Open Source and information security mailing list archives
 
From: steve at entrenchtech.com (Steve)
Subject: Re: Announcing new security mailing list

> I suppose you can accuse him of not stating his standards well enough
> up front for what kinds of messages he considers fraud instructions.

Typically Dave (the Bugtraq moderator) will return the rejected post
with comments as to why it was rejected.  I can't speak for Dave or
Security Focus, but in my experience I have seen comments come back
from Dave as to why a message is being rejected.

 
> I might not have approved the original message either.  For messages
> like that, I'm often torn between my policy of not allowing posts that
> tell that a particular site is vulnerable to a hole only they can fix,
> and allowing the poster to implicate themself for the poking around
> they've done.  It kinda depends if I feel like I've been made an
> accessory.  If so, I'll usually approve it for the world to see.  Or,
> maybe forward to the FBI.  I haven't had occasion to do the latter yet.

I think in the case when you have a post that is clearly something
illegal - i.e. "I just hacked XXX Corp and here is how" - then of course
you aren't going to post it -- you will probably forward it on to the
proper authorities and hope you don't get implicated.  But in the case
of the DOCSIS post -- it was nothing illegal so why the questions?  Of
course this is just my observation from outside the whole issue.

This reminds me of when I started Win2KSecAdvice - I had some assclown
email me saying that he just "0wn3d Microsoft using RFP's RDS exploit"
which I obviously thought was a false claim and post but I forwarded it
off to the proper people and never let it hit the list.


> In your case, if I'm reading the headers correctly, there were only
> about 6 hours between when you sent the note to Bugtraq, and decided it
> wasn't going to be posted?

Six hours isn't too out of the question as an expectation, but what the
poster needs to understand is that the larger the mailing list, the longer
it is going to take mail to be processed.  Also, there is a reference in
Mathew's post about his post not being accepted or rejected by Bugtraq
-- just deleted.  Bugtraq runs on the same mailing list software as
VulnWatch and there is no way in only six hours that a poster would know
that his post was simply ignored.  The options to a moderator are,
ACCEPT, DENY, or ignore.  If you ignore, the message must time out
before the poster is notified that it was not acted upon (and in some
cases this notification is never sent).

I am not saying that I agree with this post not being sent to Bugtraq; I
am simply trying to give a moderator's perspective on how some of the
common mailing list apps work.

Just my .02$ on a subject that is probably getting beaten to death.

Regards;


Steve Manzuik
Founder & Technical Lead
Entrench Technologies
www.entrenchtech.com

Moderator - VulnWatch
www.vulnwatch.org

-=-=-=-=-=-=-=-=-=-=-=- www.csicon.net -=-=-=-=-=-=-=-=-=-=-=-


