Reefa posted a topic in Security & Privacy News

When the Full Disclosure mailing list closed down last week, many in the security community wondered what, if anything, would fill the void. As it turns out, Full Disclosure will fill that void.

John Cartwright, one of the creators of the list, announced on March 19 that he was shutting it down after growing tired of requests from a particular user to remove some archived messages. Cartwright said he had endured years of legal threats from vendors and other issues associated with maintaining a list that often included zero day vulnerability information and exploit code, and he had had enough of it.

“I’m not willing to fight this fight any longer. It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry,” Cartwright wrote.

But now, Fyodor, the creator of the Nmap network scanner, has stepped in and started a new version of Full Disclosure that will carry on in the same vein as the original list. Fyodor, whose real name is Gordon Lyon, said in an announcement of the new list that he had talked with Cartwright about starting a new list, and Cartwright had told him to go ahead if he so desired.

“When I mailed John recently asking how I could help, he said he was through with the list but ‘if you want to start a replacement, go for it.’ So here we are. I already deal with (or ignore) many legal threats and removal demands since I’ve long run the most popular Full Disclosure web archive, and I already run mail servers and Mailman software for my other lists (like Nmap dev and Nmap announce). I love the Full Disclosure philosophy and movement, so I’ve started a new list!” Fyodor wrote in the announcement of the new list.

Users will need to re-subscribe to the new Full Disclosure list, but Fyodor said that he envisions the new list being a successor in spirit to the original one and being a resource for the security community.

“The new list must be run by and for the security community in a vendor-neutral fashion. It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users. As before, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community,” Fyodor wrote. “FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts won’t be tolerated!”
The Full Disclosure security mailing list, which has been one of the main discussion forums for vulnerability and exploit information for 12 years, is shutting down because “‘one of our own’ would undermine the efforts of the last 12 years”, one of the creators said.

John Cartwright, one of the creators of the Full Disclosure list, posted a message on the list saying that he was suspending the list immediately because someone in the security community had asked that a large number of messages be removed from the list’s archive for an unspecified reason. Cartwright did not name the person who made the request, but said he was unwilling to take a “virtual hatchet to the list archives on the whim of an individual”.

When it began in 2002, Full Disclosure was an alternative to the Bugtraq list, which was moderated, something that annoyed some of the members. The new list was meant to be a more free-form discussion and it often included information on zero day vulnerabilities, along with exploit code, especially in the early days. Many software vendors were not too happy to have data on bugs in their products published on a mailing list, but in 2002, most of those vendors didn’t have established security response processes, bug-reporting guidelines or even email addresses to accept vulnerability advisories.

Full Disclosure was a valuable source of information on vulnerabilities in all manner of software and hardware and many vendors over the years began posting their own advisories to the list. The list had more than its share of trolls and troublemakers and it got the occasional legal threat from vendors. But Cartwright said he never thought that the reason he’d have to shut Full Disclosure down would be the actions of a member of the list and not a vendor.

“I never imagined that request might come from a researcher within the ‘community’ itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I’m done,” Cartwright wrote in his message. “I’m not willing to fight this fight any longer. It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.”

Full Disclosure appeared on the scene at a time when many vendors were not paying a whole lot of attention to security and security researchers who found flaws in their products. Posting full details of a new bug for the world to see on the mailing list was one of the few methods researchers had to get vendors to pay attention and fix their software. Now, most major vendors have formal security response processes and deal directly with researchers on a regular basis, and some have lucrative bug bounty programs to reward them for their work. And, for researchers who would rather go another route, they can simply post a link on Twitter or write a blog post and get the word out more quickly than sending a message to a mailing list.

“Most people I know unsubscribed from Full Disclosure a long time ago. The signal-to-noise ratio is very low, and these days vulnerability researchers have no need for traditional mailing lists to publish their findings. We have blogs and Twitter, not to mention hundreds of security conferences. I think many will be nostalgic about the early days of Full Disclosure, but closing the list will have no noticeable impact on the industry or our ability to share information,” said Chris Eng, VP of security research at Veracode.

The end of Full Disclosure puts a period at the end of that chapter in the security industry.

“I’m suspending service indefinitely. Thanks for playing,” Cartwright wrote.