Message-ID: <16243.15857.351239.644526@mail.linux-delhi.org>
From: raju at linux-delhi.org (Raj Mathur)
Subject: BugTraq Speed

Dave Ahmad picked up on my post and responded privately.  He doesn't
have any objections to my forwarding his messages to FD, hence
forwarding without prejudice.

-- Raju
-- 
Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                  All your domain are belong to us.
                      It is the mind that moves

[Message from Dave Ahmad]

Return-Path: <da@...urityfocus.com>
In-Reply-To: <16242.22041.486674.791277@...l.linux-delhi.org>
Message-ID: <Pine.LNX.4.58.0309250950310.22182@...l.securityfocus.com>
References: <28915501A44DBA4587FE1019D675F983093D79@...int.intern.adiscon.com>
 <3F71F6C4.1060708@...anic.de> <16242.22041.486674.791277@...l.linux-delhi.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
From: Dave Ahmad <da@...urityfocus.com>
To: Raj Mathur <raju@...ux-delhi.org>
Subject: Re: [Full-Disclosure] BugTraq Speed
Date: Thu, 25 Sep 2003 10:19:31 -0600 (MDT)


Raj,

I appreciate you being the voice of reason.  I can offer you a simple
explanation, off-list.  Bugtraq is a moderated list, Full-Disclosure is
not.  Of course Full-Disclosure is going to be faster.  It takes me some
time to read through all of the submissions to Bugtraq and decide which ones
are to be on the list.  Unfortunately, Bugtraq is not my only responsibility
here.  I have to balance trying to moderate as quickly as
possible with managing my team and maintaining/supporting some of the
products here which depend on the vulnerability database.
Despite all of this, I believe, Bugtraq is consistently faster than the
other moderated lists.

There's no conspiracy to withhold messages while our customers get priority.
That is absurd, all one has to do is monitor the list during regular
business hours.  For example, the FreeBSD advisory mentioned by
Rainer:  I approved it as soon as I was at my desk, before 9AM here.
It hit my mail spool about 30 minutes later (50,000 users on the list
means 50,000 SMTP transactions -- there's some latency in delivery,
though we try to improve performance by using QMQP with concurrent
outgoing servers).

During the day I approve messages as they arrive.  Once in a while messages
slip.  It happens.  I have hundreds of messages in the queue.
Sometimes a single message is surrounded by OOTO replies, A/V bounces,
spam, virus/worm mails, etc, and I don't see it until I review the queue
when I have time.  Follow-up messages sometimes take a little longer
because there are so many of them, many of which say the same things.  To
keep the noise down, I read over them all and select the best messages for
approval.  It takes me hours of my time both at work and outside of the
office.

I'm not asking that anyone take my word for it.  The Bugtraq delivery
times are available to anyone on the list.  With all of the speculation
I'm surprised nobody has actually put in the effort to try and prove
we are withholding information.  I assure you that any such investigation
would show that the pattern of message approval is not consistent with us
withholding the precious zero-day of the community.  There's not really
any commercial advantage anyways, since there are so many lists now
and much of what goes to Bugtraq is sent everywhere else as well.  Most
importantly, it's simply not ethical and I would have no part in doing
that.  But again, don't take my word for it.

Thanks again.

[Personal stuff snipped -- Raju]

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

>
> Uh, has anyone bothered asking DMA the reason for the delay?  You may
> not get any reasonable explanation, but at least give the man a chance
> to defend himself before condemning him.
>
> - -- Raju
> - --
> Raj Mathur                raju@...dalaya.org      http://kandalaya.org/
>        GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
>                   All your domain are belong to us.
>                       It is the mind that moves