From lyger at attrition.org Sun Mar 5 05:29:20 2006
From: lyger at attrition.org (lyger)
Date: Sun, 5 Mar 2006 05:29:20 -0500 (EST)
Subject: [attrition] Attrition News - 03/05/2006

http://attrition.org/news/content/06-03-05.001.html

Attrition.org mentioned in fiction novel
Sun Mar 02:44:15 EST 2006
Jericho and Lyger

It was recently brought to our attention that attrition.org has been mentioned in a fictional novel. While original details were vague, we finally found out that an author by the name of Andy McNab (with the assistance of one Robert Rigby), penned a fictional book titled "Payback", copyrighted in 2005 and published in the United Kingdom. In fair use, the following is quoted:

Payback, Andy McNab and Robert Rigby, c. 2005, p. 180:

"She began hitting the websites she had used before to gain access to the Intelligence Service's internal computer system and George Fincham's personal e-mails. That time she had been helped by a hacker using the name Black Star, who was surfing the dark corners of the Deep Web.

[...]

From lyger at attrition.org Wed Mar 8 23:13:42 2006
From: lyger at attrition.org (lyger)
Date: Wed, 8 Mar 2006 23:13:42 -0500 (EST)
Subject: [attrition] new statistics updates

http://attrition.org/errata/stats.html

[03-08-06] - IT-Observer - Patching window is getting shorter
[03-08-06] - Staff Writers, CRN - Top 50 malicious code samples reveals secrets
[03-08-06] - Paul Meadocroft - Combating Identity Theft
[03-07-06] - Robert McMillan - After flap, Symantec adjusts browser bug count
[03-06-06] - Ryan Naraine - SiteAdvisor Finds Billions of Unsafe Web Visits

From jericho at attrition.org Fri Mar 10 07:40:50 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Mar 2006 07:40:50 -0500 (EST)
Subject: [attrition] CNN Breaking News

This is breaking? =)

---------- Forwarded message ----------
From: CNN Breaking News
Date: Wed, 8 Mar 2006 09:59:02 -0500

-- Roman Catholic archdiocese of Dublin report says 102 priests are suspected of sexually or physically abusing at least 350 children since 1940, The Associated Press reports.

From jericho at attrition.org Sat Mar 11 07:27:42 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 11 Mar 2006 07:27:42 -0500 (EST)
Subject: [attrition] jericho's guide to TV

Since I don't have a blog on attrition.org, and don't feel like this is a news update, i'll spam all on the list!

For years, I didn't watch TV at all really. I'd watch movies.. lots of them.. sometimes many times because they were that good or great background noise. The last couple of years, I have rediscovered TV after what I perceived to be a major slump in show content. For the last five years, I made a point to watch a couple of shows that I enjoyed for one reason or another. Once I discovered the ability to watch shows on my time tables (kind of like tivo), I could actually watch a lot more while I worked on other things. This has allowed me to actually watch more shows, find some great content, and eventually led to this mail.

The following are my opinions and comments on TV shows playing these days. Take them however you want, and remember that it all boils down to individual tastes and expectations. I may break the order and group up shows in some cases. Like movies, we often get two new TV shows that share a lot of attributes in common, always from different networks. So comparing them side by side seems right. If you want the cliff notes, search this mail for ** to see the good stuff. Skim, digest, ponder, ignore or reply as you please.

--

24 - I didn't watch this show past the first few episodes originally. In the last two weeks, I have watched all of season 1 and 2 in a matter of days. To enjoy this, you must suspend disbelief a lot more than you may expect.
Not only do you have contrived plot twists and teasers, you have someone that can take more abuse than an attrition volunteer. If you can get past the shitty technical lingo, past the body count, past the abuse of protocol or rules, and then you have to deal with a president that you could actually respect! Mildly entertaining, but you can watch the first and last two episodes of a season and get the satisfaction.

Alias - Check out the first and second season, good stuff. Suspend disbelief right away, as everything takes place one step out of our realm of thinking (which adds a lot of the interest). The double crosses and return of 'dead' people get old by the third or fourth season. The fifth (and reportedly last) season is limp.

