Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Full-Disclosure Security List Suspended Indefinitely

Unknown Lamer posted about 4 months ago | from the poking-the-hornet's-nest-for-12-years dept.

Censorship 162

An anonymous reader writes with news that John Cartwright has been forced to shut down the full disclosure list. The list was created in 2002 in response to the perception that Bugtraq was too heavily moderated, allowing security issues to remain unpublished and unpatched for too long. Quoting: "When Len and I created the Full-Disclosure list way back in July 2002, we knew that we'd have our fair share of legal troubles along the way. We were right. To date we've had all sorts of requests to delete things, requests not to delete things, and a variety of legal threats both valid or otherwise. However, I always assumed that the turning point would be a sweeping request for large-scale deletion of information that some vendor or other had taken exception to.

I never imagined that request might come from a researcher within the 'community' itself (and I use that word loosely in modern times). But today, having spent a fair amount of time dealing with complaints from a particular individual (who shall remain nameless) I realised that I'm done. The list has had its fair share of trolling, flooding, furry porn, fake exploits and DoS attacks over the years, but none of those things really affected the integrity of the list itself. However, taking a virtual hatchet to the list archives on the whim of an individual just doesn't feel right. That 'one of our own' would undermine the efforts of the last 12 years is really the straw that broke the camel's back.

I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry.

I'm suspending service indefinitely. Thanks for playing."
The archives are still up on seclists.org, gmane, and Mail Archive. For now at least.

cancel ×

162 comments

Sorry! There are no comments related to the filter you selected.

Who? (5, Interesting)

Anonymous Coward | about 4 months ago | (#46523367)

Come on then, let's have full disclosure. WHO made the threats?

Re:Who? (1)

JJBSr (832011) | about 4 months ago | (#46523423)

C'mon AC we don't want to feed trolls here

Re:Who? (5, Insightful)

erikkemperman (252014) | about 4 months ago | (#46523483)

Perhaps without fingering individuals, it would be good to find about a bit more about what the hell happened here. This is not a guy who quits at the drop of a hat, right?

Re:Who? (2, Interesting)

Anonymous Coward | about 4 months ago | (#46523671)

Fuck that. My torch is already burning.

Re:What? (1)

Anonymous Coward | about 4 months ago | (#46523521)

"we don't want to feed trolls here"

What?

SlashDot is Trolls. Don't you ever bother to read this mush?

Re: Who? (2, Informative)

Anonymous Coward | about 4 months ago | (#46523923)

Twitter seems to agree (!!!!) that it was Nicholas Lemonias.

Re:Who? (-1)

Anonymous Coward | about 4 months ago | (#46523435)

Come on then, let's have full disclosure. WHO made the threats?

Snoden,

I believe this was a result of your efforts,
And now Insiders are attacking the lists,
Amoung many other things - I have seen, heard and witnessed many IT 9-to-5ers, Unlike thy,
Whom are all whining now, about NSA hacking, Infiltrations, Etc. Its happening 10 fold.
Tell the world the truth before Anonymous is forced to: That you are still working with the NSA and you are a giant psyop.

Re:Who? (3, Funny)

OolimPhon (1120895) | about 4 months ago | (#46524613)

Snoden,

I believe this was a result of your efforts,
And now Insiders are attacking the lists,
Amoung many other things - I have seen, heard and witnessed many IT 9-to-5ers, Unlike thy,
Whom are all whining now, about NSA hacking, Infiltrations, Etc. Its happening 10 fold.
Tell the world the truth before Anonymous is forced to: That you are still working with the NSA and you are a giant psyop.

Not a haiku!

He's right. (0, Insightful)

Anonymous Coward | about 4 months ago | (#46523393)

The fact that my living comes from appsec work is reflective of the shit world we live in. In a perfect world, this entire industry shouldn't exist.

Re:He's right. (5, Interesting)

ledow (319597) | about 4 months ago | (#46523439)

Nor would health & safety, auditing, repair shops, replacement parts, the guy who checks the pitot tube on aircraft is clean, etc. nor countless thousands of other industries. The fact that the industry exists shows you that a) we cannot secure things perfectly but b) we try hard to do so.

Fact is, you cannot make a secure product, no matter how cocky you are. So you need experts to secure things, whether or not they are forced to do so on sub-standard operating systems, hardware or applications.

Personally, I think we've come on leaps and bounds in terms of OS security in the time I've been around, but it's application security that's the problem - and the biggest problem comes from OS's not being "allowed" to lock down applications to their bare minimum necessary resources in the first place.

And now we have a new threat - hardware security where our own machines are being used against us.

It's like saying that if everyone put rubbish in a bin, we wouldn't need street cleaners. Almost true, not quite, but almost. But it's honestly, never, ever, ever going to happen until we are literally redefining "rubbish", "bin" and "cleaner" (i.e. automated robots running around doing it for us).

And real life, as shown here, is much more affected by stupid people, making stupid decisions and even enacting stupid laws. In a perfect world we wouldn't have any of those either. But still we have lawyers.

Re:He's right. (From the Snowden Coward) (0)

Anonymous Coward | about 4 months ago | (#46523513)

And real life, as shown here, is much more affected by stupid people, making stupid decisions and even enacting stupid laws. In a perfect world we wouldn't have any of those either. But still we have lawyers.

Hey there Member,
I cannot disclose who I am; though I am well respected here, That is all I may say.

The fact is: App security/Hardware security is a flaw of the newly-made WebBased-Mostly Enterprise Grade gear.
People get lazy, budgets go south; IT doesn't earn as much as they should, work too much, too many different hats; And shortcuts happen. Pink clouds are built, Which then require consultants with Chemtrail Jets and $$$$cary costly, To paint the cloud Grey with... Borium or something. :Rd

Talk soon,
Hugs eternal.

Nonsense. (5, Insightful)

johnnys (592333) | about 4 months ago | (#46523607)

There's a meme going around that "Fact is, you cannot make a secure product," is somehow a "Truth" that we all just have to accept.

This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.

If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.

If you want to save money on salaries by connecting your critical systems to the Internet using commodity CPUs that don't separate writable RAM from executable RAM, and operating systems designed for single user with poor security built in, and software written by the lowest bidder using languages that encourage lazy programmers to write buffer overruns, then you will save money but there's no way you can make a secure product. But don't pretend it's a universal fact that security is not possible: Recognize it's your own penny-pinching that is causing the problem.

