Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief

The alternatives to an independent list like Full Disclosure can't match it for stopping new cyberattack tactics

The hardest thing to get large companies to do is to share sensitive corporate information with direct rivals. A very close second to that is to get them to talk about a security attack they just suffered. But that double reticence provides a favorable business climate for cyberthieves.

If all companies in a sector shared information about cyberattacks with one another, they would all learn what new threats to look out for. Because potential victims would know where a new danger lies, cyberthieves would have to abandon new tactics fairly quickly. If that information isn't shared, cyberthieves can simply repeat their new attacks at one company after another. You would hope that companies could see the benefit of sharing information with rivals, who would then be encouraged to share information that could save them from a cyberattack as well. But cyberthieves needn't worry too much about that: there's far more suspicion and paranoia in large companies than security self-interest can overcome.

I've been thinking about all of this in the wake of the March 19 shutdown of the 12-year-old, highly respected global security mailing list called Full Disclosure. FD was a wonderful forum for security professionals to share new cyberthief tactics and report security holes. The folk who ran FD were vague about why the list was being shut down, other than it involving legal threats.

John Cartwright, the administrator of the list, bemoaned changes in the hacker community, saying in a message, "I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honor amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

Fortunately, we won't be writing the obituary for Full Disclosure -- yet. A few days after the list was shut down, Gordon Lyon, a fan of the list and himself a respected security researcher, surfaced to take over the administration of the list, with Cartwright's blessing.

Lyon decided to revive the list because he doesn't buy the arguments of some in the security field that lists like FD are no longer needed. To the suggestions that researchers can just host their advisories on websites like Pastebin and post links to them on Twitter, he said, "Mailing lists create a much more permanent record, and their decentralized nature makes them harder to censor or quietly alter in the future."

Lyon is right that FD is worth saving. Its most remarkable attribute is that it cleverly wins at the game of keeping the bad guys out by not ever trying. A senior security manager for a very large retailer made the point that the list embraces wide disclosure as the best weapon against thieves and vandals.

"Full Disclosure," he said during that dark week when it looked as if FD was gone for good, "was intended for security researchers, but they knew any attempt to exclude thieves was guaranteed futile, so they never tried. It's not really a rivals-versus-rivals issue. It's about white and gray hats versus black hats. This list was kind of an uneasy truce between the white and gray hats. It was also competition between researchers, as announcing a discovery bestows prestige. Among the list's accomplishments is that they worked out a disclosure policy. Responsible researchers agreed to notify software companies 30 (or more) days before publishing on FD, giving the vendors time to patch in exchange for the publicity associated with the discovery."

If FD had truly disappeared, there are other lists available, but the retail security manager said many security researchers would probably choose private communication options. "Taking its place will be private contests, such as pwn2own, and firms offering cash for vulnerabilities like Google's bug bounty, etc. Google pays far better than Apple, by the way. There -- allegedly -- are also private vulnerability exchanges, where (supposedly) you can sell a zero-day for cash or Bitcoins, no questions asked. It's long been assumed the NSA has made the bulk of the purchases."

But everyone in the security field should be rooting for Lyon to keep FD going. Its real demise would be a win for the bad guys. "By not having this place to expose them, the vulnerabilities will remain hidden longer, they will remain unpatched longer, yet the attacks will keep coming," the security manager said. "I expect to see a resultant increase in zero-day attacks and damage as a result."

There are just some things that an independent list like FD can do better than the other options. The "share immediately" school of thought has always had a fundamental flaw: The initial information available to breach victims is almost universally wrong, and dramatically so. It takes time to sort out forensics, to figure out which digital fingerprints are real and which were deliberately left by the attackers to send investigators in the wrong direction. That gets sifted out on an independent list that's policed by an aggressive community that lives to find weak logic or invalid assumptions uttered by their colleagues. As a result, information can get out cleanly and consistently.

When Lyon announced the relaunch, he pointed to the list's "light, versus restrictive, moderation and support for researchers' right to decide how to disclose their own discovered bugs."

Most critically, he pledged to handle the pressures that made his predecessor give up. "I'm already quite familiar with handling legal threats and removal demands -- usually by ignoring them," Lyon said. "Vendor legal intimidation and censorship attempts won't be tolerated."

Sounds like the list is in good hands again. That's good news for everyone who struggles to ensure information security, and very bad news for cyberthieves everywhere.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
