From james@globalnss.com  Mon Dec 31 04:18:43 2001
From: "James Sinclair" (james@globalnss.com)
To: (jericho@attrition.org)
Subject: GNSS > ATTRITION > LINK
Date: Mon, 31 Dec 2001 00:40:56 -0800

Jericho,

I was sent this by one of my colleagues - we never sent out the advisory
you paste here.

We sent out a bulletin offering free services and advice and it was
actually off the alldas mirror, I would be more than happy to provide
you with a copy of it. I would also happily point you in the direction
of at least 10 companies that phoned us and we helped through the
situation without requesting a dime.

It was started by me as a good method for new employees out of college
with high technical expertise but low customer interaction skills to
learn how to treat customers after they have had some sort of intrusion
whilst at the same time conducting a blind recovery or support.

As you well know, trying to obtain information from a guy that hardly
understands how his machine works and then trying to recover that
machine can provide a fantastic learning experience for both parties.

We still continue to send out these bulletins and of the 000's of
phonecalls received have never charged a dollar.

http://www.attrition.org/errata/sec-co/gnss01.html

If there is anything I can do, please do not hesitate to contact me.

Regards

-james

_________________________________________

James Sinclair
Chief Technology Officer
Global Network Security Services
T: 323 660 1767
F: 323 667 3132
C: 323 251 2667
E: james@globalnss.com
W: www.globalnss.com

GNSS|secure is changing the way we communicate~
www.gnss-secure.com
_________________________________________



Date: Mon, 31 Dec 2001 04:21:02 -0500 (EST)
From: security curmudgeon (jericho@attrition.org)
To: James Sinclair (james@globalnss.com)
Subject: Re: GNSS > ATTRITION > LINK

Let me review what you sent, the errata page, and discuss with staff.



From james@globalnss.com  Mon Dec 31 04:22:31 2001
From: "James Sinclair" (james@globalnss.com)
To: "'security curmudgeon'" (jericho@attrition.org)
Subject: RE: GNSS > ATTRITION > LINK
Date: Mon, 31 Dec 2001 00:44:51 -0800

Thanks.

Sorry for the annoyance.

Have  a Happy New Year (glad to see I am not the only one working!)

Regards

-james




Date: Mon, 31 Dec 2001 11:19:33 -0500 (EST)
From: Sioda an Cailleach (sioda@attrition.org)
To: security curmudgeon (jericho@attrition.org)
cc: Heathens (staff@attrition.org)
Subject: Re: GNSS > ATTRITION > LINK (fwd)

Where did you get the solicitation that is posted on Attrition? It doesn't
specifically mention that they charge for their services, though neither
does it specify that they are offering a free service. I tend to think
that the solicitation posted on Attrition was genuine and that they are
now trying to clarify that they are offering a free service. However, if
this is just a training excercise for their people, I don't see the
benefit to the defaced site. Also, I would want to dig further into how
this benefits them (do they sell training to people and use the defaced
sites as a lab classroom activity?). I worked at a site once that had a
big Andersen presense. Andersen "generously" provided many
"free" consultants to the project. The hidden cost was that these people
really contributed nothing of value and took time away from those who did
just to get "real" experience on their resume (so Andersen could bill for
them). I was given one of these consultants to "help" me with uucp
support. When I asked how much she knew about uucp, I was told "nothing,
but she's a quick learner". I declined the "help". In reality, I would
have been providing free training to this person at the client's expense.
Sounds like this is a similar deal.

.sioda.



Date: Mon, 31 Dec 2001 15:54:12 -0500 (EST)
From: Cancer Omega (comega@attrition.org)
To: security curmudgeon (jericho@attrition.org)
cc: Heathens (staff@attrition.org)
Subject: Re: GNSS > ATTRITION > LINK (fwd)

On Mon, 31 Dec 2001, security curmudgeon wrote:

> thoughts?

I think it's horseshit for several reasons.  Among them:

1.      Their original notice claims they were notified by a branch of
        the FBI.  That's a lie.  Why would the FBI run around notifying
        any businesses?  Also, why do they say 'Cybercrime Dept' when
        the "cybercrime" section of the FBI is NIPC?