Re:Nonsense. (4, Funny)

mwvdlee (775178) | about 4 months ago | (#46523769)

If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.

Because we all know humans can be trusted completely instead of often being the weakest link in a security chain.

This includes the guys that operate the machine, the people that build the machine, the people that supplied to components for the machine, the contractor that build the datacenter, their subcontractors, the people supplying bricks to the builders, etc.

In theory, it's possible to create a perfectly secure product, in practice there isn't enough money, time and knowledge in the world to do so.

Re:Nonsense. (4, Informative)

omglolbah (731566) | about 4 months ago | (#46523829)

Air gaps are fun.

Engineering workstation on the air-gapped system is connected to the same keyboard and monitor as an office machine.
Space constraints in the office on an oil rig.

The same engineer who went around pushing orange 'locks' in all the usb ports on the whole damn plant, including on the switches etc also created this gem.
Unlock the USb port on the KVM, add a usb stick. That way he could easily 'move files between the systems without looking for a stick'.....

You cannot fix stupid.

Re:Nonsense. (5, Insightful)

Travis Mansbridge (830557) | about 4 months ago | (#46523779)

Didn't stuxnet make it through air-gapped systems? Seems like for every step forward white-hats take, black-hats take one as well.

Re:Nonsense. (1, Informative)

Anonymous Coward | about 4 months ago | (#46523921)

Yes it did. The intrinsic problem is one of the fact that Windows itself is set up to do blindingly stupid things. Even if you picked "perfect" programming languages to suit the idiot GP poster (and, yes, he/she's an IDIOT.) you'd *STILL* have had a vulnerability because Windows blindly and stupidly runs *ANYTHING* that's a proper executable on insertion to the machine by a USB Mass Storage Device or a CD/DVD/BD. . In fact, it's one of Windows' selling points. Thing is, even if you didn't have that, there'd be some other weakness. The best you can *EVER* hope for is intrinsically secure, which means it is unlikely to be vulnerable. Problem is...if you're there, unless it's something like a hammer in the way of simplicity of use and function, you're not assured it is secure. Physical locks? I can break into most of them with a pick gun or a bump key- even the supposedly bump-proof ones. He'd call them secure- but they're not.

Security is a state of mind as much as it's a technique or a technology. Anyone that tells you that you can make things perfectly secure is lying or selling something.

Re:Nonsense. (2, Informative)

Anonymous Coward | about 4 months ago | (#46524217)

This is not true for Windows after XP.

Re:Nonsense. (2, Funny)

Anonymous Coward | about 4 months ago | (#46524599)

You've clearly never had a hammer bounce back and hit you in the head.

Maybe he should have said "perfectly secure" (0)

Anonymous Coward | about 4 months ago | (#46523873)

In your example, people can be exploited as easily (or more easily) than computers.
I just need to kidnap one of the children of the operators and make them sabotage the machine, bam, your security is foiled. I just need to bribe one of them with enough money (sometimes less than developing some APT) and your security is foiled. Many security issues are insides jobs.

Also, air gapped is good, but as stuxnet has shown, data is still moved back and forth somehow.

Governments spend big money making sure they personnel are secure, their systems are secure, etc, and they get hacked all the time. There is no such thing as perfect security; it reminds me of web hosts who promise some level of 9s, that still means there will be downtime, just not much.

Re:Nonsense. (0)

Anonymous Coward | about 4 months ago | (#46523885)

It's not BS. It's the truth. There's really only more secure and less secure. The nonsense is what you're shovelling. Airgapped is a good measure, but Stuxnet got in through firmware updates, initially on airgapped systems and then fully into the wild without them. The fact that you prop up the argument you try to make with that alone is sufficient enough to shoot you down. You need to look inward because the weak link in *ANY* secure system is humans. You're not getting rid of them- get a "perfectly" good "secure" system and it'll be so unusable that they'll write "strong" passwords down on post-it notes, try not to use it, etc.

What you talk to will improve things- but if you think that you can make secure stuff...you're deluding yourself and lying to the rest of the world in saying it. More secure versus less secure, yes. Truly secure...dream on.

Re:Nonsense. (1)

cavreader (1903280) | about 4 months ago | (#46524543)

Stuxnet got through thanks to the inside state supported intelligence operative with physical access to the Iranian centrifuge control system who inserted a USB stick to kick things off. Stuxnet was successful exploiting the OS but the creators also stole 2 signed certificates from 2 different Japanese companies that happened to be located in the same office park. Without these certificates they would have had a harder time exploiting the OS. It looks to me that when Stuxnet eventually propagated across the internet it was more of a test for the designers to see how the exploit delivery mechanism behaved in the wild while also re-directing attention from the fact that there was a mole inside the Iranian nuclear program. The version that appeared on the internet did not contain the same payload that wreaked mayhem on the Iranian centrifuges.

Re:Nonsense. (0)

Anonymous Coward | about 4 months ago | (#46523893)

You need to do more than airgap. You need to formally prove your code. That most likely means using something like ADA as it's a LOT easier to prove than c. It also means that your costs/kloc are going to be at least 10x what they were. There is a very good reason banks still run cobol and fortran blobs that no one living has seen the source code to. They work and their proved. The cost to replace is immense.

Re:Nonsense. (2)

LordLimecat (1103839) | about 4 months ago | (#46524009)

This is just BS. Of course you can make a secure product. You just have to commit the time and resources to make security your top priority.

Clearly Apple, Microsoft, Google, Mozilla, and Red Hat are all too lazy to do so. But Im sure youve got it all figured out.

I mean Im not a software dev, and I wouldnt claim to be an "expert" in security-- but surely it says something that noone's actually managed to write a "secure" application of any substantial complexity. We've gotten really good at patching bugs quickly (particularly google, various linux coders, and mozilla), but the fact that the applications are getting patched indicates that there are vulnerabilities, and its a bit silly to imply that the aforementioned organizations simply lack the expertise to "do it right".

Re:Nonsense. (1)

Anonymous Coward | about 4 months ago | (#46524235)

Clearly Apple, Microsoft, Google, Mozilla, and Red Hat are all too lazy to do so. But Im sure youve got it all figured out.

