Open Source and information security mailing list archives
From: Siegfried at zone-h.org (Siegfried)
Subject: "Fud, lies and libel" against (type any name here, I'll use mi2g)

heh? you're the one who is trying to defend mi2g, i think you're that writer
from uk(?), i don't know if you're their friend or whatever. I mean look..
http://www.mi2g.com/cgi/mi2g/media.php
they have been stealing news and many things from some sites for years (everybody
knows which ones), and they're whining because someone posted a fake and
funny advisory about them? come on, there are every week! just by checking
the original email we know if it's real or not.. and if someone really wants to
release a fake advisory (appearing real) to attack another vendor, i'm sure
that the other vendor or readers would point it out.. if you don't trust
unmoderated security mailing lists, then read the moderated ones, or look at the
security sites which are writing summaries or just putting the good advisories
together. Don't blame fd if it's unmoderated, i think there were already many
threads about it.
I don't see why a security would pay $250,000 to $1 million because
they're forwarding "unmoderated and automatic messages", if it's real
it is nonsense, or maybe it's a hoax, you guys @ mi2g like to write news
for journalists, not for security sites.. things like "macosx is the most
secure OS" and sell the paper full of stolen data for hundreds of dollars.
and the advisory posted on isn is still available, i'm sure they laughed at
it so they published it, they usually don't post advisories.
so what's next? mi2g SA - social engineering vuln in multiple mailing lists??
who cares


>---------------------------------------------------------------- 
>Hi there,
>
>I am a usual reader of all the major security lists and I laughed (in a way)
>at the posting about "Wendy's order system"... I laughed because at first
>glance I thought it was funny, but then I realised that what I was reading
>was a "vulnerability" on a security list, so it wasn't clear to me what that
>stupid joke was doing there. Ok, it's true.. full-disclosure is not
>moderated, everybody can post, yeah yeah, blah blah blah, but still: It is
>(meant to be) a security list. Am I wrong?

Please note that this is not just about another silly off-topic: someone
deliberately posted a vulnerability, perfect in its structure,
with all the right fields in the right place, on more than one security
list. There is more than off-topic here.
Ok, the content was clearly a hoax but it denotes a problem that could be
much more dangerous...

Let me point out that, as the anonymous guy that posted the (two?)
articles claims, I'm not affiliated with mi2g.

I thought about not replying and wasting my time, but given the fact that
your stupid postings are going on, and some other people even give you
credit for that, I would like to say something as well. Hope you don't mind.
Hope the list doesn't mind. It is not something off-topic in my opinion,
because it is strictly related to the way security information is
diffused, so it is inherently about security.

Before I proceed with the security issues related to the original post about
"Wendy", I would like to explore some of the points you have made:

---------------------

>Instead of laughing along with the obvious hoax, mi2g responded in typical
>fashion by releasing a "News Alert" in which they spread FUD, lie about...

I don't understand your point. I can laugh, you can laugh... but they are
defamed! Can you explain why they should laugh? I don't get it...

>Ransom demands?  Negative publicity?  Reputation damage accelerates?
>mi2g is saying that "trusted web sites and security portals" posting
>the original hoax have contacted mi2g, offering to not post it in return
>for up to one MILLION dollars.  Who are these black hearted criminals?

First: my impression is that they are not referring to the sites you are
talking about. I don't see anywhere in their message: "trusted web sites and
security portals posting the original hoax have contacted mi2g". Are you
making it up (lying)?

Second: are you working for all the sites mi2g is referring to, that you are
so confident in excluding this possibility?

Who gives you the right to judge something you don't know anything about? It
appears to me that you've spent many (valuable?) hours of your time discrediting
that company, as well as bothering us (at least me) with your statements.

Either you know something we don't or you'd better be silent. I can't tell
if what mi2g says is true or not, I don't work there... do you? If I don't
know something I tend not to speak publicly about it... at very least I
don't try to sell it as THE TRUTH!

