Date: Mon, 1 May 2000 23:33:24 -0500 (CDT)
From: rain forest puppy 
Subject: IIS Security Hole (CRN is unprofessional)

Oh boy, here we go.  For those of you joining the fray, the topic of
conversation is the professionalism of CRN, a CMP pub, and of John Yacono
(Director/CRN Test Center Labs) himself.  You're being CC'd in on this as
from my vantage point, you're important people in the CMP family of
publications.  I wanted to make available to you a demonstration of
ill-reporting on CRN's part, unprofessionalism exhibited by John
Yacono, and just general bullshit.

Quick background: I'm the founder and author of the IIS backdoor (you
know, the one last week that involved the phrase "Netscape engineers are
weenies!").  CRN decided to do an article on it, and clearly didn't
investigate the facts beyond reading the Wall Street Journal.  They
proceeded to publish 'test results' which didn't illustrate anything.
Further, when Carole Fennelly commented as to this, John Yacono took it
upon himself to belittle her.

So here's the story, start to finish.  The best stuff is at the end, so
bear with me....through a trip of dates, times, and slander...

It all started on one fateful morning of Friday, April 14th.  I released
an advisory detailing the "Netscape Engineers are weenies!" backdoor in
IIS.  Article is available at:

This article was published on Bugtraq on Fri Apr 14 2000 - 07:30:17.  A
copy was placed on my website on the same day, around 08:04:00.

Like many media outlets seeing it as the 'hot topic', CRN composed a

The piece was dated: 12:13 PM EST Tues., Apr. 18, 2000.

I've commented on this exact article in my addendum to my advisory, which
is available at:

John Yacono responded in length.  So, first let me address his concerns.

> First, CRN is not at all an OEM pub: the audience is comprised of
> solution providers, web integrators, VARs, etc. We're a channel pub,
> sure, but not really for the OEM audience; unless of course they just
> want to find out what's brewing in the channel from our perspective.

Ok, perhaps I should have used the word 'channel' rather than
'sales-related'.  The problem is that many people wouldn't have a flippant
of a clue as to what constituted 'channel'...after all, Microsoft is
pushing the term 'channel' as an active website subscription mechanism.

> Second, sales has NOTHING TO DO WITH OUR PUB'S CONTENT!!!!!!!!!!!!!!!
> Frankly, I don't care if you don't believe that, but it's the truth
> and I'm NOT gonna let that "sales" comment you made slide by. (If I
> knew you better, I'd probably have thrown in some expletives, too.)
> Think of it logically: If we printed biased stuff, VARs would start
> going somewhere else for their info, then we'd lose the advertisers,
> the mag and thus my job. Any pub that caters to their advertisers over
> their readership is run by fools. Nuf sed. (Sorry, bud, but you really
> went over the line there.)

You took the wrong context of 'sales'...I did not mean anything in regards
to advertising.  'sales', as in "offering of services in exchange for
money", those services being offered by the "solution providers, web
integrators, VARs, etc", as you put it. 

I've read your mag for 4 years while I was head tech for an OEM.  It's not
programming/development (Dr. Dobbs, C++ Users), it's not news (Information
Week, Internet Week), it's not electronics (Semiconductor Biz News), it's
not technical review/analysis (Network Computing).  It's channel, which I
think is the buzz word for 'sales', in this case 'sales of technological
equipment or services'.  Let's see what the CMP mother says..from

"[CRN] is the reseller's critical link to the product trends and industry
news needed to sell comprehensive solutions".

I don't see 'security research' anywhere in there.  But whatever, moving

> If you researched all our coverage of the bug, you'd know
> you've only commented on the early stages of our research and not its
> culmination,

Well, let's see.  My addendum came out on Wed, 19 Apr 2000.  I commented
on the article that's dated the 18th.  If you published additional
articles beyond my release (19th), how am I to comment?

> Sure we asked for help from our community, and we posted a flawed 
> script (just as you did I must add)

The flaw did not stop it from working, per se.  And it did definitely not
exhibit the flaws you reported, which was a script by someone else (who
gave my name a mention, none-the-less).

> but mainly because someone quoted you as not wanting to reveal any bug
> details.

Ok, plain and simple: where was this quoted.  I'm sure, as thorough
journalists you are, you will have a record.

Produce the quote.

> When Microsoft and a key source such as yourself clam up,

So I'm a key source?  This will then come back to haunt you...

> What's kinda whacked is you sort of hint at us being in bed with
> vendors,

This is only due to your misinterpretation of 'sales'....

> Simply put CRN's integrity is not up for sale

It's not a matter of being up for sale, it's a matter of a few journalists
exhibiting ill-received practices and lying.

> I invite (challenge?) you to get to know we Test Center gearheads 
> better, before commenting on us

And I invite (challenge?) you to get to know Carole Fennelly better before
you comment on her.  Oh wait, the others don't know about this (yet).

Carole Fennelly wrote Imran Amwar regarding the CRN article posted on
the 14th.  Her question was why 

John Yacono responded:

>> The main reason we did not visit his website for info was because he
>> told the media he would not provide more detail until a security
>> bulletin was issued by Microsoft. We just couldn't wait for that.

Hmmm...this in itself contains so many blunders.

1. Where did I tell the media?

2. "until a security bulletin was issued by Microsoft" the article it
	mentions "Microsoft recently released an advisory" even with
	your logic, you still failed to check.