I wouldn't say security is their top priority. It's of some importance but they'd rather spend more time and money to produce a product that appeal to their target demographics rather than making it completely air-tight.
Thing is, most people don't care that much about security. Even in places where it matters, it's always a tradeoff between convenience, cost and security.

Re:Nonsense. (0)

the_B0fh (208483) | about 4 months ago | (#46524833)

You have not seen OpenBSD, have you? It is not perfect, but quite close to it.

http://www.openbsd.org/securit... [openbsd.org]

Re: Re:Nonsense (1)

Anonymous Coward | about 4 months ago | (#46525189)

No, he's right. All those companies you mention do have the ability to create a secure product. But doing that is expensive. It cuts into the CEO's golf fund. So what we get is software that functions where it has visibility. If a security risk becomes visible then it gets fixed. Otherwise it sits in an NSA database for current or future use, or gets quietly used to run botnets. But the OP is entirely correct. This problem is very fixable with enough time and money.

Re:Nonsense. (2)

Nevo (690791) | about 4 months ago | (#46524013)

So, if I don't want an airplane to disappear, I should hire a pilot to fly it instead of network it with external systems, then?

Re:Nonsense. (1)

pr0fessor (1940368) | about 4 months ago | (#46524253)

Hire a person to operate it.

I think you forget the lengths people will go to to achieve a goal. What happens when that person is paid off to get in, threatened, or blackmailed.

You can make it so difficult that few to none would care to try, but it's not going to be 100% secure.

Re:Nonsense. (0)

Anonymous Coward | about 4 months ago | (#46524331)

There's a meme going around that "Mathematical systems can be complete or consistent but not both" is somehow a "Truth" that we all just have to accept.

Oh, wait.

Insecure systems are merely a corollary to that 1948 proof, and your schoolboy suggestions on how to make systems "secure" just shows you don't understand the problem. Everyone who understands the problem accepts the ultimate futility that underlies attempts to solve it.

Re:Nonsense. (2)

ObsessiveMathsFreak (773371) | about 4 months ago | (#46524695)

Insecure systems are merely a corollary to that 1948 proof, and your schoolboy suggestions on how to make systems "secure" just shows you don't understand the problem. Everyone who understands the problem accepts the ultimate futility that underlies attempts to solve it.

What is this, a rerun of the "security is encryption+verification" No-True Scotsman fallacy that lead to the Firefox self-signed certs debacle.

An abstract mathematical proof means we cannot make a secure product? And somehow the security community has bought into this? I worry sometimes that the security community is prone to ridiculously levels of dogmatism and groupthink befitting any serious hacking group.

You can make a secure product. Security does not mean 100% proof perfect security. Security means that it is difficult, very difficult, to break into or even break the product.

Right now, in a similar way to unencrypted connections, we have a situation where most programs are insecure, and wide open to exploits and worse. And right now, just as with self-signed certs, we have a security community dogma that regards trying to improve things as a step backwards. This is asinine.

Stop making excuses for bad software, and bad systems designs. We can build a better internet, which is more secure from the ground up. Our efforts will not be futile -- far from it. A better internet for all is waiting to be created out there.

Two words for you (1)

Nicolas MONNET (4727) | about 4 months ago | (#46524513)

If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it.

Social engineering.

air gaps (0)

Anonymous Coward | about 4 months ago | (#46524521)

If you want to securely control your HVAC systems in your data centre, don't connect it to the Internet: Hire a person to operate it. If you want to securely control your nuclear reactor, don't connect it to the Internet but hire a staff to operate it using air-gapped systems.

Air gaps didn't help the Iranians against Stuxnet.

If you want a "secure" system you basically have to not have a programmable chip in it.

Re:Nonsense. (0)

Anonymous Coward | about 4 months ago | (#46524607)

In the 1990s, we had a choice of going with strong computer security from the ground up versus the absolute cheapest way possible with Hell to pay later on. Life would very different had we have done a few things different:

1: A private circuit switched network between businesses that ran alongside, but is independent of the Internet. This way, credit card processor "A"'s machine could communicate to bank "B"s machine, but no other links between the two would be allowed. Done right, with a certificate system in place on individual machines to disallow communication unless "blessed", this would force an intruder to go through multiple machines in order to get to a target, as opposed to just a firewall jump or two on Internet-communicating boxes. Think SIPRNet or NIPRNet, except for businesses. With both a central switching fabric and NICs that would only communicate with hosts that were authorized, this would mitigate a lot of attacks that are common these days.

2: A Harvard architecture, once RAM became no longer the major bottleneck (circa mid-1990s.) Having executable and data in the same space made sense in 1989 when some unnamed factory burned down, spiking up RAM prices, but these days, the benefit of having a RAM bank for data and a RAM bank for code outweigh the cost.

3: IPv6 should have been deployed by 2000, or perhaps an add-on to IPv4 that functioned almost identical, except added four more octets, without any other significant changes.

4: Core security software should be coded in a language designed for this purpose that is strongly typed, where one can (perhaps at great expense) mathematically prove code is secure. Ada 2012 comes to mind, for example. It isn't as easy to use or versatile as Python or PHP, but it will ensure that the code written in it at least passes some level of basic criteria.

5: Moving to a microkernel architecture with a built in hypervisor. This way, other operating systems can be virtualized quite easily, as well as updates can be done to the core security part without requiring a complete upgrade.

6: FPGA support in CPUs. This would allow security sensitive code to have its own instruction set different from the regular code.

7: SSL designed to support multiple CAs and weighting. This wouldn't be much more trouble for a user, it just means that a web server's cert would be signed by more than one party, and there would be an alert if one CA revoked the certificate (and that CA can be trusted/distrusted at will.) A WoT system is the best, a "here is a certificate, trust this" is the easiest, but a combination between the two is likely a useful medium.

8: Backup technology not improving with the times. With the exponential increase in storage density, tapes should have gone with that, and still be at a cost that is usable to an average consumer. Add the ability to boot from tapes, and data loss wouldn't be as big a problem as it is now.

9: Not handing security over to the network stuff exclusively. In the late 1990s, the primary line of defense moved from hosts to the network appliances (routers, firewalls, etc.) with little attention paid to internal machine security other than audits to check if the copy of the AV program is up to date. Machines should be doing their own IP encryption so that a compromised router won't mean an enterprise-wide breach.