>Because of this obvious advisory parody, the poor masses are going to
>have a hard time figuring out which advisories are legitimate?  I think
>mi2g assumes every security professional and administrator is as big
>a retard as themselves.

Again, I do not agree with you. The whole point of their statement is not
about "Wendy"!

Here it seems that YOU have some problems in comprehending the bottom line
message (please note that I am not saying you are a retard):

--------------------

"If you can so easily post a clear hoax and nobody - or very few of them -
bothers to check, who can stop you from publishing a "real" (note the
quotes!) vulnerability disclosure, more realistic than "Wendy's", attacking
your competitor A or a product B? What if you start publishing ten of them,
and then hundreds? How will this massive pollution of security lists and sites
change the user perception of a company A or product B? Will you buy a
product from a company that has hundreds of so-called vulnerabilities? I bet
you wouldn't, at least you'll think about it twice... It doesn't really
matter if they are real or not, they are listed everywhere, so the
perception of them makes them real.

If you have the power to disseminate a big number of lists (as well as very
important web sites like securityfocus.com, that mirror any list without
questioning the authenticity of the postings) with false vulnerabilities,
you can discredit and damage any company. Full stop."

--------------------

You got it?

This is the message I understood from mi2g's reply and it makes perfect
sense to me. Between you and me,  it looks like you have already started
this process against mi2g... Lies, false allegations, unreal
vulnerabilities, all posted to public lists... You are working very hard...
Is there at least someone paying you for this job?

>One out of three correct, good job mi2g!  Again, check the archives.

I found also a posting on ISN that mi2g seems to have missed... Should I let
them know?!? Hint: Don't look at the sites, you won't see it. Look on
Google's cache...

>a defamatory statement meant to gain sympathy from your eight customers.

Eight? Is it just a guess or do you know more than anybody else?

>The post hit the Full-Disclosure list because it is the only list of
>the three that is UNMODERATED.

Yes, full-disclosure is unmoderated but I am sure you are aware that it is
mirrored like any other security list on all sorts of sites, so if you search
on securityfocus.com (sorry guys if I named your site twice, but it is just
an example) you will find these UNMODERATED postings. Now, if you read
securityfocus.com and you trust them, you may end up "trusting" also what
they publish (makes sense?). If you post to FD then you are quite sure that
your defamation (sorry, vulnerability disclosure) will end up on many
reputable web sites... good job!

I would suggest securityfocus.com (last time I name them, I promise) as well
as other respectable security sites not to publish anything that is not
moderated! By publishing them, they link their valuable name (the domain
name) to the useless postings. I cannot imagine The New York Times or the
Financial Times publishing, without any form of control, the postings of an
unmoderated list!

>The material in the archives is clearly marked as coming from the original
>person, and they make no claims as to the accuracy of such information
>posted to the lists.

The original person?!?!? You mean your account not-mi2g@...hmail.com or, as
I believe, also your account mi2g-research@...hmail.com?
You are an anonymous poster who cowardly posts articles against a company
and its Executive Chairman, without publishing your name!
You are the LAST person who can talk about the "original person"!

If you have a problem with mi2g, may I suggest you solve it directly with
them instead of publishing your rubbish on security lists? You are abusing
these lists for your own agenda and I think this is not fair to me nor to
the other readers of the lists. Can you please stop posting your rants
against mi2g? Can you try to add some value to your postings (as well as
your name, of course)? Can you detach your mind from mi2g for a second and
use a normal email address? (An email address that hasn't got mi2g in it, I
mean).

>Put up or shut up DK Matai.  None of these sites are attempting to extort
>money from mi2g in return for "being silent" and withholding an obscure
>hoax advisory buried in the thousands of trash posts to the Full-Disclosure
>mail list.  This is a blatant lie from Matai and mi2g, nothing more.

Please, do something more interesting than spending your time blaming and
accusing other people. Get a life!

Robert Wayne

