-
Anti-Virus Companies: Tenacious Spammers
[This was originally published on attrition.org.] No one can argue that the spam problem is getting better. Despite advances in anti-spam technology and legislation against spam, unwanted junk mail is flowing into our inboxes at an increased rate. Stock tips, enhancement drugs, Nigerian scams, DVD copy software and hundreds of other products or services get…
-
My Own PR Assault against Microsoft
[This was originally published on attrition.org.] Infoworld broke a story on Microsoft’s plans for waging a public relations war against “linux” over taking too long to fix security vulnerabilities. The article by Kieren McCarthy outlines Microsoft’s planned smear campaign against its biggest rival, Linux, currently dubbed “Days of Risk”. With the decision to smear Linux in the media,…
-
Deconstructing the Defacer Challenge Hoax/FUD
[This was written with Richard Forno and originally published on attrition.org.] On June 21, 2003, a small web site was created to harness the competitive nature of the defacing community by holding a contest of computer vandalism. Several computer security companies took this event as an opportunity to whore themselves out to any media outlet…
-
Richard Clarke: American Grandstand
[This was originally published on attrition.org.] Richard A. Clarke, Special Advisor to the President for Cyberspace Security (lovingly known as the Cyber Security Czar), recently announced plans to retire after a little over a year from his appointment by George W. Bush. Under President Bill Clinton, Clarke was appointed the first National Coordinator for Security, Infrastructure…
-
Disclosure: Greymatter Remote login/pass Disclosure
[This was originally disclosed on the Bugtraq mail list and touched up slightly for style and mirrored on attrition.org. VulnDB 4081, CVE-2002-0324.] Software: Greymatter 1.21c and earlier. Vulnerability: Remote administrator login/password exposure. Vendor Status: Notified [0]. I originally saw this posted on Metafilter [1] and linked to a two line description [2]. As with many other attacks,…
-
A Curious Response to Crime
[This was originally published on attrition.org.] Crime pays. Those who question this only need to look at recent events surrounding a software company and one of their products. A company called Curious Labs currently develops and sells a graphic software package called Poser. It is widely used and respected by hobby graphic artists and professionals alike. Recently, Curious…
-
SecurityFocus Defaced? Kind of.
[This was originally published on attrition.org. Jay Dyson and Simple Nomad contributed to this post.] Earlier today, various people/sites were reporting that SecurityFocus.com had been defaced. Initial inspection of the screenshots suggested this was the case, but further digging revealed what really happened. First, one must define a ‘defacement’. In the years of running the…
-
Microsoft’s Responsible Vulnerability Disclosure, The New Non-Issue
[This was originally published on attrition.org.] For almost a decade, a debate over the concept of Full Disclosure has reared its ugly head. Carried out on BBSs, newsgroups, security conferences, mail lists, parties, coffee shops and everywhere else, the Full Disclosure debate can be called “long standing” to say the least. As with everything in the computer…
-
Commentary on Patriotic Hacking
[This was originally published on attrition.org.] Attrition staff have been getting several mails warning of impending “patriotic hacking” in retaliation for the terrorist attacks on September 11. Some are from the usual opportunists, exploiting world-wide attention on the recent terrorist attacks to further their own agenda. Others are from people who just want to do…
-
Book Review: Hack Attacks Denied
[This was originally published on Enterprise Zone and mirrored on attrition.org.] Hack Attacks Denied: Complete Guide to Network LockDown. John Chirillo. 0471416258, 512 pages, Wiley. Common Security Practices in Uncommonly Tedious Text. Despite more than 400 pages of source code and security defense examples, this book’s valuable content could easily be condensed into a single article sidebar. A…