Rebooting the Full Disclosure List
An anonymous reader writes with good news for advocates of Full Disclosure of security vulnerabilities. A week ago, the venerable full-disclosure list was shut down; now, a successor has arisen run by fyodor. From the announcement email: "As an F-D subscriber and occasional poster myself, I was as shocked as you all last week when John Cartwright threw in the towel and shuttered the list. Now I don't blame him one bit. He performed a thankless job admirably for 12 years and deserves some time off. But I, for one, already miss Full Disclosure. So I decided to make a new list today which is a successor in name and spirit. Like the old one, it uses Mailman and is being archived by my Seclists.org site as well as numerous other archives around the world. This list is a fresh start, so the old userbase won't automatically transfer over. And I haven't added any of you either, because it is your choice. ... I hope you'll join us and resume posting your security info and advisories. If not now, then someday."
I suggest the ultimate legal protection: (Score:2)
TOR hidden service. They can't threaten to sue who they can't identify.
Re:I suggest the ultimate legal protection: (Score:4, Insightful)
TOR hidden service. They'll just threaten to sue the person who runs the TOR endpoint - they don't care.
FT (a lot) FY
Re: (Score:1)
You are not using an endpoint when visiting a hidden service. The traffic stays in the tor network. You have (obviously) an entry point, but that is only known to the visitor, not outsiders.
Re: (Score:1)
Yes, and how do you trust your "visitors"?
Re: (Score:2)
Yes, and how do you trust your "visitors"?
You don't trust yourself? And even if you don't, how does that reveal info on who is running the hidden service? Of course you know your own entry point into the Tor network; the Tor client even shows you. netstat shows you. But if you want to find/sue the person running the hidden service, you need to find that person's entry point.
Re:I suggest the ultimate legal protection: (Score:5, Interesting)
TOR is one idea but I think this would be a perfect place for the EFF to step in. Hosting full disclosure on their site would likely limit the legal harassment and is in line with their mission.
Re:I suggest the ultimate legal protection: (Score:4, Interesting)
TOR is one thing, but I'd rather have the EFF step in, so there isn't any appearance of the list being shady. It might be legal to hide in a back alley and make sales transactions in cash, but it is a lot better for first impressions to have a storefront and the appearance of being a mainstream service.
This FD list is probably one of the most critical items to general computer security we have next to a vetted cipher suite.
Re: (Score:3)
Very true. In fact, this is something mentioned in the preamble of Phil Zimmermann's PGP, with that people should encrypt their writings just as one sticks papers in an envelope and doesn't send everything via postcards.
However, appearance matters, and TOR has a negative connotation. Having a website that appears on the up and up to discuss full disclosure, and have it have the appearances of being legit is a completely different issue from getting TOR out of the shadows.
Re: (Score:2)
Does it need to be?
As a long-time subscriber to FD (Score:4)
Thank you Fyodor!!