Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Censorship Security

Full-Disclosure Security List Suspended Indefinitely 162

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing."
The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.
This discussion has been archived. No new comments can be posted.

Full-Disclosure Security List Suspended Indefinitely

Comments Filter:
  • Who? (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 19, 2014 @07:52AM (#46523367)

    Come on then, let's have full disclosure. WHO made the threats?

    • by JJBSr ( 832011 )
      C'mon AC we don't want to feed trolls here
      • Re:Who? (Score:5, Insightful)

        by erikkemperman ( 252014 ) on Wednesday March 19, 2014 @08:07AM (#46523483)

        Perhaps without fingering individuals, it would be good to find about a bit more about what the hell happened here. This is not a guy who quits at the drop of a hat, right?

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Fuck that. My torch is already burning.

      • by Anonymous Coward

        "we don't want to feed trolls here"

        What?

        SlashDot is Trolls. Don't you ever bother to read this mush?

      • Re: Who? (Score:2, Informative)

        by Anonymous Coward

        Twitter seems to agree (!!!!) that it was Nicholas Lemonias.

    • Re: (Score:2, Redundant)

      by nitehawk214 ( 222219 )

      Come on then, let's have full disclosure. WHO made the threats?

      Why would the World Health Organisation do this?

      • Come on then, let's have full disclosure. WHO made the threats?

        Why would the World Health Organisation do this?

        Perhaps he meant the CDC. I didn't think the Cult of the Dead Cow were still active.

        Obligatory full disclosure: http://www.bash.org/?4780 [bash.org]

  • A tragedy (Score:5, Insightful)

    by jbmartin6 ( 1232050 ) on Wednesday March 19, 2014 @08:02AM (#46523437)
    I think the changes brewing in the wake of Target breach and Snowden's leak show the power of full disclosure. It seemed to me that "responsible disclosure" was just another way of saying "no consequences." And we see time and time again how no consequences equals no action.
    • Re:A tragedy (Score:5, Insightful)

      by jbmartin6 ( 1232050 ) on Wednesday March 19, 2014 @08:07AM (#46523481)
      Additional thought: responsible disclosure only works because of the threat of full disclosure.
      • Additional thought: responsible disclosure only works because of the threat of full disclosure.

        No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

        So responsible disclosure works because even if the threat is never disclosed fully by the person who found it, it might be discovered by some one else independently.

        • I don't agree. Well, ok, yes this might be what happens in some cases. However, there are plenty of cases, especially in the earlier years, where owners declined to fix anything until full details were disclosed. Excuses like no one else would ever use this, it can't be exploited, etc. were all over the place.
        • Re:A tragedy (Score:5, Insightful)

          by BVis ( 267028 ) on Wednesday March 19, 2014 @09:28AM (#46523997)

          No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

          Seriously?

          First of all, you can bring whatever you want to management; the pointy haired bosses who control resource allocation likewise can ignore whatever they want. All they hear is "computer shit I don't understand blah blah blah security problem I don't understand blah blah OH MY GOD IT WILL COST MONEY TO FIX blah blah". I used to think "oh, nobody will do that" was just a joke.. then I worked for a small company that did e-commerce. I could stand on my head giving example after example and potential disaster scenarios all I wanted, they would not change anything. The only things that really got fixed were things I found myself and fixed silently without telling anyone. If I told you what info they had been storing you would be sick to your stomach.

          Second of all, this: "Has anyone found $problem yet?" "No, but they could" "OK so it's not a problem right now, go do $stupidshitthatdumbassclientwants instead."

          When you're dealing with non-technical management that nevertheless is given authority to make technical decisions with or without considering problems raised by people who actually know what the fuck they're doing, security problems will exist no matter how blatant. You can spend all the time you want teaching pigs to sing, but in the end you're wasting your time and annoying the pigs.. who sign your paychecks.

          • by Minupla ( 62455 )

            I agree there are companies out there like that. I'll say though, if a developer comes to me with security issue, it'll get addressed in my company. We (the security dept) has a seat at the decision making table when we select which tickets get worked on, and the power to red ticket a release until a security bug gets addressed.

            That being said, one could argue that the reason we have that authority links back to the full disclosure movement and the impact of incidents like the Targets and the TJ Maxx ("Wh

        • Additional thought: responsible disclosure only works because of the threat of full disclosure.

