Dave Ahmad picked up on my post and responded privately. He doesn't have any objections to my forwarding his messages to FD, hence forwarding without prejudice.

-- Raju
--
Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
All your domain are belong to us.
It is the mind that moves

[Message from Dave Ahmad]

From: Dave Ahmad <[EMAIL PROTECTED]>
To: Raj Mathur <[EMAIL PROTECTED]>
Subject: Re: [Full-Disclosure] BugTraq Speed
Date: Thu, 25 Sep 2003 10:19:31 -0600 (MDT)

Raj,

I appreciate you being the voice of reason. I can offer you a simple explanation, off-list.

Bugtraq is a moderated list, Full-Disclosure is not. Of course Full-Disclosure is going to be faster. It takes me some time to read through all of the submissions to Bugtraq and decide which ones are to be on the list. Unfortunately, Bugtraq is not my only responsibility here. I have to balance trying to moderate as quickly as possible with managing my team and maintaining/supporting some of the products here which depend on the vulnerability database. Despite all of this, I believe Bugtraq is consistently faster than the other moderated lists.

There's no conspiracy to withhold messages while our customers get priority. That is absurd; all one has to do is monitor the list during regular business hours. For example, the FreeBSD advisory mentioned by Rainer: I approved it as soon as I was at my desk, before 9AM here. It hit my mail spool about 30 minutes later (50,000 users on the list means 50,000 SMTP transactions -- there's some latency in delivery, though we try to improve performance by using QMQP with concurrent outgoing servers).

During the day I approve messages as they arrive. Once in a while messages slip. It happens. I have hundreds of messages in the queue.
Sometimes a single message is surrounded by OOTO replies, A/V bounces, spam, virus/worm mails, etc., and I don't see it until I review the queue when I have time. Follow-up messages sometimes take a little longer because there are so many of them, many of which say the same things. To keep the noise down, I read over them all and select the best messages for approval. It takes me hours of my time both at work and outside of the office.

I'm not asking that anyone take my word for it. The Bugtraq delivery times are available to anyone on the list. With all of the speculation I'm surprised nobody has actually put in the effort to try and prove we are withholding information. I assure you that any such investigation would show that the pattern of message approval is not consistent with us withholding the precious zero-day of the community. There's not really any commercial advantage anyways, since there are so many lists now and much of what goes to Bugtraq is sent everywhere else as well. Most importantly, it's simply not ethical and I would have no part in doing that. But again, don't take my word for it.

Thanks again.

[Personal stuff snipped -- Raju]

David Mirza Ahmad
Symantec

PGP: 0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
--
The battle for the past is for the future.
We must be the winners of the memory war.

> > Uh, has anyone bothered asking DMA the reason for the delay? You may
> > not get any reasonable explanation, but at least give the man a chance
> > to defend himself before condemning him.
> >
> - -- Raju
> - --
> Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/
> GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
> All your domain are belong to us.
> It is the mind that moves

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
