Since July 5 2005, Attrition.org has tracked events involving large-scale thefts and loss of personally identifying information (PII). In the months and years since then, we, as well as dozens of volunteers, enthusiasts, and well-wishers have spent literally thousands of hours gathering data, discussing matters related to data breaches, creating web pages and databases, and promoting the idea of security and privacy for personal information. We feel that our combined efforts have been valuable to the security and privacy communities alike, and we hope that efforts like ours will continue to promote awareness, and maybe, some day in the future, actually make a difference.
With that said, we're done.
Much like Attrition.org's past defacement mirror, the time has come for us to say "no mas". In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you". We've mentioned it in the past, but we're not going to mention it in the future. This is the last mention.
Besides that, we also have had to consider the consequences from our own actions. What would happen if we make a typo and add an extra "0" to a total? 1,000,000 becomes 10,000,000 pretty quickly, propogates through the internet, and then we're in the wrong for making a simple mistake, not unlike someone who made a simple .htaccess mistake and left 1,000,000 Social Security numbers open to the world. Unlike companies with no policies or procedures in place to protect customer information, we take responsibilty for our actions, and all of the worthless identity theft protection services in the world wouldn't make our error right. It's a heavy burden to bear, and we would rather not be responsible for making any of these problems worse. We do not want to divide this cause, we only wanted to bring it together.
From this point forward, we will not be updating the Data Loss web page, DLDOS (Data Loss Database - Open Source), or the Data Loss RSS feed unless we find an event worthy of our time and effort. For the commercial entities and journalists who have conveniently ignored and/or bypassed giving us credit for our resources, we thank you. You're giving us the reason we need to simply STOP spending our time and energy on this.
Do it yourselves.
Spend a few hours a day searching news feeds, receiving and sending emails regarding requests for information, and trying to keep good natured about it. Do that for almost the next three years. Make your own web page. Make your own database. Make your own mail list. You'll get thanked privately, but don't expect any public credit unless you ask for it or demand it.
Best wishes to those who still want to stay in the game.
FIN