          No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

          So responsible disclosure works because even if the threat is never disclosed fully by the person who found it, it might be discovered by some one else independently.

          This just encourages management to cover it up. Only the thread of the vulnerability becoming public incentivises management to fix it.

        • by kasperd ( 592156 )

          So responsible disclosure works because even if the threat is never disclosed fully by the person who found it, it might be discovered by some one else independently.

          Not all companies think this way. Some seem to think that threats about legal action against the finder, will keep not only the finder from publishing, but everybody else as well. Or they seem to think that such threats can give the finder sufficient incentive to ensure, that nobody else will find the problem.

          I am not entirely sure how such

      • Additional thought: responsible disclosure only works because of the threat of full disclosure.

        And completely fails if the definition of "responsible" is defined by the party that would have to suffer the consequences.

      • Additional thought: responsible disclosure only works because of the threat of full disclosure.

        Sometimes. Other times the vendor threatens the researcher. Other times the researcher never takes it public. In all of those cases, there is a problem the community doesn't know about for some period of time.

        I've advocated for Informed Disclosure [bfccomputing.com] in the past. In a nut shell, you tell the public that there is a problem, that the problem is related to X, that to work around it you can do Y, and that there will

    • by shuz ( 706678 )

      The only change top down management at Target care about is the stock price and which levers when pulled affect that price. Target already has a very distributed development and IT model where any one person doesn't know much about anything other than the very specific system they work on. Furthermore their infrastructure is highly locked down but clearly there was a fault that was exploited. People feel emotionally violated by any ID theft, which makes sense. However the protections given by credit compani

  • by hsmith ( 818216 ) on Wednesday March 19, 2014 @08:10AM (#46523503)
    Name the names. Sorry, I simply don't buy the reasoning at all. If the problems were so bad you want to "stop it all together" then you indicate who that person is.
    • Seconded (Score:3, Funny)

      by drinkypoo ( 153816 )

      "I believe in full disclosure! And I'm not going to tell you why I'm doing this!" Fail, fail. Name and shame or fuck off, we have no time for your enabling bullshit. You have served your purpose, and are now useless. Er, not you, you know who I mean.

    • by Zocalo ( 252965 ) on Wednesday March 19, 2014 @08:20AM (#46523561) Homepage
      Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be. Or maybe there is no really significant threat other than some inconvenience, but this is just the straw that broke the camel's back. If not taking down this list would result in the breach of a court order, then this is almost certainly the right tack to take, regardless of how painful it might seem, unless we are expecting John to potentially become another fugitive from justice, like Edward Snowden?

      Sure,it's a sad day for freedom of information, and will no doubt have negative consequences due to more information being known only those with malicious intentions and companies sweeping issues under the rug due to lack of exposure, but even so I don't think it's ont that is worth compromising your life over, let alone expecting someone else to do so.
      • by Anonymous Coward

        Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be....

        So, "full disclosure no matter what" is fundamentally flawed because there are situations where it's not appropriate.

        Yeah, you could accuse Cartright of violating his principles. And you'd be right.

      • Barring an injunction / gag order, I dont believe anyone can prevent you from disclosing that their threats are why you are taking the list down.

        • You don't believe in "chilling effects?" Threats regarding non-disclosure often include themselves in their subject matter... "you can't disclose X, Y, and Z, and you also can't disclose that you can't disclose X, Y, and Z"... and the threat can be sufficiently onerous to be credible.

          I think you overrate the intimidating power of nominally legitimate instruments of judicial power, and underestimate the power of simply dragging someone through the courts for years on end. The process is its own punishment, a

          • by davecb ( 6526 )
            Courts overturn those with ease. We once encountered a CP/M program whose license prohibited reverse engineering, but when examined appeared to be a blatant copy of another. After disassembly, it was found to indeed be stolen software. The reverse engineering clause was found unenforceable as contrary to long-standing public policy, as it would have prevented reporting it to the police.
    • And if turns out that the real reason is... "We are tired of fighting trolls and don't want to do it anymore." Fine. That is their right, nobody is forcing them to do it.

      The only thing that makes sense here is they have already been served some legal gag order thing, but I would expect that to come out somehow.

