Full-Disclosure Security List Suspended Indefinitely

← Back to Stories (view on slashdot.org)

Full-Disclosure Security List Suspended Indefinitely

Posted by Unknown on Wednesday March 19, 2014 @12:48AM from the poking-the-hornet's-nest-for-12-years dept.

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing." The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

37 of 162 comments (clear)

Min score:

Reason:

Sort:

Who? by Anonymous Coward · 2014-03-19 00:52 · Score: 5, Interesting

Come on then, let's have full disclosure. WHO made the threats?
1. Re:Who? by erikkemperman · 2014-03-19 01:07 · Score: 5, Insightful
  
  Perhaps without fingering individuals, it would be good to find about a bit more about what the hell happened here. This is not a guy who quits at the drop of a hat, right?
  
  --
  Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
2. Re:Who? by Anonymous Coward · 2014-03-19 01:37 · Score: 2, Interesting
  
  Fuck that. My torch is already burning.
3. Re: Who? by Anonymous Coward · 2014-03-19 02:17 · Score: 2, Informative
  
  Twitter seems to agree (!!!!) that it was Nicholas Lemonias.
4. Re:Who? by OolimPhon · 2014-03-19 03:41 · Score: 3, Funny
  
  Snoden,
  I believe this was a result of your efforts,
  And now Insiders are attacking the lists,
  Amoung many other things - I have seen, heard and witnessed many IT 9-to-5ers, Unlike thy,
  Whom are all whining now, about NSA hacking, Infiltrations, Etc. Its happening 10 fold.
  Tell the world the truth before Anonymous is forced to: That you are still working with the NSA and you are a giant psyop.
  Not a haiku!
A tragedy by jbmartin6 · 2014-03-19 01:02 · Score: 5, Insightful

I think the changes brewing in the wake of Target breach and Snowden's leak show the power of full disclosure. It seemed to me that "responsible disclosure" was just another way of saying "no consequences." And we see time and time again how no consequences equals no action.

--
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
1. Re:A tragedy by jbmartin6 · 2014-03-19 01:07 · Score: 5, Insightful
  
  Additional thought: responsible disclosure only works because of the threat of full disclosure.
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
2. Re:A tragedy by Ash+Vince · 2014-03-19 01:21 · Score: 2
  
  Additional thought: responsible disclosure only works because of the threat of full disclosure.
  No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.
  So responsible disclosure works because even if the threat is never disclosed fully by the person who found it, it might be discovered by some one else independently.
  
  --
  I dont read /. to RTFA, I read /. to offend people in ignorance.
3. Re:A tragedy by jbmartin6 · 2014-03-19 01:37 · Score: 2
  
  I don't agree. Well, ok, yes this might be what happens in some cases. However, there are plenty of cases, especially in the earlier years, where owners declined to fix anything until full details were disclosed. Excuses like no one else would ever use this, it can't be exploited, etc. were all over the place.
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
4. Re:A tragedy by BVis · 2014-03-19 02:28 · Score: 5, Insightful
  
  No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.
  Seriously?
  First of all, you can bring whatever you want to management; the pointy haired bosses who control resource allocation likewise can ignore whatever they want. All they hear is "computer shit I don't understand blah blah blah security problem I don't understand blah blah OH MY GOD IT WILL COST MONEY TO FIX blah blah". I used to think "oh, nobody will do that" was just a joke.. then I worked for a small company that did e-commerce. I could stand on my head giving example after example and potential disaster scenarios all I wanted, they would not change anything. The only things that really got fixed were things I found myself and fixed silently without telling anyone. If I told you what info they had been storing you would be sick to your stomach.
  Second of all, this: "Has anyone found $problem yet?" "No, but they could" "OK so it's not a problem right now, go do $stupidshitthatdumbassclientwants instead."
  When you're dealing with non-technical management that nevertheless is given authority to make technical decisions with or without considering problems raised by people who actually know what the fuck they're doing, security problems will exist no matter how blatant. You can spend all the time you want teaching pigs to sing, but in the end you're wasting your time and annoying the pigs.. who sign your paychecks.
  