BattleStar Galactica ** - Forget any negative thing you may have heard or whipped up in your own mind. This show *rocks* in so many ways it can't be stated enough. It is nothing like a star trek ripoff, nothing like any other sci-fi show you have seen, and a far cry from the original series. Superb casting, excellent direction, a great story line, deeply flawed characters and raw anger that you have to wait 7 days for the next episode. They actually tackle a lot of today's political issues in a fairly subtle but in your face kind of way (ie: they do it just right).

Blind Justice - Oh another cop drama, but with a gimmick. The cop is blind. If it makes it to a second season, it better evolve fast.

Bones - Entertaining. Think CSI with a little more focused scientific angle (forensic anthropology), a really lame law enforcement angle, and a style more suited for the mainstream who can't wrap their heads around CSI.

Boston Legal - The Practice spinoff, with Spader moving to a new form and working with Shatner. Overall, this show has some great humor and is always light and amusing. They tackle today's political issues in the court room between the humor, and hopefully make people consider the issues.
Commander In Chief - West Wing with a gimmick! The president is a femme, the show is more mainstream for those who can't wrap their heads around WW. We have to wonder, when is the episode where she has to make decisions while dealing with raging PMS? (Oh hush, it had to be asked!)

The Closer - I saw the previews for this and it promised to be different, showing the brutal side of criminal interrogations. The commercials had real life people that were on the wrong side of a table during such interrogations, telling about how intense and brutal it was, oh my! Then the show aired and I wondered what drugs they were passing around hollywood. L&O Criminal Intent has a LOT better 'closers', much more interesting interrogations, and a lot better feel. I watched all thirteen episodes like a bad car wreck, and saw a single interesting interrogation/closing.

Cold Case - It wins awards, gets high praise, and I can understand that. Hard to put my finger on why exactly.. the characters aren't developed very well, but the cases they solve are interesting. I have a feeling that the older you are, the more you will appreciate the show since the cases date back well into the past sometimes.

-

Criminal Minds - The FBI Behavioral Science Unit (BSU) flies around the country solving serial murder cases. Entertaining, and if the facts they rattle off about today's crime are real, good stuff.

Killer Instinct - Two cops in San Fran get to solve 'deviant' crimes! Oh let the stereotypes begin. Add in one male and one female cop partners for sexual tension, the stereotypical angry black man boss/lt, and you have a recipe for suck.

The Inside - Yes, another criminal behavior show! You haven't heard of this one (i'm guessing) because it plays off off-season. After the spring series are put to rest, this one comes on. Last year they aired seven episodes, and the eighth just popped up tonight.
The FBI again, but an oddball leading a group that investigates hand picked cases, this has a se7en type feel to it. Worth a look.

-

CSI ** - The original, that takes place in Las Vegas. This show rocks, and continues to set the precedent for shows like it. If you are going to watch any CSI franchise, this is the one to watch.

CSI Miami - David Caruso is a shallow gimp and should shoot himself to save us from the misery of this show. Right after that, the pop tart blonde needs to off herself since she is another shallow and boring character. After that, the guy who plays 'Ryan' needs to off himself because he got boring after the second episode he was in. That leaves 'Delco' which is one character with any interest. The fact that these losers only pull high profile cases, or flashy rich people crimes, or high dollar drug dealer crimes.. gets boring. But hey, it's Miami and they have to show how flashy and hip it is!@#$! Cancel this piece of crap.

CSI New York - Unlike Miami, they learn from their mistakes! Season one was 'too NY' .. too dirty, too gritty, too scummy. Season two got new wardrobe, new offices, and a little brighter outlook. To counter Miami's flashy crimes, this crew deals with the darker side of crime. Overall, decent show, more akin to the original, and a very promising cast.

-

Deadwood ** - HBO original, how the west really was! Well, that is what I assume and probably read somewhere. Incredible cast, great acting and directing, intense character development. This is well worth watching.

E-ring - Before any military action in the world can happen, it has to be planned and approved by the e-ring! And our entire military special forces consist of the same 2 or 3 people. The real show stealer for this (acting wise) is Aunjanue Ellis, not Dennis Hopper or Benjamin Bratt. Overall, entertaining, but good luck lasting another 10 episodes without leaning more heavily on the special ops, less on the pentagon politics.
My Name is Earl - Great new comedy, sick humor, all around good time. While Jason Lee plays his part well, Ethan Suplee (his brother in the show) and Eddie Steeples (hey Crab Man!) stand out and really help make the show. Well worth watching.

