[Full-Disclosure] openssl exploit code

From: hellNbak (hellnbak@nmrc.org)
Date: 09/16/02


From: hellnbak@nmrc.org (hellNbak)
Date: Mon, 16 Sep 2002 17:28:47 -0400 (EDT)


Solar,

While I have nothing to do with Bugtraq I do moderate another full
disclosure list out there - VulnWatch. The nature of moderated lists
in general means that the moderator, in this case Dave Ahmad, must first
read then approve the message and hopefully do so in a timely manner.

I don't know the actual content of the message sent to Bugtraq but from
the sounds of it, it contained code written by you but was not sent by you.
As a moderator I too would have first checked with the author of the code
to ensure that I wasn't assisting someone in leaking someone else's code.

How does this have anything to do with full disclosure? Would you not
want someone to notify you if someone got a hold of your zero day and was
distributing it?

It seems that a lot of people are confused about what full disclosure
really is. Checking if the credited author of code meant to post it to a
list is common sense and not anything to do with full disclosure.
Moderated full disclosure, in most cases, does not mean censorship at
least on any list that I have a hand in.

Just my $.02..........

On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Date: Mon, 16 Sep 2002 16:08:54 -0500
> From: Solar Eclipse <solareclipse@phreedom.org>
> To: Dave Ahmad <da@securityfocus.com>
> Cc: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] openssl exploit code
>
> On Mon, Sep 16, 2002 at 02:16:05PM -0600, Dave Ahmad wrote:
> > An exploit code that lists you as the author has been posted to Bugtraq.
> > I would like to request your permission before approving it for
> > distribution on the list.
>
> And you call Bugtraq a full disclosure list?
>
> Weak.
>
> Since you asked, my answer is no. You do not have my permission
> to post my source code to Bugtraq or anywhere on SecurityFocus,
> Symantec or any affiliated site.
>
> This also covers the source of the apache-ssl worm, which includes
> substantial stolen parts of my exploit code, unless those parts are
> properly removed.
>
>
> Solar Eclipse
>

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-