Re: Exploit Brokering

[Simon Smith <simon () snosoft com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thierry, my comments are below.

Thierry Zoller wrote:
> Dear Simon,
>
> Well if it wasn't obvious enough let me rephrase.
>
> > > SS> What happens if they sell to a hostile
> > > SS> foreign party, what could happen to them, etc...?
> > > Maybe they pereive your party as a hostile foreign party, this list is
> > > obviously not based in the US.
> SS> What's your point?
> I think my point is very clear, those trying to find a buyer on this
> list (who you are directly speaking to in your post) are
> maybe not interested in selling to US based parties. You assume they
> are.

Right, I did make that assumption and that was purely based on my
perspective as a US based broker. There is no reason why the same kind
of business can't be done in other countries. I was thinking strictly
about "my" liabilities as a US based person and "my" restrictions only.
The US is only one country out of many.
> To make this even clearer :
> SS>Do they ever stop to think
> SS> about the potential liability? What happens if they sell to a hostile
> SS>foreign party, what, what could happen to them, etc...?
> Maybe the hostile foreign party for them is the USA.

Quite possibly and I could think of many reasons why people would think
so, especially with our current president in office.

> > > > The solution is to work with legitimate established businesses
> > > > in a confidential and responsible manner.
> > > If you are responsible you surely can disclose who you are selling
> > > them too ? 
> SS> That would be irresponsible.
> Why would disclosing who you are selling them to be irresponsible ?
> You argue that those seeking to sell over FD are "carelss and
> irresponsible". Now why if they sell them to you makes them less
> "careless and irresponsible" since they still don't know with
> whom the information will end up with.

Again from my perspective it would be irresponsible as we have
confidentiality agreements in place with partners. It might not be
irresponsible for others to disclose that information.

> > > Are you even disclosing this to the person that you
> > > bought them from ? When not does this make you any better than
> > > the "others" ?
> SS> I have no idea what you are asking me here.
> Are you disclosing _to the person_ you bought the bugs from, to whom
> you are going to sell them ? If not I don't see the interest why they
> should choose you over others for ethical reasons.

Same answer as above.

I should apologize because the initial email sounded very arrogant. With
that said, there is still responsible brokering and irresponsible
brokering. Selling exploits to just anyone is irresponsible.





- --

- - simon

- ----------------------
http://www.snosoft.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFHNNNaf3Elv1PhzXgRAsIRAKDHzj0Z6jMQk+A6Qkl1cWoQdzMApQCgjCI9
DD1lLw2QWmAVKC/7J/XmQTk=
=enDt
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/