morgan
I recently was reminded of the full disclosure mailing list again after reading a paper about the ZF0-5 event that occurred around 2009. The ZF0 event was interesting on its own, but I'll save that for another post.
The FD list is long and storied. I first subscribed around 2017 only to later never look at it except when I was searching for something on the off chance that FD would have an exploit.
Recently though I decided to plug in the names of a few individuals that I knew had contributed to the list and ended up coming across my mentor. I really want to preface this with the fact that I have an immense amount of respect for the guy: He's brilliant and applied; far more than I.
With that said, what I read was nothing short of a public tiff that he had gotten into with another high-profile individual. It was interesting to see a man who was largely a big-fish-in-a-little-bowl be talked to as a peer by another individual. I'd never seen it done before because most people couldn't keep up with my mentor. As I witnessed the mailing list conversation I quickly realized how silly this person I respected sounded:
- He was unrealistically alarmist: In infosec, the absolute bane of the profession are individuals who choose to raise the alarm over minutiae for the purpose of being able to impress leadership, save face, or cover their own asses.
- He was critical without providing a solution: perhaps the easiest way to annoy anyone, this doesn't need much explanation. Don't be a jerk, help out if you're going to criticize an idea, especially if the idea you're criticizing is in the infancy stages.
- He was speculative: the cardinal sin of our industry. Speculation about "what could happen" only serves the individual who brings it up. At best, your speculation is convincing and you are able to put on airs for the layman crowd. At worst (and this always applies if there is a technical audience), people see through the speculation as motivated by either incompetence(80%) or malice (20%).
Personally, this sounds like a lot of people in this industry and it's difficult to fault anyone for something that they posted ~5 years ago as I think this is all something that we inevitably grow though.
In the interest of full disclosure (not the mailing list), I'm personally guilty of speculating. I've been doing it throughout my entire career here. Imposter syndrome is real and speculation is cope for not being able to find anything "good". It takes real guts to look at an application or network and hand in an empty/minimal report with a straight face. It takes courage and confidence to say "Hey, I didn't find anything. Good job".