
Full-disclosure – Administrivia: The End - Morgawr
http://marc.info/?l=full-disclosure&m=139522698431442&w=2
======
znowi
Instrumental in this message for me was this part:

 _There is no honour amongst hackers any more._

10-20 years back the term hacker had a close relation to a certain moral conduct
emphasizing freedom of knowledge. Today, with a mass market of startups that
was largely popularized by Hacker News, this perception has changed. A hacker
now is a founder. He must be good at raising money, monetizing a product and
the greatest feat of all - _exit_. There are no more moral obligations of the
past. Launch at all cost - the rest is an afterthought.

There's a discrepancy between the two cultures. I think this divide is the
source of the mailing-list problem and problems with freedom of information
and privacy at large we have today.

~~~
tptacek
I don't even know how to respond to the idea that teenagers breaking into
phone switches and harassing people, buying Pantera CDs on stolen credit
cards, stealing ESNs from other people's phones to make calls on someone
else's bill, and rm'ing Unix boxes are somehow _more honorable_ than adults
running businesses.

The "hackers" FD's moderator is talking about are the ones I'm talking about.
They aren't MIT students ordering sweet and sour bitter melon.

~~~
Zancarius
> are somehow more honorable than adults running businesses.

Gotta admit, I thought the same thing. Then I'm reminded of patent and
trademark law...

~~~
tptacek
What about it? Patent and trademark law are two things the typical valley
"hacker" acutely opposes.

~~~
guelo
Bullshit. I haven't seen one supposed startup hacker put up a fight once the
"grownups", investors, and lawyers start telling them they have to patent
something.

The only Silicon Valley moral is making money.

~~~
Zancarius
It's curious how well your comment fits with the article this discussion is
over, because I think that's the underlying problem. It's no longer about
fundamentally "hacker" interests as much as it is about financial gain,
influence, legalities, and gobs of other rubbish.

------
majke
A bit of context, maybe it will be helpful for some:

[http://seclists.org/fulldisclosure/2014/Mar/170](http://seclists.org/fulldisclosure/2014/Mar/170)

[http://seclists.org/fulldisclosure/2014/Mar/294](http://seclists.org/fulldisclosure/2014/Mar/294)

[http://seclists.org/fulldisclosure/2014/Mar/291](http://seclists.org/fulldisclosure/2014/Mar/291)

[http://seclists.org/fulldisclosure/2014/Mar/286](http://seclists.org/fulldisclosure/2014/Mar/286)

[http://seclists.org/fulldisclosure/2014/Mar/298](http://seclists.org/fulldisclosure/2014/Mar/298)

And a full email exchange:
[http://seclists.org/fulldisclosure/2014/Mar/index.html#123](http://seclists.org/fulldisclosure/2014/Mar/index.html#123)

My personal favourite (in a positive way):
[http://seclists.org/fulldisclosure/2014/Mar/160](http://seclists.org/fulldisclosure/2014/Mar/160)

~~~
acqq
Specifically:

[http://seclists.org/fulldisclosure/2014/Mar/298](http://seclists.org/fulldisclosure/2014/Mar/298)

It seems that one guy not only trolled the list but also he either created new
identities for more trolling or managed to attract more trolls as bad as he.
The guy also appears to deeply believe he's right.

It's still not fully clear to me if he is also the person thus described by
the list maintainer:

"I always assumed that the turning point would be a sweeping request for
large-scale deletion of information that some vendor or other had taken
exception to. I never imagined that request might come from a researcher
within the 'community' itself (and I use that word loosely in modern times)."

------
NathanOsullivan
It seems ironic for the end to arrive without full disclosure of why.

~~~
mhurron
Yes it would seem in the vein of the list to out the 'researcher' who is being
the final asshole.

~~~
sspiff
What would be the point, other than nailing that person to a post and having
them exposed to various forms of Internet abuse?

As you said yourself, this is just the final straw.

~~~
ctdonath
That would be the point.

~~~
sspiff
Are you suggesting this is a good custom and should be practised?

~~~
twic
Sounds pretty sensible to me. Isn't the alternative that we let people who do
bad stuff get away with it?

------
aidos
Can someone from the security community explain exactly what the list is? Is
it a mailing list where researchers disclose exploits that have been found
(after doing their best to responsibly notify the developers of the affected
systems)?

