The Death and Re-birth of the Full-Disclosure Mail List

After John Cartwright abruptly announced the closure of the Full Disclosure mail list, there was a lot of speculation as to why. I mailed John Cartwright the day after and asked some general questions. In so many words he indicated it was essentially the emotional wear and tear of running the list. While he did not name anyone specifically, the two biggest names being speculated were ‘NetDev’ due to years of being a headache, and the more recent thread started by Nicholas Lemonias. Through other channels, not via Cartwright, I obtained a copy of a legal threat made against at least one hosting provider for having copies of the mails he sent. This mail was no doubt sent to Cartwright among others. As such, I believe this is the “straw that broke the camels back” so to speak. A copy of that mail can be found at the bottom of this post and it should be a stark lesson that disclosure mail list admins are not only facing threats from vendors trying to stifle research, but now security researchers. This includes researchers who openly post to a list, have a full discussion about the issue, desperately attempt to defend their research, and then change their mind and want to erase it all from public record.

As I previously noted, relying on Twitter and Pastebin dumps are not a reliable alternative to a mail list. Others agree with me including Gordon Lyon, the maintainer of and author of Nmap. He has launched a replacement Full Disclosure list to pick up the torch. Note that if you were previously subscribed, the list users were not transferred. You will need to subscribe to the new list if you want to continue participating. The new list will be lightly moderated by a small team of volunteers. The community owes great thanks to both John and now Gordon for their service in helping to ensure that researchers have an outlet to disclose. Remember, it is a mail list on the surface; behind the scenes, they deal with an incredible number of trolls, headache, and legal threats. Until you run a list or service like this, you won’t know how emotionally draining it is.

Note: The following mail was voluntarily shared with me and I was granted permission to publish it by a receiving party. It is entirely within my legal right to post this mail.

From: Nicholas Lemonias. (
Date: Tue, Mar 18, 2014 at 9:11 PM
Subject: Abuse from $ISP hosts
To: abuse@

Dear Sirs,

I am writing you to launch an official complaint relating to Data
Protection Directives / and Data Protection Act (UK).

Therefore my request relates to the retention of personal and confidential
information by websites hosted by Secunia.

These same information are also shared by UK local and governmental
authorities and financial institutions, and thus there are growing
concerns of misuse of such information.

Consequently we would like to request that you please delete ALL records
containing our personal information (names, emails, etc..) in whole, from
your hosted websites ( and that distribution of our
information is ceased . We have mistakenly posted to the site, and however
reserve the creation rights to that thread, and also reserve the right to
have all personal information deleted, and ceased from any electronic
dissemination, use either partially or in full.

I hope that the issue is resolved urgently without the involvement of local

I look forward to hearing from you soon.

Thanks in advance,

*Nicholas Lemonias*

Update 7:30P EST: Andrew Wallace (aka NetDev) has released a brief statement regarding Full Disclosure. Further, Nicholas Lemonias has threatened me in various ways in a set of emails, all public now.

5 responses

  1. anonymous coward | Reply

    If Nicholas Lemonias actually exists, he is a very petty person. “Look I can upload data to Youtube” is hardly worth all the vitriol he’s put into defending his “discovery”. This thread alone would have cost him future customers and this final act likely costs him future employers, too.

  2. Can’t wait for the Streisand effect to hit on this.

  3. This email was clearly a stupid prank

  4. And which verifications are performed to verify that this abuse letter isnt a spoofed one?

  5. I’m really having a difficult time grasping the semi incoherent Lemonias email and it’s relevance to Full Disclosure or any other public forum. It’s basis is without merit, legal or otherwise.

    Nevertheless, once information is released into the public domain, that’s it kids. It’s a one way ticket. All rights to confidentiality dissolve. There is no deleting it. Erroneous information can be corrected with a retraction but the incorrect information is never subject to deletion.

    There are certain freedom of press issues that cannot be denied nor circumvented (though you’re mileage may vary depending on where the information is published). The internet gives each of us a great amount of personal power to be heard and considered by the broad masses. With great power comes great responsibility. Blaming the publisher for the author’s gross negligence is akin to shooting the messenger.

    Lemonias needs to atone for his misdeeds, not pass the buck to Full Disclosure. Lemonias alone (and people like him) are responsible for any breaches of confidentiality or failures to comply with data and disclosure directives. Asserting copyrights to content that you post to a public forum when such rights are specifically waived pursuant to the “terms of use” of the publisher is naive at best.

    Never cave to unsupportable threats. When you give up your rights to publish, you might as well give up your freedom of speech.

    I fully support Gordon and his efforts to salvage and maintain the continuity of Full Disclosure.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: