Full-Disclosure Security List Suspended Indefinitely

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing." The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

He's right.

[Anonymous Coward]

The fact that my living comes from appsec work is reflective of the shit world we live in. In a perfect world, this entire industry shouldn't exist.

A tragedy

[jbmartin6]

I think the changes brewing in the wake of Target breach and Snowden's leak show the power of full disclosure. It seemed to me that "responsible disclosure" was just another way of saying "no consequences." And we see time and time again how no consequences equals no action.

Re:A tragedy

[jbmartin6]

Additional thought: responsible disclosure only works because of the threat of full disclosure.

Re:Who?

[erikkemperman]

Perhaps without fingering individuals, it would be good to find about a bit more about what the hell happened here. This is not a guy who quits at the drop of a hat, right?

If you believe in full disclosure

[hsmith]

Name the names. Sorry, I simply don't buy the reasoning at all. If the problems were so bad you want to "stop it all together" then you indicate who that person is.

just switch moderators he's burned out

[xxxJonBoyxxx]

As a security guy who has also been on the short end of legal threats too I feel for this guy. He's burned out and could use a year on the beach. Take a year or two at a cushy corporate security job but please keep the list alive - there are plenty of other moderators who would pick up the slack.

Re:If you believe in full disclosure

[Zocalo]

Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be. Or maybe there is no really significant threat other than some inconvenience, but this is just the straw that broke the camel's back. If not taking down this list would result in the breach of a court order, then this is almost certainly the right tack to take, regardless of how painful it might seem, unless we are expecting John to potentially become another fugitive from justice, like Edward Snowden?

Sure,it's a sad day for freedom of information, and will no doubt have negative consequences due to more information being known only those with malicious intentions and companies sweeping issues under the rug due to lack of exposure, but even so I don't think it's ont that is worth compromising your life over, let alone expecting someone else to do so.

Nonsense.

[johnnys]

There's a meme going around that "Fact is, you cannot make a secure product," is somehow a "Truth" that we all just have to accept.

This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.

If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.

If you want to save money on salaries by connecting your critical systems to the Internet using commodity CPUs that don't separate writable RAM from executable RAM, and operating systems designed for single user with poor security built in, and software written by the lowest bidder using languages that encourage lazy programmers to write buffer overruns, then you will save money but there's no way you can make a secure product. But don't pretend it's a universal fact that security is not possible: Recognize it's your own penny-pinching that is causing the problem.

Because all too often, devs are assholes

[WOOFYGOOFY]

This is what we were talking about yesterday regarding the github brouhaha . Assholism amongst the dev community appears to be so high that, statistically speaking , the odds of being able to run a site like this one, or say have a decent working atmosphere tends to zero once the company is big enough or the site is popular enough.

For significant public-interest websites, you somehow need a serious source of funding just for maintenance work to counter the effects of assholes. For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers . The lesson of git hub and this guy is simple. Software devs are just as bad as anyone in Exxon . They'll drop trou and take a gigantic dump on any aspect of the social contract they want to the moment it suits them.

I am not saying this is in contrast to some golden bygone era of civility. People have always been like this. Well, for a while in software development, before Bill Gates started sending out cease and desist legal notices to people who were copying the software he copied from CPM , there was s kind of golden era perhaps. But then Lucky Autisim Boy started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.

We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.

Re:Nonsense.

[Travis Mansbridge]

Didn't stuxnet make it through air-gapped systems? Seems like for every step forward white-hats take, black-hats take one as well.

Re:A tragedy

[BVis]

No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

Seriously?

First of all, you can bring whatever you want to management; the pointy haired bosses who control resource allocation likewise can ignore whatever they want. All they hear is "computer shit I don't understand blah blah blah security problem I don't understand blah blah OH MY GOD IT WILL COST MONEY TO FIX blah blah". I used to think "oh, nobody will do that" was just a joke.. then I worked for a small company that did e-commerce. I could stand on my head giving example after example and potential disaster scenarios all I wanted, they would not change anything. The only things that really got fixed were things I found myself and fixed silently without telling anyone. If I told you what info they had been storing you would be sick to your stomach.

