[ISN] "Fud, lies and libel" against (type any name here, I'll use mi2g)

From: InfoSec News (isn@private)
Date: Mon Jul 26 2004 - 03:31:10 PDT


Forwarded from: Robert Wayne <netmapper@private>
To: full-disclosure@private
Cc: isn@private, isn@private

Hi there,

I am a regular reader of all the major security lists and I laughed (in
a way) at the posting about "Wendy's order system"... I laughed
because at first glance I thought it was funny, but then I realised
that what I was reading was a "vulnerability" on a security list, so
it wasn't clear to me what that stupid joke was doing there. Ok, it's
true.. full-disclosure is not moderated, everybody can post, yeah
yeah, blah blah blah, but still: It is (meant to be) a security list.
Am I wrong?

Please note that this is not just about another silly off-topic post:
someone deliberately posted a vulnerability, perfect in its structure,
with all the right fields in the right place, on more than one
security list. There is more than off-topic here. Ok, the content was
clearly a hoax but it denotes a problem that could be much more
dangerous...

Let me point out that, as the anonymous guy who posted the (two?)
articles claims, I'm not affiliated with mi2g.

I thought about not replying and wasting my time, but given the fact
that your stupid postings are going on, and some other people even
give you credit for that, I would like to say something as well. Hope
you don't mind. Hope the list doesn't mind. It is not something
off-topic in my opinion, because it is strictly related to the way
security information is disseminated, so it is inherently about security.

Before I proceed with the security issues related to the original post
about "Wendy", I would like to explore some of the points you have
made:

---------------------

>Instead of laughing along with the obvious hoax, mi2g responded in typical
>fashion by releasing a "News Alert" in which they spread FUD, lie about...

I don't understand your point. I can laugh, you can laugh... but they
are defamed! Can you explain why they should laugh? I don't get it...

>Ransom demands?  Negative publicity?  Reputation damage accelerates?
>mi2g is saying that "trusted web sites and security portals" posting
>the original hoax have contacted mi2g, offering to not post it in return
>for up to one MILLION dollars.  Who are these black hearted criminals?

First: my impression is that they are not referring to the sites you
are talking about. I don't see anywhere in their message: "trusted web
sites and security portals posting the original hoax have contacted
mi2g". Are you making it up (lying)?

Second: are you working for all the sites mi2g is referring to, that
you are so confident in excluding this possibility?

Who gives you the right to judge something you don't know anything
about? It appears to me that you've spent many of your (valuable?)
hours discrediting that company, as well as bothering us (at least me)
with your statements.

Either you know something we don't or you'd better be silent. I can't
tell if what mi2g says is true or not, I don't work there... do you?
If I don't know something I tend not to speak publicly about it... at
the very least I don't try to sell it as THE TRUTH!

>Because of this obvious advisory parody, the poor masses are going to
>have a hard time figuring out which advisories are legitimate?  I think
>mi2g assumes every security professional and administrator is as big
>a retard as themselves.

Again, I do not agree with you. The whole point of their statement is
not about "Wendy"!

Here it seems that YOU have some problems in comprehending the bottom
line message (please note that I am not saying you are a retard):

--------------------

"If you can so easily post a clear hoax and nobody - or very few of
them - bothers to check, who can stop you from publishing a "real"
(note the quotes!) vulnerability disclosure, more realistic than
"Wendy's", attacking your competitor A or a product B? What if you
start publishing ten of them, and then hundreds? How will this massive
pollution of security lists and sites change the user perception of a
company A or product B? Will you buy a product from a company that has
hundreds of so-called vulnerabilities? I bet you wouldn't, at least
you'll think about it twice... It doesn't really matter if they are
real or not, they are listed everywhere, so the perception of them
makes them real.

If you have the power to fill a big number of lists (as well as very
important web sites like securityfocus.com, that mirror any list
without questioning the authenticity of the postings) with false
vulnerabilities, you can discredit and damage any company. Full stop".

--------------------

You got it?

This is the message I understood from mi2g's reply and it makes
perfect sense to me. Between you and me, it looks like you have
already started this process against mi2g... Lies, false allegations,
unreal vulnerabilities, all posted to public lists... You are working
very hard... Is there at least someone paying you for this job?

>One out of three correct, good job mi2g!  Again, check the archives.

I also found a posting on ISN that mi2g seems to have missed... Should
I let them know?!? Hint: Don't look at the sites, you won't see it.
Look in Google's cache...

>a defamatory statement meant to gain sympathy from your eight customers.

Eight? Is it just a guess or do you know more than anybody else?

>The post hit the Full-Disclosure list because it is the only list of
>the three that is UNMODERATED.

Yes, full-disclosure is unmoderated but I am sure you are aware that
it is mirrored like any other security list on all sorts of sites, so
if you search on securityfocus.com (sorry guys if I named your site
twice, but it is just an example) you will find these UNMODERATED
postings. Now, if you read securityfocus.com and you trust them, you
may end up "trusting" also what they publish (makes sense?). If you
post to FD then you are quite sure that your defamation (sorry,
vulnerability disclosure) will end up on many reputable web sites...
good job!

I would suggest that securityfocus.com (last time I name them, I
promise) as well as other respectable security sites not publish
anything that is not moderated! By publishing them, they link their
valuable name (the domain name) to the useless postings. I cannot
imagine The New York Times or the Financial Times publishing, without
any form of control, the postings of an unmoderated list!

>The material in the archives is clearly marked as coming from the original
>person, and they make no claims as to the accuracy of such information
>posted to the lists.

The original person?!?!? You mean your account not-mi2g@private
or, as I believe, also your account mi2g-research@private ? You
are an anonymous poster, who cowardly posts articles against a
company and its Executive Chairman, without publishing your name! You
are the LAST person who can talk about "original person"!

If you have a problem with mi2g, may I suggest you solve it directly
with them instead of publishing your rubbish on security lists? You
are abusing these lists for your own agenda and I think this is fair
neither to me nor to the other readers of the lists. Can you please
stop posting your rants against mi2g? Can you try to add some value to
your postings (as well as your name, of course)? Can you detach your
mind from mi2g for a second and use a normal email address? (An email
address that hasn't got mi2g in it, I mean).

>Put up or shut up DK Matai.  None of these sites are attempting to extort
>money from mi2g in return for "being silent" and withholding an obscure
>hoax advisory buried in the thousands of trash posts to the Full-Disclosure
>mail list.  This is a blatant lie from Matai and mi2g, nothing more.

Please, do something more interesting than spending your time blaming
and accusing other people. Get a life!

Robert Wayne



_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html



This archive was generated by hypermail 2.1.3 : Mon Jul 26 2004 - 06:02:22 PDT