Eyes - An overly flashy and hip private eye company solve cases. Mildly entertaining is about the best I could muster for this show. Ranks up there with a car wreck, and I watch it since I do so while being productive on the other computer.

House - After enough friends harassed me about how good the show was, I finally broke down and watched it. Over thirty episodes in a couple of days, and i'm hooked. Yes, the show is overly formulaic and that may hurt it in the long run. In the short term, you have one character that steals the show (Dr House, duh!), a routine supporting cast, and millions of viewers who would feed me to a wood chipper to be as big a jerk as he gets to be. Since we're not all doctors, the medicine and terms used are typically irrelevant past "complications" (part of the formula), but Hugh Laurie's character steals the show.

Hustle ** - What, never heard of it? A shame. This is a quirky series from the UK and one that should be pumped into our country for sure. Each season is only six episodes (but a full hour of show w/o commercials), but they all shine through. A team of five long con operators and the scams they pull. The show is brilliant.

-

Invasion - New this season, what happens after a hurricane hits florida, when there are strange lights in the water and people start acting different? Until the last couple of episodes, they held back too much, dishing out nothing to satisfy our curiosity. It's the type of thing that can drive hundreds of thousands away from the show overnight. Good cast, interesting plot.. if they can just keep up the pace each episode, it has some potential.

Surface - New this season, what happens when we discover a new species of life that could threaten mankind?
Sounds odd, but it's a really well done show. They keep up the pace where Invasion fails to.

Threshold - new this season, and already canned, what happens when an alien 'presence' 'infects' some people so they become human-alien hybrids and begin to carry out 'their plan'. Sadly, this show had some real potential but apparently didn't appeal to the masses. Brent Spiner (yes, Data from ST:TNG) had a great role and continued to demonstrate his acting ability.

-

Law & Order - If you watch any of these, check out SVU. By far the best.

Las Vegas - Best viewed when under the influence, as background noise, or if your IQ is less than 80. Entertaining to a degree but one has to question if they have jumped the shark, or about to any episode now. Vanessa Marcil is certainly good eye candy.

Lost ** - I don't think I need to cover it. Eighty trillian jillian Americans watch this, why aren't you? (They are watching it for a reason! But you need to watch it from the first episode to really grok it)

NCIS - A mix of CSI and other law enforcement shows. Light on the CSI/tech side, more on characters. Fairly light and entertaining, quite a stretch on just how many terrorists the navy can stop (season 1)! They finally moved on to more classic crime like regular murder and such.

Numb3rs - FBI meets math geeks, crimes solved. Yeah, sounds cheezy and it is, but if the math *concept* and *theory* is real, seeing how it *could be* applied to crime is actually neat. Don't mind that this one math professor is able to wrangle extensive data sets and somehow manage impossible amounts of records in seemingly no time.

Penn and Teller's Bullshit ** - Showtime original series. Our favorite comedians Penn and Teller tackle various topics that range from urban legends to fundamental truths that we live by, and prove them to be .. drumroll please .. bullshit. This show should be mandatory viewing by society.

Prison Break ** - New series, and phenomenal! Breaking out of prison is one thing.. but what about getting sent to prison (on purpose), to then break out (with your wrongly convicted brother who resides in solitary)? Government coverup looms but doesn't overshadow, prison life is risky, and the breakout scheme would make the best of hackers proud. Watch this series, but make sure you watch from episode one.

Rescue Me - Great drama with the normal Dennis Leary influence. While I will no doubt be called an insensitive asshole, hopefully they can move on and lose the 9/11 crutch.

Rome - Another HBO original, centered around Julius Caesar (and friends) in Rome. Again, I think the gist of this show is that it aims to be a bit more real than other portrayals, and if so, the politics, drama and backstabbing shows great precedent for our own political system.

[Wow, this list is taking longer than I thought it would..]

The Shield ** - Forget everything you know about TV police drama. Go out and rent the first four seasons of this show.. watch and enjoy. Michael Chiklis won three (?) Emmys, CCH Pounder won two, the show won at least one for best television series drama .. and was nominated for a dozen others. FOR A REASON.