2.      They make another reference to the National Security Advisor.
        The National Security Advisor's recommendations to the Senate
        have next to NOTHING to do with net.security.  Indeed, the
        blanket stance of the NSC is that anything that has any vital
        data on it at all should *NOT* be on the 'net!

3.      They never state outright that their services are free.  They
        just go on and on about what they can do for the recipient.
        That doesn't sound like a free offer of help; that sounds like
        a fucking sales pitch.

In short, I don't buy this guy's "clarification."  If anything, I'd sooner
throw his latest bullshit into the Going Postal section than I would
remove the errata piece.

.c



Date: Wed, 2 Jan 2002 15:39:58 -0500 (EST)
From: security curmudgeon (jericho@attrition.org)
To: James Sinclair (james@globalnss.com)
cc: Heathens (staff@attrition.org)
Subject: Re: GNSS > ATTRITION > LINK

> Jericho,
>
> I was sent this by one of my colleagues - we never sent out the advisory
> you paste here.

After reading this again.. if you didn't send it out, who did? Bears a
striking resemblance to your style of writing, your signature, etc. I
realize they can be forged, but I'm wondering why someone would go through
such efforts.

> We sent out a bulletin offering free services and advice and it was
> actually off the alldas mirror, I would be more than happy to provide
> you with a copy of it. I would also happily point you in the direction
> of at least 10 companies that phoned us and we helped through the
> situation without requesting a dime.

Please do. I can't guarantee I will be able to follow up on then but I may
try.

> We still continue to send out these bulletins and of the 000's of
> phonecalls received have never charged a dollar.

Perhaps so, but there are a few points that don't sit well with us
regarding all of this.

1.      Your original notice claims you were notified by a branch of
        the FBI.  That's a lie.  Why would the FBI run around notifying
        any businesses, especially unrelated to the victim company?  Also,
        why do you say 'Cybercrime Dept' when the "cybercrime" section of
        the FBI is NIPC? Why not specifically name the NIPC and provide
        a contact there or their website at least?

2.      You make another reference to the National Security Advisor.
        The National Security Advisor's recommendations to the Senate
        have next to NOTHING to do with net.security.  Indeed, the
        blanket stance of the NSC is that anything that has any vital
        data on it at all should *NOT* be on the 'net.

3.      You never state outright that your services are free.  You
        just go on and on about what you can do for the recipient.
        That doesn't sound like a free offer of help; that sounds like
        a fucking sales pitch.

4.      The URL you provide twice 404's, but offers to redirect them
        to alternate pages. Those pages go on about the security
        services you offer, speak of the business and do not hint
        or suggest they can receive free help.

Rereading the mail sent out with your companies name, i'm afraid I can't
agree with you at all. This seems like ambulence chasing at best.



From: James Sinclair (james@globalnss.com)
To: jericho@attrition.org
Subject: ATTRITION
Date: Mon, 28 Jan 2002 16:45:11 -0800

Jericho,

As per my previous e-mail, I have sent mails out to all involved with
our company in an attempt to verify if indeed the e-mail was sent in its
current form.
http://63.105.33.158/errata/sec-co/gnss01.html

The same as my first contact with you, no such e-mail was sent from GNSS
and especially not from myself. As we explained, many times our sales
force sent an e-mail out with some basic tips as to how to restore
services quickly and efficiently, at no time was any company or person
who contacted us for help with these issues charged or billed. Aside
from the fact that we are a CA based organization and do not have the
resources or desire to travel across the US helping these companies, we
also as mentioned in the previous e-mail utilized this services to
practice our blind support and start a process sheet to help us with our
current clients.

Of course there is little to prove that the e-mail was tampered, however
please recommend your desired course of action to have the page removed
or appended. It is your right to feel that our actions were not
ethically correct, however from the response from those we have aided
that does not seem to be the case.

Many people who receive some sort of intrusion are not aware of who to
call for help.

