[Full-Disclosure] openssl exploit code

From: hellNbak (hellnbak@nmrc.org)
Date: 09/16/02


From: hellnbak@nmrc.org (hellNbak)
Date: Mon, 16 Sep 2002 17:28:47 -0400 (EDT)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Solar,

While I have nothing to do with Bugtraq I do moderate another full
disclosure list out there - VulnWatch. The nature of a moderated list
in general means that the moderator, in this case Dave Ahmad, must first
read then approve the message and hopefully do so in a timely manner.

I don't know the actual content of the message sent to Bugtraq but from
the sounds of it it contained code written by you but was not sent by you.
As a moderator I too would have first checked with the author of the code
to ensure that I wasn't assisting someone in leaking someone else's code.

How does this have anything to do with full disclosure? Would you not
want someone to notify you if someone got a hold of your zero day and was
distributing it?

It seems that a lot of people are confused about what full disclosure
really is. Checking if the credited author of code meant to post it to a
list is common sense and not anything to do with full disclosure.
Moderated full disclosure, in most cases, does not mean censorship at
least on any list that I have a hand in.

Just my $.02..........

On Mon, 16 Sep 2002, Solar Eclipse wrote:

> Date: Mon, 16 Sep 2002 16:08:54 -0500
> From: Solar Eclipse <solareclipse@phreedom.org>
> To: Dave Ahmad <da@securityfocus.com>
> Cc: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] openssl exploit code
>
> On Mon, Sep 16, 2002 at 02:16:05PM -0600, Dave Ahmad wrote:
> > An exploit code that lists you as the author has been posted to Bugtraq.
> > I would like to request your permission before approving it for
> > distribution on the list.
>
> And you call Bugtraq a full disclosure list?
>
> Weak.
>
> Since you asked, my answer is no. You do not have my permission
> to post my source code to Bugtraq or anywhere on SecurityFocus,
> Symantec or any affiliated site.
>
> This also covers the source of the apache-ssl worm, which includes
> substantial stolen parts of my exploit code, unless those parts are
> properly removed.
>
>
> Solar Eclipse
>

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

"I don't intend to offend, I offend with my intent"

hellNbak@nmrc.org
http://www.nmrc.org/~hellnbak

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9hk0SueD73xSa+/ARAkhOAJ4gBJIMgCMybqNXQvyT7P2f58+C4gCeJ/8U
vnlFZc5gdLICxJNZ/RqurFU=
=+9Rj
-----END PGP SIGNATURE-----