3. You failed to check at all.  The article was posted on the 18th, and I
	posted the advisory on my site, as well as released it to Bugtraq
	on the 14th.  The vulnerability was publicly disclosed, in full, 
	on the 14th.

So in your four days of fully researching the problem, your in-depth
investigative skills forgot to consult the #1 source of security
vulnerability disclosure, and the prime source of the advisory/problem
itself. You even mentioned above that I was a 'key source'.  So
you obviously understood my involvement.  And yet, you failed to check my
website, Bugtraq, and basically the other dozen security full-disclosure
outlets, who all had the information by the 18th (the date your article
came out).  Funny that about 4 dozen other media outlets understood my
involvement and contacted me for information/verification.

And I love how a related article (which is dated on the 17th, but seems to
be after the one on the 18th...I don't know how that works) states:

> As of yet, little is known about the bug except that Microsoft and
> certain "security consultants" were able to exploit it. 

Perhaps if the "journalists" would have checked their primary and
secondary sources, they would have found more information.

In any event, let's look at Carole's response to John:

> on 05/01/2000 09:24:43 PM
>Please respond to
>To:   John Yacono/JER/CMPNotes@CMPNotes
>Subject:  Re: IIS Security Hole (from CRN)

>>The main reason we did not visit his website for info was because he
told the >>media he would not provide more detail until a security
bulletin was issued by >>Microsoft. We just couldn't wait for that.

>Uh, what? RFP had an update on his site the day the media story broke.
And the >idea that he would wait for Microsoft to release a BULLetin is
just too >hysterical for words. I am a writer myself (
and believe me, I >would *not* write an article without at least checking
out the facts. I am also >under deadlines, but that story broke on a
Friday morning. By that afternoon, >RFP released an advisory on his site.
It wasn't worth at least looking at his >site?! Please.
>_carole fennelly

(forgive my quote mangling)

So Carole states what I have just said...the excuse "RFP was with-holding
information" was unfounded.  Now, John's reply to Carole:

X-Lotus-FromDomain: CMPNOTES
Date: Mon, 1 May 2000 21:53:22 -0400
Subject: Re: IIS Security Hole (from CRN)
Mime-Version: 1.0
Content-Disposition: inline

>Having a column in a small pub might qualify one as a writer, but only a
sense >of professional decorum (which your e-mail obviously lacks) will
make you a >journalist. As far as research goes, your two e-mails are full
of factual errors >so taking your own advice would be prudent. Making
errors while judging others >makes your communications seem comical at

>Perhaps when you appreciate the values of a journalist, you'll work for a
pub >that spans 23 countries, as I am humbly fortunate enough to do. Until
then, I >wish you well.

(again, apologies for the quote mangling)

Whoa, ok, let's see what we have here.

- "a sense of professional decorum (which your e-mail obviously lacks)"

And this has what to do with anything?  John, will an email
address make you feel more warm and fuzzy?  Grow up, it's a friggin email.
And that has no bearing on anything...she's writing from a personal
account.  Which is smart, considering you just dragged CMP's name into

- "As far as research goes, your two e-mails are full of factual errors"

Way to go on those supporting facts there, bud.  You failed to
consult my website, the information was publicly disseminated on the 14th
to many primary security disclosure outlets, and your article bears a
timestamp of the 18th.  Where's the factual error?

- "Perhaps when you appreciate the values of a journalist, you'll work for
	a pub that spans 23 countries, as I am humbly fortunate enough to

First off, John: no competition, your dick is already bigger, as Carole
doesn't have one.  And now you're ranking her journalistic skills based on
the size of distribution of the magazine she writes for?  That's asinine.

McDonald's sells the most hamburgers in the world, but that doesn't make
them the best hamburgers....

And according to CMP, the coverage of CRN is 9 countries, not 23.

Then John's response to both me and Carole, a little later:

> RFP: I sincerely wish I could apologize for that writer's behavior (which
> is the only reason I'm bothering you with this e-mail). I sincerely hope
> you know that not all writers are like this.
> CF: You consider bothering your sources with matters like this a sign of
> journalistic integrity and professionalism? You really just don't get
> it. You're your own worst enemy. Please don't bother me with another
> e-mail. This is way too childish and incredibly unprofessional.

Of interesting note is the different respect he gives each of us.  Also
the way he continues to berate Carole.

So let's recap, shall we?

CRN published an article on the 18th stating they can't find primary
information on a vulnerability, when it was all published on the 14th
in the "usual places".

Carole Fennelly emails John on the subject, John responds with an opinion
on Carole's journalistic skills, using the size of his
distribution to back his opinions.

Everything I've seen coming from CRN, and especially John, has either been
borderline or way beyond professional.  Too bad.

Luckily for CMP, John is kept locked away in a Test Lab that has nothing
to do with the real world.  Take away his email access, and you don't have
to worry about him 'interfacing' with anyone again.

And I shall be publicly disclosing this entire email thread, including
the letter (which CMP headers/email addresses) of John belittling

So seriously.  John, you're way out of line, and it's dumb that a magazine
so widely important as John seems to think makes stupid mistakes by not
even checking a primary source for a story.  It's obvious that CRN, more
than anyone else I saw, just wanted to hop on the bandwagon for this

And John criticizes Carole's journalistic skills.  Funny how reality is so
much different.

- rain forest puppy