~~~
nly
Snippets from the mailing list charter[0] and listinfo[1] which simply say
briefly:

    About Full-Disclosure

    Unlike bugtraq, this list serves no one except the list members themselves
    We don't believe in security by obscurity, and as far as we know, full
    disclosure is the only way to ensure that everyone, not just the insiders
    have access to the information we need to survive.

    We will try to operate this list without moderation, as we feel moderation
    is an impediment to communication.

    Any information pertaining to vulnerabilities is acceptable, for instance
    announcement and discussion thereof, exploit techniques and code, related
    tools and papers, and other useful information.

and, forebodingly:

    Politics should be avoided at all costs.

There's also the original announcement on the SuSE Linux security mailing
list[2] and a follow-up by Mr Cartwright with some further rationale[3].

[0]
[https://web.archive.org/web/20050306210635/http://lists.nets...](https://web.archive.org/web/20050306210635/http://lists.netsys.com/full-disclosure-charter.html)

[1]
[https://web.archive.org/web/20041205194605/http://lists.nets...](https://web.archive.org/web/20041205194605/http://lists.netsys.com/mailman/listinfo/full-disclosure/)

[2] [http://marc.info/?l=suse-security&m=102639105014466&w=2](http://marc.info/?l=suse-security&m=102639105014466&w=2)

[3] [http://marc.info/?l=full-disclosure&m=102965261426089&w=2](http://marc.info/?l=full-disclosure&m=102965261426089&w=2)

~~~
goldfeld
Given the list's modus operandi and goals, wouldn't it work well under a
format such as the blockchain? No moderation and no chance to delete what's
been posted, since the decentralization means it would by then be replicated
across lots of machines.

~~~
nly
You then can't filter or delete spam, which far outweighs legitimate mail.

~~~
Aqueous
You need to pay BTC in order to store in the blockchain (i.e. you can't send a
0.00BTC transaction to someone). That should go pretty far in eliminating
spam. Then again it might be too high a barrier for legitimate posters.

------
ef47d35620c1
Sites that allow anonymous postings through tor (e.g. reddit) are the last
remaining voice of freedom on the Internet.

It is unfortunate that HN is not numbered among those sites.

Edit: I was incorrect about HN. See the comment below. I am happy to learn
that I was wrong.

~~~
devconsole
Hi, I'm posting this through Tor. The reason I'm able to do this is because
this account is more than two weeks old. I also created this account through
Tor, so HN's operators should have no idea who I am.

For example, you have done an experiment below of posting comments through tor
using the newly-created account "throughtor":
[https://news.ycombinator.com/threads?id=throughtor](https://news.ycombinator.com/threads?id=throughtor)

If you turn on "showdead" in your profile, you'll see that account has a bunch
of dead comments. Those comments are dead because the "throughtor" account is
less than two weeks old, so HN's system automatically kills them since they're
posted through tor. Once two weeks elapse, you'll be able to post comments and
they won't be struck down. (Two weeks is the time it takes for the "new
account" status to wear off.)

This is a spam prevention technique, and it's necessary in order to
drastically reduce the amount of work moderators have to do to filter spam.

So, anyone who wants to post anonymously on HN should open up Tor Browser and
create an account right now, and save it for a rainy day sometime in the
future.

Remember not to use the same password as your regular HN account, because
you'll give your identity away if you do. In addition to the fact that there's
nothing stopping any server from logging every password across every service,
HN also stores passwords as unsalted SHA-1, so two identical passwords on two
different HN accounts will be stored as the same hash in the database, making
it trivial to detect your real identity.

At least, unsalted SHA-1 was the case as of arc3.1, which is now several years
old. Kogir probably changed it to something more sane in the meantime. But I
highly doubt anyone will be able to break into HN's server running BSD anyway,
so the unsalted SHA-1 isn't really a concern. This is just a reminder that
every piece of information you provide is a piece of information that can be
used to determine your identity.

And if you use this information to create more work for HN's operators, then I
will ssh into your macbook and scare the crap out of you in the middle of the
night by setting your volume to 100% and using text-to-speech. But seriously,
don't be lame. It's valuable that we are permitted any anonymity at all.

~~~
pg
We switched to bcrypt several years ago.

~~~
jwcrux
That's great to hear - thanks for doing so.

