| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: not-mi2g at hushmail.com (not-mi2g@...hmail.com) Subject: mi2g - fud, lies and libel ** I AM NOT AFFILIATED WITH MI2G IN ANY WAY ** On July 6, someone made a parody advisory post to Full-Disclosure spoofing mi2g (mi2g.com). The person attempted to CC the Bugtraq and Vulnwatch mail list, but the moderators of those lists rejected the post. http://seclists.org/lists/fulldisclosure/2004/Jul/0311.html http://seclists.org/lists/vulnwatch/2004/Jul-Sep/ http://seclists.org/lists/bugtraq/2004/Jul/ Instead of laughing along with the obvious hoax, mi2g responded in typical fashion by releasing a "News Alert" in which they spread FUD, lie about events that never took place, and libel the Bugtraq and Vulnwatch moderators. It took them 14 days to release this, probably the same time that passed before their collective blood pressure dropped. Some amusing clips from their release: >Subject: RESTRICTED LIST: News Alert - Ransom demands coming through >to subdue negative publicity; Reputation damage accelerates through >hoax postings Ransom demands? Negative publicity? Reputation damage accelerates? >London, UK - 20 July 2004, 17:30 GMT - The dark side of the internet >is increasingly coming into focus as false information posted on >"security" portals is purveyed and mirrored without question by a >range of inter-linked trusted web sites. The original internet >security portals, which have become famous for carrying software >vulnerability disclosures, are now being overwhelmed by new listings. >As a result, they are unable to cope with the flood of fresh postings >- genuine and hoax - on a daily basis. >In parallel, consistent negative publicity on trusted web sites and >security portals has led to the owners of some of those sites to >contact many companies, including mi2g, with a view to buying them >out in exchange for their silence. Ransom demands made have ranged >from $250,000 to $1 million to decommission a negative publicity >campaign mounted through a particular set of trusted web sites or >security portals. mi2g is saying that "trusted web sites and security portals" posting the original hoax have contacted mi2g, offering to not post it in return for up to one MILLION dollars. Who are these black hearted criminals? Read on. >These adverse developments are likely to lead to further loss of user >trust and unclear demarcation between useful and useless security >warnings as well as vulnerability disclosures in the months ahead. Because of this obvious advisory parody, the poor masses are going to have a hard time figuring out which advisories are legitimate? I think mi2g assumes every security professional and administrator is as big a retard as themselves. >The mi2g Intelligence Unit has tracked a particular development over >the last few weeks, where a rogue account created by a malevolent >party as mi2g-research@...hmail.com has been consistently abused by >utilising it as the originator of a number of vulnerability postings >including one clear hoax titled: "Wendy's Drive-up Order System >Information Disclosure." A number of vulnerability postings? Check the archives! There is a single post to Full-Disclosure, none to Bugtraq, none to Vulnwatch. Where are these "number" of postings mi2g? http://seclists.org/lists/ >Upon reading this hoax "vulnerability" posting, available through a >number of security portals, it is clear that there is no purpose to >it other than to smear reputation and cause damage. However, the >organisations that originally took the posting did not bother to >check for accuracy and include such well known names as: > >1. bugtraq@...urityfocus.com >2. full-disclosure@...ts.netsys.com >3. vulnwatch@...nwatch.org One out of three correct, good job mi2g! Again, check the archives. Bugtraq and Vulnwatch did not post the hoax advisory, this is clearly a defamatory statement meant to gain sympathy from your eight customers. The post hit the Full-Disclosure list because it is the only list of the three that is UNMODERATED. >Within days, there were mirror copies of the hoax vulnerability >"Wendy's Drive-up Order System Information Disclosure" on several >"security" focussed portals that mentioned mi2g incorrectly without >checking the facts within the posting or confirming accuracy through >other means, such as: > >1. http://www.securityfocus.com >2. http://seclists.org >3. http://lists.insecure.org >4. http://archives.neohapsis.com >5. http://lists.netsys.com >6. http://www.e2ksecurity.com >7. http://www.derkeiler.com >8. http://www.gossamer-threads.com >9. http://www.landfield.com Perhaps someone in the security industry could teach a class at mi2g headquarters on the basics of mail lists and automatic mail list archives. These sites archive 100% of the content posted to hundreds of mail lists. The material in the archives is clearly marked as coming from the original person, and they make no claims as to the accuracy of such information posted to the lists. Read the list above again. These are the black hearted criminals that mi2g claims tried to extort them for money in return for "silence". What a complete load of manure. >The mi2g Intelligence Unit has written to these security portals and >to Hushmail. Only Hushmail.com has taken immediate action by >disabling the rogue email account, much to their credit. The other >so called "security" forums and trusted vulnerability posting >accounts, portals and mirror web sites have simply passed the buck >by stating that they did not control the content which they >published, even when it was blatantly evident that the posting they >were purveying was an obvious obnoxious hoax. If it was blatantly evident that the post was a hoax, why is mi2g crying like a six year old with a skinned knee? It is clear these "security portals" are ignoring your request because you are asking them to alter history in a sense. They maintain archives of mail list traffic. To arbtirarily delete one post compromises the integrity (look that word up please) of their service. If you check the vulnerability databases like ISS, SecurityFocus and Secunia, you will notice they did not mirror the content and clearly filtered it instead of including it in a database. >"These developments mean that any person or corporation can quite >easily decide to launch a clandestine smear campaign against any >brand in the world by bombarding appropriate bulletin boards and >trusted forums with false information through free email accounts," >said DK Matai, Executive Chairman, mi2g. "There is a high >probability that more and more brands could fall victim to such >smear campaign postings. The reputation damage is being amplified >manifold by several automatic mirrors. In parallel, we are also >seeing demand for money from frequent reputation damage purveyors." Put up or shut up DK Matai. None of these sites are attempting to extort money from mi2g in return for "being silent" and witholding an obscure hoax advisory buried in the thousands of trash posts to the Full-Disclosure mail list. This is a blatant lie from Matai and mi2g, nothing more. ** I AM NOT AFFILIATED WITH MI2G IN ANY WAY ** Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427
Powered by blists - more mailing lists