10: Offshoring security. Yes, it is cheap to offshore, but at least in the US, there is recourse if a backdoor is found. Code from countries that tend to cuddle up to countries hostile to the US when push comes to shove, there is nothing one can do if their code has backdoors or deliberate security weaknesses, other than pay another group to do the code the right way.

11: Finally, the race to the bottom. This is pervades all of computing. In general, what was once considered an early beta or even a late alpha back in the 1990s is something that releases (or more like escapes) today, mainly because companies feel they can patch it later.

Heh. (0)

Anonymous Coward | about 4 months ago | (#46524959)

Not sure if you're trolling or actually serious but your post seems to imply that things can be secured merely by not connecting them to the Internet. That obviously ignores the numerous other attack vectors through which many attacks are made. It doesn't take much of an understanding of security to think of several rather trivial attack vectors against an HVAC system that have nothing to do with Internet connectivity.

Steve

you propose a DOS against yourself (1)

raymorris (2726007) | about 4 months ago | (#46525239)

A) The internet isn't the only avenue of attack. So no, unplugging from the internet doesn't ensure security. Google "stuxnet" some time for a fun example.

B) Unplugging the POWER cord would greatly decrease the chance of a system getting hacked. However, that still leaves the system perfectly insecure because a secure system is defined as one that is assured to continue to provide correct functionally in the face of adverse conditions. When you remove functionality, you're performing a DOS attack against yourself.

The other day I was shopping for a safe. For $13,000 you can buy a safe made of steel and concrete several inches thick. For $39, you can rent a demolition saw, which will cut through several inches of steel in 80 seconds. Tell me again how simple it is to make things secure.

Re:He's right. (1)

koan (80826) | about 4 months ago | (#46524063)

until we are literally redefining "rubbish", "bin" and "cleaner"

Which happens by the way, quite often things are "redefined" in order to suit an agencies/states purpose.

Re:He's right. (1)

organgtool (966989) | about 4 months ago | (#46523745)

In a perfect world, this entire industry shouldn't exist.

In a perfect world, nothing would exist.

A tragedy (5, Insightful)

jbmartin6 (1232050) | about 4 months ago | (#46523437)

I think the changes brewing in the wake of Target breach and Snowden's leak show the power of full disclosure. It seemed to me that "responsible disclosure" was just another way of saying "no consequences." And we see time and time again how no consequences equals no action.

Re:A tragedy (5, Insightful)

jbmartin6 (1232050) | about 4 months ago | (#46523481)

Additional thought: responsible disclosure only works because of the threat of full disclosure.

Re:A tragedy (2)

Ash Vince (602485) | about 4 months ago | (#46523571)

Additional thought: responsible disclosure only works because of the threat of full disclosure.

No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

So responsible disclosure works because even if the threat is never disclosed fully by the person who found it, it might be discovered by some one else independently.

Re:A tragedy (2)

jbmartin6 (1232050) | about 4 months ago | (#46523667)

I don't agree. Well, ok, yes this might be what happens in some cases. However, there are plenty of cases, especially in the earlier years, where owners declined to fix anything until full details were disclosed. Excuses like no one else would ever use this, it can't be exploited, etc. were all over the place.

Re:A tragedy (5, Insightful)

BVis (267028) | about 4 months ago | (#46523997)

No, often it works because if one person outside your organisation discovers something then when you get that issue raised with you it is pretty easy to take that to management and show them why the bug needs fixing. If one person can find it so can someone else who is less honest and hence might use it for fraud.

Seriously?

First of all, you can bring whatever you want to management; the pointy haired bosses who control resource allocation likewise can ignore whatever they want. All they hear is "computer shit I don't understand blah blah blah security problem I don't understand blah blah OH MY GOD IT WILL COST MONEY TO FIX blah blah". I used to think "oh, nobody will do that" was just a joke.. then I worked for a small company that did e-commerce. I could stand on my head giving example after example and potential disaster scenarios all I wanted, they would not change anything. The only things that really got fixed were things I found myself and fixed silently without telling anyone. If I told you what info they had been storing you would be sick to your stomach.

Second of all, this: "Has anyone found $problem yet?" "No, but they could" "OK so it's not a problem right now, go do $stupidshitthatdumbassclientwants instead."

When you're dealing with non-technical management that nevertheless is given authority to make technical decisions with or without considering problems raised by people who actually know what the fuck they're doing, security problems will exist no matter how blatant. You can spend all the time you want teaching pigs to sing, but in the end you're wasting your time and annoying the pigs.. who sign your paychecks.

Re:A tragedy (0)

Anonymous Coward | about 4 months ago | (#46524583)

To which you reply, "Fine, I'll pop you an email with the details, please reply with one telling me not to investigate and fix it." :)

Re:A tragedy (2)

BVis (267028) | about 4 months ago | (#46524913)

Which, unfortunately, doesn't get the problem addressed. CYA is not a substitute for good decisions.

Re:A tragedy (1)

Minupla (62455) | about 4 months ago | (#46524597)

I agree there are companies out there like that. I'll say though, if a developer comes to me with security issue, it'll get addressed in my company. We (the security dept) has a seat at the decision making table when we select which tickets get worked on, and the power to red ticket a release until a security bug gets addressed.

That being said, one could argue that the reason we have that authority links back to the full disclosure movement and the impact of incidents like the Targets and the TJ Maxx ("What do you mean it couldn't happen here? Don't you think Target said the same thing a week before it happened there?").

If you don't have a security dept that will back you on these things, then someone hired the wrong ppl for the security dept.

Min

Re:A tragedy (4, Insightful)

BVis (267028) | about 4 months ago | (#46524901)

If you don't have a security dept that will back you on these things, then someone hired the wrong ppl for the security dept.

Problem: What is a security department?

Re:A tragedy (4, Funny)

Minupla (62455) | about 4 months ago | (#46524961)

Security dept: (n) A deptartment in a company that if it doesn't exist will cause the development department to be directly blamed for anything that goes wrong. See also: (n) scapegoat.

Seriously, my IT dept calls us "the latex department" because if we're involved they're protected. Otherwise they get the blame.