  --
  Never underestimate the power of stupid people in large groups.
5. Re:A tragedy by BVis · 2014-03-19 04:14 · Score: 4, Insightful
  
  If you don't have a security dept that will back you on these things, then someone hired the wrong ppl for the security dept.
  Problem: What is a security department?
  
  --
  Never underestimate the power of stupid people in large groups.
6. Re:A tragedy by BVis · 2014-03-19 04:16 · Score: 2
  
  Which, unfortunately, doesn't get the problem addressed. CYA is not a substitute for good decisions.
  
  --
  Never underestimate the power of stupid people in large groups.
7. Re:A tragedy by Minupla · 2014-03-19 04:19 · Score: 4, Funny
  
  Security dept: (n) A deptartment in a company that if it doesn't exist will cause the development department to be directly blamed for anything that goes wrong. See also: (n) scapegoat.
  Seriously, my IT dept calls us "the latex department" because if we're involved they're protected. Otherwise they get the blame.
  Min
  
  --
  On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Re:He's right. by ledow · 2014-03-19 01:02 · Score: 5, Interesting

Nor would health & safety, auditing, repair shops, replacement parts, the guy who checks the pitot tube on aircraft is clean, etc. nor countless thousands of other industries. The fact that the industry exists shows you that a) we cannot secure things perfectly but b) we try hard to do so.
Fact is, you cannot make a secure product, no matter how cocky you are. So you need experts to secure things, whether or not they are forced to do so on sub-standard operating systems, hardware or applications.
Personally, I think we've come on leaps and bounds in terms of OS security in the time I've been around, but it's application security that's the problem - and the biggest problem comes from OS's not being "allowed" to lock down applications to their bare minimum necessary resources in the first place.
And now we have a new threat - hardware security where our own machines are being used against us.
It's like saying that if everyone put rubbish in a bin, we wouldn't need street cleaners. Almost true, not quite, but almost. But it's honestly, never, ever, ever going to happen until we are literally redefining "rubbish", "bin" and "cleaner" (i.e. automated robots running around doing it for us).
And real life, as shown here, is much more affected by stupid people, making stupid decisions and even enacting stupid laws. In a perfect world we wouldn't have any of those either. But still we have lawyers.
If you believe in full disclosure by hsmith · 2014-03-19 01:10 · Score: 5, Insightful

Name the names. Sorry, I simply don't buy the reasoning at all. If the problems were so bad you want to "stop it all together" then you indicate who that person is.
1. Re:If you believe in full disclosure by Zocalo · 2014-03-19 01:20 · Score: 5, Insightful
  
  Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be. Or maybe there is no really significant threat other than some inconvenience, but this is just the straw that broke the camel's back. If not taking down this list would result in the breach of a court order, then this is almost certainly the right tack to take, regardless of how painful it might seem, unless we are expecting John to potentially become another fugitive from justice, like Edward Snowden?
  
  Sure,it's a sad day for freedom of information, and will no doubt have negative consequences due to more information being known only those with malicious intentions and companies sweeping issues under the rug due to lack of exposure, but even so I don't think it's ont that is worth compromising your life over, let alone expecting someone else to do so.
  
  --
  UNIX? They're not even circumcised! Savages!
Seconded by drinkypoo · 2014-03-19 01:16 · Score: 2, Funny

"I believe in full disclosure! And I'm not going to tell you why I'm doing this!" Fail, fail. Name and shame or fuck off, we have no time for your enabling bullshit. You have served your purpose, and are now useless. Er, not you, you know who I mean.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
just switch moderators he's burned out by xxxJonBoyxxx · 2014-03-19 01:20 · Score: 4, Insightful

As a security guy who has also been on the short end of legal threats too I feel for this guy. He's burned out and could use a year on the beach. Take a year or two at a cushy corporate security job but please keep the list alive - there are plenty of other moderators who would pick up the slack.
Nonsense. by johnnys · 2014-03-19 01:28 · Score: 5, Insightful

There's a meme going around that "Fact is, you cannot make a secure product," is somehow a "Truth" that we all just have to accept.
This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.
If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.
If you want to save money on salaries by connecting your critical systems to the Internet using commodity CPUs that don't separate writable RAM from executable RAM, and operating systems designed for single user with poor security built in, and software written by the lowest bidder using languages that encourage lazy programmers to write buffer overruns, then you will save money but there's no way you can make a secure product. But don't pretend it's a universal fact that security is not possible: Recognize it's your own penny-pinching that is causing the problem.

