July 2011
9 posts
btw.. @jamesattrition is a sock puppet for @cattechie / @vaidehinbc
…and it seems @caks2257 is Greg Evans’ sockpuppet of the day.
That makes book #10 on my plagiarism shelf, with 5 more in the to-do stack. WTB razors, emo music and vodka.
Charlatan Update: Gregory D. Evans, Copyright... →
Over one year ago, we documented a case where Evans was plagiarizing content for his Twitter feed. Since then, he has demonstrated a clear pattern of plagiarism and copyright violation. Even after his ‘National CyberSecurity’ web site was ousted by GoDaddy for repeated copyright violations (scraping entire articles and re-posting without permission), Evans continues to do it.
@JosephKBlack: My closest Advisor is a Wizard, after that it's a furry Squirrel! ;0 ~Joe Black
@attritionorg: As a furry squirrel, I advise you to seek a competent psychiatrist. Quickly.
When I file a bug report with a company, I really...
Lyger has interesting taste in movies. →
June 2011
43 posts
baboonjunk asked: Why hasn't the attrition staff been retained as official infosec skeptics by the past 3 presidential administrations. They need a dose of rant. Is it because they're afraid?
Just bought a box of 80 otter pops. See you...
@postmodern_mod3: osvdb.org doesn't support SSL. #irony
@OSVDB: Login is over SSL, the public data we maintain is not.
@postmodern_mod3: Ah ha. The link to login should probably be https.
@attritionorg: Did you notice http://postmodern.github.com/ isn't HTTPS? Maybe complain to them first...
@postmodern_mod3: You never submit credentials to postmodern.github.com. Also, why are you replying? @osvdb made their point, issue closed.
@attritionorg: saying OSVDB should be 100% HTTPS and running a site that isn't is #hypocrisy
@attritionorg: because OSVDB uses HTTPS for creds, no reason to use it for the rest of the site. You wasted 15 mins of their lives.
@postmodern_mod3: To clarify, I said 100% https would be "ideal". http is fine for a static site.
@postmodern_mod3: I guess you're right. Someone on the internet was wrong.
@jcran: am i wrong in thinking i could grab a cookie over http & use that to change pass?
@attritionorg: possibly. then what? you make changes to a database that require moderation to go live? annoyance at best it seems?
@jcran: but yeah, annoyance at best, it seems #wikipediastillfuctions
@jcran: yeah, i'm behind ssl only where it makes sense, but unless @osvdb reqs old pass to change pass, accounts can be comp'd
@attritionorg: doesn't require an old pass to change, will open a ticket on that. overall, the mods consider HTTP for that site acceptable risk
@jcran: thanks!
@attritionorg: no thank you, hadn't noticed that or I would have ticketed it long ago (begin the mocking)
@jcran: no worries, anyone effing w/ it gets the wrath of a thousand rabid squirrels anyway. #notadvisable
@postmodern_mod3: sorry if I'm wasting more of your time, but could you allow https URLs for /show/osvdb/:id ? It redirects me back to http.
@OSVDB: Can you provide a good reason for this? Again, that is part of the public database, nothing sensitive.
@postmodern_mod3: Also, web.nvd.nist.gov seems to support https requests. So I would think OSVDB should too.
@attritionorg: NVD has a lot of bad habits too, doesn't mean @OSVDB should follow them...
@jkouns: maybe best to just use NVD then if it meets your needs =)
Security Rebuttal: Ponemon on Network Breaches... →
This is a rebuttal piece to “Security Professionals Say Network Breaches Are Rampant” (2011-06-22) by Riva Richmond (@rivarichmond) of the New York Times.
DEF CON Security Charlatan of the Year Nominations →
So many choices!
Security Rebuttal: Northrop Grumman, Cyber-gangs,... →
security curmudgeon:
This is a rebuttal piece to “Northrop Grumman constantly under attack by cyber-gangs” (June 21, 2011) by Ellen Messmer (@EllenMessmer), Senior Editor at Network World.
Warning: Due to Northrop Grumman, Timothy McKnight and Ellen Messmer’s use of inflammatory words like “Advanced Persistent Threat” and the misuse of “zero day”, the...
[cupcake]: i have standards you know
[jericho]: obviously you don't, given your association with attrition.org
A shout-out to all the real journalists on the Internet; writing to give people...
– @LulzSec
find it odd when a hacker con asks for your...
[cupcake]: directory permission denied
[jericho]: don't stop in asshats
Sometimes I see a blog title with a really interesting topic, load it and sigh.
ts;dr
Some articles can’t add value in under 300 words.
@ioerror: Threat Post is embarrassing to read, what idiots. Aaron Barr is not "a respected authority on computer security" at all http://t.co/GpunVBl
@attritionorg: do you think he is not a) respected b) an authority on compsec or c) both?
