RIP Full Disclosure: Security world reacts to key mailing list's death
'I realised that I'm done' sighs co-admin of vulnerability clearing house
The legendary Full Disclosure mailing list, where security researchers posted details of exploits and software vulnerabilities, is shutting down.
The service, which had been running for nearly 12 years since July 2002, has been suspended indefinitely after list admin John Cartwright was no longer prepared to put up with the hassle of running the thing. He reached breaking point when an unnamed researcher demanded he delete multiple posts from the archive, as Cartwright explained in a post to the list on Wednesday:
When Len [Rose] and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise.
However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.
I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself.
However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.
I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.
I'm suspending service indefinitely. Thanks for playing.
The Full Disclosure list served an important role in quickly alerting IT and infosec professionals to newly discovered computer security vulnerabilities: some holes were documented on the list with zero days' notice for the affected vendor; some were disclosed after patches had been developed and distributed. In either case, the threat of disclosure was seen as enough to encourage vendors to take shoring up security seriously.
But the emergence of exploit brokers and the ability to making money through selling zero-day exploits to governments has changed everything. In some ways Full Disclosure is a relic of a more innocent age of internet security.
Even though it has been the place to find Oracle Database, Apache web server and Linux kernel zero-days, in recent years it's admittedly carried a lot of posts revealing cross-site scripting flaws in blogs and similar low hanging fruit. Yet, its demise attracted strong reaction from the security industry.
Russ Spitler, veep for product strategy at AlienVault, commented: "This is a real step backwards for the security community. While the loss of a news source like Full Disclosure will be replaced, the reason for the shutdown is the real loss for the community.
"For years security by obscurity was the prevalent approach even among large software vendors – pressure from forums such as Full Disclosure helped changed that approach. The large vendors took charge of their security problems, established private disclosure processes, created communication channels about their security issues and formalized their approach to addressing the root causes.
"Microsoft has to be given credit and can be taken as an example of how the largest of companies can create and establish security programs to head off these problems."
Welcome to the world of no disclosure – more reactions
"Vendors in the earlier stages of The 5 Stages of Vuln Response Grief won't get why the loss of Full Disclosure is a loss to us all," Katie Moussouris, security strategist and self-described mother of the Microsoft Bounty Program said on Twitter, referring to her RSA 2013 talk on how companies deal with security bug reports (see video below).
Vendors in the earlier stages of The 5 Stages of Vuln Response Grief won't get why the loss of Full Disclosure is a loss to us all.— Katie Moussouris (@k8em0) March 19, 2014
"Full Disclosure mailing list shutdown makes me sad. I remember starting Symantec Vuln Research and posting our advisories there and BugTraq."
Other security researchers reckon the shutdown will only have a minimal impact on the way vulnerabilities are shared.
Jon French, security analyst at AppRiver, said: "Places that disclose security vulnerabilities are all over the internet. The big difference between many of these sites is the user base. A user base of hackers and nefarious users will likely have a much different public image and draw more scrutiny than one of security professionals.
"In this case, Full Disclosure has made the decision that the user base is to a point they no longer think is viable and the legal issues are no longer worth the trouble."
"It doesn’t sound like it was closed for fear of legal interventions, but rather that he’s just tired of dealing with the attempts of legal intervention. It’s hard to judge the decision to close down as being a right one or not since we don’t know the details. While this is a blow to websites that try to be open and free, I don’t think it will have too much of an impact on the way vulnerabilities are shared," French added.
Tom Cross, director of security research for Lancope, commented: "Having a forum where vulnerability details are disclosed helps ensure that everyone is aware of that information as soon as it emerges. The loss of this forum may result in more chaotic disclosures which will make remediating these issues more challenging. Hopefully an alternative forum will emerge."
Some are already beginning to think of ways to fill the gap left by Full Disclosure.
Chris Wysopal, co-founder and chief technology officer at code review firm Veracode, said: "Full disclosure can easily still be done with a tweet with #fulldisclosure and a link to Pastebin or other text hosting site."
Full disclosure can easily still be done with a tweet with #fulldisclosure and a link to pastebin or other text hosting site.— Chris Wysopal (@WeldPond) March 19, 2014
More reflection on they sad demise of Full Disclosure can be found in a blog post by security blogger Javvad Malik here. ®