companies looking to make money off of the research.  

Say Symantec were to use such a document, one that I created in the
sweat of my singletude. Do you think I'd have *any* chance of claiming
my rights???

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net <at> madduck

1-800-psych: hello, welcome to the psychiatric hotline.
if you have multiple personalities, please press 3, 4, 5 and 6.
martin f krafft | 19 Jul 00:51 2002

Re: Symantec Buys SecurityFocus, among others....

also sprach Jay D. Dyson <jdyson <at> treachery.net> [2002.07.18.2239 +0200]:
> 	Indeed.  And many of us did see this coming...yet few did anything
> about it.  Thankfully, VulnWatch and this list exist and may well help
> break the inevitable stranglehold that's coming our way.

How many people are we by now?

> 	Look, I have nothing against someone trying to make a buck.  That
> is the cornerstone of the capitalist system.  What burns my biscuits is
> that the monolithic security companies are not making this money off their
> own efforts[1], but by leeching off the egalitarian contributions of those
> who possess a skill set the businesses are not willing to pay for. 

Right on. Let's just stick to this forum and not use Bugtraq anymore.
Or make your vulnerabilities available here 2 days before you post to
bugtraq (moderation only takes a day).

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net <at> madduck

if you don't understand or are scared by any of
the above ask your parents or an adult to help you.
martin f krafft | 19 Jul 00:52 2002

Re: Symantec Buys SecurityFocus, among others....

also sprach Nexus <nexus <at> patrol.i-way.co.uk> [2002.07.18.2325 +0200]:
> I'm also wondering what will happen to the pretty extensive vulnerability
> database et al ?

Is there anyone with the capabilities to extract a mirror?
(I'd notify webmaster <at>  before doing so...)

I can't provide the bandwidth or server space, unfortunately...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net <at> madduck

you're in college. you've made a mistake.
Eric Nelson | 19 Jul 01:29 2002

RE: Symantec Buys SecurityFocus, among others....

What about publishing and copyrighting the exploit? It's more legal
ammo to go after whoever uses it for malicious purposes.

Of course this doesn't *stop* the use of the exploit (discourages
perhaps?), it just increases the penalties when one gets caught using
it.

-Eric

On Thu, 18 Jul 2002, Blue Boar wrote: 

> > Perhaps the best way to beat these cash hounds at their own game
> > is to start using a strictly not-for-profit licensing on all released
> > advisories and proof-of-concept code which stipulates that for-profit
> > companies may not use said information in any way.
> 
> Interesting concept.  How do you propose to copyright an idea?

	The idea cannot be copyrighted[1], but the code (which includes
the exploit methodology) can be copyrighted with all the cursory terms
and conditions for use.

> You can decline to let someone mirror your exploit or advisory verbatim,
> but there's nothing you can do to keep someone from reporting about a
> vulnerability. 

	Sure you can...especially under the auspices of the DMCA.  Hell,
(Continue reading)

gdd | 19 Jul 01:42 2002

Re: Symantec Buys SecurityFocus, among others....

On Fri, Jul 19, 2002 at 12:52:23AM +0200, martin f krafft wrote:
> Is there anyone with the capabilities to extract a mirror?
> (I'd notify webmaster <at>  before doing so...)

A friend of mine already mirrored it. I'm not sure as to how well it
turned out since I haven't had a chance to look at it yet, but it
appears that everything is there.

A dump of whatever database it's in would be a much nicer method
of doing this.

> I can't provide the bandwidth or server space, unfortunately...

I can provide both the bandwidth and server space, but what would
the legal issues be with mirroring it? My lawyer won't even offer
any advice on this one.

Suggestions/advice anyone?

gdd <at> siliconinc.net

Blue Boar | 19 Jul 02:02 2002

Re: Symantec Buys SecurityFocus, among others....

Jay D. Dyson wrote:
> 	The idea cannot be copyrighted[1], but the code (which includes
> the exploit methodology) can be copyrighted with all the cursory terms
> and conditions for use.

You can't copyright an algorithm, only an implementation.  You need a 
patent to protect an algorithm.  Good luck patenting buffer overflows.

>>You can decline to let someone mirror your exploit or advisory verbatim,
>>but there's nothing you can do to keep someone from reporting about a
>>vulnerability. 
> 	Sure you can...especially under the auspices of the DMCA.  Hell,
> when you get down to it, all we need is one wild-eyed lawyer[2] on our
> side who'll toss a flurry of lawsuits and we'll pretty much have the
> corporate security firms by the short-and-curlies.

You think you can stop a news agency from reporting that there is a 
vulnerability in product X, that works like Y and Z?  I think you'll find 
you're mistaken.  I'd love to see it play out, though.

> 1.  Ideas, names and phrases can be trademarked, however.

Not ideas.  Names, yes.. but that just means someone has to call their 
version of the exploit something different.  And trademarks are expensive 
to obtain and defend.

> 
> 2.  Maybe one with experience via the Church of Scientology, or the one
>     who brought us McDonald's coffee cups that now read "Allow to cool
>     before applying to genitals"...
(Continue reading)

Nick FitzGerald | 19 Jul 02:23 2002

Re: Symantec Buys SecurityFocus, among others.

Blue Boar replied to Jay D. Dyson:

> > 	The idea cannot be copyrighted[1], but the code (which includes
> > the exploit methodology) can be copyrighted with all the cursory terms
> > and conditions for use.
> 
> You can't copyright an algorithm, only an implementation.  You need a 
> patent to protect an algorithm.  Good luck patenting buffer overflows.
> 
> >>You can decline to let someone mirror your exploit or advisory verbatim,
> >>but there's nothing you can do to keep someone from reporting about a
> >>vulnerability. 
> > 	Sure you can...especially under the auspices of the DMCA.  Hell,
> > when you get down to it, all we need is one wild-eyed lawyer[2] on our
> > side who'll toss a flurry of lawsuits and we'll pretty much have the
> > corporate security firms by the short-and-curlies.
> 
> You think you can stop a news agency from reporting that there is a 
> vulnerability in product X, that works like Y and Z?  I think you'll find 
> you're mistaken.  I'd love to see it play out, though.
> 
> > 1.  Ideas, names and phrases can be trademarked, however.
> 
> Not ideas.  Names, yes.. but that just means someone has to call their 
> version of the exploit something different.  And trademarks are expensive 
> to obtain and defend.

Release exploits with the vaguest of descriptions as to how they work 
(lost for examples -- just copy'n'paste the "technical bits" of some 
of the security bulletins from MS...).  Have the _only_ PoC code a 
(Continue reading)
