Evan Schuman: Resurrection of Full Disclosure mailing list is great news, if you're not a cyberthief
The alternatives to an independent list like Full Disclosure can't match it for stopping new cyberattack tactics
Computerworld - The hardest thing to get large companies to do is to share sensitive corporate information with direct rivals. A very close second to that is to get them to talk about a security attack they just suffered. But that double reticence provides a favorable business climate for cyberthieves.
If all companies in a sector shared information about cyberattacks with one another, they would all learn about new things to look out for. Because potential victims would be aware of where a new danger lies, cyberthieves would have to give up new tactics fairly quickly. If that information isn't being shared, the cyberthieves can just keep repeating their new attacks at one company after another. You would hope that companies could see how it would be beneficial to them to share information with rivals, which would then be encouraged to share information that could save them from a cyberattack as well. But cyberthieves needn't be too worried about that. There's far more suspicion and paranoia in large companies than can be overcome by security self-interest.
I've been thinking about all of this in the wake of the March 19 shutdown of the 12-year-old, highly respected global security mailing list called Full Disclosure. FD was a wonderful forum for security professionals to share new cyberthief tactics and report security holes. The folk who ran FD were vague about why the list was being shut down, other than it involving legal threats.
John Cartwright, the administrator of the list, bemoaned changes in the hacker community, saying in a message, "I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honor amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."
Fortunately, we won't be writing the obituary for Full Disclosure -- yet. A few days after the list was shut down, Gordon Lyon, a fan of the list and himself a respected security researcher, surfaced to take over the administration of the list, with Cartwright's blessing.
Lyon decided to revive the list because he doesn't buy the arguments of some in the security field that lists like FD are no longer needed. To the suggestions that researchers can just host their advisories on websites like Pastebin and post links to them on Twitter, he said, "Mailing lists create a much more permanent record, and their decentralized nature makes them harder to censor or quietly alter in the future."