'Full-Disclosure' Suspends Operations: Very Sad Day for Internet Security

March 20, 2014
By: Peter Bernstein

There is an old saying that all good things must come to an end. In this respect we should all mark March 19, 2014, as one of those days when a really good thing closed up shop.

I am referring to the fact that, after more than a decade, John Cartwright -- head of the popular Full-Disclosure mailing list, which has been a public discussion forum for vulnerability researchers -- announced that he was indefinitely suspending the list, and with it his role as its chief cook and bottle washer. This indeed marks a very sad day.

If you have not heard of or visited Full-Disclosure’s website over the years, that’s a shame. It has been an invaluable resource for security professionals and something of a bible for what used to be known as the “ethical hacker” community. 


I usually comment on noteworthy items, and this certainly is one, but here it seems appropriate to provide the full text of the posting in which Cartwright revealed his decision to suspend the list. It is a sobering message and a wake-up call to everyone in the online security business.

Hi.

When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid and otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. 

However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more.

There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely.  Thanks for playing.

Cheers

- John

While others have commented on Cartwright's decision, I think the comments from High-Tech Bridge's CEO, Ilia Kolochenko, speak for many of us in the security business:

"The end of the Full-Disclosure list is definitely a milestone for the information security industry – a very sad one, as years ago Full-Disclosure used to be one of the most reliable and popular sources of infosec/hacking information. But those days are gone and skilled hackers -- both Black and White Hats -- are no longer motivated to inform the public of their findings and exploits for free. They either work for vulnerability research companies like Vupen, participate in bug-bounties or simply sell 0days on the hacker black market. Obviously Full-Disclosure cannot exist without high-quality content, so I think this is why John Cartwright's decision to suspend the Full-Disclosure list is entirely reasonable, but still sad.

"Being a regular reader of the list I also regularly see some off-topics, 'holy wars', fakes and other garbage that administration has to filter every day. So, I perfectly understand the decision to suspend this list, as managing such a list in a proper way is a titanic daily job, especially nowadays."

Like most game-changing technologies, the Internet has a dark side that comes along with the good. Nuclear fission gave the world a new energy source and the atomic bomb at the same time; the Internet, too, has always had its dark side. And, unfortunately, as the Internet has matured, so have the bad actors looking to exploit it.

As High-Tech Bridge's Kolochenko points out, the days when White Hats exposed flaws and vulnerabilities in the Web out of good intentions alone are over; that age of innocence has ended. Indeed, distinguishing between White Hats and Black Hats has become a real challenge, especially in an era where distrust is increasingly undermining the trust necessary for the Internet Age to move forward.

I, too, wish Mr. Cartwright had the passion and inclination to carry on, but understand completely why he has chosen to call it a day.


Edited by Rory J. Thompson