Spooks - aka MI5, another show from the UK that we don't get to see here. Are you tired of US shows about government agencies that are all flash, gunfire, body counts, impossible technology and everything else? Tune in to Spooks, a show about spy agencies done right. While the feel and style seems a lot closer to reality, the show also teaches us that the average life of a field agent is about 2.8 seasons. If they could improve on the turnover rate, it might help. On the other hand.. fresh blood may be why the show stays interesting.

Wanted - Another law enforcement show, with a gimmick! Enter 'Wanted', a show based on a special team of cops assigned to track down the top 100 most wanted in Los Angeles. Sounds interesting right? Yah, I should be working for these shows, I know.
Instead of keeping it simple and focused, the show went entirely overboard on the 'special team' part. You have an FBI agent, DEA agent, NCIS profiler and others on this UBER SPECIAL JOINT TASK FORCE. Excuse me, if you are going to highlight the different agency angle, make it relevant? Eight seconds every four episodes of "use your DEA contacts to see if Joe is a drug dealer" doesn't cut it. This show will be lucky to see a second season.

Weeds ** - A Showtime original. No review or summary will do this show justice, because the plot is no more important than the cast and writers for the show. Middle income widow finds herself in a hard time and has to make ends meet. To do so, she turns to selling weed so that she can pay for the house and take care of her kids. Sounds odd, but the show shines through in quality original humor. Mary-Louise Parker won a Golden Globe, beating out the highly overrated Desperate Housewives (never seen it, the media hype alone is a turn off), which speaks volumes. This show rocks.

The Wire - Another HBO original, about the Baltimore Police and crime. Before you dismiss it, the show has everything you want in a drama, mainly realism. The characters feel real, the crimes they work on, the hurdles they deal with, and the end result is serious. Great cast and character development, real crime, and likely the way it all works out in the end.

Without a Trace - The FBI missing persons squad in NY. Overall a good series.. some ups and downs, sometimes focus a bit too much on the agent's lives (or it just isn't that interesting). Some episodes shine through and really hit home.

From lyger at attrition.org Sun Mar 12 02:08:50 2006
From: lyger at attrition.org (lyger)
Date: Sun, 12 Mar 2006 02:08:50 -0500 (EST)
Subject: [attrition] postal: open up and say... HUHGLUGHULGHULGH

http://attrition.org/postal/p0011.html

Postal Installment #0011

ass like that
das boot
playing hard to get
kids today
behind the scenes
let's make a deal
it's so sweet ...
subversion is the oldest trick
she owes us another picture

From lyger at attrition.org Mon Mar 13 20:24:29 2006
From: lyger at attrition.org (lyger)
Date: Mon, 13 Mar 2006 20:24:29 -0500 (EST)
Subject: [attrition] Movie Reviews

http://attrition.org/movies/bits12.html

Running Scared
Cube 2 - Hypercube
Maria Full of Grace
Hotel Rwanda

From lyger at attrition.org Mon Mar 13 21:17:44 2006
From: lyger at attrition.org (lyger)
Date: Mon, 13 Mar 2006 21:17:44 -0500 (EST)
Subject: [attrition] Update: Security Companies

[06.03.13] - McAfee virus definition deletes or quarantines legitimate files
[06.03.05] - Brickwall Security spams
[06.02.25] - Personal information on stolen Ernst & Young laptop
[06.02.23] - Deloitte & Touche loses McAfee employee data
[06.02.17] - Iron Mountain dumped by client due to blackout

From jericho at attrition.org Mon Mar 13 21:24:58 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 13 Mar 2006 21:24:58 -0500 (EST)
Subject: [attrition] Update: Security Companies

In his hurry to polish off a TV dinner, Lyger forgot to mention this update comes from the Errata section, specifically the 'Irony' page.
http://attrition.org/errata/irony.html

: [06.03.13] - McAfee virus definition deletes or quarantines legitimate
: files
:
: [06.03.05] - Brickwall Security spams
:
: [06.02.25] - Personal information on stolen Ernst & Young laptop
:
: [06.02.23] - Deloitte & Touche loses McAfee employee data
:
: [06.02.17] - Iron Mountain dumped by client due to blackout