  • by xxxJonBoyxxx ( 565205 ) on Wednesday March 19, 2014 @08:20AM (#46523557)

    As a security guy who has also been on the short end of legal threats too I feel for this guy. He's burned out and could use a year on the beach. Take a year or two at a cushy corporate security job but please keep the list alive - there are plenty of other moderators who would pick up the slack.

  • You know, when you commit a crime and another person is aware of that crime and does nothing, that same person is guilty as well. If theres any legal repercusion to this...shouldn't they be involved...just say'n
    • You know, when you commit a crime and another person is aware of that crime and does nothing, that same person is guilty as well. If theres any legal repercusion to this...

      a) They're not guilty of the same crime
      b) What crime are you talking about?

      • its a reference. If you commit a crime and did nothing your guilty. I'm not an expert at this but by the law at least where I am, (Canada...perhaps USA as well) if someone commits a crime and do nothing, you are obligated to act...not do nothing and ignore. Thats what I meant. To me being aware of bugs and ignoring those bugs and forcing others to to do so is simply wrong.
  • by WOOFYGOOFY ( 1334993 ) on Wednesday March 19, 2014 @08:35AM (#46523645)

    This is what we were talking about yesterday regarding the github brouhaha . Assholism amongst the dev community appears to be so high that, statistically speaking , the odds of being able to run a site like this one, or say have a decent working atmosphere tends to zero once the company is big enough or the site is popular enough.

    For significant public-interest websites, you somehow need a serious source of funding just for maintenance work to counter the effects of assholes. For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers . The lesson of git hub and this guy is simple. Software devs are just as bad as anyone in Exxon . They'll drop trou and take a gigantic dump on any aspect of the social contract they want to the moment it suits them.

    I am not saying this is in contrast to some golden bygone era of civility. People have always been like this. Well, for a while in software development, before Bill Gates started sending out cease and desist legal notices to people who were copying the software he copied from CPM , there was s kind of golden era perhaps. But then Lucky Autisim Boy started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.

    We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.

    • ... Lucky Autisim Boy

      Lols. Who is going to play him in the biopic?

      ... started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.

      We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.

      Well, to be fair, "we" (is there a "we"?) are not known for our people skills. I guess about the best I can hope for is that my immediate bosses shield me from most of the assholes. There are pockets of good within the morass of ass. Plus, there are hot women here! (Pro tip: work in life sciences)

    • by PPH ( 736903 )

      People have always been like this.

      Not to this degree. The Internet has made anonymity much easier than in the past. As a result, people can pull a*hole stunts with little risk to their reputation.

      I'm not saying we should get rid of anonymity. But we need to develop the culture to give a statement credibility in line with its possible cost to the speaker. Back in the 'old days', if you didn't confront your opponent publicly, you got laughed out of town.

    • For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers .

      Ok. Who else read this sentence and visualized the Crimson Permanent Assurance [wikipedia.org] sailing the Bounding Main (Street)?

      I had to smile, even though the real topic is depressing as hell.

    • by jafac ( 1449 )

      Civility in academic research? LOL!!!!

  • We have easier ways of collecting information. We could even do it in a decentralized manner so there is no one to moderate/sue.

  • by Anonymous Coward on Wednesday March 19, 2014 @09:00AM (#46523815)

    Isn't finding out who made the threats. Where can we find the Furry porn?

    • by Shoten ( 260439 )

      Isn't finding out who made the threats. Where can we find the Furry porn?

      Find a local LARP and ask around. They'll know.

  • by Anonymous Coward

    Ok folks, some dweeb is trying to edit reality so that he looks better. He is probably threatening the list if they don't edit it to make him look less stupid. I think if this person has to bring a few thousand of us to court to edit reality, then it will get very expensive. Here is a copy of my MBox file of Full Disclosure from way back in 2002 to the present. It's quite complete and I'm sure what this idiot is trying to erase is in there. How many of you are willing to do the same?

    http://www.baribault.com [baribault.com]

    • by Anonymous Coward

      Or, just joyfully give him what he asks for.
            Because after a select subset is deleted, a diff with the originals is MUCH easier.

      Why work to figure out what is bugging the gentleman when he is willing to do the work for you?

      So where did you say that archive was ;-)

  • There is no honour amongst hackers any more. There is no real community. There is precious little skill.

