Home page logo
/

isn logo Information Security News mailing list archives

The Death and Re-birth of the Full-Disclosure Mail List
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Mar 2014 11:58:01 +0000 (UTC)

http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/

By jerichoattrition
March 26, 2014

After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two biggest names being speculated were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was no doubt sent to Cartwright among others. As such, I believe this is the “straw that broke the camels back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record.

As I previously noted, relying on Twitter and Pastebin dumps are not a reliable alternative to a mail list. Others agree with me including Gordon Lyon, the maintainer of seclists.org and author of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose. Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headache, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.

Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.

  From: Nicholas Lemonias. (lem.nikolas () googlemail com)
  Date: Tue, Mar 18, 2014 at 9:11 PM
  Subject: Abuse from $ISP hosts
  To: abuse@

  Dear Sirs,

  I am writing you to launch an official complaint relating to Data
  Protection Directives / and Data Protection Act (UK).

  Therefore my request relates to the retention of personal and
  confidential information by websites hosted by Secunia.

  These same information are also shared by UK local and governmental
  authorities and financial institutions, and thus there are growing
  concerns of misuse of such information.

  Consequently we would like to request that you please delete ALL records
  containing our personal information (names, emails, etc..) in whole,
  from your hosted websites (seclists.org) and that distribution of our
  information is ceased . We have mistakenly posted to the site, and
  however reserve the creation rights to that thread, and also reserve the
  right to have all personal information deleted, and ceased from any
  electronic dissemination, use either partially or in full.

  I hope that the issue is resolved urgently without the involvement of
  local authorities.

  I look forward to hearing from you soon.

  Thanks in advance,

  *Nicholas Lemonias*

Update 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas Lemonias has threatened me in various ways in a set of emails, all public now.

[...]

--
Find the best IT Security talent without breaking your recruiting budget.
Jobs cross-posted to Simply Hired, Facebook and LinkedIn.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/

  By Date           By Thread  

Current thread:
  • The Death and Re-birth of the Full-Disclosure Mail List InfoSec News (Mar 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault