Full Disclosure Mailing List: A Fresh Start (insecure.org)
86 points by 8ig8 on Mar 26, 2014 | 17 comments



Fyodor's a mensch, but I think he's romanticizing the concept of Full-Disclosure and that he's ultimately going to be unhappy he tried to keep the list alive. Sometimes dead is better.

I'm not clear on why a mailing list like F-D is in any way better than a subreddit or an instance of Lobsters.

Proponents of the mailing list say that the list is decentralized and allows everyone to archive its contents. The list is not in fact decentralized, and a message board also allows for archiving. The boards don't do this by default, but that's a good thing.

Message boards also offer a better reading experience. A lot of F-D is dreck. A threaded view (maybe with voting, maybe with collapsible threads) is the only sane way to view it. Boards also offer search.

People wonder why I post so much on HN. It really has nothing to do with HN; it's that HN replaced Usenet (and blogging and IRC, but mostly Usenet). I now grudgingly admit that web-based message boards are better than Usenet. The relationship between Usenet and mailing lists was once deep and productive. Maybe message boards should replace lists (at least, big public lists) as well.


The main concern, I think, is that if someone censors the official archive, everyone has their own copy of the censored posts to use to prove such. It's the same sort of resilience you get from having local Git repositories, or from the Bitcoin block-chain. You don't get this from any message board I know of (although that's not fundamental to the definition of a message board.)


Sure, but people who want to preserve a high-fidelity archive of a message board can do that too.


Probably, but in the end, it doesn't matter: there is a single, widely archived mailing list that almost everybody knows about.

Outside the several mailing lists we have, there's nothing resembling a central repository of security research and industry gossip. It's possible that it all could be done better with a custom web forum, a VIP room on Chatroulette, or a well-designed UUCP dead-drop - but so far, despite many attempts, nobody really succeeded with that.

Plus, F-D is awful mostly because it's a fairly accurate mirror of the security community itself (and certainly of many of the web forums I have seen). More often than not, this is what makes the headlines - not a novel sandbox escape exploit that bypasses KASLR.


F-D was mostly awful because it was open. There are plenty of private security forums with a much higher signal to noise ratio.

They perform slightly different functions and rely on a higher level of trust than an open mailing list can deliver, but the security community is not uniformly awful.


Of course it allows search, and you can even customize that search if you have been subscribed for a long time by using your own mail client. Mailing lists also have a similar benefit to git where many people have archives (even if they are incomplete) so the content can't just be massively deleted easily.


> The list is not in fact decentralized

It's a lot more decentralized than a web page (with pull-based RSS/Atom and/or that is scraping-friendly), and a lot more decentralized than a web app (even with some form of non-standard smarty-pants AJAX/JS/whatnot API).

It comes with reliable, working push notifications!

> [m]essage board also allows for archiving.

Oh come on. You can scrape message boards, and in theory they could provide a dump -- but of what? The SQL backup of certain sections of the board? Just the public threads, but not the private messages? Some kind of export that makes it less than plug-and-play to host a mirror of the archives with the full structure intact?

(I seem to remember there was some private investigation posted recently where someone had downloaded a few dumps that someone else had stolen after cracking a few boards to get access to the raw data.)

> The boards don't do this by default, but that's a good thing.

What? Public discourse. If it was there yesterday, it's nice to be able to have it again tomorrow. One of my few pet pain-points of data gone from the Internet is related to a thread on Mixmaster remailers that was posted[1] to the cypherpunks list in the late 90s (ironic, I know; if only I hadn't been so young that I didn't keep an archive of all interesting email -- I do have a printout though. It relates how a spokesperson for an intelligence service reported that they try to run as many Mixmaster nodes as they can, to better do traffic analysis).

> Message boards also offer a better reading experience.

There might be a few boards that offer half-decent reading experience, but in my opinion they're all worse than Pine. And Pine isn't that great of an email client.

> A lot of F-D is dreck.

Hello personal Bayesian filter, kill-thread, etc.

> A threaded view (maybe with voting, maybe with collapsible threads) is the only sane way to view it.

I wish we had that here. Hiding threads would be great. I do have it in my mail reader.

> Boards also offer search.

You can't be serious. http://insecure.org/search.html?q=THOMAS%20H.%20PTACEK

Then there's notmuch and a gazillion other ways to search your own mail. Not to mention just using Gmail if you want to stick with the web interface. Granted, you can't search mail you haven't got. So either get a few mbox archives from a mirror, or you can only find email you've read (or received). It's still hard to see how this is worse than most web forums.

> Maybe message boards should replace lists (at least, big public lists)

I will concede that big unmoderated lists can be a bit of a clusterfuck, and that email lists don't scale that far. But neither do forums. Have a look at http://www.xda-developers.com. While it's a mostly pleasant place, trying to catch up on one of those 20+ page threads is painful compared to having it in a mailbox with proper threading and the ability to collapse sub-threads.

On a meta-note, I wonder why I can't down-vote this post (not that it would make a dent in either your karma or this post's points ;-). Are there more benefits to the 100k karma club than to the 1k club? (Not saying it shouldn't be so, I just wasn't aware of any such difference.)

[1] http://www.hypertekst.net/misc/anon-remail/

Btw, anyone have a copy of the archive? Last time I checked, I couldn't find it online.


So why exactly would I want to load up a web browser taking up hundreds of megabytes of my RAM, run the message board JS scripts, analytics, flash ads that suck up my CPU, let some advertising company track me just to view a message? I can run a responsive native gui/console app to read it like I do with my email and the experience is infinitely better.


Can somebody explain the drama/context that led to the original list being shut down? From the linked announcement from Cartwright:

> However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to. I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.


Last week's discussion on the announcement may help with background...

https://news.ycombinator.com/item?id=7427865


> You can prevent archiving (at least for Seclists) by specifying the X-No-Archive mail header in your post, but you might reconsider whether to post such a sensitive message to a public list in the first place.


Google Groups also removes posts from their public archive when they have the XNAY header. I use the header when I'm posting to the various Groups and lists to which I subscribe, because it effectively 'tidies up' after me as I go.
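The two mechanisms discussed in this thread, an archiver honouring X-No-Archive (the Seclists note and the Google Groups comment above) and subscribers threading and searching their own possibly incomplete mbox copies (the earlier notmuch/mbox comments), are small enough to show in one place. The following is an added example written for this page, not code from Seclists, Google Groups, notmuch or any commenter. It works on a constructed mbox fragment embedded in the file; the message-ids, addresses and the assumption that an archiver also honours the old Usenet convention of "X-No-Archive: Yes" as the first body line are all illustrative.

```python
"""Archive-side X-No-Archive filtering plus local threading/search of an mbox dump.

Added example for this page; constructed data, not any real list's archive.
"""
import email
import re
from collections import defaultdict

# Constructed mbox fragment standing in for a mirrored list archive.
# Message 2 opts out via header (case-insensitive), message 4 via the
# first-line-of-body Usenet convention, message 3 replies to 2.
SAMPLE_MBOX = """From alice@example.org Wed Mar 26 10:00:00 2014
From: Alice <alice@example.org>
To: list@example.org
Subject: [List] Parser crash in foo
Message-ID: <1@example.org>
Date: Wed, 26 Mar 2014 10:00:00 +0000

Found a crash in foo.

From bob@example.org Wed Mar 26 10:05:00 2014
From: Bob <bob@example.org>
To: list@example.org
Subject: Re: [List] Parser crash in foo
Message-ID: <2@example.org>
In-Reply-To: <1@example.org>
References: <1@example.org>
X-NO-ARCHIVE: YES
Date: Wed, 26 Mar 2014 10:05:00 +0000

Please don't archive this reply.

From carol@example.org Wed Mar 26 10:10:00 2014
From: Carol <carol@example.org>
To: list@example.org
Subject: Re: [List] Parser crash in foo
Message-ID: <3@example.org>
In-Reply-To: <2@example.org>
References: <1@example.org> <2@example.org>
Date: Wed, 26 Mar 2014 10:10:00 +0000

Confirmed.

From dave@example.org Wed Mar 26 10:15:00 2014
From: Dave <dave@example.org>
To: list@example.org
Subject: [List] Unrelated question
Message-ID: <4@example.org>
Date: Wed, 26 Mar 2014 10:15:00 +0000

X-No-Archive: Yes
Anyone got a mirror of the old archive?
"""


def split_mbox(text):
    """Split mbox text on 'From ' separator lines into email.message.Message objects."""
    chunks = re.split(r'^From .*\n', text, flags=re.MULTILINE)
    return [email.message_from_string(c) for c in chunks if c.strip()]


def no_archive_requested(msg):
    """True if the poster asked archivers to skip this message.

    Header names are case-insensitive (RFC 5322), so 'X-NO-ARCHIVE: YES' counts;
    the value must be 'yes', mere presence of the header is not enough.  The old
    Usenet fallback (same line at the very top of the body) is also honoured here;
    whether a given real archiver does so is an assumption of this example.
    """
    if msg.get('X-No-Archive', '').strip().lower() == 'yes':
        return True
    if not msg.is_multipart():
        first_line = (msg.get_payload() or '').split('\n', 1)[0]
        return first_line.strip().lower() == 'x-no-archive: yes'
    return False


def build_threads(msgs):
    """Group messages by thread root using In-Reply-To then References.

    Picks the nearest ancestor that is actually present, so a thread survives
    when intermediate messages are missing (deleted, opted out, or never
    received).  Returns {root_message_id: [message_ids in archive order]}.
    """
    known = {m['Message-ID'] for m in msgs}
    parent = {}
    for m in msgs:
        candidates = (m.get('In-Reply-To') or '').split()
        candidates += list(reversed((m.get('References') or '').split()))
        parent[m['Message-ID']] = next((c for c in candidates if c in known), None)

    def root(mid):
        seen = set()
        while parent.get(mid) is not None and mid not in seen:
            seen.add(mid)
            mid = parent[mid]
        return mid

    threads = defaultdict(list)
    for m in msgs:
        threads[root(m['Message-ID'])].append(m['Message-ID'])
    return dict(threads)


def archive_view(mbox_text):
    """What a compliant public archive keeps from a dump, threaded by root."""
    kept = [m for m in split_mbox(mbox_text) if not no_archive_requested(m)]
    return build_threads(kept)


def search(msgs, needle):
    """Case-insensitive search over From/Subject/body of a local mbox copy."""
    needle = needle.lower()
    hits = []
    for m in msgs:
        body = m.get_payload() if not m.is_multipart() else ''
        haystack = ' '.join([m.get('From', ''), m.get('Subject', ''), body]).lower()
        if needle in haystack:
            hits.append(m['Message-ID'])
    return hits


if __name__ == '__main__':
    local = split_mbox(SAMPLE_MBOX)
    print('local copy threads:', build_threads(local))
    print('public archive threads:', archive_view(SAMPLE_MBOX))
    print("search 'parser crash':", search(local, 'parser crash'))
```

Run on the embedded sample, the local copy threads all four messages into two threads, while the archive view drops Bob's and Dave's messages yet still attaches Carol's reply to Alice's root because the References chain is consulted when the In-Reply-To target is gone. That is the practical difference between "the archive was edited" and "I have my own mbox" that the thread argues about.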


I'm sure you have your reasons, but for me it'd be missing history when searching for a post. Imagine if https://groups.google.com/forum/#!topic/comp.os.minix/dlNtH7... wasn't available to read.


Three cheers for fyodor!


This would be an awesome list for the new YC company Threadable to manage.


What is Lobsters?





