[This was originally published on the OSVDB blog.]
After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two being speculated possibilities in my mind were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was potentially sent to Cartwright among others. As such, I believe this is the “straw that broke the camels back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record.
As I previously noted, relying on Twitter and Pastebin dumps are not a reliable alternative to a mail list. Others agree with me including Gordon Lyon, the maintainer of seclists.org and author of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose. Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headache, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.
Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.
From: Nicholas L. ([redacted])
Date: Tue, Mar 18, 2014 at 9:11 PM
Subject: Abuse from $ISP hosts
To: abuse@Dear Sirs,
I am writing you to launch an official complaint relating to Data
Protection Directives / and Data Protection Act (UK).Therefore my request relates to the retention of personal and confidential
information by websites hosted by Secunia.These same information are also shared by UK local and governmental
authorities and financial institutions, and thus there are growing
concerns of misuse of such information.Consequently we would like to request that you please delete ALL records
containing our personal information (names, emails, etc..) in whole, from
your hosted websites (seclists.org) and that distribution of our
information is ceased . We have mistakenly posted to the site, and however
reserve the creation rights to that thread, and also reserve the right to
have all personal information deleted, and ceased from any electronic
dissemination, use either partially or in full.I hope that the issue is resolved urgently without the involvement of local
authorities.I look forward to hearing from you soon.
Thanks in advance,
*Nicholas L.*
[Update Mar 26, 2014 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas L. has threatened me in various ways in a set of emails, all public now.]
[Update Nov 26, 2025: I have redacted the last name and email address in the email and update above, which was lawfully obtained and I was given permission to post publicly. Why? I have received multiple attempts to have this material taken down completely from one Mr. Muhammad Kareem / Fahran Khan who first claimed to be a “legal representative” on behalf of one “Nicholas Lemonias”, and after being challenged now says “authorized representative”. I believe it is important to point out that preliminary evidence collected suggests Mr. Kareem / Khan sells this “take-down” service via Fiverr and/or other platforms, and is a resident of Pakistan, not Europe. If you would like more history of the individual related to his public posts and the Full-Disclosure mail list, you can read the archive. By redacting the information above, I am complying with the GDPR request (after a failed fraud/abuse request, after a failed 2014 DMCA request, and after a failed report to my local police) as a gesture of good faith, despite both individuals above approaching me in bad faith from the start. That said, I am within my rights to share the names of the persons filing these complaints against me. Enjoy the Pyrrhic Victory kids.]
Leave a Reply