Forwarded from: Robert Wayne <netmapper@private>
To: full-disclosure@private
Cc: isn@private, isn@private

Hi there,

I am a regular reader of all the major security lists and I laughed (in a way) at the posting about "Wendy's order system"... I laughed because at first glance I thought it was funny, but then I realised that what I was reading was a "vulnerability" on a security list, so it wasn't clear to me what that stupid joke was doing there.

Ok, it's true... full-disclosure is not moderated, everybody can post, yeah yeah, blah blah blah, but still: it is (meant to be) a security list. Am I wrong?

Please note that this is not just about another silly off-topic post: someone deliberately posted a vulnerability, perfect in its structure, with all the right fields in the right place, on more than one security list. There is more than off-topic here. Ok, the content was clearly a hoax, but it denotes a problem that could be much more dangerous...

Let me point out that, as the anonymous guy who posted the (two?) articles claims, I'm not affiliated with mi2g. I thought about not replying and wasting my time, but given the fact that your stupid postings are going on, and some other people even give you credit for that, I would like to say something as well. Hope you don't mind. Hope the list doesn't mind.

It is not something off-topic in my opinion, because it is strictly related to the way security information is diffused, so it is inherently about security.

Before I proceed with the security issues related to the original post about "Wendy", I would like to explore some of the points you have made:

---------------------

>Instead of laughing along with the obvious hoax, mi2g responded in typical
>fashion by releasing a "News Alert" in which they spread FUD, lie about...

I don't understand your point. I can laugh, you can laugh... but they are defamed! Can you explain why they should laugh? I don't get it...

>Ransom demands? Negative publicity? Reputation damage accelerates?
>mi2g is saying that "trusted web sites and security portals" posting
>the original hoax have contacted mi2g, offering to not post it in return
>for up to one MILLION dollars. Who are these black hearted criminals?

First: my impression is that they are not referring to the sites you are talking about. I don't see anywhere in their message: "trusted web sites and security portals posting the original hoax have contacted mi2g". Are you making it up (lying)?

Second: are you working for all the sites mi2g is referring to, that you are so confident in excluding this possibility? Who gives you the right to judge something you don't know anything about?

It appears to me that you've spent many (valuable?) hours of yours discrediting that company, as well as bothering us (at least me) with your statements. Either you know something we don't, or you'd better be silent. I can't tell if what mi2g says is true or not, I don't work there... do you? If I don't know something, I tend not to speak publicly about it... at the very least I don't try to sell it as THE TRUTH!

>Because of this obvious advisory parody, the poor masses are going to
>have a hard time figuring out which advisories are legitimate? I think
>mi2g assumes every security professional and administrator is as big
>a retard as themselves.

Again, I do not agree with you. The whole point of their statement is not about "Wendy"! Here it seems that YOU have some problems comprehending the bottom line message (please note that I am not saying you are a retard):

--------------------

"If you can so easily post a clear hoax and nobody - or very few of them - bothers to check, who can stop you from publishing a "real" (note the quotes!) vulnerability disclosure, more realistic than "Wendy's", attacking your competitor A or a product B? What if you start publishing ten of them, and then hundreds? How will this massive pollution of security lists and sites change the user perception of a company A or product B? Will you buy a product from a company that has hundreds of so-called vulnerabilities? I bet you wouldn't, at least you'd think about it twice... It doesn't really matter if they are real or not, they are listed everywhere, so the perception of them makes them real. If you have the power to disseminate a big number of lists (as well as very important web sites like securityfocus.com, that mirror any list without questioning the authenticity of the postings) with false vulnerabilities, you can discredit and damage any company. Full stop."

--------------------

You got it? This is the message I understood from mi2g's reply and it makes perfect sense to me.

Between you and me, it looks like you have already started this process against mi2g... Lies, false allegations, unreal vulnerabilities, all posted to public lists... You are working very hard... Is there at least someone paying you for this job?

>One out of three correct, good job mi2g!

Again, check the archives. I also found a posting on ISN that mi2g seems to have missed... Should I let them know?!? Hint: Don't look at the sites, you won't see it. Look in Google's cache...

>a defamatory statement meant to gain sympathy from your eight customers.

Eight? Is it just a guess, or do you know more than anybody else?

>The post hit the Full-Disclosure list because it is the only list of
>the three that is UNMODERATED.

Yes, full-disclosure is unmoderated, but I am sure you are aware that it is mirrored like any other security list on all sorts of sites, so if you search on securityfocus.com (sorry guys if I named your site twice, but it is just an example) you will find these UNMODERATED postings. Now, if you read securityfocus.com and you trust them, you may end up "trusting" also what they publish (makes sense?). If you post to FD then you are quite sure that your defamation (sorry, vulnerability disclosure) will end up on many reputable web sites... good job!

I would suggest securityfocus.com (last time I name them, I promise) as well as other respectable security sites not to publish anything that is not moderated! By publishing them, they link their valuable name (the domain name) to the useless postings. I cannot imagine The New York Times or the Financial Times publishing, without any form of control, the postings of an unmoderated list!

>The material in the archives is clearly marked as coming from the original
>person, and they make no claims as to the accuracy of such information
>posted to the lists.

The original person?!?!? You mean your account not-mi2g@private or, as I believe, also your account mi2g-research@private? You are an anonymous poster, who cowardly posts articles against a company and its Executive Chairman, without publishing your name! You are the LAST person who can talk about "original person"!

If you have a problem with mi2g, may I suggest you solve it directly with them instead of publishing your rubbish on security lists? You are abusing these lists for your own agenda and I think this is not fair to me or to the other readers of the lists. Can you please stop posting your rants against mi2g? Can you try to add some value to your postings (as well as your name, of course)? Can you detach your mind from mi2g for a second and use a normal email address? (An email address that hasn't got mi2g in it, I mean).

>Put up or shut up DK Matai. None of these sites are attempting to extort
>money from mi2g in return for "being silent" and withholding an obscure
>hoax advisory buried in the thousands of trash posts to the Full-Disclosure
>mail list. This is a blatant lie from Matai and mi2g, nothing more.

Please, do something more interesting than spending your time blaming and accusing other people. Get a life!
Robert Wayne

_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html
This archive was generated by hypermail 2.1.3 : Mon Jul 26 2004 - 06:02:22 PDT