[2014-05-11 Update: Nicholas Lemonias has filed an invalid DMCA takedown notice regarding these pages. His mail and our reply are available for your reading pleasure.]
Yesterday I posted a blog to the OSVDB site with more information on the recent shutdown of the Full Disclosure mail list, as well as news about the new list that will take its place. In that blog I also included the most recent threat Full Disclosure archive sites had received from a person (or persons, see below) who goes by "Nicholas Lemonias", over a thread he started and participated heavily in. The blog is simple and factual and speculates (strongly) that this was likely the proverbial "straw that broke the camel's back", as John Cartwright had received a wide variety of abuse and threats over the years.
According to a Softpedia Interview with Lemonias, he attends the University of Derby which maintains a student code of conduct that says "do not bring Student Living or the University into disrepute." Based on his emails to me, it sure seems like he is pushing the boundary of that. Given it is clear he is doing live testing of web sites, which is considered unethical unless they have an established bug bounty program, I am sure the University would not be happy to hear it. He is the founder and chief executive of "Advanced Information Security Corporation" which has no information available.
The bio he posted to Mendeley is amusing as the first line is now correct, after his Full Disclosure ordeal:
An internationally acknowledged information security expert, digital intelligence consultant, and professional ethical hacker looking for a permanent position within the field of information security. I am an experienced, visioning young professional with the ability to lead, manage and execute large security projects from inception to launch. My corporate principles are reliant on the concept of a structured framework towards analysing complex situations into simple strategic imperatives. Thus I received recognition by top blue-chip corporations, and international stock exchange actors including Microsoft Corporation, Nokia Corp., e-Bay Inc., Opera ASA Soft, Adobe Inc., and Cisco Inc. I am a M.Sc. degree holder in Information Security, and my academic thesis was concentrated on solving various vulnerabilities in satellite communications. During my academic studies I have discovered, and proven through my dissertation an incisive original technology which solves various vulnerabilities inherent to the design of satellite communications.
In September 2009, Nicholas Lemonias published a paper titled "Advanced Network Exploitation Research and Networking Concepts" that he copyrighted to his company Advanced Information Security Online. As a "senior lecturer" "at a London College" (really the University of Derby), he should be well aware of proper citation when writing papers. Unfortunately, it does not appear that is the case as the paper appears to contain a significant amount of plagiarism.
In addition to the blog, I also reached out to Lemonias to ask a few questions and get his side of the story:
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 00:53:59 -0500 (CDT)
Subject: care to comment?

http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/

Why did you mail legal threats to various parties trying to censor your own posts? You clearly had the discussion, you defended your research. Why would you turn around and try to get that pulled from public record?

Why does your company, AIS, not have any information or links from the main page?

http://www.advancedinfosecurity.com/

You call yourself a "security expert" but it is clear from the various replies on the old Full-Disclosure that the bug you found could not be used to cross privilege boundaries. You never demonstrated that it could be leveraged in such a way, yet aggressively defended your research. Will you admit now that you were wrong?

- jericho
I wasn't sure if I would receive a reply given that he doesn't seem to be fond of having more mails made public. Boy, was I wrong. I woke up to several emails containing threats and irrational demands. The following is the full thread, unedited with one exception (a small redaction), for the community to get another glimpse into what mail list moderators, and now bloggers, put up with from him. I can only imagine this will result in more threats and demands. As I told him though, this isn't my first trip to that rodeo.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: moderators osvdb org
Date: Wed, 26 Mar 2014 10:27:02 +0000
Subject: [OSVDB Mods] False Statements. Police matter

Dear Sirs,

Can you please detele the following false statements from the public domains

http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: jericho attrition org
Date: Wed, 26 Mar 2014 12:09:35 +0000
Subject: Brian Martin - Denver

Can you please stop posting false statements about us.

Best Regards,
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: jericho attrition org
Date: Wed, 26 Mar 2014 15:19:27 +0000
Subject: Mr Brian Martin

Brian Martin ,
[redacted address]
Denver, CO.

Dear Mr Brian Martin,

I am writing you to inform you that the false comments made from your part have been identified. Therefore I am writing to request that you stop posting and disseminating false comments and that you have been identified. I would like to raise that online harassment is a serious crime. I have already referred this to authorities in Denver, Colorado. Please delete your comments to avoid further action.

