SamH
What you have to remember is people release working PoC codes on a daily basis all over the place on some trusted, well-known security sites. We have guidelines we follow also.
Doesn't really matter what page you link to. I imagine every country has its own version of the same law that basically says "Don't hack stuff" alongside subclauses about cracks and copyright theft.
People commit murder all over the world every day too, does that make it legal now?
Man, the point is not the "high level" ethics of it - the point is the "right here right now" situation of things.
You have not made the world safer.
You have not forced some gargantuan software house that mindlessly follows its capitalistic ways to cover up its act and serve its customers better.
You have only kicked one person on the shin because he didn't wear a shin-guard. That's all.
Wow, come on, you're blowing this way out of proportion. First of all, I never set out to do anything like make LFS developers look bad.
I want the game I paid the money for secured; I want the people who use the software to know the problems with the software.
And I wanted to let the security industry know of the problem.
That is it.
And as for the legal side of things, it would cost a company as small as this a lot more money to take me to court than it would cost me. For a start, I've found some bugs in huge companies like Opera, Firefox. Did they start shouting "we're going to take legal action against you"? No. Do you know why? It would cost thousands of pounds to. But hey, they would have a tiny if not slim or non-existent chance of actually getting a criminal conviction.
Criminal offences are for the Cybercrime squad to prosecute, not the company. It wouldn't cost a penny of any individual's or company's money to see a cybercriminal through the system. We're talking about criminal offences, not civil offences, here.
Finding and reporting a bug to the company in charge is a good thing.
Reporting the bug to a community - a community in your case which shares hacking info, don't try and pretend you're so naive you believe they do it for the good of the software - encourages people to exploit these vulnerabilities.
And not only that, it's probably a violation of the EULA. Rule 1.5 might be applicable, but I'm not sure.
Never said that. What I said is that you KNOW who they are by name and you KNOW it's only one person coding it and you KNOW you can contact them and that they DO take things seriously. You are not up against a faceless company. All of these are facts.
Yet when confronted with these facts you talk about ethics and guidelines. Look at the bigger and real picture, don't abstract it so much.
We've already been down this path and you recognized that you made a mistake in releasing it so soon.
NEWSFLASH: The Security Industry(tm) doesn't give a flying **** about LFS.
So you like to:
a. pick on smaller companies that can't afford the budget
b. compare large companies that provide service-crucial software to three-person outfits that provide entertainment software
Wtf, you know what, why am I even spending my time here talking to people who don't even understand what I'm talking about. Just discuss it amongst yourselves, I'm not interested any more.
It's amazing how so many people can twist things. It must make your ego feel big to attack someone as a pack, strength in numbers and all.
Look, I've put my points across; what way you choose to take them is up to you. If you want any more answers to your questions I'll be more than happy to answer them via PM.
I didn't pick on a smaller company. See what I mean about twisting things? I was wrong or naive to think I could actually discuss this with people.
No, I don't think so at all. From the time of getting in touch with the developers to actually releasing the exploit was 1 week, nearly 2. Don't take any notice of the dates on the exploit. Hold on, I'll get the exact dates.
Date: August 1 2007, the date it was written.
2007-08-06
2007-08-06
2007-08-01
The actual dates of the release. It was about a week if not more. You have no idea on what date the bugs were actually found or when the developers were told about these issues.
Alright Sam, you know I respect your ideas. But let's get a fact straight: there may be black, grey and white hats out there, but there isn't any sure border.
You quote a page in zone-h, a defacement database site. They teach security, they enforce security, they warn about criminal activities. They MUST be good, after all...
Well, not all of them. One of the two founders, Ghioni, is in jail. He's involved in breaching into the computer of the president of Rizzoli - Corriere della Sera, he was the leader of the tiger team of Telecom Italia, he's presumably involved in the illegal wiretapping of thousands of persons, there are pending investigations that tie him to the Italian military secret service and to the persons who were responsible for the kidnap of an imam in Milan, who was abducted by CIA agents who were subsequently investigated.
This is an international scandal involving someone who's presumed to be a white hat. He's been rotting in jail for months, and probably he's safer there than out, given the number of secrets he knows. He talks very little to investigators, and it's easy to understand why.
If you want different examples (Mitnick anyone?) there are tons of not so good people turning bad, and tons of not so bad people turning good. That's the norm.
My position is generally for full disclosure, but I do not condone any kind of attack, disruptive or not. I'm for research in a controlled environment, or after having obtained permission to do so. I respect the job of the people who disclose their discoveries and don't keep their knowledge for themselves for illegal activities.
For me the point with the LFS exploits is (I make it very short):
It's a sim game, and exploit-searching people are using parts (i.e. the replays) of the software in a way it shouldn't be used.
It's a replay of a race nothing more. Not a code example to play with.
No one told them to do it and it's not made by the devs for things like this.
But they dig in the code of the replays till they find something that allows i.e. a buffer overflow.
Which doesn't do anything to anyone nor is it a real security hole except
till the day these people write code to use the software part in a way the software wasn't made for.
An imo illegal way.
Then the LFS community/the devs have a problem where no problem was before,
and it wouldn't be there if they would use the software like it should be used:
For playing and having fun while racing.
So these "security holes" are only there because people are searching for gaps to use the software
or parts of it in an illegal way or to show others how they can perform illegal things on other people's computers with it etc.
In the end it's not making the software more secure but it steals my time, your time, and especially the devs' time and delays the release of LFS final.
Omfg, what are you talking about, a buffer overflow is not a serious bug.. Wake up!!
The point is people do open replay files on this forum; I have on many occasions. Simply opening a modified replay file can take over your computer, but don't worry, it's not serious.
The problem would always be there and someone would find it; I can assure you that it would have been only a matter of time. They could have used it for illegal activities or sold it on the black market.
You have no idea what you're actually talking about; at least put some good input across.
So, in essence, that makes it safer for you. Otherwise what is your point of putting up this argument about the economic cost of legal action?
Opera and the Mozilla Foundation would not shout or take legal action because they have a big team to work on fixing issues. They'll weigh the importance of the issue and decide when to fix it. Crash-causing issues like a malformed torrent file or a dozen nested marquees are not that important because they can be avoided by the user. It's also likely that they didn't react within a day or two or even a week when you informed them. So just cut the lone indy game developer some slack.
Also, the main vibe I get from people like Sam is that you guys hate public disclosure. I do hope that you guys also realize what that actually means. Let's see what a ban on PD does:
There will indeed be a decrease in script kiddie activity, so hooray for that, but what will happen to all the POCs people write? Will the POCs still reach the devs of the software or even the anti-virus industry? And if the devs and anti-virus firms no longer receive information about software weaknesses, how secure will the world be as a whole, and where do the exploits actually end up?
There is 1 thing I need to say to muhaa though. Releasing the POC code after only 2 days of notification is way too short, and Scawen should've gotten more time. I hope you'll tell your friend that.
Well, seeing this realistically - both people I know and myself have at times informed developers of software we use of security issues and in some cases of open-source software we supplied the patch as well.
Was there any public disclosure and release of a ready exploit? No.
Did the software become safer? Yes, I suppose. More stable for sure.
Did anyone exploit the vulnerability found in the meantime? No.
Did we hold anyone hostage demanding they do it within the timespan we, in our great wisdom, thought was appropriate? No.
Did anyone get credit someplace? Maybe - never followed up - it wasn't the issue.