    This quote should concern everyone. We have now had an entire generation of programmers raised on walled garden apps, cookie-cutter scripting libraries, and above all a wave of cheap VC funding and hardware. How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot? How many people, young people, are there who can write an OS kernel, design a basic circuit, and at a more pertinently serious level, reliably write software to implement mathematical encryption algorithms.

    Reading this I'm inclined to believe that recent meme post about how the programming/silicon valley community has been taken over by "brogrammers", "hipsters" and "neckbeads", which to my mind are simply constitute cultural re-skinnings of the infamous Visual Basic programmers of old.

    I worry that the unglamorous, mostly uncompensated, and largely intellectually driven practice of pure software programming and creation has been left behind in recent years. I personally have noticed little progression and indeed in many areas a general regression in the quality and reliability of software since approximately 2006/7.

    While I would attribute this to my general "civilization is in decline" zeitgeist worries, my frustrations with software, UIs, and websites in particular has undoubtedly increased manifestly in the last 2-3 years or so. Maybe I'm just getting old -- or maybe programmers really are getting worse.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot?

      That's a wide range of problems to solve.
      C is special, probably not rateable.
      For the rest, a few percent of focused folks with the right attitude, education, mentoring, experience, and luck.
      The answer hasn't changed in 50 years.

      What has changed is that available tools let the rest of the folks do much more widely

    • They're off doing the more interesting things that are enabled by the high level-languages and tools you decry: designing robotic swarms, writing interactive protein folders, analysing the semantic content of language through the internet. People didn't lose interest when they abandoned the old tools, they abandoned the old tools because they're not the only intellectual game in town.

    • by Burz ( 138833 )

      The explosion of "brogrammers" et al is a reflection of increasing amounts of code and complexity. Maybe this site closure is a just a symptom of that trend going too far... the surface area to be protected, audited and patched has just become to large and the security culture is caving under that weight.

      I think I've mentioned Qubes to you before... I can stuff all sorts of apps and functionality into it without impacting my attack surface and overall risk much. I just have to think about the 'who' and 'wha

  • by Anonymous Coward

    I followed Full Disclosure for years and it was really nothing more than a marketing vehicle for unknown wannabe white hats to get noticed and get a job. Then there were the black hats who used it to brag about their latest criminal activities. And finally there were the trolls, the most consistent (and crazy) of which was "Weev" who was later arrested and jailed for the AT&T iPad user id/email URL guessing thing.

    It was never really anything more than a source of amusement. Twitter and Pastebin have

    • Twitter and Pastebin have really made public mailing lists obsolete.

      I have no opinion of the rest, but this bit needs a +1 Funny.

  • by Opportunist ( 166417 ) on Wednesday March 19, 2014 @10:22AM (#46524459)

    The snakeoil peddlers and smokescreen builders are in full swing. I guess it's the "in the kingdom of the blind, the one eyed is king" thing, where security managers who have no clue hire consultants who have a little bit thereof. I recently handed in my resignation as the CISO of a fairly large logistics giant because I reached the point where I could no longer carry the responsibility, especially for customer data.

    I come from a technical background. Not a business one. I'm neither manager nor beancounter by education, though I now have to pose as one. My security "career" started out with malware analysis and reverse engineering. With time, I ended up in management, eventually shifting over to another job and reaching said CISO position, after digging through the depths and pits of security management, process management and IT-management in general. I learned what makes managers tick and why they're so in love with IT-governance tools: They offer a lot of neat business ratios that allow you to pretend you know what your company is doing without even having to understand it.

    And this is where the problem starts. Because IT-Consulting companies jumped that bandwagon instantly. Their main selling point today is that they deliver you some of those business ratios. That's what is wanted. Nobody gives a shit whether they know what they're doing or whether they have some key pushing monkeys that can barely decypher the output of Nessus. Because that's what 9 out of 10 consultants we hired (I had to, don't look at me like that!) could do, and little more. Fire up some automated analysis tool and have it sit there, collect data, then compile some neat looking report (i.e. copy/paste the output, then write a summary based on the fill-the-gaps crib sheet).

    'scuse me, but I don't need a consultant for a few 100 bucks an hour just to push 3 buttons, and then end up with a "security analysis" that doesn't even find half the problems!

    The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?