--
Sometimes the "writing on the wall" is blood spatter...
1. Re:Nonsense. by mwvdlee · 2014-03-19 01:52 · Score: 4, Funny
  
  If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.
  Because we all know humans can be trusted completely instead of often being the weakest link in a security chain.
  This includes the guys that operate the machine, the people that build the machine, the people that supplied to components for the machine, the contractor that build the datacenter, their subcontractors, the people supplying bricks to the builders, etc.
  In theory, it's possible to create a perfectly secure product, in practice there isn't enough money, time and knowledge in the world to do so.
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
2. Re:Nonsense. by Travis+Mansbridge · 2014-03-19 01:52 · Score: 5, Insightful
  
  Didn't stuxnet make it through air-gapped systems? Seems like for every step forward white-hats take, black-hats take one as well.
3. Re:Nonsense. by omglolbah · 2014-03-19 02:02 · Score: 4, Informative
  
  Air gaps are fun.
  Engineering workstation on the air-gapped system is connected to the same keyboard and monitor as an office machine.
  Space constraints in the office on an oil rig.
  The same engineer who went around pushing orange 'locks' in all the usb ports on the whole damn plant, including on the switches etc also created this gem.
  Unlock the USb port on the KVM, add a usb stick. That way he could easily 'move files between the systems without looking for a stick'.....
  You cannot fix stupid.
4. Re:Nonsense. by LordLimecat · 2014-03-19 02:28 · Score: 2
  
  This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.
  Clearly Apple, Microsoft, Google, Mozilla, and Red Hat are all too lazy to do so. But Im sure youve got it all figured out.
  I mean Im not a software dev, and I wouldnt claim to be an "expert" in security-- but surely it says something that noone's actually managed to write a "secure" application of any substantial complexity. We've gotten really good at patching bugs quickly (particularly google, various linux coders, and mozilla), but the fact that the applications are getting patched indicates that there are vulnerabilities, and its a bit silly to imply that the aforementioned organizations simply lack the expertise to "do it right".
5. Re:Nonsense. by Nevo · 2014-03-19 02:29 · Score: 2
  
  So, if I don't want an airplane to disappear, I should hire a pilot to fly it instead of network it with external systems, then?
6. Re:Nonsense. by Anonymous Coward · 2014-03-19 02:54 · Score: 2, Informative
  
  This is not true for Windows after XP.
7. Re:Nonsense. by Anonymous Coward · 2014-03-19 03:39 · Score: 2, Funny
  
  You've clearly never had a hammer bounce back and hit you in the head.
8. Re:Nonsense. by ObsessiveMathsFreak · 2014-03-19 03:50 · Score: 2
  
  Insecure systems are merely a corollary to that 1948 proof, and your schoolboy suggestions on how to make systems "secure" just shows you don't understand the problem. Everyone who understands the problem accepts the ultimate futility that underlies attempts to solve it.
  What is this, a rerun of the "security is encryption+verification" No-True Scotsman fallacy that lead to the Firefox self-signed certs debacle.
  An abstract mathematical proof means we cannot make a secure product? And somehow the security community has bought into this? I worry sometimes that the security community is prone to ridiculously levels of dogmatism and groupthink befitting any serious hacking group.
  You can make a secure product. Security does not mean 100% proof perfect security. Security means that it is difficult, very difficult, to break into or even break the product.
  Right now, in a similar way to unencrypted connections, we have a situation where most programs are insecure, and wide open to exploits and worse. And right now, just as with self-signed certs, we have a security community dogma that regards trying to improve things as a step backwards. This is asinine.
  Stop making excuses for bad software, and bad systems designs. We can build a better internet, which is more secure from the ground up. Our efforts will not be futile -- far from it. A better internet for all is waiting to be created out there.
  
