“Full Disclosure” Shutdown Raises Questions About Email Mailing Lists In The Social Media Era

Editor’s note: Tom Cross is Director of Security Research at Lancope, where he works on network behavioral anomaly detection technology. He is also the cofounder of MemeStreams, a collaborative bookmarking platform and a Signal Media subject matter adviser.

In the days before Twitter, Facebook and even Friendster had arrived, a great deal of social interaction on the Internet occurred via email mailing lists. The closure last week of an information security mailing list, Full Disclosure, prompted a number of InfoSec professionals to ask whether these lists still have relevance when so many powerful new social media platforms are available to replace them. The rapid relaunch of that same list under new management has answered that question. Mailing lists still matter, and the reasons why may shed light on opportunities for further innovation in social media.

The Full Disclosure mailing list is a loosely moderated forum where computer security researchers disclose the full details of vulnerabilities in software products, in some cases before those vulnerabilities have been fixed. Although some people bristle at the existence of these kinds of detailed disclosures, it is important to have a central forum where they can take place. Unfortunately, last week the moderator of the mailing list announced that he was closing up shop, citing legal threats from software vendors and a decline in the quality of posts. This event immediately prompted suggestions that vulnerability details should be disclosed on blogs, pastebin, and Twitter instead.

However, there are three key characteristics associated with email mailing lists that social media platforms currently have trouble replicating.

Centrality. The full disclosure of the details of security vulnerabilities is a controversial subject, but the bottom line is that if it is going to happen, it’s important that everyone who is responsible for protecting software systems and computer networks from attack learn of it as quickly as possible. Having a central mailing list where these kinds of disclosures occur helps ensure that everyone who needs to know gets the word immediately. If these details are disclosed on blogs instead, not everyone in the community may be aware of the posts that are out there, or it might take longer for information about new posts to disseminate within the community. Those delays can translate into windows of exposure in which some networks are unprotected.

One way to combat the lack of a central monitoring point is to use hashtags on Twitter. It was suggested that if everyone who had a vulnerability to disclose linked their disclosure on Twitter with the hashtag #fulldisclosure, people who need to keep track of vulnerabilities could do so by monitoring that hashtag. This approach would solve the need for centrality, but it brings up some other key issues.

Moderation. The Full Disclosure mailing list is loosely moderated, but it is moderated. On the other hand, anyone can use the hashtag #fulldisclosure on Twitter, and many people do so all the time for reasons that have nothing to do with information security. This fact introduces a higher cost for those who seek to monitor the hashtag, as they have to wade through lots of irrelevant content.

Retweets might naturally ensure that vulnerability disclosures get elevated within the information security community, but the problem with this approach is that it favors vulnerabilities that are interesting. Vulnerabilities in obscure software packages may not get retweeted as often, and as a consequence, people who need to be aware might miss them.

A potentially viable approach is for dedicated moderators to set up Twitter identities that exist for the sole purpose of plumbing through all of the different #fulldisclosure tweets and retweeting all of those that do, in fact, represent real vulnerability disclosures. Given the nature of the topic at hand, this moderation task could be risky. Shortened URLs that link to supposed vulnerability details could, in fact, link to malicious websites, so moderators would need to incur the risk of regularly clicking on potentially dangerous links. And there is another concern.

Permanence. It is said that the Internet is forever, but it’s not really true. Old websites and blogs often get taken down and social media systems usually aren’t architected to provide convenient access to old content. When it comes to vulnerability information, it’s important to have a historical archive, because security vulnerabilities that are disclosed today may still exist in computer networks many years from now.

One solution is to mirror every disclosure on multiple websites. Although it might be technically possible to mirror every web page linked from every tweet with the hashtag #fulldisclosure, it is far easier, from a technical perspective, to mirror an email list, because emails all have the same format. It is safer, too, because it is usually impossible to craft a text-based email in such a way that it can exploit a vulnerability in an email client or a web browser, but the rich content of web pages can often be turned to malicious purposes.

In addition, discussions about information security need to occur on platforms that are highly resistant to censorship, as any such discussion is going to be the target of frivolous legal complaints. Although much lip service is paid to the idea that large commercial social media systems meet this requirement, they are in fact not as resilient as they are thought to be.

Social media platforms that serve large numbers of people attract large numbers of spammers and other abusive users that they have to contend with. As a consequence, they often don’t have the resources to carefully scrutinize the abuse complaints that they’re receiving or adjudicate disputes rapidly. I’ve experienced this personally – my own Twitter account was disabled inexplicably late in 2011, and it took several weeks to get it reinstated. The ability to suppress important vulnerability information for several weeks by filing a complaint about it could have significant consequences for Internet security even if the complaint was ultimately judged to be inappropriate and the content was reinstated.

Fortunately for the information security world, the Full Disclosure mailing list has been relaunched by Fyodor, the creator of the Nmap network scanner.

Some have argued that we no longer need a Full Disclosure list, or even that mailing lists as a concept are obsolete. They say researchers should just tweet out links to advisories that can be hosted on Pastebin or company sites. I disagree. Mailing lists create a much more permanent record and their decentralized nature makes them harder to censor or quietly alter in the future.

The designers of future social media platforms should take note of these observations. There is value to platforms that provide centrality, moderation capabilities and permanence. It seems obvious that modern social media platforms could offer these capabilities, but they often don’t. If email is ever going to truly become obsolete, a new platform will be needed that meets these requirements.
