
Full Disclosure Mailing List: A Fresh Start - 8ig8
http://insecure.org/news/fulldisclosure/
======
tptacek
Fyodor's a mensch, but I think he's romanticizing the concept of Full-
Disclosure and that he's ultimately going to be unhappy he tried to keep the
list alive. Sometimes dead is better.

I'm not clear on why a mailing list like F-D is in any way better than a
subreddit or an instance of Lobsters.

Proponents of the mailing list say that the list is decentralized and allows
everyone to archive its contents. The list is not in fact decentralized, and a
message board also allows for archiving. The boards don't do this by default,
but that's a good thing.

Message boards also offer a better reading experience. A lot of F-D is dreck.
A threaded view (maybe with voting, maybe with collapsible threads) is the
only sane way to view it. Boards also offer search.

People wonder why I post so much on HN. It really has nothing to do with HN;
it's that HN replaced Usenet (and blogging and IRC, but mostly Usenet). I now
grudgingly admit that web-based message boards are better than Usenet. The
relationship between Usenet and mailing lists was once deep and productive.
Maybe message boards should replace lists (at least, big public lists) as
well.

~~~
derefr
The main concern, I think, is that if someone censors the official archive,
everyone has their own copy of the censored posts to use to prove such. It's
the same sort of resilience you get from having local Git repositories, or
from the Bitcoin block-chain. You don't get this from any message board I know
of (although that's not fundamental to the definition of a message board.)

~~~
tptacek
Sure, but people who want to preserve a high-fidelity archive of a message
board can do that too.

~~~
f-
Probably, but in the end, it doesn't matter: there is a single, widely
archived mailing list that almost everybody knows about.

Outside the several mailing lists we have, there's nothing resembling a
central repository of security research and industry gossip. It's possible
that it all could be done better with a custom web forum, a VIP room on
Chatroulette, or a well-designed UUCP dead-drop - but so far, despite many
attempts, nobody really succeeded with that.

Plus, F-D is awful mostly because it's a fairly accurate mirror of the
security community itself (and certainly many of the web forums I have seen).
More often than not, _this_ is what makes the headlines - not a novel sandbox
escape exploit that bypasses kSLR.

~~~
oracuk
F-D was mostly awful because it was open. There are plenty of private security
forums with a much higher signal to noise ratio.

They perform slightly different functions and rely on a higher level of trust
than an open mailing list can deliver but the security community is not
uniformly awful.

------
btown
Can somebody explain the drama/context that led to the original list being
shut down? From the linked announcement from Cartwright:

> However, I always assumed that the turning point would be a sweeping request
> for large-scale deletion of information that some vendor or other had taken
> exception to. I never imagined that request might come from a researcher
> within the 'community' itself (and I use that word loosely in modern times).
> But today, having spent a fair amount of time dealing with complaints from a
> particular individual (who shall remain nameless) I realised that I'm done.
> The list has had its fair share of trolling, flooding, furry porn, fake
> exploits and DoS attacks over the years, but none of those things really
> affected the integrity of the list itself. However, taking a virtual hatchet
> to the list archives on the whim of an individual just doesn't feel right.
> That 'one of our own' would undermine the efforts of the last 12 years is
> really the straw that broke the camel's back.

~~~
8ig8
Last week's discussion on the announcement may help with background...

[https://news.ycombinator.com/item?id=7427865](https://news.ycombinator.com/item?id=7427865)

------
voltagex_
> You can prevent archiving (at least for Seclists) by specifying the
> X-No-Archive mail header in your post, but you might reconsider whether to
> post such a sensitive message to a public list in the first place.

~~~
koralatov
Google Groups also removes posts from their public archive when they have the
XNAY header. I use the header when I'm posting to the various Groups and lists
to which I subscribe, because it effectively 'tidies up' after me as I go.

~~~
voltagex_
I'm sure you have your reasons, but for me it'd be missing history when
searching for a post. Imagine if
[https://groups.google.com/forum/#!topic/comp.os.minix/dlNtH7...](https://groups.google.com/forum/#!topic/comp.os.minix/dlNtH7RRrGA)
wasn't available to read.

------
voltagex_
Three cheers for fyodor!

------
rdl
This would be an _awesome_ list for the new YC company Threadable to manage.

------
aagha
What is Lobsters?

~~~
olalonde
[https://lobste.rs/about](https://lobste.rs/about)

