From time to time, we receive questions about the attrition.org/errata/ pages. If you still have questions after reading this, please mail us: errata[at]attrition.org
Started in 1999, the Errata Project was designed to create a repository of specific information about the security industry and people operating within it. The focus of Errata is to catalog incidents that show the security industry, which should be a model of integrity, often lacks not only integrity, but also morals and ethics.
Over the years, the number of people working on Errata has ranged between 2 and 10. If you count sources that provide tips and information, the number would easily be more than twenty.
Not only do we verify the information we post, we go to great lengths to include as much of the background information as possible, so that anyone may independently verify the posted details themselves. Almost everything is peer reviewed by another project member before being posted.
We do not have a policy. In some cases, contact is made before publishing depending on the type of write-up. When a subject publishes something (e.g. book, article, blog post) they are putting it out there for peer review, whether they like it or not. In that theme, we do the same. The difference is, we typically have an internal review process to help avoid inaccurate material.
Anyone may dispute the information we post, whether or not they are a person we have written about. We believe in peer review and welcome extra sets of eyes going over our published material. If you find something you feel is inaccurate, or lacking in details, please contact us with additional information so that we may update or remove the information as warranted. Contact errata[at]attrition.org with the URL in question, additional details, and references to the information if possible. If you have information that should not be attributed to you, please indicate that clearly. We protect sources just as good journalists do. Note: information provided by someone who does not wish attribution, and that has no external reference, might not be used until we can independently validate it.
Yes. Not only do we consider any disputes sent to us, we have proactively removed articles based on new information that came to our attention. This has led us to edit and/or remove content without the original article being disputed in any manner. Further, at least one person has been removed from the Charlatan Watch List after extensive conversations with the individual in conjunction with additional review of material.
We firmly believe in giving people a fair shot. If a person demonstrates that they made a few mistakes, but have since demonstrated awareness of those mistakes, apologized for them (if appropriate), and taken steps to avoid such mistakes moving forward, then the Watch List has served its purpose and the person should no longer be included.
To some degree, yes, the Errata Project is a 'negative' endeavor. We focus on the bad in the security industry. However, we feel it is necessary in order to help the industry learn from previous mistakes and strive to improve. This project is really no more negative than a standard vulnerability assessment; both look for the weaknesses and flaws in a system with the intention of reporting them to the appropriate parties.
Additionally, please consider the DatalossDB.org project. That was originally a project here on Errata that was moved to the care of the Open Security Foundation to enjoy better resources and management.
The best way to help is to provide us with information. If you see something bad within the security industry, report it. If you have found plagiarism or dealt with a professional who does not seem to be qualified, let us know. In addition, we have a published wish list, which also has a detailed ledger of the money received and spent related to this project.
We encourage people to download and host this information. Because the content changes frequently, we do not make an archive available. We do encourage you to use 'wget' to grab a copy of the site.
$ wget -w 2 -m -k -K -U "Squirrel Storage" http://securityerrata.org/
(-w 2 waits two seconds between requests so the crawl does not hammer the server, -m mirrors recursively with timestamping, -k converts links in the downloaded pages so they work for local browsing, -K keeps a .orig backup of each file before it is converted, and -U sets the User-Agent string sent with each request.)
Note: This will convert the absolute paths to relative on your side, but wget only does the conversion in a final pass after the download has finished. You must let the command complete naturally for it to work; if you interrupt it, the saved pages will still point at http://securityerrata.org/ instead of your local copy.
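Because wget's link conversion only runs after the whole crawl finishes, an interrupted mirror looks complete on disk but still links back to the live site. The following is an added example (not part of the original page or the project's own tooling) of a quick post-mirror check: it counts saved HTML files that still carry absolute links to the mirrored host. The host name, directory layout and the two sample pages are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from attrition.org: verify that a `wget -m -k` mirror
# actually had its links converted. The host below is an assumption.

MIRROR_HOST="securityerrata.org"

# count_unconverted DIR [HOST]
# Prints the number of .html/.htm files under DIR that still contain
# href= or src= attributes pointing at http(s)://HOST/. A non-zero count
# usually means wget was interrupted before its final -k conversion pass.
count_unconverted() {
    dir="$1"
    host="${2:-$MIRROR_HOST}"
    find "$dir" -type f \( -name '*.html' -o -name '*.htm' \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -E "(href|src)=[\"']https?://$host/" "$f"; then
            printf '%s\n' "$f"
        fi
    done | wc -l | tr -d ' '
}

# Constructed sample mirror (not real site content): one page whose links
# were converted to relative paths, one whose links were left absolute.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/$MIRROR_HOST/errata"
cat > "$SAMPLE_DIR/$MIRROR_HOST/index.html" <<'EOF'
<html><body><a href="errata/index.html">Errata</a></body></html>
EOF
cat > "$SAMPLE_DIR/$MIRROR_HOST/errata/index.html" <<'EOF'
<html><body><a href="http://securityerrata.org/errata/charlatan/">Charlatans</a></body></html>
EOF

# Report the result for the sample mirror: one file still needs conversion.
n="$(count_unconverted "$SAMPLE_DIR")"
if [ "$n" -eq 0 ]; then
    echo "mirror OK: no absolute links to $MIRROR_HOST remain"
else
    echo "mirror incomplete: $n file(s) still link to http://$MIRROR_HOST/"
fi
```

Run it against the directory wget created (for example `count_unconverted ./securityerrata.org`); if the count is non-zero, re-run the same wget command and let it finish, since the -m timestamping will skip files that are already up to date and only the conversion pass needs to complete.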
That sucks, for both of us. Fortunately, there are mirrors set up so that you can browse more easily and quickly:
We have posted a detailed article that outlines our methodology.
As Chris Knight would say, "It's a moral imperative."
Absolutely. However, consider that the material we have posted is a sampling of what is out there. This project has very limited resources (specifically, time), and we have not published everything we have discovered or been told. Largely, the security industry is full of good people trying to do the right thing. There are, of course, a significant number of people operating in the industry who have a lower moral standard and do not hold integrity as a principle.
Nothing really. securityerrata.org is a more official-looking web site and acts as a mirror of the content located on attrition.org. While there are some cosmetic differences, the actual content is replicated 100%.