    But they get away with that. For two reasons. First, the average security manager knows even LESS than them. The average security manager is first and foremost a manager, not a technical person. He knows the processes, he knows the procedures, he maybe knows the legal stuff it entails. But lacks the intimate knowledge of the inner workings of networks and computer systems. In such a world led by the blind, the one eyed can easily become their king. And because they know processes, procedures and legal foundation, they also know what leads to problem number two: It doesn't matter. They're safe. They did everything ISO27001 demands, they did everything BS7799 requires, they did everything their governance framework expects, they're safe. Their company isn't, but why should they give a shit? Their job is safe, that's what matters. To them, at least.

    And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

    • Speaking as someone who came into the IT industry in his 30's and is a finance analyst, I can tell you this: business is a game. Your managers and your product managers and your executives (particularly those with MBAs) all know that business is a meta-level game. It doesn't matter what you produce, code, or what market you serve--at a certain level it's all about profit, loss, retooling your resources, and ultimately figuring out what tactics will generate maximum profit while keeping costs as low as possi

    • by swb ( 14022 )

      The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?

      IT consulting is just bluster, a kind of bluffing game. The idea that with a slightly greater variety of experience, the consultant knows more than the fixed-environment guy who only knows his own environment. IT consulting as a business plays on the notion that this is more true than not and that most of the time you will know mo

    • by Burz ( 138833 )

      The whole mess has a lynchpin (perhaps the only one?)....

      Modern computers are vast amalgamations of logic (of varying quality), and we can see only the iceberg tip of the iceberg tip of that content at any given time. Even the experts are left constantly guessing about the doings of all the invisible things [blogspot.com] inside.

      And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

      Start by creating a creating a desktop OS with a hypervisor ingrained [qubes-os.org] into it (all the risky stuff, even graphics and IP stacks are isolated) to reduce the attack surface to a very small area. The

      • Ok, let me rephrase that.

        I have no idea that could possibly ever see the light of day to improve that situation.

        Your ideas are great, but you won't get one single manager or decision maker to even hear you out to the end. No, not even the TL;DR version. They'll probably interrupt you somewhere when you have to breathe the first time and say "Will $mission_critical_program keep running? No? Thanks for your time."

        • by Burz ( 138833 )

          Well, much of it already exists as Qubes OS, and it runs most Linux and Windows apps just fine.

          You can get CoreBoot BIOS for several systems, and they're just getting started. And given that Canonical has the best HCL (with the most compatible systems) and hardware partnership profile in the business (apart from MS), I think Shuttleworth's proposal is credible... Good luck to him!

          • Again, all of that is right but the problem you have to overcome is: Nobody ever got fired for buying MS.

            Corporate world is a VERY conservative one, no matter how "innovative" a company claims to be. Risk is something that is to be avoided. Change is something that happens when every other option has been discarded.

            In other words, a shift from MS Windows will happen if, and only if, staying with MS Windows is not an option anymore.

        • by Burz ( 138833 )

          I should also point out that, from a manager or user perspective, a Qubes system is just a re-mix of Citrix client products. Even if the user runs in only one domain, an exploit against PCs is far less likely to break out of the VM, making cleanup a quicker and much more certain task.

          It also has ways to protect you from physical attacks on boot partitions and BIOS, so travellers with laptops are less vulnerable.

    • People who know what they are doing are dangerous. They are perceived as a threat; either to the status quo or a direct threat to the organization itself.

      I work in security (networks) and I have raised more than a few eyebrows while discussing potential weaknesses and revealing that I know that the threat is more than theoretical by discussing details of how the weakness could be exploited. It terrifies some people that I have actually done "red" team work. And then they go back to arguing with me and telli

      • Someone has a mod point they could toss on that? It's spot on.

        Sad as it is, it simply is exactly what's going on today. I burned through a few jobs before I learned that the only security these people are really interested in is job security. Or, in the words of an ex-superior of mine, "he who writes remains" (it rhymes in German, "wer schreibt der bleibt"), i.e. you needn't do anything, all you have to do is to make sure you waved the "but there's a problem" flag in front of whoever could fire you and as s

  • <sarcasm>...and good riddance. Look guy, Ellison said it - Oracle's database has not been hacked in over a decade.

    *cough*

  • by Kernel Kurtz ( 182424 ) on Wednesday March 19, 2014 @08:41PM (#46530209)

    That's hardly "full disclosure".

    If you can't post it, leak it.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...