Best Regards,
Nicholas Lemonias.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: jericho attrition org
Date: Wed, 26 Mar 2014 15:28:12 +0000
Subject: Re: Mr Brian Martin

Brian Martin ,
[redacted address]
Denver, CO.

Dear Mr Brian Martin,

I am writing you to inform you that the false comments made from your part have been identified. Therefore I am writing to request that you stop posting and disseminating false comments and that you have been identified. I would like to raise that online harassment is a serious crime. I have already referred this to authorities in Denver, Colorado. Please delete your comments to avoid further action.

Best Regards,
Nicholas Lemonias.

https://www.soldierx.com/hdb/Jericho-Disorder-Cult-Hero-Security-Curmudgeon
Note that he has sent four mails, the last two basically duplicates except for the inclusion of the soldierx.com link, which he sent wrapped in a redirect URL via google.co.uk.
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias.
Cc: moderators osvdb org
Date: Wed, 26 Mar 2014 12:21:54 -0500 (CDT)
Subject: Re: [OSVDB Mods] False Statements. Police matter

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: Dear Sirs,
:
: Can you please detele the following false statements from the public
: domains
:
: http://blog.osvdb.org/2014/03/26/the-death-and-re-birth-of-the-full-disclosure-mail-list/

Based on this mail, no. What are you claiming is false?
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 12:26:03 -0500 (CDT)
Subject: Re: Brian Martin - Denver

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: Can you please stop posting false statements about us.

Who is "us"?

Why did you include where I live, which is very public information? In my experience, this is done by charlatans as an intended form of intimidation.

In case you didn't do your Google 101, this is not my first threat. Legal or otherwise. I won't simply fold because you want me to. I will update the blog based on *facts*, or at the very least, your statements if you wish to provide one to counter anything I publish.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: jericho attrition org
Date: Wed, 26 Mar 2014 17:40:39 +0000
Subject: Re: Mr Brian Martin

I am calling Denver Police Department and its not going to be a court order I am afraid.

Best Regards,
Nicholas Lemonias.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: jericho attrition org
Date: Wed, 26 Mar 2014 17:41:40 +0000
Subject: Re: Mr Brian Martin

I am calling Denver Police Department and its not going to be a court order I am afraid.

Best Regards,
Nicholas Lemonias.
Yep, the same mail sent twice again, each one replying to his own previous mails.
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 12:48:36 -0500 (CDT)
Subject: Re: Mr Brian Martin

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: I am calling Denver Police Department and its not going to be a court
: order I am afraid.

Make sure you call District 6, they are a few blocks away.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: security curmudgeon (jericho attrition org)
Date: Wed, 26 Mar 2014 17:50:01 +0000
Subject: Re: Mr Brian Martin

You better delete those false statements right away.
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 12:51:29 -0500 (CDT)
Subject: Re: Mr Brian Martin

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: You better delete those false statements right away.

Once again, tell me what you think is false.
From: Nicholas Lemonias. (lem.nikolas@googlemail.com)
To: security curmudgeon (jericho attrition org)
Date: Wed, 26 Mar 2014 17:53:51 +0000
Subject: Re: Mr Brian Martin

You have NO RIGHT to post that.
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 12:59:01 -0500 (CDT)
Subject: Re: Mr Brian Martin

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: You have NO RIGHT to post that.

I have every right to. Further, you still have not answered the question on which part is false. Are you complaining on the grounds that I posted it, and it is real, and you don't want it public? Or are you complaining on the grounds that it was not sent by you?

All of your mails to me, which I will be publishing, seem to establish a pattern. They make me think that the mail is authentic and you don't want it public knowledge.
From: security curmudgeon (jericho attrition org)
To: Nicholas Lemonias. (lem.nikolas@googlemail.com)
Date: Wed, 26 Mar 2014 18:10:39 -0500 (CDT)
Subject: Re: Mr Brian Martin

On Wed, 26 Mar 2014, Nicholas Lemonias. wrote:

: You have NO RIGHT to post that.

I also have a right to post this:

http://attrition.org/postal/asshats/nicholas_lemonias/
Based on Lemonias' behavior on Full Disclosure, his emailed threats to me, and his apparent plagiarism, I personally consider him to be a Grade A Asshat.