------
brianmwaters_hn
What a shame; I just recently started taking on an interest in computer
security and signed up for the list. In just the few weeks I was on there, I
learned about a vulnerability in a device I had recently bought. I am
cherishing the opportunity (which I haven't found time for yet) to walk
through my first exploit!

As a newcomer I'm not really sure what John's referring to, though. Too bad...

~~~
JPKab
I'll offer my take on his "industry that shouldn't have become an industry".

One of the biggest drivers of cash into information security hires is
government regulation. Otherwise, a lot of these companies could give a shit
if they lose private data.

Enter the information security specialist who has no fucking clue how to
program or do anything remotely technical. They went out and got their CISSP
cert, and now they provide a legal shield to the corporation or government
office that hires them. Their very presence provides the security theater
needed to protect their employer from being sued for not providing the
necessary security.

If you are a CISSP on here, the fact that you're on this site means you are in
the minority of your loser poser peers. You probably hate these posers as much
as I do.

~~~
toyg
I think John's point was more wide-ranging. Even without regulation, the truth
is that security has long become just another market, where vulnerabilities
and skills are bought and sold for cash, like any other commodity. Security
used to be an aspect of system administration; now it's just another rat race
with all the trappings of commercialisation ("enterprise" products etc etc).

------
lazyjones
He doesn't disclose much information, but it looks a bit like he (sourly)
blames the industry and community for something that is very common elsewhere
too: to run a public forum or mailing list, you now need not only the users'
support and goodwill, but also legal counsel, a thick skin and willingness to
challenge legal threats, as well as all sorts of technical means to fend off
malicious activities (DoS/spam protection etc.).

What's stopping such communities from going "underground", i.e. to some
darknet where anonymity and protection from some of these hassles still
exists?

~~~
dfc
> What's stopping such communities from going "underground", i.e. to some
> darknet where anonymity and protection from some of these hassles still
> exists?

Principle? The whole point of FD was for these discussions to happen in the
open.

------
galapago
"He who foresees calamities, suffers them twice over"

~~~
BuildTheRobots
> "He who foresees calamities, suffers them twice over" --Beilby Porteus,
> Bishop of Chester and London, 1731-1809.

Not heard the quote before; thank you.

------
Bjoern
Wow, this is sad. Hope we can get more info on what was going on.

Besides Bugtraq what mailing lists security wise do you follow?

EDIT: Or what other general means by Twitter, Websites, Databases, Blogs etc.
do you recommend?

~~~
tptacek
Why would you follow any mailing lists for security in 2014? The concept of a
security mailing list predates Twitter, vulnerability databases, Reddit, and
blogs. But we have all those things now, and they are all better than Full-
Disclosure on its best days.

~~~
Bjoern
Yeah, people keep telling me mail is dead, but it's still kicking around and is
very well alive. Let me edit my initial question to be email neutral though.

------
binaryatrocity
First thing I saw in my inbox when I got to work this morning. Sad really, the
list has certainly had its moments.

Can't help but be a little optimistic, at least the "Google Vulnerability with
PoC" youtube-upload trollfest chain of emails is done flooding my inbox this
month :D

------
gwu78
"... an industry that never should have become an industry."

------
kang
What are some other similar lists to follow?

------
nixgeek
Today is a sad day. I wonder what will replace full-disclosure as the de-facto
vehicle to announce vulnerabilities.

~~~
guard-of-terra
Pastebin + reddit?

------
jruthers
Would anyone mind explaining to me as a noob what kind of legal challenges
public lists need to defend against these days?

Spam, trolls and politics are not new, but legal threats and DoS attacks I
didn't expect to be problems.

~~~
Bjoern
Some companies like to practice 'security by obscurity' to the fullest. They
sometimes try to keep bugs from being disclosed by researchers using various
means, from ignoring them up to legal threats or other non-disclosure contracts.

Often when things are in a really bad state it's in the public interest to make
sure these issues get fixed rather than brushed under the carpet. Hence it
gets posted on various sec mailing lists to ramp up pressure.

------
teebsd
[https://news.ycombinator.com/item?id=7431569](https://news.ycombinator.com/item?id=7431569)

------
rdl
Sad :( This was my favorite mailing list for the past decade or so, although
it's been in decline for years.

