Friday, 28 March 2014

Full Disclosure is dead. Long live Full Disclosure!

So, earlier this month the long-established Full Disclosure mailing list was closed – or at least suspended indefinitely – after the list moderator (John Cartwright) finally reached the end of his tether after many years of legal threats and gratuitous trolling. The e-mail sent to the mailing list outlining the reasons for its suspension can be accessed from the link below:
Now, despite its faults, including the low signal-to-noise ratio, the Full Disclosure list acted not only as a venue for genuine full disclosure of security vulnerabilities but also as a venue for some of the more "interesting" aspects of hacker culture to be displayed. After a little wailing and gnashing of teeth in the security community (and some discussion of replacing the mailing list with the #fulldisclosure Twitter hashtag), Fyodor (aka Gordon Lyon, creator and maintainer of nmap) has now revived the mailing list with the blessing of the moderator of the original incarnation. Fyodor's note announcing the revival of the list can be found at:
Now, my reason for writing this post is not just to highlight the welcome return of the Full Disclosure mailing list (thanks, Fyodor) but more to highlight the vulnerability of some of our more treasured infosec resources. I think there's a tendency to forget that resources such as Full Disclosure are not pain-free for those that provide them. In some cases there's a commercial reward for providing the resource, e.g. vendor mailing lists. But where those resources are provided out of a sense of community, I think we need to be more appreciative of the humans behind those services. Sure, trolling can be amusing for those with low/weird entertainment thresholds, but there's no point taking it to such an extreme that you lose one of your avenues for displaying your self-perceived awesomeness. Similarly, if you post something to an e-mail list called Full Disclosure, please don't be surprised if it remains on the Internet alongside the responses of those that don't agree with you. If you're not happy for your opinion to be eternally available, then don't post it to the Internet. Certainly don't start throwing legalese at those providing the community resource, or they may just take it away.
I'm certainly not advocating an absence of trolling, flaming or arguing on the reborn Full Disclosure, as that would go against the established culture of the list, but it would be good if the legal threats could be left behind with the old iteration…