From jericho at attrition.org Mon May 3 18:57:27 2010
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 3 May 2010 18:57:27 +0000 (UTC)
Subject: [attrition] Errata Overhaul and Re-launch
Message-ID:

Re-launch Overview:
-------------------

Started over a decade ago, the Errata project of attrition.org is the longest maintained section of the site. While consistently the least viewed, it has provided a valuable resource to many people in and out of the computer security industry including employers and media. While far from a complete history of the darker side of our industry, the project serves as a reminder that security providers and companies can be as much of a risk as they provide help.

http://attrition.org/errata/

Changelog:
----------

Significant changes for re-launch:

- Standardized HTML (mostly)
- Slightly better META content
- Massive re-org of several pages
- Most indexes converted to tables
- Snazzy new graphics for main page
- Significant backfill of events for several pages

Moving forward:

- Several ideas for new pages in the works
- Endless backfill (1500+ mails / articles)
- More HTML standardization (e.g., titles, META)

Errata Information & Background:
--------------------------------

Whether it is $39.99 anti-virus software, or $500/hr specialty penetration testing, you are paying a price for a piece of security. The security companies that offer these solutions insist that security is important for you as a person and critical to your business. So important in fact, that they expect you will pay ridiculous prices for solutions that aren't as complete or helpful as they seem. One of the cornerstones and components of 'security' is integrity; "1. adherence to moral and ethical principles; soundness of moral character; honesty". When security providers have a breakdown in their own integrity, you should be aware of it.
When the company taking your money in return for security products and services fails to maintain a certain level of integrity, you should challenge them on why they think they are qualified to sell security offerings.

This page exists to enlighten readers about errors, omissions, incidents, lies and charlatans in the security industry. With the media running rampant and insufficient checks and balances for their reporting in place, the general population has been misled about everything from hackers to viruses to 'cyberwar' to privacy. In recent years, companies peddling security products and services have taken a turn for the worse, casting aside ethics in favor of lies and profit.

Over the years, many companies and people have developed a taste for money and fame when it isn't deserved. These frauds and charlatans survive on being in front of cameras and news articles, constantly peddling their ideas and solutions, when they typically have no merit.

People often ask why we are so critical about articles, or focusing on a single paragraph of a larger article. Regardless of the size or frequency of errors, these problems can be viewed as single bricks in a large wall. The more people read these bricks, the more they begin to see the entire wall. After reading the same errors or omissions from several news sources, the information makes an amazing transition from 'unbiased news' to 'fact'. The notion that it is 'unbiased news' in the first place is just as ludicrous, but a fact of life. Like the news clips, charlatans build their careers by using the same methods. Quoted in an article here, give a weak presentation there and before long it is spun into an elaborate resume, extensive use of the word 'expert' and "twenty years of experience."

The contents of these pages are the opinions and observations of attrition.org staff. However, we frequently receive pointers to articles, information and budding charlatans in our industry.
In some cases, we receive material that we republish as is. For any material to appear on this page, we feel that our opinion or posted content is backed by a reasonable amount of evidence and logic. We try to distinguish what is factually incorrect versus our opinions. Do not take this page as gospel; use it as one of many information resources, do your own research and form your own opinions. While we will strive to keep this project as unbiased as possible, there will be many times where we can only counter opinions, bias and implications with those of our own.

From lyger at attrition.org Sun May 23 20:19:37 2010
From: lyger at attrition.org (lyger)
Date: Sun, 23 May 2010 20:19:37 -0500 (CDT)
Subject: [attrition] State of the Attrition Address (redux)
Message-ID:

http://attrition.org/news/content/10-05-23.001.html

Sun May 23 18:58:06 CDT 2010
Attrition Staff

As you may *not* have noticed, Attrition has had a little bit of downtime lately. For the most part, this has been limited to business hours, Monday through Friday, from opening to closing bells on the world financial markets.

It all began long ago, in a galaxy far, far away...

The last time this happened, there was a slight issue with noise coming from the box. The problem had been dealt with swiftly each time; as the box made sounds signalling its impending doom, it was kicked. Notice that the previous "kicked" was not in quotation marks; it was literally *kicked* with a human foot to make the noise stop. This solution actually worked... for about a month. Much as the way that Cancer Omega kicks liberals, the noises soon stopped, but the whining soon started again. It was then decided that a new box would be deployed, and what we have been using since then has simply been called "New Forced".

Four and a half years later...

In early March, "New Forced" unexpectedly went silent. Our NOC noticed that the box had shut itself down, and called us on our Bat-Phone early one Sunday morning.
During the conversation, it was mentioned that the box was giving off, well, a *smell* that would usually indicate Southern-fried hardware. As the box was booted back up, the smell persisted, but it held up... for about 30 seconds. Then it was down again. One more reboot attempt succeeded, and it remained up, but we knew that a box like "New Forced" could only take so much d2d virtual leg-humping, so... [...]