Second of all, this: "Has anyone found $problem yet?" "No, but they could" "OK so it's not a problem right now, go do $stupidshitthatdumbassclientwants instead."

When you're dealing with non-technical management that nevertheless is given authority to make technical decisions with or without considering problems raised by people who actually know what the fuck they're doing, security problems will exist no matter how blatant. You can spend all the time you want teaching pigs to sing, but in the end you're wasting your time and annoying the pigs.. who sign your paychecks.

Full Disclosure was just a marketing vehicle

[Anonymous Coward]

I followed Full Disclosure for years and it was really nothing more than a marketing vehicle for unknown wannabe white hats to get noticed and get a job. Then there were the black hats who used it to brag about their latest criminal activities. And finally there were the trolls, the most consistent (and crazy) of which was "Weev" who was later arrested and jailed for the AT&T iPad user id/email URL guessing thing.

It was never really anything more than a source of amusement. Twitter and Pastebin have really made public mailing lists obsolete.

Re:Skills Levels of Hacking Community

[Anonymous Coward]

How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot?

That's a wide range of problems to solve.
    C is special, probably not rateable.
    For the rest, a few percent of focused folks with the right attitude, education, mentoring, experience, and luck.
    The answer hasn't changed in 50 years.

What has changed is that available tools let the rest of the folks do much more widely useful work.
      (Except of course for the bug/security thing.)

The whole security world is in a very bad shape

[Opportunist]

The snakeoil peddlers and smokescreen builders are in full swing. I guess it's the "in the kingdom of the blind, the one eyed is king" thing, where security managers who have no clue hire consultants who have a little bit thereof. I recently handed in my resignation as the CISO of a fairly large logistics giant because I reached the point where I could no longer carry the responsibility, especially for customer data.

I come from a technical background. Not a business one. I'm neither manager nor beancounter by education, though I now have to pose as one. My security "career" started out with malware analysis and reverse engineering. With time, I ended up in management, eventually shifting over to another job and reaching said CISO position, after digging through the depths and pits of security management, process management and IT-management in general. I learned what makes managers tick and why they're so in love with IT-governance tools: They offer a lot of neat business ratios that allow you to pretend you know what your company is doing without even having to understand it.

And this is where the problem starts. Because IT-Consulting companies jumped that bandwagon instantly. Their main selling point today is that they deliver you some of those business ratios. That's what is wanted. Nobody gives a shit whether they know what they're doing or whether they have some key pushing monkeys that can barely decypher the output of Nessus. Because that's what 9 out of 10 consultants we hired (I had to, don't look at me like that!) could do, and little more. Fire up some automated analysis tool and have it sit there, collect data, then compile some neat looking report (i.e. copy/paste the output, then write a summary based on the fill-the-gaps crib sheet).

'scuse me, but I don't need a consultant for a few 100 bucks an hour just to push 3 buttons, and then end up with a "security analysis" that doesn't even find half the problems!

The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?

But they get away with that. For two reasons. First, the average security manager knows even LESS than them. The average security manager is first and foremost a manager, not a technical person. He knows the processes, he knows the procedures, he maybe knows the legal stuff it entails. But lacks the intimate knowledge of the inner workings of networks and computer systems. In such a world led by the blind, the one eyed can easily become their king. And because they know processes, procedures and legal foundation, they also know what leads to problem number two: It doesn't matter. They're safe. They did everything ISO27001 demands, they did everything BS7799 requires, they did everything their governance framework expects, they're safe. Their company isn't, but why should they give a shit? Their job is safe, that's what matters. To them, at least.

And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

Re:A tragedy

[BVis]

If you don't have a security dept that will back you on these things, then someone hired the wrong ppl for the security dept.

Problem: What is a security department?