From jericho at attrition.org Tue Aug 8 13:07:07 2006 From: jericho at attrition.org (security curmudgeon) Date: Tue, 8 Aug 2006 13:07:07 -0400 (EDT) Subject: [attrition] New Article: Why Internet Security Continues to Fail Message-ID: Why Internet Security Continues to Fail Richard Forno (c) 2006. (Original: 2006-08-07) http://www.infowarrior.org/articles/2006-01.html In his public farewell to the Internet security community three years ago this month, famed security researcher Rain Forest Puppy (RFP) opined that the Internet security community was allowing commercialism to trump common sense security thinking -- a situation that he believed led to the growing Internet insecurity problem. Indeed, free-market financial interests and an unhealthy complacency from vendors and customers alike continue to overpower sound security logic and practices to establish a technology landscape nearly impossible to protect. While perhaps the security situation is deemed acceptable or "good enough" given that endeavors to improve it remain an apparent exercise in futility, the argument can be made that its causes are cultural rather than technical in nature -- and subsequently marginalized or overlooked as a result. < - > These issues demonstrate briefly that the major obstacle to significant progress toward sound information security is not technical, but cultural. Assuming that the current state of insecurity is not acceptable and that serious improvements actually are demanded by customers, changes far beyond technology innovations must occur if any truly effective security benefits can be realized. 
However, technology is only part of the total security solution: if the self-serving business drivers of the information technology industry are not overcome and customer-side management cultures continue facilitating this ongoing exercise in security futility by rejecting a holistic commitment to real risk management, information protection products, policies, and practices that yield tangible benefits aligned toward these noble goals never can be achieved. http://www.infowarrior.org/articles/2006-01.html From lyger at attrition.org Sat Aug 12 22:30:30 2006 From: lyger at attrition.org (lyger) Date: Sat, 12 Aug 2006 22:30:30 -0400 (EDT) Subject: [attrition] news: Attrition is now recruiting.. AGAIN Message-ID: Sat Aug 12 05:09:12 EDT 2005 Lyger It's been over a year since the last call for volunteers. Don't be worried, attrition.org has been keeping up and going strong over the last twelve months, but we're now looking for a few "spechul" people for our projects. Compensation: None! Volunteers will not get paid. No hookers, no cocaine, no trips to the Caribbean. On a good day you will see ascii pornography when you type your favorite unix editor. On a great day, you get mocked and/or molested by other staff members. On the up side, you do get a shell account here for e-mail, irc and other such activity. With that will be some insulting email address aliases pointing to you to further burden you with spam. Interested? Read on! Hello! The hard one! The Errata section has been stagnant too long. This section of attrition needs work more than ever, with the security industry in such bad shape. Tasks will be updating the page with errata, charlatans and other news of interest. [...] From lyger at attrition.org Sat Aug 12 22:35:31 2006 From: lyger at attrition.org (lyger) Date: Sat, 12 Aug 2006 22:35:31 -0400 (EDT) Subject: [attrition] news: Attrition is now recruiting.. 
AGAIN In-Reply-To: References: Message-ID: oh yeah, about that missing link: http://attrition.org/news/content/06-08-12.001.html On Sat, 12 Aug 2006, lyger wrote: ": " Sat Aug 12 05:09:12 EDT 2005 ": " Lyger ": " ": " It's been over a year since the last call for volunteers. Don't be ": " worried, attrition.org has been keeping up and going strong over the last ": " twelve months, but we're now looking for a few "spechul" people for our ": " projects. ": " ": " Compensation: None! Volunteers will not get paid. No hookers, no cocaine, ": " no trips to the Caribbean. On a good day you will see ascii pornography ": " when you type your favorite unix editor. On a great day, you get mocked ": " and/or molested by other staff members. On the up side, you do get a shell ": " account here for e-mail, irc and other such activity. With that will be ": " some insulting email address aliases pointing to you to further burden you ": " with spam. ": " ": " Interested? Read on! ": " ": " Hello! The hard one! The Errata section has been stagnant too long. This ": " section of attrition needs work more than ever, with the security industry ": " in such bad shape. Tasks will be updating the page with errata, charlatans ": " and other news of interest. ": " ": " [...] From lyger at attrition.org Wed Aug 16 22:57:11 2006 From: lyger at attrition.org (lyger) Date: Wed, 16 Aug 2006 22:57:11 -0400 (EDT) Subject: [attrition] SCREWED! the AOL search history DB snafu Message-ID: http://attrition.org/news/content/06-08-16.001.html Wed Aug 16 19:15:24 EDT 2006 martums You kissed your privacy goodbye a long time ago, right? From Wikipedia: On August 4th, 2006, AOL released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period, intended for research purposes. AOL pulled the file from public access by the 7th, but not before it had been mirrored, P2P-shared and seeded via BitTorrent. 
News filtered down to the blogosphere and popular tech sites such as Digg and Wired News. Whilst none of the records on the file are personally identifiable per se, certain keywords contain personally identifiable information [1] by means of the user typing in their own name (ego-searching), as well as their address, social security number or by other means. Each user is identified on this list by a unique sequential key, which enables the compilation of a user's search history. AOL acknowledged it was a mistake and removed the data, although the files can still be downloaded from mirror sites. Additionally, several searchable databases of the report also exist on the internet. [2] Mistake? If betraying the trust of 2/3 of a million subscribers equals a mistake, how do they define catastrophe? Apart from the obvious PR quagmire that AOL now finds itself in, and the painful regret (or torn anus) that AOL users may be feeling (and should have been feeling since they signed up), the long-term impact is immeasurable. Their stock is falling [3]. They're giving away BYOA accounts, [4] (they'd have to at this point), a move which may cost Time Warner over a billion dollars by 2009. [5] They're facing penalties, fines, not to mention lawsuits. [6] If there's a bottom for any business to hit, they're very close. [7] They should take a cue from ValuJet and change their name (again). [8, 9] AOL states they keep 30 days of user-identifiable search history, and that a research division may keep three months or more of search history, but not associated to specific accounts, (the latter echoes of what was released on 4 August). Google has already stated they will continue to store search queries and related info, and that they won't make the same mistake AOL did. [10, 11] Predictably, Yahoo! Search! will! do! the! same! 
Considering the staggering amount of infrastructure Google possesses, (Great Caesar's Ghost--Google has an estimated four PB of RAM alone), their data retention capabilities far exceed the 90 days of history AOL retains for research purposes. [12, 13] That search you did recently for Paris' poodle porn may come back to haunt you. Even though you were just doing it for a friend. [...]

From lyger at attrition.org Mon Aug 21 01:16:39 2006 From: lyger at attrition.org (lyger) Date: Mon, 21 Aug 2006 01:16:39 -0400 (EDT) Subject: [attrition] postal: Attrition Web Logs: wtf?? Message-ID: http://attrition.org/postal/logs/logs.002.html Mon Aug 21 00:03:21 EDT 2006 nepen

I've chosen an apt query from the files to sum up this edition of the logs postal:

cache-ntc-ab03.proxy.aol.com - - [14/Jun/2006:15:12:27 -0400] "GET /pipermail/isn/2005-April/001411.html HTTP/1.1" 200 5001 "http://www.google.com/search?q=whos+watching+you+on+the+internet&hl=en&lr=&ie=UTF-8&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; AOL 9.0; Windows NT 5.1)"

In short, WE ARE, BITCH.

The Wonders of Technology: Ever wonder what that guy sitting next to you on the train is doing? You know, the one frantically pressing keys on his cellular phone? Well, we here at attrition are now able to provide you with a unique look into the mind of the WAP-enabled cell phone user.

p01-04.opera-mini.net - - [15/Aug/2006:05:13:36 -0400] "GET /postal/z/032/0815.html HTTP/1.1" 200 9728 "http://www.google.com/xhtml?client=ms-opera_mb_no&channel=bh&q=Find%20horny%20girls%20email%20addresses" "Opera/8.01 (J2ME/MIDP; Opera Mini/2.0.4509/1296; en; U; ssr)"

p01-04.opera-mini.net - - [16/Aug/2006:03:43:43 -0400] "GET /mirror/attrition/1999/09/10/www.1499.com/mirror.html HTTP/1.1" 200 1944 "http://www.altavista.com/image/results?q=fat+fuck&mik=photo&mik=graphic&mip=all&mis=all&miwxh=all" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060101 Firefox/1.0.8"

p04-07.opera-mini.net - - [15/Jun/2006:23:45:55 -0400] "GET /fuck/ HTTP/1.1" 200 688 "http://www.google.com/xhtml?client=ms-opera_mb_no&channel=bh&q=How%20to%20fuck%20" "Opera/8.01 (J2ME/MIDP; Opera Mini/1.2.2960; en; U; ssr)"

[...]

From lyger at attrition.org Tue Aug 22 22:57:55 2006 From: lyger at attrition.org (lyger) Date: Tue, 22 Aug 2006 22:57:55 -0400 (EDT) Subject: [attrition] review: Book: Way of the Peaceful Warrior Message-ID: http://attrition.org/~martums/works/reviews/warrior/ Dan Millman: Way of the Peaceful Warrior Someone did some bad acid during their college years Amazon - ISBN 1932073205 - 240 pages Tue Aug 22 17:27:51 EDT 2006 martums Crap or fertilizer? From Amazon: During his junior year at the University of California, Dan Millman first stumbled upon his mentor (nicknamed Socrates) at an all-night gas station. At the time, Millman hoped to become a world-champion gymnast. "To survive the lessons ahead, you're going to need far more energy than ever before," Socrates warned him that night. "You must cleanse your body of tension, free your mind of stagnant knowledge, and open your heart to the energy of true emotion." From there, the unpredictable Socrates proceeded to teach Millman the "way of the peaceful warrior." At first Socrates shattered every preconceived notion that Millman had about academics, athletics, and achievement. But eventually Millman stopped resisting the lessons, and began to try on a whole new ideology--one that valued being conscious over being smart, and strength in spirit over strength in body. Although the character of the cigarette-smoking Socrates seems like a fictional, modern-day Merlin, Millman asserts that he is based on an actual person. 
Certain male readers especially appreciate the coming-of-age theme, the haunting love story with the elusive woman Joy, and the challenging of Western beliefs about masculine power and success. --Gail Hudson Warrior is one of the few books that I deliberately read before seeing the film. With Nick Nolte and Amy Smart in the trailer, it looked great, a must-see. The reviews on the early pages boldly proclaim how the book can have a profound effect on one's life. I tore into it with high expectations. In retrospect, many of the reviews I've seen about this book are polar. Either it has a powerful impact on the reader, or it's just a waste of time. At the outset, I was expecting the former. Unfortunately, I walked away with the latter. [...] From lyger at attrition.org Wed Aug 30 18:37:58 2006 From: lyger at attrition.org (lyger) Date: Wed, 30 Aug 2006 18:37:58 -0400 (EDT) Subject: [attrition] Introducing the Data Loss Database - Open Source Message-ID: http://attrition.org/dataloss/dldos.html Wed Aug 30 18:27:24 EDT 2006 Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world. Our archives go back to the year 2000, and with over 142 MILLION records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents. DLDOS (Data Loss Database - Open Source) is a simple flat comma-separated value file that can be imported into your database of choice, whether it be MySQL, Microsoft Access, or Oracle (good luck). We provide the date, the company that reported the breach, the type of data impacted, the number of records impacted, third party companies involved, and a few other sortable items that may be of interest. 
At this point, attrition.org is not hosting an actual database itself, but the raw data is free and available for use as long as attrition.org is credited for the use of said data. Really, we're not trying to be jerks, but if you're going to use our data in your research, be it a web site or paper written for a commercial entity, just give us a shout out please. Attrition.org's main data loss page can be found here: http://attrition.org/dataloss/ Attrition.org's Data Loss Mail List information: http://attrition.org/security/dataloss.html Please feel free to use this information, build on it, grow on it, and share it. Updates to the raw data will be provided by attrition.org weekly, if not daily. Share and share alike; distribute and learn.
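As an added illustration of the kind of import the DLDOS announcement above describes (not attrition.org's code, and not the real file's layout): the column names, the data-type tokens and the three sample rows below are constructed for this example, so map them onto whatever header the actual CSV carries. The loader reads the flat file, tolerates an empty or non-numeric record count (the announcement itself counts incidents separately from records, and not every incident comes with a number), pushes the rows into an in-memory SQLite table, and runs the two aggregations a reader would want first: records compromised per year and how often each data type appears.

```python
"""Load a DLDOS-style flat CSV into SQLite and summarise it.

Added example, not attrition.org's own code. The column names and the
three sample rows are constructed for illustration; the real DLDOS
file defines its own header, so adjust the field names accordingly.
"""
import csv
import io
import sqlite3

# Constructed sample in the shape the announcement describes: date,
# reporting company, type of data, record count, third party involved,
# plus one extra sortable field. The third row has no known count.
SAMPLE_CSV = """\
Date,Company,DataType,Records,ThirdParty,Source
2005-02-15,ExampleData Inc,SSN,145000,,article
2006-05-22,Example Agency,SSN NAA,"26,500,000",Contractor Co,press
2006-06-01,Example University,CCN,,,article
"""


def parse_records(value):
    """Return the record count as an int, or None when the field is
    blank or not a number. Thousands separators are tolerated."""
    value = value.strip().replace(",", "")
    return int(value) if value.isdigit() else None


def load_dldos(csv_text):
    """Parse the CSV text into a fresh in-memory SQLite database and
    return the connection. Blank third-party fields become NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE breaches ("
        "date TEXT, company TEXT, data_type TEXT, records INTEGER, "
        "third_party TEXT, source TEXT)"
    )
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [
        (
            r["Date"], r["Company"], r["DataType"],
            parse_records(r["Records"]), r["ThirdParty"] or None, r["Source"],
        )
        for r in reader
    ]
    conn.executemany("INSERT INTO breaches VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def summarize(conn):
    """Incident and record totals, overall and per year. Incidents
    with no known count are reported separately, never as zero."""
    incidents, known = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(records), 0) FROM breaches"
    ).fetchone()
    unknown = conn.execute(
        "SELECT COUNT(*) FROM breaches WHERE records IS NULL"
    ).fetchone()[0]
    by_year = conn.execute(
        "SELECT substr(date, 1, 4) AS yr, COUNT(*), COALESCE(SUM(records), 0) "
        "FROM breaches GROUP BY yr ORDER BY yr"
    ).fetchall()
    return {
        "incidents": incidents,
        "records_known": known,
        "incidents_without_count": unknown,
        "by_year": [(yr, n, recs) for yr, n, recs in by_year],
    }


def data_type_counts(conn):
    """Count how many incidents involve each data-type token. The field
    is assumed to hold one or more space-separated tokens per incident."""
    counts = {}
    for (data_type,) in conn.execute("SELECT data_type FROM breaches"):
        for token in data_type.split():
            counts[token] = counts.get(token, 0) + 1
    return counts


if __name__ == "__main__":
    db = load_dldos(SAMPLE_CSV)
    print(summarize(db))
    print(data_type_counts(db))
```

Swap `sqlite3.connect(":memory:")` for a file path to keep the imported copy, and remember the announcement's one condition: credit attrition.org when you publish anything built on the real data.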