  --
  May the Maths Be with you!
9. Re:Nonsense. by EuclideanSilence · 2014-03-19 07:15 · Score: 2
  
  I'll jump into the middle of this AC argument!
  Godel's incompleteness theorems don't mean that you can't make fully verified software. It means that you can make software which can't be verified. Big deal. Verification is coming; in some areas, like medical/aero software and processor design it's already here.
10. Re:Nonsense. by plover · 2014-03-19 08:11 · Score: 2
  
  You've clearly never had a hammer bounce back and hit you in the head.
  After reading *that* randomly ugly formatted text, I'm not so sure that's a given.
  
  --
  John
Because all too often, devs are assholes by WOOFYGOOFY · 2014-03-19 01:35 · Score: 4, Insightful

This is what we were talking about yesterday regarding the github brouhaha . Assholism amongst the dev community appears to be so high that, statistically speaking , the odds of being able to run a site like this one, or say have a decent working atmosphere tends to zero once the company is big enough or the site is popular enough.
For significant public-interest websites, you somehow need a serious source of funding just for maintenance work to counter the effects of assholes. For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers . The lesson of git hub and this guy is simple. Software devs are just as bad as anyone in Exxon . They'll drop trou and take a gigantic dump on any aspect of the social contract they want to the moment it suits them.
I am not saying this is in contrast to some golden bygone era of civility. People have always been like this. Well, for a while in software development, before Bill Gates started sending out cease and desist legal notices to people who were copying the software he copied from CPM , there was s kind of golden era perhaps. But then Lucky Autisim Boy started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.
We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.
Re:crime by wonkey_monkey · 2014-03-19 01:40 · Score: 2

You know, when you commit a crime and another person is aware of that crime and does nothing, that same person is guilty as well. If theres any legal repercusion to this...
a) They're not guilty of the same crime
b) What crime are you talking about?

--
systemd is Roko's Basilisk.
The real priority here... by Anonymous Coward · 2014-03-19 02:00 · Score: 5, Funny

Isn't finding out who made the threats. Where can we find the Furry porn?
Skills Levels of Hacking Community by ObsessiveMathsFreak · 2014-03-19 02:40 · Score: 5, Interesting

There is no honour amongst hackers any more. There is no real community. There is precious little skill.
This quote should concern everyone. We have now had an entire generation of programmers raised on walled garden apps, cookie-cutter scripting libraries, and above all a wave of cheap VC funding and hardware. How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot? How many people, young people, are there who can write an OS kernel, design a basic circuit, and at a more pertinently serious level, reliably write software to implement mathematical encryption algorithms.
Reading this I'm inclined to believe that recent meme post about how the programming/silicon valley community has been taken over by "brogrammers", "hipsters" and "neckbeads", which to my mind are simply constitute cultural re-skinnings of the infamous Visual Basic programmers of old.
I worry that the unglamorous, mostly uncompensated, and largely intellectually driven practice of pure software programming and creation has been left behind in recent years. I personally have noticed little progression and indeed in many areas a general regression in the quality and reliability of software since approximately 2006/7.
While I would attribute this to my general "civilization is in decline" zeitgeist worries, my frustrations with software, UIs, and websites in particular has undoubtedly increased manifestly in the last 2-3 years or so. Maybe I'm just getting old -- or maybe programmers really are getting worse.

--
May the Maths Be with you!
1. Re:Skills Levels of Hacking Community by Anonymous Coward · 2014-03-19 03:21 · Score: 2, Insightful
  
  How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot?
  That's a wide range of problems to solve.
  C is special, probably not rateable.
  For the rest, a few percent of focused folks with the right attitude, education, mentoring, experience, and luck.
  The answer hasn't changed in 50 years.
  What has changed is that available tools let the rest of the folks do much more widely useful work.
  (Except of course for the bug/security thing.)
The whole security world is in a very bad shape by Opportunist · 2014-03-19 03:22 · Score: 4, Insightful

