Malware research hub and mailing list Full-Disclosure has announced that it is to close after 12 years of operation.
According to founders Len Rose and John Cartright, they are “suspending service indefinitely”.
In a statement, Cartwright said that upon the creation of the list in 2002, they knew that it would “have our fair share of legal troubles along the way” and after requests to delete things, requests not to delete things and a variety of legal threats – both valid or otherwise.
However, having spent a fair amount of time dealing with complaints from one particular individual, the service is to be closed. “The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself,” he said.
“However, taking a virtual hatchet to the list archives on the whim of an individual just doesn’t feel right. That ‘one of our own’ would undermine the efforts of the last 12 years is really the straw that broke the camel’s back.”
Cartwright said that he was not willing to fight any longer and it was getting harder to operate an open forum in today’s legal climate, let alone a security-related one.
He concluded by saying that “there is no honour amongst hackers any more” and “there is no real community”.
“The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry,” he said.
Russ Spitler, VP product strategy at AlienVault, said: “This is a real step backwards for the security community. While the loss of a news source like full disclosure will be replaced, the reason for the shutdown is the real loss for the community.
“For years security by obscurity was the prevalent approach even among large ISV’s – pressure from forums such as full disclosure helped changed that approach. The large vendors took charge of their security problems, established private disclosure processes, created communication channels about their security issues and formalised their approach to addressing the root causes.
“The loss we see today is the fact that isolated players can rob the greater community of such a resource. We have now let a few people take away a major communication channel, one that helps shed light on the problems we are all trying to solve. Without public discussion of these issues steps will never be taken to address them, letting the actions of a few rob the public of this discussion is a sorry state for us to find ourselves in given the problems we still have to face.”
Jon French, security analyst at AppRiver, said: “Places that disclose security vulnerabilities are all over the internet. The big difference between many of these sites is the user base. A user base of hackers and nefarious users will likely have a much different public image and draw more scrutiny than one of security professionals. In this case, full disclosure has made the decision that the user base is to a point they no longer think is viable and the legal issues are no longer worth the trouble.
“It doesn’t sound like it was closed for fear of legal interventions, but rather that he’s just tired of dealing with the attempts of legal intervention. It’s hard to judge the decision to close down as being a right one or not since we don’t know the details. While this is a blow to websit
es that try to be open and free, I don’t think it will have too much of an impact on the way vulnerabilities are shared.”
Tom Cross, director of security research for Lancope, said: “For many years the Full Disclosure Mailing List has served an important role in the ecosystem that identifies and remediates computer security vulnerabilities. Having a forum where vulnerability details are disclosed helps ensure that everyone is aware of that information as soon as it emerges. The loss of this forum may result in more chaotic disclosures which will make remediating these issues more challenging. Hopefully an alternative forum will emerge.”
Tim (TK) Keanini, CTO Lancope, said: “The full disclosure mailing list will always have a special place in my heart but the reality is that the disclosing and sharing of zero days have changed as TOR and cryptocurrency have emerged and the darknets offer this to anyone who is willing to pay. In short, full disclosure is now a business and a growing business at that. The role that the full disclosure mailing list played was an important one at the time and it feels like a historical part of the Internet is going away.”
Ilia Kolochenko, CEO of High-Tech Bridge, said: “The end of the Full-Disclosure list is definitely a milestone for the information security industry – a very sad one as years ago Full-Disclosure used to be one of the most reliable and popular sources of infosec/hacking information. But those days are gone and skilled hackers – both black and white hats – are no longer motivated to inform the public of their findings and exploits for free.”