Wesley 'Arthur' Kenzie, aka Securikai

Despite publishing the article as 'Jericho' and every HTML page having a contact on attrition.org, Kenzie opted to contact me at my OSF address, which is unrelated to Errata work. Presumably, this was his first shot at showing his stellar 'recon' abilities.

Subject:        watch list?
Date:   Mon, 23 Jan 2012 20:55:29 -0800
From:   Arthur (Wesley) Kenzie (wkenzie[at]securikai.com)
To:     bmartin@OSF

Brian, do you have a PGP/GPG key you could share with me to allow
encrypted communication? I presume you are Jericho?

Arthur (Wesley) Kenzie
wkenzie@securikai.com 
GPG/PGP public key 0x831b2c89
Skype wkenzie
iMessage wkenzie@me.com 

Confidentiality Statement: This e-mail, including attachments, may
include confidential and/or proprietary information, and may be used
only by the person or entity to which it is addressed. If the reader of
this e-mail is not the intended recipient or his or her authorized
agent, the reader is hereby notified that any dissemination,
distribution or copying of this e-mail is prohibited. If you have
received this e-mail in error, please notify the sender by replying to
this message and delete this e-mail immediately. Thank you.


From: security curmudgeon (jericho[at]attrition.org)
To: wkenzie@securikai.com
Date: Wed, 25 Jan 2012 18:59:40 -0600 (CST)
Subject: You can mail me here...

... and we don't need PGP for it.

Given the contact address at the bottom of the article is 'errata@attrition.org', 
and any rational search would find this one first, I am not sure why you went 
searching for any other address.

jericho


Despite being told to mail me at attrition, he still CCs my OSF address, which was not included in my reply.

From: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
To: security curmudgeon (jericho[at]attrition.org)
Cc: bmartin@OSF
Date: Thu, 26 Jan 2012 10:10:34 -0800
Subject: Re: You can mail me here...

No need for PGP? or GPG? I am uncertain what you mean. What about authentication? 
And tamper resistance? Or am I just naive to think it actually works as advertised?

I see that your orgs have relied on PKI in the past:
http://pgp.mit.edu:11371/pks/lookup?search=attrition.org&op=index
http://pgp.mit.edu:11371/pks/lookup?search=opensecurityfoundation&op=index

But aside from that, I wanted to know how I might get kicked off your watch list?

Wesley
GPG/PGP public key 0x831b2c89

[Stupid e-mail disclaimer removed]


From: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
To: security curmudgeon (jericho[at]attrition.org)
Date: Fri, 27 Jan 2012 09:48:55 -0800
Subject: Fwd: You can mail me here...

Are you aware of who owns atrition.org and attrittion.org? They appear to have been 
registered on Dec 12, 2011. Are you atritionorg@yandex.ru or is that someone else? 
Domaintools says that atritionorg@yandex.ru owns 4 domains, so I presume that means 
2 others besides these 2.

I have nothing to do with either/any of these domains. I was just checking today to 
see what came up. And I am just passing this on to you in case you didn't know already, 
and might want to know.

-- Wesley


From: security curmudgeon (jericho[at]attrition.org)
To: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
Date: Fri, 27 Jan 2012 15:40:21 -0600 (CST)
Subject: Re: You can mail me here...


On Thu, 26 Jan 2012, Arthur (Wesley) Kenzie wrote:

: No need for PGP? or GPG? I am uncertain what you mean. What about
: authentication? And tamper resistance? Or am I just naive to think it
: actually works as advertised?

You are naive to think I care that much about someone tampering with your
mail in transit to me. You are naive to think someone would spoof mail
from you to me in this manner, given the timing. Further, you are really
naive, bordering on "criminally stupid" not fully understanding the
implications of PGP signing all of your mails.

: I see that your orgs have relied on PKI in the past:

I see that you make wildly stupid assumptions. That, or you simply do not
understand the meaning of the word "relied". Just because someone has a
PGP/GPG key, doesn't mean they rely on it, or use it for their hundreds of
mails every day.

: But aside from that, I wanted to know how I might get kicked off your
: watch list?

Stop trying to extort companies for starters.

: Confidentiality Statement: This e-mail, including attachments, includes
: confidential and/or proprietary information, and may be used only by the
: person or entity to which it is addressed. If the reader of this e-mail
: is not the intended recipient or his or her authorized agent, the reader
: is hereby notified that any dissemination, distribution or copying of
: this e-mail is prohibited. If you have received this e-mail in error,
: please notify the sender by replying to this message and delete this
: e-mail immediately. Thank you.

Really? Yes, very naive.


From: security curmudgeon (jericho[at]attrition.org)
To: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
Date: Fri, 27 Jan 2012 15:43:24 -0600 (CST)
Subject: Re: Fwd: You can mail me here...


On Fri, 27 Jan 2012, Arthur (Wesley) Kenzie wrote:

: Are you aware of who owns atrition.org and attrittion.org? They appear
: to have been registered on Dec 12, 2011. Are you atritionorg@yandex.ru
: or is that someone else? Domaintools says that atritionorg@yandex.ru
: owns 4 domains, so I presume that means 2 others besides these 2.

I don't know him by name, but I know generally of him. It is a standard
typosquatting attack leading to a domain that has a bunch of false
information about me that is trivial to verify as false. But, that type of
attack isn't meant to sway intelligent people.

I imagine you were looking to snatch that up to make a point or try to
sell the domain to me. Tough luck, another douchebag beat you to it.
Attrition.com has received a lot more of our mail historically than any
other domain anyway. And I don't care that they do either. Feel free to
snap up any domain you want that looks or smells like this one.

: I have nothing to do with either/any of these domains. I was just
: checking today to see what came up. And I am just passing this on to you
: in case you didn't know already, and might want to know.

Yes, I am well aware of it and a lot more related to that domain.
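
The two domains raised above are the textbook typosquats of attrition.org: one drops a letter, the other doubles one. The following is an added example, not code from this thread or from attrition.org, that enumerates the single-edit typos of a domain a registrar can sell (omission, repetition, adjacent transposition, neighbouring-key substitution) and checks a list of observed registrations against them. The observed list is constructed for the example and mixes the two names from the thread with unrelated domains; the QWERTY neighbour table is an assumption about which fat-finger errors matter, and no WHOIS lookup is performed.

```python
"""Typosquat candidate generation for a registrable domain name.

Added example, not code from the thread. It enumerates the single-edit
typos a registrar can sell (drop a letter, double a letter, swap two
adjacent letters, substitute a neighbouring key) and checks a list of
observed registrations against that set. The OBSERVED list below is
constructed for the example and no WHOIS lookup is performed.
"""

# Keyboard neighbours for a QWERTY layout (assumption: the attacker
# targets physical fat-finger errors; other layouts change this table).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def split_domain(domain):
    """Return (label, suffix) for a two-part name such as 'attrition.org'."""
    label, _, suffix = domain.lower().partition(".")
    if not label or not suffix:
        raise ValueError(f"expected label.suffix, got {domain!r}")
    return label, suffix


def typo_candidates(domain):
    """Map each plausible single-edit typo of `domain` to its edit class.

    The first edit class that produces a name wins, so a name reachable
    by two different edits is reported once.
    """
    label, suffix = split_domain(domain)
    domain = f"{label}.{suffix}"
    out = {}

    def add(name, kind):
        full = f"{name}.{suffix}"
        if full != domain and full not in out:
            out[full] = kind

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")        # attrition -> atrition
        add(label[:i] + ch + label[i:], "repetition")     # attrition -> attrittion
        for alt in QWERTY_NEIGHBOURS.get(ch, ""):
            add(label[:i] + alt + label[i + 1:], "substitution")
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        add(swapped, "transposition")                     # attrition -> atrtition
    return out


def match_registrations(domain, observed):
    """Return {observed_name: edit_class} for names that are typos of `domain`."""
    candidates = typo_candidates(domain)
    hits = {}
    for name in observed:
        key = name.lower()
        if key in candidates:
            hits[key] = candidates[key]
    return hits


# Constructed sample: the two domains named in the thread plus noise.
# A different TLD (attrition.com) is deliberately not treated as a typo.
OBSERVED = ["atrition.org", "attrittion.org", "attrition.com",
            "example.org", "securikai.com"]

if __name__ == "__main__":
    for name, kind in sorted(match_registrations("attrition.org", OBSERVED).items()):
        print(f"{name:20} {kind}")
```

Run stand-alone, the script reports atrition.org as an omission and attrittion.org as a repetition while ignoring the other three names. Candidate generation is the cheap half of the job; the expensive half, resolving each candidate and pulling registration data, is left out here because it needs network access and per-registrar rate limits.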


From: "Arthur (Wesley) Kenzie" (wkenzie@securikai.com)
To: security curmudgeon (jericho[at]attrition.org)
Date: Fri, 27 Jan 2012 14:09:31 -0800
Subject: Re: You can mail me here...

On 2012-01-27, at 1:40 PM, security curmudgeon wrote:

: 
: : But aside from that, I wanted to know how I might get kicked off your
: : watch list?
:
: Stop trying to extort companies for starters.

But I am not, nor was I ever. Distilling all the information I provide in my 
confidential disclosure to companies down to one "without prejudice" reference 
to a non-provident negotiated or mediated fee for expertise is a stretch to
call me an extortionist. And it ignores the main issue of vulnerability that 
I am bringing to their attention. How would you suggest anyone do research on 
how companies respond to learning they have messed up? I'm open to suggestions.
But barking at me seems like a classic case of trying to cause a distraction 
away from the core negligence I have exposed. Also, minimizing this vulnerability 
for any reason is just wrong based on the evidence I have seen, and will be
publishing later this year.

But if none of this carries any weight for you, I still am interested in knowing 
what it would take to convince you.


As you can see from his reply, he doesn't think he is trying to extort companies. Going out of his way to pay for the resources needed to illegally intercept their mail, contacting the company to say he did it, and offering them a way to stop it from happening for the low price of $25,000 is not "extortion" to Kenzie; it is "security research". Trying to reason with him is a waste of time.

