From jericho at attrition.org Tue Jul 5 07:54:05 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Jul 5 07:54:06 2005
Subject: [attrition] Errata: Data Loss
Message-ID:

with the new wave of volunteers, Errata has a fresh infusion of blood, will and insanity! The first of many new pages:

http://attrition.org/errata/dataloss.html

Your secret is safe with us.. promise!

If you get a phone call from your credit card company, do you give them your social security number? Your mother's maiden name? The soul of your first-born child? Do you think that the company that holds your personal information cares more about you than their own bottom line? Of course you don't. And of course they don't.

In a one month period, an estimated 40 million credit card numbers could have possibly been compromised. What do the companies in charge of your personal information have to say about it? Better yet... what is the media reporting? You won't get the same story on both sides, will you?

What is becoming a near weekly occurrence, large companies are collecting your personal information (sometimes without your knowledge or consent), and subsequently letting it fall into the hands of the bad guys. This is your personal information; name, address, social security number, credit card number, and more sometimes. All of this information is invaluable to criminals who carry out identity theft crime every day.

[..]

From jericho at attrition.org Fri Jul 29 20:44:34 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Jul 29 20:44:37 2005
Subject: [attrition] Cisco/Blackhat Update
Message-ID:

http://www.infowarrior.org/users/rforno/lynn-cisco.pdf

1920 29 July 2005

I am awaiting a copy of what I understand was a cease-and-desist (or takedown) notice that was sent to my web host earlier this evening by folks representing either Cisco or ISS. (I suspect it's from Cisco, but I could be wrong.)
The note was related to the file entitled "lynn-cisco.pdf" that contained Lynn's remarks from Black Hat '05 this week. Upon review of the C&D notice, I will respond accordingly and immediately, but have no intention of rolling over simply because a corporation is trying to rebuild its tarnished image in the public eye following its questionable and unethical handling of both a critical internet security vulnerability and a self-inflicted public embarrassment.

For now, until I have received and reviewed the reported C&D (or takedown) notice, the original file containing the BH presentation has been replaced by this update file. In the interim, if you were looking to download the lynn-cisco file, please obtain it from http://www.infowarrior.org/users/rforno/lynn-cisco1.pdf instead.

My sense is that had Cisco said nothing about this briefing, it's quite likely few if any people or news outlets would've given it more than a passing thought like so many other vulnerabilities being reported these days in Vegas. Beyond that, it likely would have gotten caught up in the background "noise" of regular security community chatter. But through its heavy-handed tactics this week, Cisco ended up publicizing the problem significantly and also raised new questions about its handling of vulnerability reports and critical product updates. The company has nobody to blame but itself for its publicity woes this week.

In closing, I appreciate the assistance and understanding of the Nidhog staff in this matter, and have assured them this issue will be resolved satisfactorily tonight.

- Rick
rforno@infowarrior.org

From jericho at attrition.org Sat Jul 30 04:01:54 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Jul 30 04:01:57 2005
Subject: [attrition] ISS serves takedown notice for Cisco briefing (fwd)
Message-ID:

Get a copy while you still can!
=)

http://cryptome.org/lynn-cisco.zip

---------- Forwarded message ----------
From: Richard Forno
To: Infowarrior List
Cc: Dave Farber, Bruce Schneier, Declan McCullagh
Date: Fri, 29 Jul 2005 22:59:45 -0400
Subject: [infowarrior] - ISS serves takedown notice for Cisco briefing

This evening, I received a cease-and-desist (e.g., takedown) notice from attorneys representing Internet Security Systems (ISS). Having received and reviewed their letter, I have removed the file containing Michael Lynn's controversial Blackhat presentation. A copy of the notice can be found at:

http://www.infowarrior.org/users/rforno/lynn-cisco.pdf

Looking back at this week's events, my sense is that had the two companies involved (Cisco and ISS) said nothing about this briefing, it's quite likely that few if any people or news outlets would've given it more than a passing thought like so many other vulnerabilities being reported this week in Vegas -- after which, it likely would have gotten caught up in the "noise" of regular security community chatter. But as a result of their heavy-handed tactics this week, both Cisco and ISS have ended up publicizing a serious vulnerability quite significantly and thusly re-ignited the discussion over how the Internet security community handles vulnerability disclosure and product updates.

By serving takedown notices in response to such situations, a company demonstrates clearly that it is more concerned with preserving its commercial interest in intellectual property than fostering community awareness and knowledge pertaining to critical internet security issues. Improvements to internet security will NOT become a reality as the result of questionable secrecy or from commercial lawsuits that serve to mask the more substantial and fundamental problems within the information security industry and Internet community at large. Security through obscurity doesn't work, and neither does security through lawyering.
These practices make the Internet more, not less, vulnerable.

I will close with a note of appreciation to my web hosting provider for their understanding and assistance in resolving this situation promptly and satisfactorily for all concerned tonight. As for me, it's now time to enjoy the weekend.

-Rick
Infowarrior.org

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.