
List:       gentoo-security
Subject:    Re: [gentoo-security] Profiting on the Community (was TCP vulnerability)
From:       Devon <devon () noved ! org>
Date:       2004-04-22 17:13:20
Message-ID: 4087FD30.3000604 () noved ! org

[multiple replies here]

Daniel Brandt wrote:

> I don't think jealousy has anything to do with it. But seeing how some
> in the industry profit out of freely available exploit code and
> original research, without giving either credit or some of the profit
> back to the originators, I understand them. 

Understood. :)

> How fun do you think it would be for a guy hacking away at some
> exploit code in his dormroom for free, only to discover it the
> next day in an advisory. That would piss me off badly.

Are you pissed because someone stole your work? Or are you pissed 
because someone else found the flaw faster than you? In the scenario you 
describe above, it sounds like someone else found the flaw before you 
and there was no mal intent against you.

> When security companies get tired of trying to be the
> first to announce an advisory, it might even become a nice place again.

With the money to be made pushing "security solutions", I wouldn't hold 
my breath. :)

Florian Weimer wrote:

> However, I'm sure that most of this rediscovery is truly independent.

According to NISCC's website, Steve Bellovin and Rob Thomas helped with 
the advisory. I would hope that both people knew about the original ISN 
problems. Why would they help rehash old news? Profit? I would hope not.
Fame? Steve and Rob are well known in the network security field.

BTW, I appreciate this discussion with everyone. I have been following 
the same discussions on other mailing lists and this one seems to be the 
most level-headed without any ego. :)

Devon

--
gentoo-security@gentoo.org mailing list