From jericho at attrition.org Tue Mar 14 09:53:44 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 14 Mar 2006 09:53:44 -0500 (EST)
Subject: [attrition] US Government Studies Open Source Quality

(I recommend you read the original, as many parts of the text are links to other resources)

http://www.osvdb.org/blog/?p=104

US Government Studies Open Source Quality

"US Government Studies Open Source Quality" reads the SlashDot thread, and it certainly sounds interesting. Reading deeper, it links to an article by the Reg titled "Homeland Security report tracks down rogue open source code". The author of the article, Gavin Clarke, doesn't link to the company who performed the study (Coverity) or the report itself. A quick Google search finds the Coverity home page. On the right hand side, under Library, there is a link titled "NEW >> Open Source Quality Report". Clicking that, you are faced with "request information", checking the Open Source Quality Report box (one of seven boxes including Request Sales Call as the first option, and Linux Security Report is the default checked box), and then filling out 14 fields of personal information, 10 of which are required.

So, let me get this straight. My tax dollars fund the Department of Homeland Security. The DHS opts to spend $1.24 million dollars on security research, by funding a university and two commercial companies. One of the commercial companies does research into open source software, and creates a report detailing their findings.
To get a copy of this report, you must give the private/commercial company your first name, last name, company name, city, state, telephone, how you heard about them, email address, and a password for their site (you can optionally give them your title, and describe your project).

Excuse me, but it should be a CRIME for them to require that kind of personal information for a study that I helped fund via my tax dollars. Given this is a study of open source software, requiring registration and giving up that kind of personal information is doubly insulting. Coverity, you should be ashamed at using extortion to share information/research that should be free.

Even worse, your form does not accept RFC compliant e-mail addresses (RFC 822, RFC 2142 (section 4) and RFC 2821). Now I have to add your company to my "no plus" web page for not even understanding and following 24 year old RFC standards. HOW CAN WE TRUST ANYTHING YOU PUBLISH?!

Oh, if you don't want to go through all of that hassle, you can grab a copy of the PDF report anyway.

http://osvdb.org/ref/blog/open_source_quality_report.pdf

From jericho at attrition.org Wed Mar 15 03:50:09 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 15 Mar 2006 03:50:09 -0500 (EST)
Subject: [attrition] Book Review: High-Tech Crimes Revealed

http://attrition.org/~jericho/works/security/review/book_review.high-tech_crimes_revealed.html

High-Tech Crimes Revealed
Cyberwar Stories from the Digital Front
Steven Branigan
ISBN: 0-321-21873-6
Addison-Wesley, Copyright 2005

I found this book just after Christmas (Dec 2005) and grabbed it hoping for a decent read about computer crimes and sociology, backed by real world experience and first hand tales from the 'digital front'. Instead, I got the worst collection of naive and inexperienced crap I have read in a long time. After paying money for this book, I feel as if I have fallen victim to a lame phishing scam.

It is important to note that this book is copyright 2005, and says the first printing was in August 2004. It puts the entire book into perspective and quickly makes you question the author's credentials. In fact, if this book wasn't written in the mid to late 90's, shelved for almost ten years, and eventually printed, then Branigan should never claim any affiliation with the computer security industry/community.

[..]

From jericho at attrition.org Fri Mar 17 07:38:27 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 17 Mar 2006 07:38:27 -0500 (EST)
Subject: [attrition] Bumper Sticker 101

Great rant courtesy of KGO.

---------- Forwarded message ----------

There are bumper stickers espousing views that one may disagree with, but which do so in a clever way. Then there are those that are just clueless. Today's candidate is a red white and blue (gotta be patriotic, because all the evil-doers clearly aren't) bumper sticker stating Abortion Is the ULTIMATE Terrorism!
If a member of the National Right To Life League sees this truck, they ought to pull the driver over, take out a dictionary and teach this bozo about the concept that words have specific meanings, and if one strings those meanings together in incongruous ways, it doesn't help The Cause - it simply makes those who share The Cause look ill-educated and foolish.