@ioerror: c!
@attritionorg: thanks for clarifying (it was an honest question)
@ioerror: No problem, you're welcome. He belongs on your charlatan page.
@attritionorg: if you (or anyone) can provide a compelling list of reasons, we'll look into it. "being an asshole" or "vaguely slimy" != count
Why don’t LinkedIn invitations give me a link to confirm I do NOT know the person…
People should keep releasing fake LulzSec stuff. It helps filter out the peon...
– @LulzSec
NetworkWorld: Northrop Grumman constantly under... →
Northrop Grumman claims 300 0-day attacks against them last year, now a 0-day every 11 minutes.
Any conference panel that asks *me* to join to...
Errata: Veracode Spam →
I received copies of this mail to errata[at]attrition.org, a contact address at OSVDB.org and DatalossDB.org. A quick Google search showed it was also sent to mail lists that it wasn’t appropriate for. Blatant spam. My reply to Veracode follows.
Hey @veracode .. why is a (formerly) reputable security company spamming? Sending it to errata@attrition saved us time though.
ICS-CERT ALERT 2010-10-28 (PDF) →
Why SCADA deployments are fucked.
Security Rebuttal: LulzSec Ups The Ante [Brian... →
This is a rebuttal piece to “The difference between curmudgeon and curmudgeon.” (May 27, 2011) by shrdlu, which is itself a reply of sorts to my reply to Bill Brenner’s “Take the word curmudgeon and shove it” rant. Blockquoted material is from @shrdlu.
I really need to start up a security rebuttal blog...
yes, I just wanted to use the word “hackles”
jake: true, but at BH panel many people in audience
jericho: 5x more snippy at BH. i want to upset them into caring
jake: i'm just annoyed i think
jericho: Enhance your calm Jake Kouns.
jake: fuck the 3 seashells
jake: you are like a bad reporter quoting me out of context!
jericho: rub some dirt in it, walk it off
Things infosec cons need less of: 1) Sun Tzu 2) Career Advice 3) TBA spots for...
– @steve_tornio
Security Company Fail: Certigna publishes SSL... →
[While this disclosure turned out to be a private key for a development / testing network, the fact is it still should not have been published in a world readable directory. Doing so highlights a serious breakdown in security policy and a failure in secure operations.]
thinq:
A French provider of SSL certificates appears to have made a bit of a boo-boo in its webserver configuration: publishing...
Security Company Fail: Security 'expert' offers... →
myce:
Joseph Black, Senior Adviser at Black & Berg Cybersecurity Consulting, LLC, offered a challenge at his site’s homepage: hack it, and receive a $10,000 reward plus a position at the firm working alongside him. He felt so cocksure that he taunted the newly notorious online hacker group, LulzSec, via Twitter. And then, the group hacked the homepage of Black & Berg Cybersecurity...
infosec island: LIGATT Email on LulzSec Dox PR... →
Wow, kudos to Anthony Freed and Infosec Island for their piece on LIGATT / LulzSec, *very* well done.
Listening 2 Ankit Fadia:Easy money made impressing newbs on Security. Nothing on...
– @jmdesvaux
Quiet day on the Sony front. Whatever gods they prayed to, seems to have worked for a brief period.
Security Company Fail: Unveillance faces troubled... →
The Tech Herald:
In response to the news that the U.S. government wants to view hacking as an act of war, the group responsible for attacks on Sony and PBS targeted the Atlanta chapter of InfraGard, a security association that works with the FBI.
The aftermath of LulzSec docking their ship in InfraGard’s port has resulted in accusations of corruption against data intelligence and metrics firm...
Security Rant: Absolute Sownage; A concise history... →
Security Curmudgeon:
Over the last two months, the multi-national Sony Corporation has come under a wide range of attacks from an even wider range of attackers. The backstory about what event prompted who to attack and why will make a mediocre made-for-TV movie someday. This article is not going to cover the brief history of hacks; readers can find details elsewhere. Instead, the following only...
Security Company Fail: LulzSec Hacks FBI Affiliate... →
Anonymous News Network:
LulzSec is at it again, bringing a whole new batch of stick-it-to-the-man.
In its most recent activity, LulzSec has defaced the website of Infragard Atlanta, the Atlanta branch of a cooperative between the FBI and public assets.
Security Company Fail: Cisco deceived Canadian... →
Vancouver Sun:
VANCOUVER - The giant computer company Cisco and U.S. prosecutors deceived Canadian authorities and courts in a massive abuse of process to have a former executive thrown in jail, says a B.C. Supreme Court judge.
The point, said Justice Ronald McKinnon in a stinging decision delivered orally on Tuesday, was to derail a lawsuit launched by the former employee, and involved a...