Min

Re: A tragedy (0)

Anonymous Coward | about 4 months ago | (#46525217)

You're right. And it's not just small companies either. Almost everywhere I've ever worked security takes a back seat. Profits, ego, politics, future features, visible bugs, etc always come first.

Re:A tragedy (0)

Anonymous Coward | about 4 months ago | (#46524233)

That is how it should work, but in the real world way too many businesses would rather spend ten times as much on a legal team than on what it costs to have a programmer doing maintenance. You try out responsible disclosure, and get a response from the legal team making all sorts of empty threats from don't tell anyone about it, don't contact us again, to don't dare try to find any other security holes. Even when I worked at a place that had a contract for the vender to maintain and fix bugs in the software, they would deem security bugs as low priority, which meant it never got dealt with. Yet when security problems appeared publicly, more than once a fix was issued within two days. It is like they take the opposite approach, assuming that if one person finds it, someone else probably won't so they just have to manage that one person.

Re:A tragedy (0)

Anonymous Coward | about 4 months ago | (#46525047)

> No, often it works

Often?

So in other words, it doesn't work. Rationalizations like yours are why the security industry is such a mess. The exceptions ARE PART OF THE GENERAL CASE.

Re:A tragedy (0)

Anonymous Coward | about 4 months ago | (#46525075)

There is also the threat of disclosure only to the highest bidder, which the true security people fear more than full disclosure, while the PHB types are the opposite.

Re:A tragedy (1)

shuz (706678) | about 4 months ago | (#46524399)

The only change top down management at Target care about is the stock price and which levers when pulled affect that price. Target already has a very distributed development and IT model where any one person doesn't know much about anything other than the very specific system they work on. Furthermore their infrastructure is highly locked down but clearly there was a fault that was exploited. People feel emotionally violated by any ID theft, which makes sense. However the protections given by credit companies largely cover the fraud and so the average person should not experience a large net loss from the incident. In other words, life goes on.

Each individual in the world is the most significant security threat to each other person. As each individual could eventually find themselves in a position where they can negatively impact someone else. It is up security experts to come up with methods to minimize this effect. Having a net gain of no productivity and having a net loss of no productivity is the only way to be 100% secure. We must take risks as individuals and as a society if we are to have any chance at improving our situation and ultimately survival (net productivity gains). The security stories over the past year are dramatized for maximum impact. They are all useful lessons and provide information for future decisions. But neither Snowden reports nor Target originated ID theft caused net global productivity loss. If anything they created net economic gains as managers poured more money into addressing concerns and avoiding perceived future loss.

momkind (r)evolutionary dna advances (-1)

Anonymous Coward | about 4 months ago | (#46523473)

meeting our needs with more & more new clear options... no bomb us more mom us... never ends hopefully

Beta SuXXXXXXXXX! (0, Offtopic)

Anonymous Coward | about 4 months ago | (#46523491)

Beta Really SUX

If you believe in full disclosure (5, Insightful)

hsmith (818216) | about 4 months ago | (#46523503)

Name the names. Sorry, I simply don't buy the reasoning at all. If the problems were so bad you want to "stop it all together" then you indicate who that person is.

Seconded (2, Funny)

drinkypoo (153816) | about 4 months ago | (#46523533)

"I believe in full disclosure! And I'm not going to tell you why I'm doing this!" Fail, fail. Name and shame or fuck off, we have no time for your enabling bullshit. You have served your purpose, and are now useless. Er, not you, you know who I mean.

Re:If you believe in full disclosure (5, Insightful)

Zocalo (252965) | about 4 months ago | (#46523561)

Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be. Or maybe there is no really significant threat other than some inconvenience, but this is just the straw that broke the camel's back. If not taking down this list would result in the breach of a court order, then this is almost certainly the right tack to take, regardless of how painful it might seem, unless we are expecting John to potentially become another fugitive from justice, like Edward Snowden?

Sure,it's a sad day for freedom of information, and will no doubt have negative consequences due to more information being known only those with malicious intentions and companies sweeping issues under the rug due to lack of exposure, but even so I don't think it's ont that is worth compromising your life over, let alone expecting someone else to do so.

Re:If you believe in full disclosure (1)

Anonymous Coward | about 4 months ago | (#46524061)

Perhaps. By not applying Full Disclosure to the identity of the "insider" that has resulting in this you could accuse John Cartright of breaching his and the list's principles, but without knowing the details of the threat (and the list has resistant many such threats in the past) it's difficult to know what the consequence of that might be....

So, "full disclosure no matter what" is fundamentally flawed because there are situations where it's not appropriate.

Yeah, you could accuse Cartright of violating his principles. And you'd be right.

Re:If you believe in full disclosure (1)

LordLimecat (1103839) | about 4 months ago | (#46524069)

Barring an injunction / gag order, I dont believe anyone can prevent you from disclosing that their threats are why you are taking the list down.

Re:If you believe in full disclosure (1)

idontgno (624372) | about 4 months ago | (#46525119)

You don't believe in "chilling effects?" Threats regarding non-disclosure often include themselves in their subject matter... "you can't disclose X, Y, and Z, and you also can't disclose that you can't disclose X, Y, and Z"... and the threat can be sufficiently onerous to be credible.

I think you overrate the intimidating power of nominally legitimate instruments of judicial power, and underestimate the power of simply dragging someone through the courts for years on end. The process is its own punishment, and the threat of the process is quite often enough.

In other words... (0)

Anonymous Coward | about 4 months ago | (#46523537)

... That stupid cunt of a pseudo-researcher troll has won a sweeping victory. By trolling the list hard into submission that douche bag got even more than he wanted.

Re: In other words... (1)

AudioEfex (637163) | about 4 months ago | (#46524905)

I guess I don't understand why he didn't just tell the guy to fuck off and then ignore him.

just switch moderators he's burned out (4, Insightful)

xxxJonBoyxxx (565205) | about 4 months ago | (#46523557)

As a security guy who has also been on the short end of legal threats too I feel for this guy. He's burned out and could use a year on the beach. Take a year or two at a cushy corporate security job but please keep the list alive - there are plenty of other moderators who would pick up the slack.

Re:just switch moderators he's burned out (0, Troll)

Anonymous Coward | about 4 months ago | (#46523681)

He's burned out and could use a year on the beach.

