i love how you like to make everything so confrontational. insecure much?<div><br></div><div>i am no longer talking about this, you obviously didn't read my email, nor did you read michael cottingham's.</div><div><br></div>
<div>stop trolling.<br><br><div class="gmail_quote">On Fri, Apr 4, 2008 at 6:11 PM, n3td3v <<a href="mailto:xploitable@gmail.com">xploitable@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="Wj3C7c"><br>
On Fri, Apr 4, 2008 at 9:34 PM, Ureleet <<a href="mailto:ureleet@gmail.com">ureleet@gmail.com</a>> wrote:<br>
> see:<br>
><br>
> > - Come to our conference - profit... buy our ticket, get a macbook prize.<br>
><br>
> > - Hacking challenge prize - profit... they give you $5000 and sell it<br>
> > to the vendor for a lot more.<br>
><br>
> ZDI provides the money for this. and they don't sell it back to vendor<br>
><br>
><br>
> > - Train to use our software -profit... over priced training for<br>
> > software... not interested.<br>
><br>
> don't get angry at remote-exploit because they are making money from their<br>
> work. how much money do you make from posting to fd?<br>
><br>
><br>
> > On the issue of how much a vulnerability is worth, the prices are not<br>
> > regulated, we need regulation into how much a vulnerability costs,<br>
> > because the prices right now are wild. We need to take vulnerability<br>
> > pricing off the blackmarket and onto a legitimate central website for<br>
> > selling vulnerabilities, or cash rewards for disclosing a<br>
> > vulnerability to a particular company or organisation.<br>
><br>
> wabisabilabi? zdi... etc.<br>
><br>
> > Can someone post to full-disclosure a price list of what they think a<br>
> > buffer overflow should be worth etc, and we can vote if we agree.<br>
><br>
> feel free to take that as a todo item. however, i would think it would<br>
> depend on the bo.<br>
><br>
> > We can't dress up cash prizes/contests as something else as well, if a<br>
> > website is offering a $5,000 reward for a vulnerability, we need to<br>
> > know if we're being ripped off with the cash reward and how much can<br>
> > be potentially made after it's sold on.<br>
><br>
> zdi doesn't sell their exploits afaik.<br>
><br>
><br>
> > Robert Lemos even <a href="http://www.securityfocus.com/news/11510" target="_blank">http://www.securityfocus.com/news/11510</a> talked about<br>
> > vulnerability pricing when Pwn2Own was on, and even Pwn2Own cash<br>
> > reward might not be enough money, compared to what a vulnerability<br>
> > *should* be worth, and taking into consideration how much profit<br>
> > CanSecWest make overall from people attending the conference.<br>
><br>
> the pwn2own cash is supplied by zdi. that's what you aren't realizing.<br>
><br>
><br>
> > So you take into consideration how much a vulnerability should be<br>
> > worth, then the added worth because it's a security conference of how<br>
> > much should be added on to counter the profit being made by the event.<br>
><br>
> you already said this. twice.<br>
><br>
><br>
> > However, to round off, we can't allow the mailing lists to turn into a<br>
> > vulnerability market place, full-disclosure should be for free stuff,<br>
> > and other websites and mailing lists can be setup for *money making<br>
> > schemes and auctions*.<br>
><br>
> there are. however how are the people going to know about the websites if<br>
> you don't allow people to 'spam' lists with this sort of thing, mr<br>
> unofficial-fd moderator?<br>
><br>
><br>
> > We shouldn't allow the money makers directly to market X... if a link<br>
> > is put on Full-Disclosure by a member of the public on the fly then<br>
> > that's ok, but I think it's cheeky for the particular conference,<br>
> > contest runner or software trainer to be on the list themselves<br>
> > spamming everyone, for a profiteering agenda.<br>
><br>
> that's why it's called free enterprise, it's an unmoderated list. feel free<br>
> to unsubscribe if you don't like it much..<br>
><br>
><br>
> > You mention cross-posting, that's not the issue here, it's the people<br>
> > making the money posting to make the money that offends me so much.<br>
><br>
> we know, it's the third time you've said it in one email.<br>
><br>
><br>
> > And not even the lonely hacker offends me who posts i've got a<br>
> > vulnerability for sale for X, I don't mind that on Full-Disclosure,<br>
> > but what I do mind is if it's a company or organisation doing it that<br>
> > is directly the ones making the money via vulnerability for sale,<br>
> > prize contest, security conference or train to use our software!!!,<br>
> > that's the height of spam I just think is utterly wrong and unethical<br>
> > on any scale of acceptability.<br>
><br>
> again, free market, and you are directly talking about zdi.<br>
><br>
><br>
> > If a lonely hacker who works in a supermarket has a vulnerability to<br>
> > sell i'm all for it being posted on full-disclosure, but not the big<br>
> > money conferences, prize hacking contests and software training guys.<br>
><br>
> fourth time.<br>
><br>
><br>
> > I come under the bracket as supermarket worker with nothing much going<br>
> > for me in life, so I should be allowed to sell a vulnerability on<br>
> > what's meant to be a mailing list for non-profit disclosure.<br>
><br>
> you work at a supermarket? so you know about the under cash drawer switch<br>
> that pops open the drawer exploit?<br>
><br>
><br>
><br>
> > You will find it easy to shout me down and say n3td3v's an idiot, but<br>
> > wait to the vulnerability market really takes off and the prices of<br>
> > vulnerabilities are properly defined and regulated, you're going to<br>
> > see a huge increase in commercial spam on the mailing lists, like the<br>
> > full-disclosure mailing list. so we've got to define what's fair play<br>
> > e-mail and what's a company or organisation blatantly profiteering<br>
> > with X method of extracting money out of people and using skilled<br>
> > hackers to make money, and to promote a security conference, training<br>
> > etc.<br>
><br>
> again, unmoderated list. the door is over there.<br>
<br>
</div></div>* i * * never * mentioned * ZDI * you * complete * jerk * off *<br>
<br>
* read * * the * * e-mail * properly * and * you * will * understand *<br>
what * I * don't * like *<br>
<br>
Overview:<br>
<br>
FIRST<br>
<br>
I said let's have a debate about how much a vulnerability is worth per<br>
vulnerability type, so everyone knows if we're being ripped off by joe<br>
jobs and to stop any blackmarkets, prices need to be defined and<br>
regulated, so everyone knows where they stand in the security<br>
community as far as prices are concerned.<br>
<br>
^^^^You bypassed this completely.<br>
<br>
SECOND<br>
<br>
Those on the list who don't disclose a vulnerability *but* are trying<br>
to sell a product should be outlawed.<br>
<br>
^^^^do you know the difference between disclosure and profiteering?<br>
<br>
You're losing my rag and the lack of intellectual debate on this from<br>
non-retards is shocking, these are two serious topics that need<br>
debating and all i've got is some lamer called "Ureleet" trying to<br>
wind me up.<br>
<br>
Is there anyone who can have a serious debate on this list?<br>
<font color="#888888"><br>
n3td3v<br>
</font></blockquote></div><br></div>