Fwd: FD mailing list died. Time for new one (or something better!)

coderman coderman at gmail.com
Thu Mar 20 09:30:48 PDT 2014


over on the OSS list i have been venting some bullshit friction over
the full-disclosure cave in and closure.

for shame!  see also thread on more better mixmasters,


---------- Forwarded message ----------
From: coderman <coderman at gmail.com>
Date: Thu, Mar 20, 2014 at 3:18 AM
Subject: Re: FD mailing list died. Time for new one (or something better!)
To: oss-security at lists.openwall.com


a modest and proportionate proposal,

fuller-disclosure:
 - a hidden list (local accts only, no clearnet linkage)
 - a hidden daily digest (per mod prefs, see below)
 - a hidden xmpp (otr required - plaintext abused)
 - a hidden web archive (of the list traffic, read-only)
 - a hidden public chat (group xmpp+/|ircd, no clearnet linkage)
 - a hidden pastebin with or without simple nonce auth
 - an advogato reputation sys to stack rank and put below the fold
   (for list digest content, public chat, web archive, and public pastes)

use case A: "JerkVendor is Jerk"
 - more accommodating disclosure fails,
    good faith and gratis effort returned with bile.
 - bugtraq drama ensues, takedowns.
 - "Hey, the advisory is still up here! ->  fullerd.onion/..."

use case B: "The Hot Drop"
 - *whispers* 'remember the Athens Affair? i'd rather not Opt-Out to report'
 - BREAKING NEWS: "Anonymous russian hackers drop dox on spyhack to
darknet fullerd.onion..."

use case C: "It's my party and I'll..."
 - 'so how it happened was,
     i coaxed pre-auth SSL cert parsefail remote exec with escalate to system'
 - "Hey DEF CON! fuck that full-disclosure closure drama,
    let's get this party started!"
 - DEF CON XX official start and group xmpp/ircd distributes nonce for
0day to thousands of hidden participants simultaneously.
    [ remainder of distribution happens over sneakernet at con
      due to unexplained outage across entire Tor network for all users... ]


not a concern at all, ever:
 - "HOLY SHIT TAKE THAT DOWN NOW!!!" legal motions
 - "HOLY SHIT TAKE THAT DOWN NOW!!!" supporter/peer pressure
 - "HOLY SHIT TAKE THAT DOWN NOW!!!" matters of national security
 - "HOLY SHIT TAKE THAT DOWN NOW!!!" hint in datagram at 100Gbps
[ the inverse is use case D: "99.44% Peace of Mind" ]



i don't see the point in anything less; other technologies filling
existing roles fine, while the truly necessary drops have zero outlet.

.
.
.
finding someone with strong reputation and good judgement to publicly
validate and speak to the efforts of the equally reputable but
absolutely anonymous service operator?
... now that's a hard sell ...  *grin*