Regards

-james



From: security curmudgeon (jericho@attrition.org)
To: James Sinclair (james@globalnss.com)
Date: Fri, 1 Feb 2002 01:58:26 -0500 (EST)
Subject: Re: ATTRITION


> Jericho,
>
> As per my previous e-mail, I have sent mails out to all involved with
> our company in an attempt to verify if indeed the e-mail was sent in its
> current form.  http://63.105.33.158/errata/sec-co/gnss01.html
>
> The same as my first contact with you, no such e-mail was sent from GNSS
> and especially not from myself. As we explained, many times our sales
> force sent an e-mail out with some basic tips as to how to restore

So let me see if I have this straight.

You are saying that NO ONE at GNSS sent the mail quoted on the above URL..
yet you do send out mail sometimes to admins of defaced sites?

Are you saying that the mail we were sent is forged in some way.. either
forged and sent to the admin, or the admin changed the mail before sending
to us?

> Of course there is little to prove that the e-mail was tampered, however
> please recommend your desired course of action to have the page removed
> or appended. It is your right to feel that our actions were not
> ethically correct, however from the response from those we have aided
> that does not seem to be the case.

Let's answer the above questions before addressing this.



From: James Sinclair (james@globalnss.com)
To: "'security curmudgeon'" (jericho@attrition.org)
Subject: RE: ATTRITION
Date: Fri, 1 Feb 2002 00:17:37 -0800

Jericho,

Thank you for your response.

Yes, we used to send out mail to those who had sites defaced and felt
would need some aid in returning the site to its original form whilst
setting up necessary preventative measures to ensure the occurrence did
not happen again.

However, the actual e-mail printed on your errata section was not sent,
it is not the placing of the e-mail on your errata section that I am
arguing, it's the content.

Please advise.

Regards

-james



From: security curmudgeon (jericho@attrition.org)
To: James Sinclair (james@globalnss.com)
Date: Fri, 1 Feb 2002 04:06:12 -0500 (EST)
Subject: RE: ATTRITION


> Thank you for your response.
>
> Yes, we used to send out mail to those who had sites defaced and felt
> would need some aid in returning the site to its original form whilst
> setting up necessary preventative measures to ensure the occurrence did
> not happen again.
>
> However, the actual e-mail printed on your errata section was not sent,
> it is not the placing of the e-mail on your errata section that I am
> arguing, it's the content.

So.. how did we get it?

When we mirrored a site, we would mail out to the admin and offer them
some basic advice and explain who we were and what we did. I have included
that mail below so you can see how we approached it. Specifically:

  If you receive any additional mail from a security company or
  vendor, we'd like to state up front that we are in no way
  affiliated with them. We have found out that some security
  companies prey on victims of web defacement to solicit their
  products or services. If you receive such mail, please forward
  the full text with headers to us so that we can confront them.

Shortly after taking a mirror, an admin of a defaced site sent us the mail
in question along with one other (that is also up on errata).

So all that said.. if you didn't send it to them.. how did we get it?

Brian



From: James Sinclair (james@globalnss.com)
To: "'security curmudgeon'" (jericho@attrition.org)
Subject: RE: ATTRITION
Date: Fri, 1 Feb 2002 00:36:49 -0800

Brian, Jericho,

I cannot answer yor question of how you got it, if an admin sent a copy
of the actual mail we sent, then we would have no problem with it being
posted on errata. However as stated:

> Of course there is little to prove that the e-mail was tampered,
> however please recommend your desired course of action to have the
> page removed or appended. It is your right to feel that our actions
> were not ethically correct, however from the response from those we
> have aided that does not seem to be the case.

I do apologize for this hassle, but I am sure you can understand my
complaint. How would you like to progress...

