Full Disclosure mailing list archives

Re: BugTraq Speed


From: Raj Mathur <raju () linux-delhi org>
Date: Fri, 26 Sep 2003 00:41:45 +0530

Dave Ahmad picked up on my post and responded privately.  He doesn't
have any objections to my forwarding his messages to FD, hence
forwarding without prejudice.

-- Raju
-- 
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                  All your domain are belong to us.
                      It is the mind that moves

[Message from Dave Ahmad]

Return-Path: <da () securityfocus com>
In-Reply-To: <16242.22041.486674.791277 () mail linux-delhi org>
Message-ID: <Pine.LNX.4.58.0309250950310.22182 () mail securityfocus com>
References: <28915501A44DBA4587FE1019D675F983093D79 () grfint intern adiscon com>
 <3F71F6C4.1060708 () dylanic de> <16242.22041.486674.791277 () mail linux-delhi org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
From: Dave Ahmad <da () securityfocus com>
To: Raj Mathur <raju () linux-delhi org>
Subject: Re: [Full-disclosure] BugTraq Speed
Date: Thu, 25 Sep 2003 10:19:31 -0600 (MDT)


Raj,

I appreciate you being the voice of reason.  I can offer you a simple
explanation, off-list.  Bugtraq is a moderated list, Full-Disclosure is
not.  Of course Full-Disclosure is going to be faster.  It takes me some
time to read through all of the submissions to Bugtraq and decide which ones
are to be on the list.  Unfortunately, Bugtraq is not my only responsibility
here.  I have to balance trying to moderate as quickly as
possible with managing my team and maintaining/supporting some of the
products here which depend on the vulnerability database.
Despite all of this, I believe Bugtraq is consistently faster than the
other moderated lists.

There's no conspiracy to withhold messages while our customers get priority.
That is absurd, all one has to do is monitor the list during regular
business hours.  For example, the FreeBSD advisory mentioned by
Rainer:  I approved it as soon as I was at my desk, before 9AM here.
It hit my mail spool about 30 minutes later (50,000 users on the list
means 50,000 SMTP transactions -- there's some latency in delivery,
though we try to improve performance by using QMQP with concurrent
outgoing servers).

During the day I approve messages as they arrive.  Once in a while messages
slip.  It happens.  I have hundreds of messages in the queue.
Sometimes a single message is surrounded by OOTO replies, A/V bounces,
spam, virus/worm mails, etc., and I don't see it until I review the queue
when I have time.  Follow-up messages sometimes take a little longer
because there are so many of them, many of which say the same things.  To
keep the noise down, I read over them all and select the best messages for
approval.  It takes me hours of my time both at work and outside of the
office.

I'm not asking that anyone take my word for it.  The Bugtraq delivery
times are available to anyone on the list.  With all of the speculation
I'm surprised nobody has actually put in the effort to try and prove
we are withholding information.  I assure you that any such investigation
would show that the pattern of message approval is not consistent with us
withholding the precious zero-day of the community.  There's not really
any commercial advantage anyways, since there are so many lists now
and much of what goes to Bugtraq is sent everywhere else as well.  Most
importantly, it's simply not ethical and I would have no part in doing
that.  But again, don't take my word for it.

Thanks again.

[Personal stuff snipped -- Raju]

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.


Uh, has anyone bothered asking DMA the reason for the delay?  You may
not get any reasonable explanation, but at least give the man a chance
to defend himself before condemning him.

-- Raju
-- 
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                  All your domain are belong to us.
                      It is the mind that moves


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html