lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <15261632-1112705547-cardhu_blackberry.rim.net-29366-@engine75>
Date: Tue Apr  5 13:52:46 2005
From: jasonc at science.org (Jason Coombs)
Subject: I need uh Qwik-Fix please sho 'nuff!

Aloha, 'Lor',

The PivX Solutions story is one that every information security professional can learn pro-active incident response and threat mitigation by studying in detail. It shows every company how important it is to have a security partner who can anticipate, from skill and experience, possible unusual threats that require pro-active countermeasures and adequate preparedness.

Not all attacks come in through the firewall or open ports on vulnerable boxes.

The PivX story shows how a motivated and creative attacker is capable of turning even an information security research community resource into a tool of malicious attack designed to cause a variety of harm.

It also reveals the necessity for governments around the world to never criminalize legitimate security research, public disclosure, and information security resources like bugtraq and full-disclosure. (Are you listening, France?)

'Lor', if that is your real name, do you have anything of value to say about PivX Solutions? I'd like to know what it is, if you think that you do.

You have claimed the company is bankrupt, but you can clearly see that's not even close to being true if you actually read the SEC filings from which you keep copying and pasting excerpts.

Do you seriously think that the investors of PivX care what you post to full-disclosure? More to the point, if you had any common sense whatsoever you'd know that investors don't put millions of dollars into funding a company and then give up on it overnight just because some anonymous paranoid copies and pastes excerpts of SEC filings while hurling insults.

I've asked you several times, both publicly and privately, and you have refused to offer a single shred of evidence that suggests anything improper is going on at PivX. At some point the glaring lack of evidence reveals that there must be nothing improper going on.

I quote you, from the e-mail you sent to me in response to my questions about what you knew and why you were upset with PivX:

lor.tharholm@...hmail.com wrote:
> before pivx buy stock
> listing i da co contact fer
> da latest c0dez n 0day!
> pivx try be big corp
> but i see big joke
> cuz pivx try make
> profit not security

You're missing the point entirely when you focus on how much money investors have put into PivX to date based on those investors' sincere belief that the company's objectives and technology are important enough to fund, conservatively.

If you think that a few million dollars is anything but conservative, then you obviously know nothing about the costs and the challenges of starting and growing a substantial business.

You and I couldn't possibly build what PivX has built in terms of professional corporate structure, public NASDAQ stock exchange listing, business relationships and loyal partners, qualified employees, paying customers, etc for anything less than PivX has spent to get where it is today, with its  existing problems-and-all.

We have known for many years that the pursuit of profit creates conflicts between the best information security decisions and the most profitable business decisions. Microsoft is the best model we have to prove that a profit motive, improperly and unethically managed, creates enormous wealth for investors -- often at the expense of security for others.

I have personally worked on forensics consulting projects, incident response cases, and criminal defense forensics where unnecessary, entirely avoidable security problems with Microsoft Windows and IE have literally ruined people's lives.

I joined PivX in May of last year because I knew very well what Thor Larholm and others at PivX had accomplished: they had built a business and a product and service offering that was capable of preventing people's lives from being ruined as a result of avoidable information security vulnerabilities. And people were taking it seriously. The market was awakening to the rightness of the PivX message on vulnerabilities.

Many of the criminal defense computer forensics cases I have worked involved Internet Explorer unpatched vulnerabilities being exploited by attackers who had a profit motive or raw malicious intent. The Internet gave the real criminal a way to commit their crimes while blaming others and leaving the evidence of the crime on hard drives of the person who ends up the accused.

I have witnessed child pornography crimes, credit card fraud and identity theft, extortion, spam, zombie armies for DDoS attacks, committed by remote control of a victim's Windows computer, and have also seen cases of the planting of evidence of crimes including child pornography onto people's computers by a malicious third party actually EXPLOITING THE EXACT SECURITY FLAWS THAT THE PIVX QWIK-FIX PRODUCT PROTECTS AGAINST.

Even you have been unable to allege that the company's Qwik-Fix product isn't valuable. It clearly is. You simply alleged that the product hasn't gotten 'traction' (I think that was the word you used). Whether that allegation is true or not remains to be seen.

People are now coming to realize that their lives really can be destroyed by computer vulnerabilities. That was never a risk before, from virus infections, so people thought that antivirus was the solution.

Now what every computer owner needs is a proactive security partner.

You cannot possibly argue that PivX has not become precisely that, and you have no idea what the company is or isn't doing to turn its market position into profits. You just know that PivX is trying to be profitable, and you accuse it of things as a result.

I'm the only person I know of in the entire world who has expressed a legitimate, well-founded concern about PivX.

