From lyger at attrition.org Wed Jul 4 02:54:27 2007
From: lyger at attrition.org (lyger)
Date: Wed, 4 Jul 2007 02:54:27 +0000 (UTC)
Subject: [attrition] Surf No Evil: The Fight Against Big Brother
Message-ID:

http://attrition.org/security/rant/z/filter2.html

Submicron writes:

As previously discussed, there are a number of inherent flaws in the practice of web content classification and how the fruits of that classification are then sold in the form of content filtering products. The impact of these flaws, however, is not limited to the consumers of content filtering products. Mis-classification of web content affects websites themselves, often as harshly as it affects users of content filtering who need access to the resources provided by mis-classified sites. Before discussing the impact of mis-classification on legitimate websites and users of content filtering, it is important to understand the process by which a website is classified (or mis-classified) by the content classification industry.

[.]

Jericho writes:

To better illustrate this problem, consider the following web sites and their URLs. Each one is a legitimate business that has absolutely nothing to do with indecent material, but runs the risk of being filtered due to 'inappropriate content' simply because of the site's name. Some filtering products act on the assumption that if a 'bad' word is in the URL or site name, it must be part of the content they are offering.

[.]

Lyger writes:

... which leads us to a time in the not-so-distant past (as you will read below) where attrition.org was again directly affected by the content filtering industry. Shortly after the release of an email to the "General Attrition Mayhem Mail List", we received a curious email stating the following:

From: A.A. (xxxxxxxx at xxxxxxxx.com)
To: lyger (lyger at attrition.org)
Date: Sat, 16 Jun 2007 13:01:50 -0700 (PDT)
Subject: Bloody Bobbing Bollocks, You've Been Blocked!

lyger-

Wow... just wow. Imagine my happiness when I arrived at work after a few days off and saw a bunch of new dataloss entries and a new going postal. "Good times," I thought to myself, as I typed attrition.org into my address bar only to be greeted by this:

You have attempted to access a site that is not consistent with [Company]'s Internet Usage Policy.

[...]

From d2d at attrition.org Sat Jul 14 04:47:11 2007
From: d2d at attrition.org (d2d)
Date: Sat, 14 Jul 2007 04:47:11 +0000 (UTC)
Subject: [attrition] Postal Installment #0015: the pigeon is not screaming
Message-ID:

http://attrition.org/postal/p0015.html

death, rape, and santa
short, simple, suffer
troll flashback
that'll be $150 an hour, please
only for a price
not even a KTKSBYE
funny like a suicide
OSVDB: one-stop password shop
love at first sight
teh pr0n startz herez

[.]

From lyger at attrition.org Thu Jul 19 23:08:38 2007
From: lyger at attrition.org (lyger)
Date: Thu, 19 Jul 2007 23:08:38 +0000 (UTC)
Subject: [attrition] rant: Partial Truths: A Guide to Legally Covering Up a Data Loss Incident
Message-ID:

http://attrition.org/security/rant/z/partialtruths.html

Thu Jul 19 19:05:40 EST 2007
d2d

Steps required:

1. DO NOT TELL THE PRESS.
2. Comply with state laws, as your in-house counsel conveniently interprets them.
3. If you must tell the press:
   * Do not release the total number affected.
   * Use ambiguous language that does not even hint at the scope of the breach (omit quantifiers like: some, all, many, assloads).
   * Be sure to include "There have been no reports of misuse...".
   * Finally, add a comforting "The (system|file|gnome) was password protected."

In truth, none of the above-mentioned methods truly cover up a data loss incident, but they do make them significantly less painful for the companies who experience the losses. They also do not have nearly the impact on consumers that breaches reported with full disclosure might.

It is a rather simple process of deception: tell the truth only where you have to, and tell only the partial truth as required by law. The IBM tape loss earlier this year is a fantastic example of how to make a significant breach receive little press. The breach was widely reported, but since IBM released no numbers there was little scope, and as such the incident was quickly forgotten. Since IBM won't disclose the numbers, we assume it was in the millions, and if you had dealings with IBM, worked for IBM, bought from IBM or thought of IBM in a sensual dream, you are probably affected.

[...]

From lyger at attrition.org Fri Jul 20 22:52:07 2007
From: lyger at attrition.org (lyger)
Date: Fri, 20 Jul 2007 22:52:07 +0000 (UTC)
Subject: [attrition] rant: What The Hell Was He Thinking?
Message-ID:

http://attrition.org/security/rant/z/privacy.html

Fri Jul 20 17:40:29 EST 2007
Lyger and Jericho

For those who haven't heard, a recent data loss incident involving the Louisiana Board of Regents was recently disclosed to the media. In short, about 80,000 Social Security numbers were inadvertently exposed over the internet, and the media seemed to be very quick in picking up on the story. An independent researcher by the name of Aaron Titus made this discovery, contacted a media source and made the disclosure. Fairly interesting.

Here's the problem: Aaron Titus made a mistake. He asked for advice regarding responsible disclosure of a known vulnerability (i.e. an exposure of personal information in a public location), and then proceeded to ignore almost every bit of rational advice given to him.

[..]

Note that we redacted Aaron's email address in the email above. It is worth mentioning that we also redacted his work telephone number from the same email. We would really hate to invade his personal privacy since he values it so much, but with that said, why would a "privacy advocate" ask for advice regarding responsible disclosure, email us at attrition.org, receive our advice, and then do this:

https://www.ssnbreach.org/

[...]

From lyger at attrition.org Sat Jul 28 18:36:11 2007
From: lyger at attrition.org (lyger)
Date: Sat, 28 Jul 2007 18:36:11 +0000 (UTC)
Subject: [attrition] Movies: The Return, Breach, Mr. Brooks, Bridge to Terabithia, Speak
Message-ID:

http://attrition.org/movies/bits13.html

(from Martums)

The Return
2006

Plagued by nightmares (visions), ghosts haunt traumatized 20-something professional.

----------

Breach
2007

The tagline says it all: Inspired by the true story of the greatest security breach in U.S. history

----------

Mr. Brooks
2007

Boring Mr.-Rogers-type has this wicked alter-ego. Always a step ahead of the investigators, Brooks gets blackmailed by some profound idiot who happens to photograph him in the act. Hilarity ensues.

----------

Bridge to Terabithia
2007

Finally! An un-Disney, Disney movie, without the Brady Bunch or Leave It to Beaver bullshit, and substantially less phony crap than usual. One minute, it's live-action whistle while you work, then you blink, and they rip the rug out from under you. Geesh.

----------

Speak
2004

from IMDB: After a blurred trauma over the summer, Melinda enters high school a selective mute. Struggling with school, friends, and family, she tells the dark tale of her experiences, and why she has chosen not to speak...

[...]