Can someone from the security community explain exactly what the list is? Is it a mailing list where researchers disclose exploits that have been found (after doing their best to responsibly notify the developers of the affected systems)?
Snippets from the mailing list charter[0] and listinfo[1] which simply say briefly:
About Full-Disclosure
Unlike bugtraq, this list serves no one except the list members themselves
We don't believe in security by obscurity, and as far as we know, full disclosure is the only way to ensure that everyone, not just the insiders, have access to the information we need to survive.
We will try to operate this list without moderation, as we feel moderation is an impediment to communication.
Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information.
and, forebodingly:
Politics should be avoided at all costs.
There's also the original announcement on the SuSE Linux security mailing list[2] and a follow-up by Mr Cartwright with some further rationale[3].
> We will try to operate this list without moderation, as we feel moderation is an impediment to communication.
I feel like everyone wants to hate moderation, but it's one of those things that, when used correctly, makes a community good.
I'm on several mailing lists that have grown significantly over 3-7 years. I, along with most other founding members, left lists that didn't have any moderation as they inevitably grew into a community similar to what's described in this announcement.
But the mailing lists/forums that had moderate moderation, removing furry porn for example, have continued to grow and continue their initial cause. Good moderation is not censorship, I would even say that people disrupting the core purpose of a community censor more than a good moderator by burying worthwhile content below shit posts.
Given the list's modus operandi and goals, wouldn't it work well under a format such as the blockchain? No moderation and no chance to delete what's been posted, since the decentralization means it would by then be replicated across lots of machines.
You don't need the complexity of a unified ledger to have a distributed message passing system.
The ledger could provide some assurances that others have had access to a given set of messages, but that really only helps with the boring sort of arguments.
You need to pay BTC in order to store in the blockchain (i.e. you can't send a 0.00 BTC transaction to someone). That should go pretty far in eliminating spam. Then again it might be too high a barrier for legitimate posters.
Full-Disclosure is a popular mailing list that is ostensibly about discussion of vulnerabilities (particularly new ones), but is as often as not the security scene's version of 4chan. It was a sort of successor to Bugtraq.
> Full disclosure is a lightly moderated security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on 9 July 2002 by Len Rose and is administered by John Cartwright.

The wiki page goes on to list some notable zero-day vulnerabilities.
Yes (vulnerabilities rather than exploits, although these disclosures often contained proofs of concept.) It was the de facto standard vehicle for this.
No, it was the de facto standard mailing list for releasing vulnerabilities. Over the last 7 years it's gotten less and less relevant as a way of releasing vulnerabilities, because large public mailing lists are not a particularly effective way to publish vulnerabilities.
People seem to believe that happened because vulnerabilities started to obtain a market value, but:
* The serious high-end memory corruption vulnerabilities were (a) more common and (b) much simpler at FD's inception, making them more amenable to posting on a list; in 2014, a high-end vulnerability is likely to be complex enough to merit in-depth consideration on a blog instead.
* Table-stakes XSS vulnerabilities also tend to get written up in blogs (where they help establish a track record for researchers whose future employers aren't going to trawl through FD looking for them), and when they get bought, get bought by bug bounties. It is hard to argue that bug bounties are a bad thing; nobody benefits from a web vulnerability in a SaaS product other than the operator of the SaaS product.
Hehe, nope. It's the list where exploits and vulns are dropped, without getting into the circus and the money of responsible-coordinated-whatever. It's old style. It couldn't survive.