Full-Disclosure Security List Is Reborn
Barely seven days ago, I was among the many people who were lamenting the loss of the Full-Disclosure security mailing list. Today, I mourn no more as Full-Disclosure has been resurrected.
Full-Disclosure is a popular open mailing list for security disclosure that first got started in 2002, and over the years it has become a valuable source of security information. On March 19, however, John Cartwright, the founder of Full-Disclosure, decided it was time to pull the plug. Cartwright complained that he was getting a lot of takedown requests from a security researcher and, in general, he wasn't very pleased with the current state of the information security community.
Not everyone shares Cartwright's views, and many in the information security community wanted Full-Disclosure to return (and you can count me in that list). On March 25, security researcher Gordon Lyon, who is well-known in the information security world as "Fyodor," emerged as Full-Disclosure's savior.
Fyodor is widely respected for his security efforts; he is the creator of the popular open-source Nmap security scanner that has been in the market since 1997.
"Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete," Fyodor wrote. "They say researchers should just Tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future."
While archives of the original Full-Disclosure mailing list are still being maintained, readers will need to re-subscribe to the new Fyodor-run Full-Disclosure mailing list.
"If I can do this for as long as John did, and with anywhere near his skill, I will consider it a success," Fyodor wrote in his first Full-Disclosure post as the list's new maintainer. "I'll recruit a team of volunteer moderators from the active list members because this needs to be run by and for the community!"
In barely a day of operation, the list has already posted its first security advisory, though it's one that also demonstrates the folly of an open mailing list.
"It is possible for unauthenticated users to upload arbitrary files to the Internet whereafter it is not possible to delete these files from the Internet," Nico Lemoin, wrote in a Full-Disclosure advisory on persistent Internet storage. "This vulnerability has been exploited in the past against Ms. Barbara Streisand."
Sometimes you just have to take the good with the bad, and the Full-Disclosure list has long had both. Given the respect that most people in the information security industry have for Fyodor, I have no reason to suspect that the resurrected Full-Disclosure will be nothing short of a full success.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.