The Death and Re-birth of the Full-Disclosure Mail List


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 27 Mar 2014 11:58:01 +0000 (UTC)

http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/

By jerichoattrition
March 26, 2014

After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two biggest names being speculated were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was no doubt sent to Cartwright among others. As such, I believe this is the “straw that broke the camel’s back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now from security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record.

As I previously noted, relying on Twitter and Pastebin dumps is not a reliable alternative to a mail list. Others agree with me, including Gordon Lyon, the maintainer of seclists.org and author of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose. Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headaches, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.

Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.

  From: Nicholas Lemonias. (lem.nikolas () googlemail com)
  Date: Tue, Mar 18, 2014 at 9:11 PM
  Subject: Abuse from $ISP hosts
  To: abuse@

  Dear Sirs,

  I am writing you to launch an official complaint relating to Data
  Protection Directives / and Data Protection Act (UK).

  Therefore my request relates to the retention of personal and
  confidential information by websites hosted by Secunia.

  This same information is also shared by UK local and governmental
  authorities and financial institutions, and thus there are growing
  concerns of misuse of such information.

  Consequently we would like to request that you please delete ALL records
  containing our personal information (names, emails, etc.) in whole,
  from your hosted websites (seclists.org) and that distribution of our
  information is ceased. We have mistakenly posted to the site, and
  however reserve the creation rights to that thread, and also reserve the
  right to have all personal information deleted, and ceased from any
  electronic dissemination, use either partially or in full.

  I hope that the issue is resolved urgently without the involvement of
  local authorities.

  I look forward to hearing from you soon.

  Thanks in advance,

  *Nicholas Lemonias*

Update 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas Lemonias has threatened me in various ways in a set of emails, all public now.

[...]
