Slashdot Mirror


Full-Disclosure Security List Suspended Indefinitely

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing."
The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

12 of 162 comments

  1. Who? by Anonymous Coward · Score: 5, Interesting

    Come on then, let's have full disclosure. WHO made the threats?

    1. Re:Who? by erikkemperman · Score: 5, Insightful

      Perhaps without fingering individuals, it would be good to find out a bit more about what the hell happened here. This is not a guy who quits at the drop of a hat, right?

      --
      Gosh, thanks. That must be why the other ships call me Meatfucker -- GCU Grey Area (Eccentric)
  2. A tragedy by jbmartin6 · Score: 5, Insightful

    I think the changes brewing in the wake of the Target breach and Snowden's leak show the power of full disclosure. It seemed to me that "responsible disclosure" was just another way of saying "no consequences." And we see time and time again how no consequences equals no action.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:A tragedy by jbmartin6 · Score: 5, Insightful

      Additional thought: responsible disclosure only works because of the threat of full disclosure.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    2. Re:A tragedy by BVis · Score: 5, Insightful

      No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

      Seriously?

      First of all, you can bring whatever you want to management; the pointy haired bosses who control resource allocation likewise can ignore whatever they want. All they hear is "computer shit I don't understand blah blah blah security problem I don't understand blah blah OH MY GOD IT WILL COST MONEY TO FIX blah blah". I used to think "oh, nobody will do that" was just a joke... then I worked for a small company that did e-commerce. I could stand on my head giving example after example and potential disaster scenarios all I wanted, they would not change anything. The only things that really got fixed were things I found myself and fixed silently without telling anyone. If I told you what info they had been storing you would be sick to your stomach.

      Second of all, this: "Has anyone found $problem yet?" "No, but they could" "OK so it's not a problem right now, go do $stupidshitthatdumbassclientwants instead."

      When you're dealing with non-technical management that nevertheless is given authority to make technical decisions with or without considering problems raised by people who actually know what the fuck they're doing, security problems will exist no matter how blatant. You can spend all the time you want teaching pigs to sing, but in the end you're wasting your time and annoying the pigs... who sign your paychecks.

      --
      Never underestimate the power of stupid people in large groups.
  3. Re:He's right. by ledow · Score: 5, Interesting

    Nor would health & safety, auditing, repair shops, replacement parts, the guy who checks that the pitot tube on an aircraft is clean, etc., nor countless thousands of other industries. The fact that the industry exists shows you that a) we cannot secure things perfectly but b) we try hard to do so.

    Fact is, you cannot make a secure product, no matter how cocky you are. So you need experts to secure things, whether or not they are forced to do so on sub-standard operating systems, hardware or applications.

    Personally, I think we've come on leaps and bounds in terms of OS security in the time I've been around, but it's application security that's the problem - and the biggest problem comes from OSes not being "allowed" to lock down applications to their bare minimum necessary resources in the first place.

    And now we have a new threat - hardware security where our own machines are being used against us.

    It's like saying that if everyone put rubbish in a bin, we wouldn't need street cleaners. Almost true, not quite, but almost. But it's honestly, never, ever, ever going to happen until we are literally redefining "rubbish", "bin" and "cleaner" (i.e. automated robots running around doing it for us).

    And real life, as shown here, is much more affected by stupid people, making stupid decisions and even enacting stupid laws. In a perfect world we wouldn't have any of those either. But still we have lawyers.

  4. If you believe in full disclosure by hsmith · Score: 5, Insightful

    Name the names. Sorry, I simply don't buy the reasoning at all. If the problems were so bad you want to "stop it all together" then you indicate who that person is.

    1. Re:If you believe in full disclosure by Zocalo · Score: 5, Insightful

      Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulted in this you could accuse John Cartwright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resisted many such threats in the past) it's difficult to know what the consequence of that might be. Or maybe there is no really significant threat other than some inconvenience, but this is just the straw that broke the camel's back. If not taking down this list would result in the breach of a court order, then this is almost certainly the right tack to take, regardless of how painful it might seem, unless we are expecting John to potentially become another fugitive from justice, like Edward Snowden?

      Sure, it's a sad day for freedom of information, and will no doubt have negative consequences due to more information being known only to those with malicious intentions and companies sweeping issues under the rug due to lack of exposure, but even so I don't think it's one that is worth compromising your life over, let alone expecting someone else to do so.

      --
      UNIX? They're not even circumcised! Savages!
  5. Nonsense. by johnnys · Score: 5, Insightful

    There's a meme going around that "Fact is, you cannot make a secure product," is somehow a "Truth" that we all just have to accept.

    This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.

    If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.

    If you want to save money on salaries by connecting your critical systems to the Internet using commodity CPUs that don't separate writable RAM from executable RAM, and operating systems designed for single user with poor security built in, and software written by the lowest bidder using languages that encourage lazy programmers to write buffer overruns, then you will save money but there's no way you can make a secure product. But don't pretend it's a universal fact that security is not possible: Recognize it's your own penny-pinching that is causing the problem.

    --
    Sometimes the "writing on the wall" is blood spatter...
    1. Re:Nonsense. by Travis Mansbridge · Score: 5, Insightful

      Didn't stuxnet make it through air-gapped systems? Seems like for every step forward white-hats take, black-hats take one as well.

  6. The real priority here... by Anonymous Coward · Score: 5, Funny

    Isn't finding out who made the threats. Where can we find the Furry porn?

  7. Skills Levels of Hacking Community by ObsessiveMathsFreak · Score: 5, Interesting

    There is no honour amongst hackers any more. There is no real community. There is precious little skill.

    This quote should concern everyone. We have now had an entire generation of programmers raised on walled garden apps, cookie-cutter scripting libraries, and above all a wave of cheap VC funding and hardware. How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot? How many people, young people, are there who can write an OS kernel, design a basic circuit, and, at a more pertinently serious level, reliably write software to implement mathematical encryption algorithms?

    Reading this I'm inclined to believe that recent meme post about how the programming/silicon valley community has been taken over by "brogrammers", "hipsters" and "neckbeards", which to my mind simply constitute cultural re-skinnings of the infamous Visual Basic programmers of old.

    I worry that the unglamorous, mostly uncompensated, and largely intellectually driven practice of pure software programming and creation has been left behind in recent years. I personally have noticed little progression and indeed in many areas a general regression in the quality and reliability of software since approximately 2006/7.

    While I would attribute this to my general "civilization is in decline" zeitgeist worries, my frustrations with software, UIs, and websites in particular have undoubtedly increased manifestly in the last 2-3 years or so. Maybe I'm just getting old -- or maybe programmers really are getting worse.

    --
    May the Maths Be with you!