I hear Guantanamo Bay is lovely this time of year.

Don't see how this is troll (1)

ub3r n3u7r4l1st (1388939) | about 4 months ago | (#46524515)

Here is one hotel in the bay area

http://hotelcaimanera.com/inde... [hotelcaimanera.com]

Of course given your occupation you may be dragged to the naval base nearby and have your room and meal paid for by U.S. government.

Re:just switch moderators he's burned out (1)

ub3r n3u7r4l1st (1388939) | about 4 months ago | (#46524735)

There are reasons why the security guys are paid higher on average than the rest of the IT people or developers.

crime (1, Offtopic)

Fluffy the Destroyer (3459643) | about 4 months ago | (#46523615)

You know, when you commit a crime and another person is aware of that crime and does nothing, that same person is guilty as well. If theres any legal repercusion to this...shouldn't they be involved...just say'n

Re:crime (2)

wonkey_monkey (2592601) | about 4 months ago | (#46523691)

You know, when you commit a crime and another person is aware of that crime and does nothing, that same person is guilty as well. If theres any legal repercusion to this...

a) They're not guilty of the same crime
b) What crime are you talking about?

obligated (1)

Fluffy the Destroyer (3459643) | about 4 months ago | (#46524077)

its a reference. If you commit a crime and did nothing your guilty. I'm not an expert at this but by the law at least where I am, (Canada...perhaps USA as well) if someone commits a crime and do nothing, you are obligated to act...not do nothing and ignore. Thats what I meant. To me being aware of bugs and ignoring those bugs and forcing others to to do so is simply wrong.

Because all too often, devs are assholes (4, Insightful)

WOOFYGOOFY (1334993) | about 4 months ago | (#46523645)

This is what we were talking about yesterday regarding the github brouhaha . Assholism amongst the dev community appears to be so high that, statistically speaking , the odds of being able to run a site like this one, or say have a decent working atmosphere tends to zero once the company is big enough or the site is popular enough.

For significant public-interest websites, you somehow need a serious source of funding just for maintenance work to counter the effects of assholes. For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers . The lesson of git hub and this guy is simple. Software devs are just as bad as anyone in Exxon . They'll drop trou and take a gigantic dump on any aspect of the social contract they want to the moment it suits them.

I am not saying this is in contrast to some golden bygone era of civility. People have always been like this. Well, for a while in software development, before Bill Gates started sending out cease and desist legal notices to people who were copying the software he copied from CPM , there was s kind of golden era perhaps. But then Lucky Autisim Boy started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.

We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.

Re:Because all too often, devs are assholes (1)

ThatsDrDangerToYou (3480047) | about 4 months ago | (#46523809)

... Lucky Autisim Boy

Lols. Who is going to play him in the biopic?

... started to make real money at Microsoft and then IBM decided to start getting software patents en masse and civility retreated to the borders of academic research . Now it appears that's gone also.

We're not better and we're not going to be the ones to usher in a new way of dealing with our fellow humans. What we know for sure now is that just like our most successful exemplars, Jobs and Gates, we're as exploitative, opportunistic amoral and dehumanizing as the next industry. And that's a little sad.

Well, to be fair, "we" (is there a "we"?) are not known for our people skills. I guess about the best I can hope for is that my immediate bosses shield me from most of the assholes. There are pockets of good within the morass of ass. Plus, there are hot women here! (Pro tip: work in life sciences)

Re:Because all too often, devs are assholes (0)

Anonymous Coward | about 4 months ago | (#46524269)

>I am not saying this is in contrast to some golden bygone era of civility. People have always been like this. Well, for a while in software development, before Bill Gates started sending out cease and desist legal notices to people who were copying the software he copied from CPM , there was s kind of golden era perhaps.

Nahhh... might not be software development, but back then, it was all the same (2 years before BG's letter):

http://i.imgur.com/sA22hGY.jpg

"Smart" jobs seem to attract people who decided to work hard to become smart just so they could be smarter than others, rather than for the education itself. :(

Re:Because all too often, devs are assholes (1)

PPH (736903) | about 4 months ago | (#46524815)

People have always been like this.

Not to this degree. The Internet has made anonymity much easier than in the past. As a result, people can pull a*hole stunts with little risk to their reputation.

I'm not saying we should get rid of anonymity. But we need to develop the culture to give a statement credibility in line with its possible cost to the speaker. Back in the 'old days', if you didn't confront your opponent publicly, you got laughed out of town.

Re:Because all too often, devs are assholes (1)

idontgno (624372) | about 4 months ago | (#46525175)

For companies, they're basically pirate ships populated by people who think of themselves as laws unto themselves, as glorious buccaneers .

Ok. Who else read this sentence and visualized the Crimson Permanent Assurance [wikipedia.org] sailing the Bounding Main (Street)?

I had to smile, even though the real topic is depressing as hell.

Expert shares thoughts on Flight MH370 (-1)

Anonymous Coward | about 4 months ago | (#46523701)

The web has changed since 2002.... (1)

scorp1us (235526) | about 4 months ago | (#46523707)

We have easier ways of collecting information. We could even do it in a decentralized manner so there is no one to moderate/sue.

The real priority here... (5, Funny)

Anonymous Coward | about 4 months ago | (#46523815)

Isn't finding out who made the threats. Where can we find the Furry porn?

Re:The real priority here... (1)

Shoten (260439) | about 4 months ago | (#46523931)

Isn't finding out who made the threats. Where can we find the Furry porn?

Find a local LARP and ask around. They'll know.

Re:The real priority here... (0)

Anonymous Coward | about 4 months ago | (#46524655)

Isn't finding out who made the threats. Where can we find the Furry porn?

