Fwd: FD mailing list died. Time for new one (or something better!)
over on the OSS list i have been venting some bullshit friction over the full-disclosure cave-in and closure. for shame!

see also thread on more better mixmasters,

---------- Forwarded message ----------
From: coderman <coderman@gmail.com>
Date: Thu, Mar 20, 2014 at 3:18 AM
Subject: Re: FD mailing list died. Time for new one (or something better!)
To: oss-security@lists.openwall.com

a modest and proportionate proposal, fuller-disclosure:
- a hidden list (local accts only, no clearnet linkage)
- a hidden daily digest (per mod prefs, see below)
- a hidden xmpp (otr required - plaintext abused)
- a hidden web archive (of the list traffic, read-only)
- a hidden public chat (group xmpp+/|ircd, no clearnet linkage)
- a hidden pastebin with or without simple nonce auth
- an advogato reputation sys to stack rank and put below the fold
  (for list digest content, public chat, web archive, and public pastes)

use case A: "JerkVendor is Jerk"
- more accommodating disclosure fails, good faith and gratis effort returned with bile.
- bugtraq drama ensues, takedowns.
- "Hey, the advisory is still up here! -> fullerd.onion/..."

use case B: "The Hot Drop"
- *whispers* 'remember the Athens Affair? i'd rather not Opt-Out to report'
- BREAKING NEWS: "Anonymous russian hackers drop dox on spyhack to darknet fullerd.onion..."

use case C: "It's my party and I'll..."
- 'so how it happened was, , i coaxed pre-auth SSL cert parsefail remote exec with escalate to system'
- "Hey DEF CON! fuck that full-disclosure closure drama, let's get this party started!"
- DEF CON XX official start and group xmpp/ircd distributes nonce for 0day to thousands of hidden participants simultaneously.
  [ remainder of distribution happens over sneakernet at con due to unexplained outage across entire Tor network for all users... ]

not a concern at all, ever:
- "HOLY SHIT TAKE THAT DOWN NOW!!!" legal motions
- "HOLY SHIT TAKE THAT DOWN NOW!!!" supporter/peer pressure
- "HOLY SHIT TAKE THAT DOWN NOW!!!" matters of national security
- "HOLY SHIT TAKE THAT DOWN NOW!!!" hint in datagram at 100Gbps

[ the inverse is use case D: "99.44% Peace of Mind" ]

i don't see the point in anything less; other technologies filling existing roles fine, while the truly necessary drops have zero outlet.

. . .

finding someone with strong reputation and good judgement to publicly validate and speak to the efforts of the equally reputable but absolutely anonymous service operator?

... now that's a hard sell ... *grin*