And, as you know from our prior communications, I have spent a considerable amount of time and effort looking for information to support or explain my concerns, and investigating appropriate pro-active solutions to ensure that shareholders and customers are protected from harm if my concerns were valid.

Every person who came forward and made contact with me, including yourself, had either nothing to say, except to express disbelief that people who they have known for many years in infosec have managed to grow a public company, or they pointed at a single individual at PivX with whom they had a bad experience, whom they did not trust, and did not believe was an ethical person. One person out of how many people... Five dozen? More?

My investigation convinced me that this single individual was a serious problem, a forensic vulnerability.

Every company has at least one such person, but I concluded that in this case there was a chance that the person may actually succeed in causing harm if decisive action was not taken swiftly.

The evidence that I gathered has helped to improve PivX, and harden it against a variety of unusual attacks.

Including yours.

I hope you'll take the time to read more about the changes at PivX in the near future, and emphasize (or try to ridicule) them, rather than spinning your re-runs of idiotic and false bankruptcy allegations that do nothing but disclose your lunacy and your complete lack of understanding of business and finance.

If you know anything about me by now, you know that I have applied the right kind of well-researched and strategically-timed forensic pressures on companies, including Microsoft, to help them transform themselves and get security (and ethics) right.

I do this professionally on behalf of parties to lawsuits and in criminal court cases. It has been a privilege to be in a position to do it pro-actively, to avert legal problems rather than react to them.

You might call it a successful proof-of-concept.

Sometimes, in dispute resolution forensics, the 'dispute' is actually nothing more than the tug-of-war between business and engineering that confronts all professionals. And the 'resolution' is simply to gather the forensic evidence that explains the dispute clearly, so that unintended consequences can be traced to their root cause.

Because PivX has a mission to be pro-active, and because of my experience with these matters, I took pro-active forensic responsibility to help PivX perfect its business decision making and mitigate threats that I alone perceived.

You, and the rest of full-disclosure, have been very helpful in this undertaking. I am very appreciative of the help you gave me to be instrumental in discovering and communicating the truth to people at PivX who had the authority and power to act.

I will gladly testify at your criminal trial as to the technical and forensic issues that disprove your assertions of wrongdoing by PivX. I have an intimate understanding of these issues, and of this company.

I am also the only person who can help the court understand how beneficial your criminal actions have been to PivX.

You need my testimony to avoid a lengthy prison sentence, if and when you are caught and prosecuted for what you've attempted to do.

You know how to contact me.

Anyone else who would like to gain a better understanding of the intricate network of pro-active defenses that companies need today, that only an experienced incident response forensic specialist can provide, should seek out the help of a trusted expert and empower them to defend your interests, whatever those interests may be.

The battle lines are now drawn in the new business climate. Every company that relies on computers and computer communications must have a relationship with an experienced computer forensics specialist firm.

Reacting to problems rather than preparing for them forensically is a mistake nobody can afford to make today.

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: <lor.tharholm@...hmail.com>
Date: Tue,  5 Apr 2005 02:07:44 
To:full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] I need uh Qwik-Fix please sho 'nuff!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

who got da crack w0rd!  who got da crack w0rd!  who got da crack
w0rd!

cuz

Qwik-Fix Pro revenues of $2,556
Our revenues in the fiscal year ended December 31, 2004 decreased
by 74.0%
Operating cash flows for fiscal 2004 reflect our net loss of
$8,610,083,
WE HAVE A HISTORY OF LOSSES AND, BECAUSE WE EXPECT OUR OPERATING
EXPENSES
TO INCREASE IN THE FUTURE, WE MAY NEVER BECOME PROFITABLE.

UNITED STATES
SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549

FORM 10-KSB 4/1/2005

PIVX SOLUTIONS, INC.

Our primary software product iz Qwik-Fix Pro(TM), uh host-based
intrusion prevention an' software defect remediation product. Qwik-
Fix Pro iz designed ta proactively block known an' unknown software
threats in all versions o' Microsoft Windows an' Internet Explorer
from being exploited by hackers, virus writers an' worm writers.
Ya' know what I'm sayin'?

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA




PivX Solutions

By:      gOOFY AND d0Nald Duck and shit.
        By: /s/ signature
    -------------------------------             --------------------
- ------------
Title:                                      Title: General Counsel
and Secretary




-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJSVV0ACgkQTrOyScgyfI6vEQCfXSCLVyjyGH8iI2v6nUrp1GLLaRoA
n2UASoy1lLNx5LPNMc5LT4WoBWDu
=m7kE
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