The archives are still up at e621 [e621.net] . For now at least :3

A sad day indeed (0)

Anonymous Coward | about 4 months ago | (#46523913)

As one of the first subscribers back when it started, let me just say THANK YOU for the wonderful service you have provided over the years. Your efforts were probably the single most influential source for getting a lot of the big vendors motivated to provide more timely patches and fixes for their often poorly developed and quality tested code. You have my admiration for putting up with it as long as you have. I hope someone else will have the courage to pick up where you left off. There is no other really effective way to keep the vendors honest imho.
Best wishes on your new adventures!
K

Lets make this expensive for the dweeb (1)

Anonymous Coward | about 4 months ago | (#46523957)

Ok folks, some dweeb is trying to edit reality so that he looks better. He is probably threatening the list if they don't edit it to make him look less stupid. I think if this person has to bring a few thousand of us to court to edit reality, then it will get very expensive. Here is a copy of my MBox file of Full Disclosure from way back in 2002 to the present. It's quite complete and I'm sure what this idiot is trying to erase is in there. How many of you are willing to do the same?

http://www.baribault.com/FullD... [baribault.com]

Re:Lets make this expensive for the dweeb (1)

Anonymous Coward | about 4 months ago | (#46524325)

Or, just joyfully give him what he asks for.
      Because after a select subset is deleted, a diff with the originals is MUCH easier.

Why work to figure out what is bugging the gentleman when he is willing to do the work for you?

So where did you say that archive was ;-)

Skills Levels of Hacking Community (5, Interesting)

ObsessiveMathsFreak (773371) | about 4 months ago | (#46524111)

There is no honour amongst hackers any more. There is no real community. There is precious little skill.

This quote should concern everyone. We have now had an entire generation of programmers raised on walled garden apps, cookie-cutter scripting libraries, and above all a wave of cheap VC funding and hardware. How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot? How many people, young people, are there who can write an OS kernel, design a basic circuit, and at a more pertinently serious level, reliably write software to implement mathematical encryption algorithms.

Reading this I'm inclined to believe that recent meme post about how the programming/silicon valley community has been taken over by "brogrammers", "hipsters" and "neckbeads", which to my mind are simply constitute cultural re-skinnings of the infamous Visual Basic programmers of old.

I worry that the unglamorous, mostly uncompensated, and largely intellectually driven practice of pure software programming and creation has been left behind in recent years. I personally have noticed little progression and indeed in many areas a general regression in the quality and reliability of software since approximately 2006/7.

While I would attribute this to my general "civilization is in decline" zeitgeist worries, my frustrations with software, UIs, and websites in particular has undoubtedly increased manifestly in the last 2-3 years or so. Maybe I'm just getting old -- or maybe programmers really are getting worse.

Re:Skills Levels of Hacking Community (0)

Anonymous Coward | about 4 months ago | (#46524421)

The quotes concerns me not at all, given that it's sour grapes from someone who's at the end of his tether, and not a fair judgement of reality.

How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot?

Thousands. There are also tens of thousands of mediocre programmers who didn't exist before, so the average went down, but the peak stayed the same, or is even higher. I mean I personally know at least a dozen programmers good enough to do any of the above, and my circle of friends numbers around 200, so extrapolate from there.

a general regression in the quality and reliability of software since approximately 2006/7.

You don't say what kind of software. Apps didn't exist in 2006 so you can't say they've got any worse. Desktop apps don't seem to be getting worse - most of the ones I use have steadily improved over the last 10 years. As for server software, Google is writing software today with a quality and reliability level that wasn't even possible twenty years ago. And more and more people are moving over to *IX systems - the PS4 OS is a thing of beauty compared to the PS3 OS, because it's based on FreeBSD. Things are just getting better and better.

Re:Skills Levels of Hacking Community (2, Insightful)

Anonymous Coward | about 4 months ago | (#46524445)

How many people are left out there that can build the likes of Bittorrent, Bitcoin, a language like C, a game like Elite, or even a site like Slashdot?

That's a wide range of problems to solve.
    C is special, probably not rateable.
    For the rest, a few percent of focused folks with the right attitude, education, mentoring, experience, and luck.
    The answer hasn't changed in 50 years.

What has changed is that available tools let the rest of the folks do much more widely useful work.
      (Except of course for the bug/security thing.)

Re:Skills Levels of Hacking Community (1)

Sockatume (732728) | about 4 months ago | (#46524653)

They're off doing the more interesting things that are enabled by the high level-languages and tools you decry: designing robotic swarms, writing interactive protein folders, analysing the semantic content of language through the internet. People didn't lose interest when they abandoned the old tools, they abandoned the old tools because they're not the only intellectual game in town.

Full Disclosure was just a marketing vehicle (1, Insightful)

Anonymous Coward | about 4 months ago | (#46524341)

I followed Full Disclosure for years and it was really nothing more than a marketing vehicle for unknown wannabe white hats to get noticed and get a job. Then there were the black hats who used it to brag about their latest criminal activities. And finally there were the trolls, the most consistent (and crazy) of which was "Weev" who was later arrested and jailed for the AT&T iPad user id/email URL guessing thing.

It was never really anything more than a source of amusement. Twitter and Pastebin have really made public mailing lists obsolete.

Re:Full Disclosure was just a marketing vehicle (1)

AlterEager (1803124) | about 4 months ago | (#46525065)

Twitter and Pastebin have really made public mailing lists obsolete.

I have no opinion of the rest, but this bit needs a +1 Funny.

He is.... (0)

Anonymous Coward | about 4 months ago | (#46524385)

..... right and there is nothing left anymore online, the internet was a place to escape the outside world, now it is the outside world!
(not to sound racist) This is how it must have felt when the white people stole the black music and fucked it up..... completely shit!

Re:He is.... (0)

Anonymous Coward | about 4 months ago | (#46525017)

..(not to sound racist) This is how it must have felt when the white people stole the black music and fucked it up..... completely shit!

Who stole what from who and did what to it you say?
http://www.scotsman.com/what-s-on/music/black-music-from-scotland-it-could-be-the-gospel-truth-1-1293195

The whole security world is in a very bad shape (4, Insightful)

Opportunist (166417) | about 4 months ago | (#46524459)

The snakeoil peddlers and smokescreen builders are in full swing. I guess it's the "in the kingdom of the blind, the one eyed is king" thing, where security managers who have no clue hire consultants who have a little bit thereof. I recently handed in my resignation as the CISO of a fairly large logistics giant because I reached the point where I could no longer carry the responsibility, especially for customer data.

I come from a technical background. Not a business one. I'm neither manager nor beancounter by education, though I now have to pose as one. My security "career" started out with malware analysis and reverse engineering. With time, I ended up in management, eventually shifting over to another job and reaching said CISO position, after digging through the depths and pits of security management, process management and IT-management in general. I learned what makes managers tick and why they're so in love with IT-governance tools: They offer a lot of neat business ratios that allow you to pretend you know what your company is doing without even having to understand it.

