lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3D2E2A29.2000808@thievco.com>
From: BlueBoar at thievco.com (Blue Boar)
Subject: Re: Announcing new security mailing list

Matthew S. Hallacy wrote:
> I disagree, I think my DOCSIS vulnerability posting is a good example of
> something that should have gone out immediately, but was /never/ posted.
> ( I ended up taking it to another list)
> 
> It was valid, the vendors knew, but it was withheld because you deemed it
> 'malicious'.

"You", meaning who?  Not I.. it went to my list:
http://online.securityfocus.com/archive/82/261280

I have my own set of (often harsher) standards for what posts I allow on 
vuln-dev... but that has nothing to do with Bugtraq.

I assume you mean Dave, whose reply is here:
http://online.securityfocus.com/archive/82/261454

I suppose you can accuse him of not stating his standards well enough up 
front for what kinds of messages he considers fraud instructions.

I might not have approved the original message either.  For messages like 
that, I'm often torn between my policy of not allowing posts that tell that 
a particular site is vulnerable to a hole only they can fix, and allowing 
the poster to implicate themself for the poking around they've done.  It 
kinda depends if I feel like I've been made an accessory.  If so, I'll 
usually approve it for the world to see.  Or, maybe forward to the FBI.  I 
haven't had occasion to do the latter yet.

The point being, that has nothing to do with the Bugtraq moderator holding 
posts so he can warn a vendor to make a fix.

In your case, if I'm reading the headers correctly, there were only about 6 
hours between when you sent the note to Bugtraq, and decided it wasn't 
going to be posted?

							BB

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