Let's review. Terrorism is the use of violence or the threat of violence to achieve a political end. I know that the current administration finds it fashionable to expand the definition of "terrorist" and "terrorism" to include "anything that Dubya doesn't like", but that's the basic by-the-book concept. Use of violence or fear for profit or personal gain - that's extortion. Use of threat of embarrassment or other non-violent harm for personal gain - that's blackmail. With me so far? Let's review - terrorism = violence and/or fear, for political motive.

Now let me see. Abortion as not just terrorism, but the ULTIMATE terrorism. HMMMM. Forced abortions among a given population might be a human rights violation, but it really wouldn't work as terrorism.

I've got it! Imagine a video of a woman in a hospital smock, lying on an examining table with her feet in the stirrups and her legs spread. Shaky, hand-held video (discreetly filmed from the side, so as not to offend by showing any "naughty bits"). She's looking sideways into the camera, with a crazed look on her face - that's so we know she's serious. She says "I demand the release of all the political prisoners in Iraq, or Doc here is going to ABORT THIS FETUS!"

Yeah, that's gonna really happen. The mere thought has me trembling in my boots. Forget the fact that most women who have abortions don't want anybody to know. Kinda makes it hard to instill enough fear and terror to cause political change if one isn't willing to publicize the threat.
Forget the fact that around the world, a good portion of the population would be saying "Go for it, girl - keep THE MAN out of your reproductive choices!" - not exactly the expression of fear that we're shooting for. Don't let any of that get in the way of one's terrorist objectives.

Maybe the bumper sticker is an expression of the "ultimate fear" of those who put it on their vehicles - the threat of having their offspring ripped from their womb. Or maybe it's some crypto-rape-fantasy thing that they don't want to own up to - nah, let's not go there.

In any case, it should be obvious to everybody that the scenario above is the REAL threat. It'll trump flying planes into buildings, beheading prisoners, blowing things up, videos of scared victims-to-be pleading for their lives, and all the rest. This truly is the ULTIMATE terrorism.

But then, after the Schiavo Circus came to town, maybe I'm wrong - maybe this WOULD work as the ULTIMATE terrorism, at least in some circles.

And lest anybody think that the idiocy is isolated to one corner of the political trade space, please consult darned near *anything* by PETA for proof that the left can be borderline illiterately loony, too.

KGO

From jericho at attrition.org Wed Mar 29 10:30:09 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 29 Mar 2006 10:30:09 -0500 (EST)
Subject: [attrition] Fred Cohen's New Philosophy: "Let's Spam our Colleagues"

This is a rant about some sleazy security marketeering.

Noted security expert Fred Cohen's got a book coming out, and that's certainly good news for him and his readers -- as a fellow author, I wish him well. However, what is NOT good news is that Chet Uber of SecurityPosture.Com has taken it upon himself to spam the Internet community repeatedly about the book in recent weeks.
Further and more disturbingly, in personal e-mail, Fred has confirmed his endorsement of Chet's spamming activities, despite his (Fred's) own lengthy anti-spam philosophy found on his personal website (http://www.all.net/spam.html). Hypocrisy, no?

So why is this spam "annoying than usual?" Let me count the ways --

1. Repeated reporting of this item to his ISP (Cox.Net) reporting previous instances of this note have gone unanswered.

2. It starts off with the famously-spammy catchphrase "You have got to read..." (No, I really don't....)

3. Chet includes the ENTIRE table of contents in the body of the spam. I'm surprised he didn't include a listing of charts or photos as well. (It probably prints out to 2 pages on paper.)

4. Chet includes a VERY lengthy book review in the body of the spam. Given the size of his spam note already, one wonders why he only included a single review.

5. Chet's e-mail header/footer implies that he is responsible and against unsolicited e-mail, yet he chooses an "opt-out" format to manage his spammer list. "Opt-out" by default is a very impolite way of building/managing e-mail lists and akin to "asking permission later." (The fact they're harvesting e-mails in the first place is another story, however.)

6. Various security folks report that it seems Chet/Fred are harvesting e-mail addresses from various sources -- including, according to one person, e-mail addresses found in conference attendee rosters, and another whose "receive-only" account received these spam notes. (And folks wonder why I don't give ALL contact information to event organizers...)

On a related note, as I made final edits to this note today, I received two different copies of another Chet Uber Spam (CUS) -- that appears to be his own personal security newsletter. I've never spoken with Chet, and to my knowledge, never opted-into anything he produces....so again, here's a case of a security firm apparently harvesting email addresses and spamming their colleagues.
How disgusting.

