Full Disclosure mailing list archives

Re: Announcing new security mailing list


From: full-disclosure () lists netsys com (Matthew S. Hallacy)
Date: Thu, 11 Jul 2002 23:34:39 -0500

On Thu, Jul 11, 2002 at 06:00:25PM -0700, Blue Boar wrote:

> "You", meaning who?  Not I.. it went to my list:
> http://online.securityfocus.com/archive/82/261280
>
> I have my own set of (often harsher) standards for what posts I allow on
> vuln-dev... but that has nothing to do with Bugtraq.
>
> I assume you mean Dave, whose reply is here:
> http://online.securityfocus.com/archive/82/261454

Sorry, it was Dave, I kind of see securityfocus as one large group..

> I suppose you can accuse him of not stating his standards well enough up
> front for what kinds of messages he considers fraud instructions.

How is it any different from someone writing an exploit and posting it to
the list? I didn't even include any scripts for it, I merely explained
the process (I did have people, such as 3Com (who still claim there is
no problem) say that it was not an issue with their product(s)).

> I might not have approved the original message either.  For messages like
> that, I'm often torn between my policy of not allowing posts that tell that
> a particular site is vulnerable to a hole only they can fix, and allowing
> the poster to implicate themself for the poking around they've done.  It
> kinda depends if I feel like I've been made an accessory.  If so, I'll
> usually approve it for the world to see.  Or, maybe forward to the FBI.  I
> haven't had occasion to do the latter yet.

I didn't view it as illegal, I had been repeatedly informed by AT&T that
any speed limitations were due to hardware limitations, and that I should
feel free to download all the 'tweaks' available online, etc etc. Never
would they admit to having capped the service (I have the emails to/from
the AT&T tech support rep stating this)

> The point being, that has nothing to do with the Bugtraq moderator holding
> posts so he can warn a vendor to make a fix.

It's about censoring valid content based on a single person's feelings.

> In your case, if I'm reading the headers correctly, there were only about 6
> hours between when you sent the note to Bugtraq, and decided it wasn't
> going to be posted?

Actually I had posted it that Friday, I waited until Monday ~2pm and
re-sent it (thus the 'lets try this again' comment), only at that point
did I receive a message back from the moderator that he was not going
to allow it through, with no explanation. 6 hours later I posted it to
vuln-dev

>                                                       BB

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

