Errata: Fred Cohen and Chet Uber spam


From: Richard Forno (rforno[at]infowarrior.org)
To: Infowarrior List (infowarrior[at]attrition.org)
Date: Wed, 29 Mar 2006 10:30:47 -0500
Subject: [Infowarrior] - Fred Cohen's New Philosophy:
    "Let's Spam our Colleagues"


This is a rant about some sleazy security marketeering.

Noted security expert Fred Cohen's got a book coming out, and that's
certainly good news for him and his readers -- as a fellow author, I wish
him well.  However, what is NOT good news is that Chet Uber of
SecurityPosture.Com has taken it upon himself to spam the Internet 
community repeatedly about the book in recent weeks.  Further and more 
disturbingly, in personal e-mail, Fred has confirmed his endorsement of 
Chet's spamming activities, despite his (Fred's) own lengthy anti-spam 
philosophy found on his personal website (http://www.all.net/spam.html). 
Hypocrisy, no?

So why is this spam "annoying than usual?"  Let me count the ways --

1. Repeated reporting of this item to his ISP (Cox.Net) reporting previous
instances of this note have gone unanswered.

2. It starts off with the famously-spammy catchphrase "You have got to
read..."  (No, I really don't....)

3. Chet includes the ENTIRE table of contents in the body of the spam.  
I'm surprised he didn't include a listing of charts or photos as well. (It
probably prints out to 2 pages on paper.)

4. Chet includes a VERY lengthy book review in the body of the spam. Given
the size of his spam note already, one wonders why he only included a 
single review.

5. Chet's e-mail header/footer implies that he is responsible and against
unsolicited e-mail, yet he chooses an "opt-out" format to manage his 
spammer list. "Opt-out" by default is a very impolite way of 
building/managing e-mail lists and akin to "asking permission later."  
(The fact they're harvesting e-mails in the first place is another story, 
however.)

6. Various security folks report that it seems Chet/Fred are harvesting
e-mail addresses from various sources -- including, according to one 
person, e-mail addresses found in conference attendee rosters, and another 
whose "receive-only" account received these spam notes.  (And folks wonder 
why I don't give ALL contact information to event organizers...)

On a related note,  as I made final edits to this note today, I received 
two different copies of another Chet Uber Spam (CUS) - that appears to be 
his own personal security newsletter. I've never spoke with Chet, and to 
my knowledge, never opted-into anything he produces.... so again, here's a 
case of a security firm apparently harvesting email addresses and spamming 
their colleagues. How disgusting.

Fred and Chet, welcome to my spam blacklist,  and congratulations on 
joining the roster of those security organizations whom I hold in 
professional contempt.

Rick
-infowarrior.org