Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher and ongoing legal threats, The Full Disclosure mailing list is coming back, albeit from scratch and under a new operator.
Full Disclosure, which has been around since 2002, served as an open, public forum the discussion of vulnerabilities and exploitation techniques, along with other items of interest to the security community.
In a message posted to the list on March 19, John Cartwright, one of Full Disclosure’s creators, stated that the decision to shutter the service was made due to a conflict with someone in the security community who requested a large portion of the list’s archive be erased.
As it turns out, the email, or straw that broke the camels back, is assumed to be from Nicholas Lemonias and related to what is claimed to be personal information belonging to Secunia, a Danish vulnerability management firm.
In an email obtained by OSVDB and assumed to have been sent to Cartwright, Lemonias claimed that Secunia mistakenly posted to the mailing list and reserves the creation rights to that thread, along with the right to have all personal information deleted.
While its not clear what exactly the mistaken post referenced by Lemonias was, it could be when an email written by Secunia’s Advisory Team Lead, Chaitanya Sharma, was supposed to be addressed to the ‘vuln’ address at Secunia but ended up being sent to the Full Disclosure Mailing list.
Regarless, Cartwright had enough.
“I’m not willing to fight this fight any longer,” Cartwright wrote. “It’s getting harder to operate an open forum in today’s legal climate, let alone a security-related one.”
Gordon Lyon (aka Fyodor), who operates several Internet security resources and other mailing lists, said that upon hearing of the closing, he immediately reached out to Cartwright to offer assistance.
While Cartwright insisted that he was done with the list, he encouraged Lyon to move forward and create a replacement.
“You don’t need me. If you want to start a replacement, go for it,” Cartwright wrote in an email to Lyon.
“After some soul searching about how much I personally miss the list (despite all its flaws), I’ve decided to do so!” Lyon said in his announcment of the new list. “I’m already quite familiar with handling legal threats and removal demands (usually by ignoring them) since I run Seclists.org, which has long been the most popular archive for Full Disclosure and many other great security lists.”
While the list may take some time to build back an established subscriber and contributor base, Lyon’s effort is likely to be supported by security researchers and practitioners—though some vendors are not likely to be as supportive if history tells us anything.
Lyon already maintains other mailing lists including Nmap Dev and Nmap Announce, and says he will try his best to manage the list as well as Cartwright had.
“The new list must be run by and for the security community in a vendor-neutral fashion,” Lyon wrote. “It will be lightly moderated like the old list, and a volunteer moderation team will be chosen from the active users.”
“Vendor legal intimidation and censorship attempts won’t be tolerated,” he said.
Because the list is getting a fresh start and no previous subscriber information appears to be headed to Lyon, interested users will have to manually subscribe which can be done here.
“To be sure, there are personal and legal issues at play when you’re dealing with fresh zero-day,”said Tod Beardsley, Engineering Manager at Rapid7 in response to the FD list shutting down. “Going by John Cartwrights released statements, those seem to be the primary motivators for halting service. It’s sad to see it go, but just because the Full-Disclosure mailing list has come to an end, it doesn’t mean that “full disclosure” as a philosophy has ended.”
“Of course, things change,” Beardsley continued. “Today, while it was possible to follow F-D, it wasn’t usually a very pleasant experience. F-D was still the place to go for the absolute latest unvetted and unmoderated vulnerability info, but today, we have lots and lots of high-quality alternatives.”
Lyon, however, argues that there is still significant value in maintaining such a list.
“Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete,” he said. “They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future.”