When the Full Disclosure mailing list closed down last week, many in the security community wondered what, if anything, would fill the void. As it turns out, Full Disclosure will fill that void.
John Cartwright, one of the creators of the list, announced on March 19 that he was shutting it down after growing tired of requests from a particular user to remove some archived messages. Cartwright said he had endured years of legal threats from vendors and other issues associated with maintaining a list that often included zero-day vulnerability information and exploit code, and he had had enough of it.
“I’m not willing to fight this fight any longer. It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry,” Cartwright wrote.
But now, Fyodor, the creator of the Nmap network scanner, has stepped in and started a new version of Full Disclosure that will carry on in the same vein as the original list. Fyodor, whose real name is Gordon Lyon, said in an announcement of the new list that he had talked with Cartwright about starting a new list, and Cartwright had told him to go ahead if he so desired.
“When I mailed John recently asking how I could help, he said he was through with the list but ‘if you want to start a replacement, go for it.’ So here we are. I already deal with (or ignore) many legal threats and removal demands since I’ve long run the most popular Full Disclosure web archive, and I already run mail servers and Mailman software for my other lists (like Nmap dev and Nmap announce). I love the Full Disclosure philosophy and movement, so I’ve started a new list!” Fyodor wrote in the announcement of the new list.
Users will need to re-subscribe to the new Full Disclosure list, but Fyodor said that he envisions the new list being a successor in spirit to the original one and being a resource for the security community.
“The new list must be run by and for the security community in a vendor-neutral fashion. It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users. As before, this will be a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community,” Fyodor wrote. “FD differs from other security lists in its open nature, light (versus restrictive) moderation, and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts won’t be tolerated!”
Photo by Jacob Appelbaum.