-james



Date: Sun, 17 Feb 2002 17:39:20 -0500 (EST)
To: James Sinclair (james@globalnss.com)
cc: Heathens (staff@attrition.org)
Subject: RE: ATTRITION

> Brian, Jericho,
>
> I cannot answer yor question of how you got it, if an admin sent a copy
> of the actual mail we sent, then we would have no problem with it being
> posted on errata. However as stated:

Well. This is pretty simple and it appears the only explanation is not one
you want to admit to.

http://www.attrition.org/errata/sec-co/gnss01.html

Fact: an admin forwarded the mail in question to us

Fact: it is the same format and style you use

Fact: you admitted to sending some sites mail similar to this one

Discrepancy: you say you did not send this particular mail

> > Yes, we used to send out mail to those who had sites defaced and felt
> > would need some aid in returning the site to its original form whilst
> > setting up necessary preventative measures to ensure the occurrence
> > did not happen again.


So I guess my questions still stand and are still not really answered.
None of the staff here can figure this out based on your mail and the fact
we have a copy of the mail.

> > However, the actual e-mail printed on your errata section was not
> > sent, it is not the placing of the e-mail on your errata section that
> > I am arguing, it's the content.
>
> So.. how did we get it?
>
> When we mirrored a site, we would mail out to the admin and offer them
> some basic advice and explain who we were and what we did. I have
> included that mail below so you can see how we approached it.
> Specifically:
>
>   If you receive any additional mail from a security company or
>   vendor, we'd like to state up front that we are in no way
>   affiliated with them. We have found out that some security
>   companies prey on victims of web defacement to solicit their
>   products or services. If you receive such mail, please forward
>   the full text with headers to us so that we can confront them.
>
> Shortly after taking a mirror, an admin of a defaced site sent us the
> mail in question along with one other (that is also up on errata).
>
> So all that said.. if you didn't send it to them.. how did we get it?

This is the question that still stands.



From: James Sinclair (james@globalnss.com)
To: "'security curmudgeon'" (jericho@attrition.org)
Subject: RE: ATTRITION
Date: Sun, 17 Feb 2002 14:45:12 -0800

Jericho,

We seem to be going around in circles. I have no trouble in explaining
what type of e-mails we send, however the one on display did not
originate from us.

Wherever, However or Whatever led to it arriving at you is not my
concern, mine is the display of an e-mail that supposedly came from me
but did not.

What actions would you like me to take to validate my claims.

james



From: security curmudgeon (jericho@attrition.org)
To: James Sinclair (james@globalnss.com)
Date: Sun, 17 Feb 2002 18:24:24 -0500 (EST)
Subject: RE: ATTRITION


> Jericho,
>
> We seem to be going around in circles. I have no trouble in explaining
> what type of e-mails we send, however the one on display did not
> originate from us.
>
> Wherever, However or Whatever led to it arriving at you is not my
> concern, mine is the display of an e-mail that supposedly came from me
> but did not.
>
> What actions would you like me to take to validate my claims.

For starters, can you send me an example of what you mail out? Preferably
dated around the same time as the mail we have up?



From: James Sinclair (james@globalnss.com)
To: "'security curmudgeon'" (jericho@attrition.org)
Subject: Round Up.
Date: Sun, 24 Feb 2002 00:35:32 -0800

Jericho,

Just to confirm in writing, that I have made several attempts to discuss
the situation regarding the GNSS errata and my dispute as to the
validity of the contents to which your reply multiple times has been
"Then how did we get it".

I have been very open regarding the fact that we did send out mailers,
including sending you a copy of what we did send, I have offered
references of those sites we helped for no charge recover from
defacement and protect themselves in the future. I have asked you what I
could do to rectify the situation, have the errata amended to be our
actual mailing or remove the page.

Neither of us wish to repeat our comments which have gone back and forth
to the point that it is probably annoying us both! Perhaps this dispute
is highly ironic considering that your site aims to shame and provide
rebuttal on those that dispute those claims, however I really feel that
I have offered and attempted every avenue of rectification possible.

Your view that mailings should not be sent out is not the issue here,
what is the issue is the modified contents of our mailing.

Please could you make the appropriate changes so that we can put this
issue to rest once and for all.

Many Thanks

-james



main pageATTRITIONfeedback