------
scmurcott
Really was a great list, one of my favorite. I will miss it, sincerely.

------
DangerousPie
He didn't really explain the full problem so maybe I am not fully appreciating
the situation here, but this seems like a pretty big overreaction for a stupid
request from a single user.

~~~
jinzo
As someone who had to deal with legal troubles when running a user-facing
service I can say that it's not that easy if you don't have resources (or
knowledge/time) to respond correctly to the legal inquiries. For example, a
relatively small (by internet standards) "local" forum has a somewhat dedicated
(it's not their full-time job) 3-man legal team that answers all the legal
inquiries.

If I add one of the latest in the series of my own experiences. Once upon a
time someone wanted to scam me on a website deal. We figured out who it was
(it was easy, he was the owner of the domain, paid for the hosting etc.) and
published the details (we were not the first, he's quite a known scammer
around here, we found numerous blog posts about him). He was even featured in a
local newspaper. Fast forward 5 or so years and I get a Cease and Desist
letter from him (or something looking like that) that the information in my
blog post is not accurate and he will sue me. I quickly see that Google
doesn't bring much about him nowadays, in part due to people not caring for their
blogs/doing redesigns and in part due to him sending out "scary" letters. Of
course I could fight it, I had a lot of concrete (I was told court grade by
some lawyer acquaintances) proof. But was it worth my time? My effort? My
psyche? No. I redacted the blog post and let it be. I don't feel good about it,
because that means he will try to scam people that could've been warned by
my post. But I wagered it and left it all behind.

EDIT: grammar n'stuff

~~~
debacle
The only reason legal bullying works is because so many people capitulate at
the first sign of conflict.

~~~
unclebucknasty
Not sure if you've ever been involved in a suit, but the "first sign of
conflict" is a critical juncture. Perhaps the most critical. And, in many
cases, your decision is a function of simple math.

Once you proceed past the "first sign of conflict", you will quickly sink a
lot of cash. You don't get a refund if you later decide to stop, nor any other
credit. That money is gone and either you keep going until you a.) win (or
lose) a protracted, costly battle; b.) bankrupt your cash, energy, or will; or
c.) find an opportunity to settle and stop the bleeding. By then, the damage
is done.

So, if you decide to proceed, then you are signing up for significant cost and
a ride for which you have limited control. They will keep throwing stuff at
you to entangle and frustrate you. If you take the suit as far as discovery,
then you can get into the high 6-figure or even 7-figure range before you know
it.

And, before you get to discovery, the motions, counter-motions, and other
pleadings can easily get you to six figures within a few short months or less
(depending on the complexity of the case).

If you are a small business, it can be a non-starter, especially when the
plaintiff is a much larger (and hostile) company. I've been through it
personally and I decided _not_ to "capitulate at the first sign of conflict".
I was pissed, they were wrong, I wouldn't be bullied, etc. So, I fought it.

We handily beat them back on the initial injunction they were seeking. Based
on the merit, we knew we'd win that easily. Still, it cost me ~$20K to
actually do it. It doesn't matter how weak their case is. They can make you
bleed to prove it. The standard for having the suit labeled frivolous is
extraordinarily high and you almost assuredly will not recover your legal
fees.

We kept fighting, using some of the foundation (research, etc.) laid during
the injunction battle to reduce costs. Still, by the time we reached the
mandatory (in the state of CA) settlement conference (where we decided to
settle), we were out over $100K. So, that was the price of "not capitulating
at the first sign of conflict". Of course, we didn't have to concede
everything they initially demanded, but that small victory felt a bit Pyrrhic.

And, none of this cost includes the time, mental energy, and stress involved.
If you are running a small business, you likely don't have time/energy for it.
So, beyond literally bankrupting you, it can damage your business (perhaps
irreparably) in other ways.

------
chris_wot
What exactly happened?

~~~
woof
Somebody set up us the bomb!

Seriously, use 30 seconds to browse, i.e. [http://marc.info/?l=full-disclosure&r=1&b=201403&w=2](http://marc.info/?l=full-disclosure&r=1&b=201403&w=2)

Notice 144 posts about "Google vulnerabilities with PoC"?

~~~
unreal37
That's an ugly thread with people putting each other down in every post.

~~~
lawnchair_larry
Haha, that is on the more civil side of FD discussions. Many hackers have ego
problems.