The snakeoil peddlers and smokescreen builders are in full swing. I guess it's the "in the kingdom of the blind, the one eyed is king" thing, where security managers who have no clue hire consultants who have a little bit thereof. I recently handed in my resignation as the CISO of a fairly large logistics giant because I reached the point where I could no longer carry the responsibility, especially for customer data.
I come from a technical background. Not a business one. I'm neither manager nor beancounter by education, though I now have to pose as one. My security "career" started out with malware analysis and reverse engineering. With time, I ended up in management, eventually shifting over to another job and reaching said CISO position, after digging through the depths and pits of security management, process management and IT-management in general. I learned what makes managers tick and why they're so in love with IT-governance tools: They offer a lot of neat business ratios that allow you to pretend you know what your company is doing without even having to understand it.
And this is where the problem starts. Because IT-Consulting companies jumped that bandwagon instantly. Their main selling point today is that they deliver you some of those business ratios. That's what is wanted. Nobody gives a shit whether they know what they're doing or whether they have some key pushing monkeys that can barely decypher the output of Nessus. Because that's what 9 out of 10 consultants we hired (I had to, don't look at me like that!) could do, and little more. Fire up some automated analysis tool and have it sit there, collect data, then compile some neat looking report (i.e. copy/paste the output, then write a summary based on the fill-the-gaps crib sheet).
'scuse me, but I don't need a consultant for a few 100 bucks an hour just to push 3 buttons, and then end up with a "security analysis" that doesn't even find half the problems!
The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?
But they get away with that. For two reasons. First, the average security manager knows even LESS than them. The average security manager is first and foremost a manager, not a technical person. He knows the processes, he knows the procedures, he maybe knows the legal stuff it entails. But lacks the intimate knowledge of the inner workings of networks and computer systems. In such a world led by the blind, the one eyed can easily become their king. And because they know processes, procedures and legal foundation, they also know what leads to problem number two: It doesn't matter. They're safe. They did everything ISO27001 demands, they did everything BS7799 requires, they did everything their governance framework expects, they're safe. Their company isn't, but why should they give a shit? Their job is safe, that's what matters. To them, at least.
And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:The whole security world is in a very bad shape by Xaedalus · 2014-03-19 04:04 · Score: 2
  
  Speaking as someone who came into the IT industry in his 30's and is a finance analyst, I can tell you this: business is a game. Your managers and your product managers and your executives (particularly those with MBAs) all know that business is a meta-level game. It doesn't matter what you produce, code, or what market you serve--at a certain level it's all about profit, loss, retooling your resources, and ultimately figuring out what tactics will generate maximum profit while keeping costs as low as possible. Those business ratios you speak of are what businesses live and die by at the Exec/Managerial level. Or, think of it as a MTG game: you have two or more players, with a 60 card deck. Depending on the build of the decks involved, one player could recycle their cards from the graveyard, while the other person has a burn deck. No matter what--the game is going to come to an end at some point. Each player has a win strategy, which also coincidentally happens to be an exit strategy. The game goes on, each player uses their resources as best they can. One person wins, one person loses, and that's it. They then move on to another game. That's exactly what happens in the executive/managerial world, especially in IT. Quality, quantity, reputation, service, sales, they're all just levers. Now, you'll always have the rare company that focuses on a specific reason for its existence that ISN'T primarily to make profit (Pixar, Apple, Google) but those are a rarity. Sturgeon's law applies to business operations just as it does to anything else. Business is a game--and for 90% of the employers out there, you are a replaceable resource who will be kept on as long as your value (technical, social, etc.) exceeds your cost, because that's what business IS. It's a process, a game.
  To me, it's shocking how many product managers I've met who don't really give a damn about their products, they're more focused on developing their products to be -good enough- to sell in the market. But then once I spent enough time around them (and most of them are just MBAs), it made sense. They learned that business is just a game, and they don't take it personally. They have enough connections and networking that they simply move on to the next job and treat it like a game too. The rest of us (non-execs and managers) take this personally--and that's our problem.
  
  --
  Here's to hot beer, cold women, and Glaswegian kisses for all.
Nameless? by Kernel+Kurtz · 2014-03-19 13:41 · Score: 2

That's hardly "full disclosure".
If you can't post it, leak it.