And this is where the problem starts. Because IT-Consulting companies jumped that bandwagon instantly. Their main selling point today is that they deliver you some of those business ratios. That's what is wanted. Nobody gives a shit whether they know what they're doing or whether they have some key pushing monkeys that can barely decypher the output of Nessus. Because that's what 9 out of 10 consultants we hired (I had to, don't look at me like that!) could do, and little more. Fire up some automated analysis tool and have it sit there, collect data, then compile some neat looking report (i.e. copy/paste the output, then write a summary based on the fill-the-gaps crib sheet).

'scuse me, but I don't need a consultant for a few 100 bucks an hour just to push 3 buttons, and then end up with a "security analysis" that doesn't even find half the problems!

The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?

But they get away with that. For two reasons. First, the average security manager knows even LESS than them. The average security manager is first and foremost a manager, not a technical person. He knows the processes, he knows the procedures, he maybe knows the legal stuff it entails. But lacks the intimate knowledge of the inner workings of networks and computer systems. In such a world led by the blind, the one eyed can easily become their king. And because they know processes, procedures and legal foundation, they also know what leads to problem number two: It doesn't matter. They're safe. They did everything ISO27001 demands, they did everything BS7799 requires, they did everything their governance framework expects, they're safe. Their company isn't, but why should they give a shit? Their job is safe, that's what matters. To them, at least.

And no, I have no idea how to improve that situation. No matter what you change, you're not going to get any better results.

Re:The whole security world is in a very bad shape (2)

Xaedalus (1192463) | about 4 months ago | (#46524807)

Speaking as someone who came into the IT industry in his 30's and is a finance analyst, I can tell you this: business is a game. Your managers and your product managers and your executives (particularly those with MBAs) all know that business is a meta-level game. It doesn't matter what you produce, code, or what market you serve--at a certain level it's all about profit, loss, retooling your resources, and ultimately figuring out what tactics will generate maximum profit while keeping costs as low as possible. Those business ratios you speak of are what businesses live and die by at the Exec/Managerial level. Or, think of it as a MTG game: you have two or more players, with a 60 card deck. Depending on the build of the decks involved, one player could recycle their cards from the graveyard, while the other person has a burn deck. No matter what--the game is going to come to an end at some point. Each player has a win strategy, which also coincidentally happens to be an exit strategy. The game goes on, each player uses their resources as best they can. One person wins, one person loses, and that's it. They then move on to another game. That's exactly what happens in the executive/managerial world, especially in IT. Quality, quantity, reputation, service, sales, they're all just levers. Now, you'll always have the rare company that focuses on a specific reason for its existence that ISN'T primarily to make profit (Pixar, Apple, Google) but those are a rarity. Sturgeon's law applies to business operations just as it does to anything else. Business is a game--and for 90% of the employers out there, you are a replaceable resource who will be kept on as long as your value (technical, social, etc.) exceeds your cost, because that's what business IS. It's a process, a game.

To me, it's shocking how many product managers I've met who don't really give a damn about their products, they're more focused on developing their products to be -good enough- to sell in the market. But then once I spent enough time around them (and most of them are just MBAs), it made sense. They learned that business is just a game, and they don't take it personally. They have enough connections and networking that they simply move on to the next job and treat it like a game too. The rest of us (non-execs and managers) take this personally--and that's our problem.

Re:The whole security world is in a very bad shape (0)

Anonymous Coward | about 4 months ago | (#46525237)

Cynics as you describe then will never make anything great in their life. In other words, they waste their life for mediocrity.

Just think about Steve Ballmer, he was an MBA, but you bet he was 1000% loyal to the company. He fought for it, he sweated for it, he was a mindless bulldog.
And he was successful as long as a mind (Gates) decided for the bulldog.

Similar things can be said about Ellison, Piech, Jobs, Gates, Hewlett, Packard and tons of little companies who lead in their niche. Many of those do this for generations, like Rohde&Schwarz.

Re:The whole security world is in a very bad shape (1)

swb (14022) | about 4 months ago | (#46524973)

The least I'd expect from a consultant is that he knows more about a subject than I do. Else, well, why have him? Why should I pay him if he should rather consult me than me him?

IT consulting is just bluster, a kind of bluffing game. The idea that with a slightly greater variety of experience, the consultant knows more than the fixed-environment guy who only knows his own environment. IT consulting as a business plays on the notion that this is more true than not and that most of the time you will know more than the client does.

I think it's easy to fall into the trap that there is always somebody who knows more and has all the answers. It's why consultants get hired and why people pay for technical support contracts. Sometimes its true, but I think too often the idea that there is an "expert" who really does know (and isn't just better than average at deducing ad-hoc solutions to similar problems) is flawed.

dma8e (-1)

Anonymous Coward | about 4 months ago | (#46524525)

And the bottom Arch1tecture. My

I blame Bush! (0)

Anonymous Coward | about 4 months ago | (#46524639)

Ever since he made it okay to torture people, civilization has gone to hell. It's okay now to be a total brute.

Don't make me go in that briar patch (0)

Anonymous Coward | about 4 months ago | (#46524831)

I think the guy that started this should get his way.
    Let the stuff that's upsetting him be changed.

Then it will be easier to diff this against archives and highlight what is causing him grief.

Let him do the work to make it more public.

Re:Don't make me go in that briar patch (0)

Anonymous Coward | about 4 months ago | (#46524911)

Of course in an civil community, one might help him think through the consequences and see if he wants to rethink his request.
    Not sure if 'rethink' is the right word if there wasn't much thinking in the first place?
    Worst case, there was thinking, just not so good. More might result in trying to boil the ocean by trying to make all archives magically cease to exist.

The beach thing sounds like a good plan as well.

Meh, obsolete anyway (1)

SmurfButcher Bob (313810) | about 4 months ago | (#46525117)

<sarcasm>...and good riddance. Look guy, Ellison said it - Oracle's database has not been hacked in over a decade.

*cough*

Go Guerilla (0)

Anonymous Coward | about 4 months ago | (#46525163)

Distribute via TOR or GNUnet. Sign pseudonymously using GNUpg.

Free advice from Deep State Germany.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>