Fred and Chet, welcome to my spam blacklist, and congratulations on joining the roster of those security organizations whom I hold in professional contempt.

Rick
-infowarrior.org

From jericho at attrition.org Fri Mar 31 11:55:32 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 31 Mar 2006 11:55:32 -0500 (EST)
Subject: [attrition] Make Your Own Chevy Ads? Bad idea! (fwd)

From another list.. this underscores the downside to letting people create content that sticks around for more than a few minutes =)

---------- Forwarded message ----------

Oh, I've got a great idea! What if we let other people make the content on our website!

http://www.chevyapprentice.com/view.php?country=us&uniqueid=2f96c6f2-10b5-1029-98eb-0013724ff5a7

http://www.chevyapprentice.com/view.php?country=us&uniqueid=40a895fc-10eb-1029-98eb-0013724ff5a7

I wonder if Chevy will pick one of these to be the next international campaign?

From lyger at attrition.org Fri Mar 31 12:02:11 2006
From: lyger at attrition.org (lyger)
Date: Fri, 31 Mar 2006 12:02:11 -0500 (EST)
Subject: [attrition] Security Analysis Websites Form New Public-Interest Firm

SECURITY ANALYSIS WEBSITES FORM NEW PUBLIC-INTEREST FIRM

March 30, 2006 (HANOVER, MD) - Attrition.Org and Vmyths.Com, two of the Internet's most venerable security information resources, are announcing their merger and subsequent creation of Brilliant Security Initiatives (BSI), a public-interest security consultancy based in Hanover, MD. Since late 2005, the firm has quietly received funding from the Department of Homeland Security to support the development of its next-generation adaptive search appliance based on BSI's proprietary Bilateral Unique Linear Logarithm technology.
In a public statement to analysts this week, Attrition.Org founder Brian Martin and Vmyths founder Robert Rosenberger agreed that "while we've both had repeated offers over the years to 'go corporate' none of them seemed like a good match for our culture and services. This particular opportunity is a 'perfect storm' to align our expertise to serve a critical need for our nation's defense and bring an exciting project into reality."

The BULL project is intended to provide seamless, intelligent and adaptive Realtime Query Services (RQS) for the Department of Homeland Security's own Secure Homeland Information Transfer network that provides a common shared and secure operating environment for federal, state, and local law enforcement and emergency responders.

In addition to the RQS initiative, Brilliant Security develops and provides subscription-based research and analysis pertaining to Internet security and other topics related to critical infrastructure protection. "Most research firms provide analysis and 'advice' from an Ivory Tower perspective," says Jay Dyson, the firm's Technical Research Director. "What we bring to the table are lessons-learned based on direct, recent, and ongoing experience as security practitioners instead of industry groupthink and fuzzy research findings that change daily."

In addition to the $3.4 million RQS funding for 2006 is a last-minute, $1.2 million contract to provide secure electronic mail services to the FBI's New York Field Office, which was discovered recently to be lacking such basic networked services for its crime-fighting activities. Supporting this effort is Lockheed Martin Information Systems, already overseeing a $500 million program to develop the successor to the Bureau's failed Virtual Case File system.
Martin said, "Rob [Rosenberger] and I were tired of sending mail to New York-based FBI agents only to get it bounced back as undeliverable, and that just won't fly in this day and age of fighting terrorism -- especially when it involves our invoices and getting paid for our work in the Big Apple."

Assisting in this merger is Richard Forno, the former operator of the seven-year-old Infowarrior.Org security site, who will join the venture as chief scientist, and noted security expert AJ Reznor as chief technology officer. Corporate technical support and outsourced consulting services for the New York FBI e-mail project will be provided by the five-year-old UnixGeeks.Org consultancy, also merged into the combined entity.

With a full-time staff of fourteen, the new company will be based in Hanover, MD. The firm's new website will launch on 1 April 2006.

Press Contact: bsi-press at attrition.org

The Brilliant Security Initiatives family is always looking for more help. Send in your resume quickly, as the list of considerations is quite competitive:

http://attrition.org/misc/ee/20050426-names.txt
