On Sunday afternoon, Lyger noticed that the Wikipedia page for Attrition.org had recently been changed. Most notable was how "jericho-centric" it had become, along with a new note that we had been defaced and an inaccurate paraphrasing of jericho's response to that incident. These were curious additions, given that the page rarely received updates in the past, and they suggested someone didn't care for us.
Lyger did four minutes of digging and put some pieces together, giving us a likely suspect. With a little poking through our web logs and checking past e-mail headers, it was obvious who it was. But first, the backstory.
On April 27, 2010, Jon Lybrook of WordSecure.com sent spam to curators[at]datalossdb.com advertising their service. The mail has all the marks of spam; doesn't address anyone in particular, isn't written for the recipient specifically, offers "to be omitted from future notifications" and contains general buzz-word laden crap. As with all security spam, we added it to the Errata project and moved on. On May 18, 2010, we received a second mail that only reinforced our notion that this was pure spam.
A month later, Jon Lybrook mailed our staff@ alias asking us to remove both mails, calling them a "smear crusade" against his name and his company:
From: Jon Lybrook (jon@wordsecure.com)
To: AT (staff[at]attrition.org)
Date: Tue, 22 Jun 2010 00:54:50 -0600
Subject: Request

Dear Staff AT attrition.org (whoever you may be),

Sorry to see you did not take interest in my appeals in April and May to curators[at]datalossdb.org looking for possible business partners and customers. I am also sorry if I offended you or your staff by sending you the emails. However I would appreciate your removing your postings of my emails to your organization from your website attrition.org. Specifically:

http://attrition.org/errata/spam/wordsecure.com-spam01.html
http://attrition.org/errata/spam/wordsecure.com-spam02.html

I will be sure to not approach you again, so please remove your smear crusade against my name and company. I am an actual person here and not a spam bot.

Thanks in advance,

Jon
--
Jon Lybrook
WordSecure, LLC
Phone: 1-877-878-6798 ext 705
FAX: 1-877-878-6798
https://wordsecure.com
What Lybrook fails to understand is that the wording of his two spam mails wasn't specifically directed at the curators of DatalossDB.org. OSF, the parent 501(c)(3) of DatalossDB, does not have clients and has no interest in or need for WordSecure's service. The second mail tries to make its pitch by appealing to the project to "make [our] business work smarter", despite DataLossDB not even being a business. Sorry Jon, spam is spam, and I replied politely saying we were not interested in removing the content:
From: security curmudgeon (jericho[at]attrition.org)
To: Jon Lybrook (jon[at]wordsecure.com)
Cc: Heathens (staff[at]attrition.org)
Date: Sun, 27 Jun 2010 04:29:06 -0500 (CDT)
Subject: Re: Request

Hi Jon,

: Dear Staff AT attrition.org (whoever you may be),

(we're actually people too!)

: Sorry to see you did not take interest in my appeals in April and May to
: curators[at]datalossdb.org looking for possible business partners and
: customers. I am also sorry if I offended you or your staff by sending
: you the emails.

Yes, unsolicited mail advertising a company or service, seeking new customers.. I believe that is pretty much the definition of spam?

: I will be sure to not approach you again, so please remove your smear
: crusade against my name and company. I am an actual person here and not
: a spam bot.

Publishing two spam mails is not a "smear crusade". If you question that, perhaps you should dig around our site a bit more. You will find that we can be very dedicated to just posting factual information, that could much more easily be called a 'smear campaign'.

Alternatively, by that reasoning, we could add wording to the post that says those mails were "part of an aggressive spam campaign". Please advise if we should update accordingly.

Your last line is confusing. Spam bot or not, an 'actual person' programs it, feeds it the spam to deliver and attempts to profit off that activity. Your status as a human really doesn't come into play or affect how we'd react to the mail. It wasn't even generically addressed like most decent spam software allow for.

We appreciate you removing any datalossdb.org address from your "seeking customers" list. That will go a long way to ensure a third entry isn't added to our page.

Jared

p.s. In case it still isn't clear, most of the staff here are the core people volunteering on DatalossDB.
Jon replied to me that same day:
From: Jon Lybrook (jon@wordsecure.com)
To: security curmudgeon (jericho[at]attrition.org)
Cc: AT (staff[at]attrition.org)
Date: Sun, 27 Jun 2010 12:57:23 -0600
Subject: Re: Request

Hi Jared,

Thanks for the reply to my email from last week. Glad to hear you're a human too and I appreciate the response to my request! Perhaps it was the evil clown photos on your 'about us' page and the fact that your email was simply staff[at]attrition.org with no person's name that made your organization seem more menacing than human. Not exactly the image I have of whitehat security specialists, but then not everything in the world is clearcut as we would like to believe sometimes.

You can call my email appeal spam if you like, and I could see why you might, but know my intention in sending the email appeal was not primarily to profit. My primary objective was to connect with qualified organizations that were interested in partnering with us, and finding people that could benefit from the secure messaging system we offer because we provide a great service that people need. If my motive was purely to profit and I had no integrity, as you seem to be saying, would I not have simply sent messages to anyone and everyone, not people relevant to the security industry like yourselves? The appeal went to less than 3,000 recipients I hand selected and was less harmful to the environment and people's time than sending out 3,000 post cards via snail mail. You have no way of knowing that I'm telling the truth about this, and may not care, but focused marketing efforts is our approach at WordSecure. Not spam.

Again, I am sorry to have offended you and will again ask you to please take down your condescending comments about me and my company. The connection between attrition.org and datalossdb.org was mentioned in places on your site and I have taken note.

I'll be sure to remember datalossdb.org and your treatment of me and my organization when my I, my colleagues and our resellers in the industry are considering security consulting and services. I hope you will give me the benefit of the doubt and comply with my request.

Regards,
Jon Lybrook
Jon gives a sincere reply to me but makes a few odd remarks. Nowhere on our web site does it say we are "whitehat security specialists". Justifying the sending of 3,000 e-mails as better than sending post cards is a non-sequitur. He further calls us posting his verbatim mails with a one line intro "condescending comments about [him] and [his] company". He goes on to give a vague "threat" of sorts that he and his colleagues will not give us business because of this, stating "I'll be sure to remember datalossdb.org and your treatment of me and my organization when my I, my colleagues and our resellers in the industry are considering security consulting and services." That of course is fine as neither attrition.org nor DatalossDB.org offer consulting or services other than the totally free web-sites we run. After all of this, he wants us to give him the benefit of the doubt and comply with his request.
Unfortunately, I ended up getting distracted from e-mail and busy with other things and never replied to him. As of this article, his last mail was still sitting in my inbox without reply. Understandably, Jon took this as me being unwilling to remove the content (I'm not) and unwilling to reply to him (I honestly planned to), and moved to the next steps in dealing with us: editing our Wikipedia page and setting up a redirect for when attrition.org visits his domain.
While checking out WordSecure's web page today, in the course of figuring out the Wikipedia edits, Lyger noticed that someone had kindly put up a redirect that fires only for visits from our domain (pardon our path disclosure):
forced /home/web/postal/asshats# openssl s_client -connect wordsecure.com:443
CONNECTED(00000003)
[..]
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Mon, 16 Aug 2010 06:43:38 GMT
Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8e
Location: http://www.spj.org/ethics_code.asp
Content-Length: 218
Connection: close
Content-Type: text/html; charset=iso-8859-1
[..]
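The check above is nothing more than a raw HTTP request typed into a TLS socket. Here is an added Python version of the same probe (our own example for this write-up, not anything from WordSecure): it parses the response headers shown above, embedded as a constructed byte string, and reports the redirect target, and probe() does the live fetch, sending SNI and a Host header, which the bare HTTP/1.0 request above did not. The host, path and User-Agent string are assumptions.

```python
import socket
import ssl

# Constructed from the response shown above; the 218-byte body is elided
# on the page, so it is empty here.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Mon, 16 Aug 2010 06:43:38 GMT\r\n"
    b"Server: Apache/2.2.15 (FreeBSD) mod_ssl/2.2.15 OpenSSL/0.9.8e\r\n"
    b"Location: http://www.spj.org/ethics_code.asp\r\n"
    b"Content-Length: 218\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups do not depend on the server's
    capitalisation; the body is returned untouched.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def redirect_target(raw: bytes):
    """Return the Location of a 3xx response, or None if it is not a redirect."""
    code, headers, _ = parse_response(raw)
    if 300 <= code < 400:
        return headers.get("location")
    return None


def probe(host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch `path` from `host` over TLS and return the raw response bytes.

    Unlike the s_client session above this sends SNI and a Host header, so a
    name-based virtual host answers as itself rather than as the server's
    default site. Network call; not exercised by the offline checks.
    """
    ctx = ssl.create_default_context()
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: redirect-probe/1.0\r\n"   # assumed UA string
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print(redirect_target(SAMPLE_RESPONSE))  # http://www.spj.org/ethics_code.asp
```

Since this redirect is keyed on who is asking, a probe from an unrelated network is expected to get a different answer; run it from the vantage point you actually care about, and compare against a second one if you want to prove the behaviour is conditional.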
Jon apparently thinks we are not only journalists, but journalists that do not follow a code of ethics. This is painfully ironic given the big words at the top saying "Seek Truth and Report It", something Attrition.org is kind of known for with the Errata Project. Us posting that WordSecure and Lybrook sent spam is in keeping with that mission. We were "honest, fair and [most certainly] courageous" in dealing with that awful and dangerous spam. There was no deliberate distortion, we gave him a chance to respond to our allegations, we let Google handle source reliability, did not misrepresent, posted material as fair use, avoided stereotyping and exchanged views even though we found them repugnant. All in all, I believe we followed the code of ethics pretty well considering we're not journalists and we simply posted two pieces of spam verbatim with one line commentary on each.
In return for his kind redirection, we too have set up a redirect for the IP address he has been using for over a month to e-mail us and view our web site. Hopefully he will better understand that we are not "whitehat specialists" or whatever, that we are more INTERNET THUGS YO.
forced /home/web/postal/asshats# egrep -A2 Lybrook /home/web/.htaccess
#173-14-24-113-colorado.hfc.comcastbusiness.net Jon Lybrook
RewriteCond %{REMOTE_ADDR} ^(173\.14\.24\.113)$
RewriteRule ^/* http://en.wikipedia.org/wiki/Bear_(gay_culture) [L]
forced /home/web/postal/asshats#
In editing Wikipedia, Jon demonstrates that his version of a 'smear campaign' is pretty weak. One of his additions was adding that we were defaced, but he failed to notice that we host our own defacement mirrors of not one, but both times we were hit. Failing research is not Jon's only deficiency, as he conveniently "paraphrases" me and turns it into something I did not say. From Jon's Wikipedia addition (bold is our emphasis):
The attrition.org website was hacked and defaced itself in 2001, in reply to which, site owner Brian Martin was quoted as saying, in effect, he could not be held accountable to the same standards he held security companies accountable to, since he was not running a security service -- at least not at the time.
In reality, that isn't at all what I said in the interview with InfoGuerra, mirrored at Hack in the Box:
We put the same amount of effort into security now as we did a year ago... which was not a whole lot. Many years ago the box was brought to a certain level of security. It was enough to fend off the ./hack kiddies and to this date it has done well. We've been mindful of remote vulnerabilities, as well as keeping the local file system locked down to a point (very restrictive permissions, very few SUID bins, etc). When running an open system like Attrition, there is only so much you can do. No matter how much security we put in place on this machine, at some point or another we have to trust others outside of this system and the security of those machines. With 25 users and allows for about 100+ hosts, some of them from .edu machines, some from networks known to have previous compromises, it's only a matter of time before someone will get in. This is a reality of running a multi-user system on the Net that can't have the luxury of sitting behind more protective firewalls, or denying more traffic.
[..]
We are not a security company, we do not sell security products, and we perform no security services related to Attrition.org. We're not trying to claim we're experts and sell you products/services, so it is different than many of the sites we point out in errata or commentary.
It is clear that Lybrook is either mentally handicapped, or this is his own version of a 'smear campaign' against me and Attrition.org. Nice Jon, but a tad transparent. We're also sorry that it took you a dozen or so attempts and at least one rejection before getting all of your changes accepted. Those Wikinazis suck. =(
We do have to thank Lybrook, though, for making it so easy to figure out who was behind this. On top of using "Jonlyb" as his Wikipedia username, he also forgot to log in once, so Wikipedia recorded his IP address instead. That IP address, 173.14.24.113, was easy to match up against the headers of the mails he sent:
Delivered-To: staff[at]attrition.org
Received: from terabear.com (mail.terabear.com [206.168.112.52])
	by forced.attrition.org (Postfix) with ESMTP id C39F18ED5D
	for (staff[at]attrition.org); Tue, 22 Jun 2010 01:55:19 -0500 (CDT)
Received: from [127.0.0.1] (173-14-24-113-Colorado.hfc.comcastbusiness.net [173.14.24.113])
	by terabear.com (MAILER-6 TERABEAR) with ESMTP id o5M6tA0G019525
	for (staff[at]attrition.org); Tue, 22 Jun 2010 00:55:11 -0600
Message-ID: (4C205E3A.7090308@wordsecure.com)
Date: Tue, 22 Jun 2010 00:54:50 -0600
From: Jon Lybrook (jon@wordsecure.com)
That in turn led us to all kinds of fun hits in our logs from him searching Google with creative terms (relevant but boring ones left out):
forced /home/lyger/asstastic# grep 173-14-24-113-colorado.hfc.comcastbusiness.net access_log.2010-* | grep -i google | cut -f11 -d" " | sort -u
"http://webcache.googleusercontent.com/search?q=cache:xkjcO-f-hQEJ:attrition.org/security/rant/av-spammers.html+brian+martin+attrition&cd=1&hl=en&ct=clnk&gl=us"
"http://www.google.com/search?hl=&q=Brian+Martin+hacker&sourceid=navclient-ff&rlz=1B3GGGL_enUS337US337&ie=UTF-8"
"http://www.google.com/search?hl=&q=attrition.org+MasterCard&sourceid=navclient-ff&rlz=1B3GGGL_enUS337US337&ie=UTF-8"
"http://www.google.com/search?hl=&q=attrition.org+fuck&sourceid=navclient-ff&rlz=1B3GGGL_enUS337US337&ie=UTF-8"
"http://www.google.com/search?hl=&q=attrition.org+sex&sourceid=navclient-ff&rlz=1B3GGGL_enUS337US337&ie=UTF-8"
"http://www.google.com/search?hl=&q=privacy+policy+site%3Aattrition.org&sourceid=navclient-ff&rlz=1B3GGGL_enUS337US337&ie=UTF-8"
"http://www.google.com/search?hl=en&q=Jericho+attrition.org&aq=f&aqi=&aql=&oq=&gs_rfai=&fp=8631cdd35a4d476d"
"http://www.google.com/search?hl=en&rlz=1B3GGGL_enUS337US337&q=attrition.org&aq=f&aqi=g3&aql=&oq=&gs_rfai="
"http://www.google.com/search?hl=en&rlz=1B3GGGL_enUS337US337&q=attrition.org+asshole&aq=f&aqi=&aql=&oq=&gs_rfai="
"http://www.google.com/search?hl=en&rlz=1B3GGGL_enUS337US337&q=jericho%40attrition.org&aq=f&aqi=&aql=&oq=&gs_rfai="
"http://www.google.com/search?q=priceless+site:attrition.org&hl=en&lr=&as_qdr=all&prmd=iv&ei=ABhTTI6aDpHUtQPav_DVBQ&start=10&sa=N"
forced /home/lyger/asstastic#
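The correlation in the last few paragraphs (pull the originating IP out of the Received chain, find that client in the web log, decode what it searched for) is mechanical enough to script. What follows is an added Python example written for this write-up, not code from attrition.org or anyone else named here. The mail headers are reconstructed from the message quoted above with the body elided; the log lines are constructed (timestamps, paths, sizes and the unrelated 192.0.2.10 client are made up, the referrers are three of the searches listed above). It assumes Apache combined log format with HostnameLookups on, which is why the client field is a hostname rather than an address.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the Received chain of the 22 Jun 2010 mail quoted above.
SAMPLE_MAIL = """\
Delivered-To: staff@attrition.org
Received: from terabear.com (mail.terabear.com [206.168.112.52])
\tby forced.attrition.org (Postfix) with ESMTP id C39F18ED5D
\tfor <staff@attrition.org>; Tue, 22 Jun 2010 01:55:19 -0500 (CDT)
Received: from [127.0.0.1] (173-14-24-113-Colorado.hfc.comcastbusiness.net [173.14.24.113])
\tby terabear.com (MAILER-6 TERABEAR) with ESMTP id o5M6tA0G019525
\tfor <staff@attrition.org>; Tue, 22 Jun 2010 00:55:11 -0600
Message-ID: <4C205E3A.7090308@wordsecure.com>
From: Jon Lybrook <jon@wordsecure.com>

(body elided)
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>": the HELO name is whatever the
# client claimed; the bracketed IP is what the receiving MTA saw on the socket.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw_mail):
    """[(helo, rdns, ip, recording_host)] per parseable hop, earliest hop first."""
    msg = message_from_string(raw_mail)
    hops = []
    # Every MTA prepends its own Received header, so the last one is the first hop.
    for value in reversed(msg.get_all("Received") or []):
        m = RECEIVED_RE.search(" ".join(value.split()))   # unfold the header
        if m:
            hops.append((m["helo"], m["rdns"], m["ip"], m["by"]))
    return hops


def originating_ip(raw_mail, trusted_relays=()):
    """(ip, rdns, recording_host, trusted) for the earliest public hop, or None.

    A hop is only evidence if you trust the MTA that wrote it; anything below
    your own relay could be forged by the sender. The hop naming 173.14.24.113
    was written by terabear.com, the sender's relay, so on its own it is a claim
    that needs outside corroboration (a Wikipedia edit, a web log).
    """
    for helo, rdns, ip, by in received_hops(raw_mail):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_private or addr.is_loopback:
            continue
        return ip, rdns, by, (by in trusted_relays)
    return None


# Apache combined log format.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed log lines; note the reverse-DNS name is logged in lower case
# while the mail header has "Colorado", so matching must ignore case.
SAMPLE_LOG = [
    '173-14-24-113-colorado.hfc.comcastbusiness.net - - [27/Jul/2010:10:12:05 -0500] '
    '"GET /security/rant/av-spammers.html HTTP/1.1" 200 14213 '
    '"http://webcache.googleusercontent.com/search?q=cache:xkjcO-f-hQEJ:attrition.org/security/rant/av-spammers.html+brian+martin+attrition&cd=1&hl=en&ct=clnk&gl=us" "Mozilla/5.0"',
    '173-14-24-113-colorado.hfc.comcastbusiness.net - - [27/Jul/2010:10:13:40 -0500] '
    '"GET / HTTP/1.1" 200 8810 '
    '"http://www.google.com/search?hl=&q=Brian+Martin+hacker&sourceid=navclient-ff" "Mozilla/5.0"',
    '173-14-24-113-colorado.hfc.comcastbusiness.net - - [28/Jul/2010:09:02:11 -0500] '
    '"GET / HTTP/1.1" 200 8810 '
    '"http://www.google.com/search?hl=en&q=attrition.org+asshole&aq=f" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Jul/2010:11:30:00 -0500] "GET / HTTP/1.1" 200 8810 '
    '"http://www.google.com/search?hl=en&q=attrition.org" "Mozilla/5.0"',
]


def google_queries(log_lines, client_ids):
    """Sorted, decoded Google search terms sent as referrer by any of client_ids."""
    wanted = {c.lower() for c in client_ids}
    queries = set()
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or m["client"].lower() not in wanted:
            continue
        host = urlsplit(m["referer"]).hostname or ""
        if not (host == "google.com" or host.endswith((".google.com", ".googleusercontent.com"))):
            continue
        for q in parse_qs(urlsplit(m["referer"]).query).get("q", []):
            # Cache hits carry "cache:<id>:<url>" in q ahead of the actual terms.
            queries.add(re.sub(r"^cache:\S+\s*", "", q))
    return sorted(queries)


def correlate(raw_mail, log_lines):
    """Tie the mail's originating IP to the web log and return what it searched for."""
    hit = originating_ip(raw_mail)
    if hit is None:
        return None
    ip, rdns, _, _ = hit
    return {"ip": ip, "rdns": rdns, "queries": google_queries(log_lines, {ip, rdns})}
```

The trusted-relay flag is the part worth keeping in mind: the only Received header attrition's own mail server wrote is the top one, naming terabear.com. The hop below it that names 173.14.24.113 was written by the sender's relay, so by itself it proves nothing; it is the match against an independently recorded IP (the unauthenticated Wikipedia edit, the web server log) that turns it into evidence.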
Should I be worried, Jon, that you may develop a man crush and start your bromance of me? To help you out, yes, we are assholes. This site has a policy that relates to privacy (the very first link on our home page). I believe the first two bullets sum up that policy, especially as relates to you.
So, Jon, the ball is in your court. You spammed, we posted. You edited Wikipedia and redirected us. We wrote this and redirected you. Do you really want to lower yourself to our level of shenanigans and keep up this virtual pissing contest? You certainly aren't making your spam go away by doing this, and as this article demonstrates, you are only going to make potential customers realize you are not very good at security, and a prick on top of it.
Sincerely,
Jared
Brian
security curmudgeon
Jericho
Your #1 Fan
Bear hugs and kisses!
X X X O O O
DISCLAIMER: Loyal attrition.org readers: Please do not take this article as permission to act on our behalf. Please do not go poking around WordSecure looking for vulnerabilities in the service, and please do not mock Tera Bear or Chrono Synthesis for their web design that makes our site look Web 2.0-ish. We're serious, leave the poor schmuck alone!