From [email protected] Mon Dec 31 04:18:43 2001
From: "James Sinclair" ([email protected])
To: ([email protected])
Subject: GNSS > ATTRITION > LINK
Date: Mon, 31 Dec 2001 00:40:56 -0800

Jericho,

I was sent this by one of my colleagues - we never sent out the advisory you paste here.

We sent out a bulletin offering free services and advice and it was actually off the alldas mirror, I would be more than happy to provide you with a copy of it. I would also happily point you in the direction of at least 10 companies that phoned us and we helped through the situation without requesting a dime.

It was started by me as a good method for new employees out of college with high technical expertise but low customer interaction skills to learn how to treat customers after they have had some sort of intrusion whilst at the same time conducting a blind recovery or support. As you well know, trying to obtain information from a guy that hardly understands how his machine works and then trying to recover that machine can provide a fantastic learning experience for both parties.

We still continue to send out these bulletins and of the 000's of phonecalls received have never charged a dollar.

http://www.attrition.org/errata/sec-co/gnss01.html

If there is anything I can do, please do not hesitate to contact me.

Regards
-james

_________________________________________
James Sinclair
Chief Technology Officer
Global Network Security Services
T: 323 660 1767
F: 323 667 3132
C: 323 251 2667
E: [email protected]
W: www.globalnss.com
GNSS|secure is changing the way we communicate~ www.gnss-secure.com
_________________________________________

Date: Mon, 31 Dec 2001 04:21:02 -0500 (EST)
From: security curmudgeon ([email protected])
To: James Sinclair ([email protected])
Subject: Re: GNSS > ATTRITION > LINK

Let me review what you sent, the errata page, and discuss with staff.

From [email protected] Mon Dec 31 04:22:31 2001
From: "James Sinclair" ([email protected])
To: "'security curmudgeon'" ([email protected])
Subject: RE: GNSS > ATTRITION > LINK
Date: Mon, 31 Dec 2001 00:44:51 -0800

Thanks. Sorry for the annoyance.

Have a Happy New Year (glad to see I am not the only one working!)

Regards
-james

Date: Mon, 31 Dec 2001 11:19:33 -0500 (EST)
From: Sioda an Cailleach ([email protected])
To: security curmudgeon ([email protected])
cc: Heathens ([email protected])
Subject: Re: GNSS > ATTRITION > LINK (fwd)

Where did you get the solicitation that is posted on Attrition? It doesn't specifically mention that they charge for their services, though neither does it specify that they are offering a free service.

I tend to think that the solicitation posted on Attrition was genuine and that they are now trying to clarify that they are offering a free service. However, if this is just a training exercise for their people, I don't see the benefit to the defaced site. Also, I would want to dig further into how this benefits them (do they sell training to people and use the defaced sites as a lab classroom activity?).

I worked at a site once that had a big Andersen presence. Andersen "generously" provided many "free" consultants to the project. The hidden cost was that these people really contributed nothing of value and took time away from those who did just to get "real" experience on their resume (so Andersen could bill for them). I was given one of these consultants to "help" me with uucp support. When I asked how much she knew about uucp, I was told "nothing, but she's a quick learner". I declined the "help". In reality, I would have been providing free training to this person at the client's expense.

Sounds like this is a similar deal.

.sioda.

Date: Mon, 31 Dec 2001 15:54:12 -0500 (EST)
From: Cancer Omega ([email protected])
To: security curmudgeon ([email protected])
cc: Heathens ([email protected])
Subject: Re: GNSS > ATTRITION > LINK (fwd)

On Mon, 31 Dec 2001, security curmudgeon wrote:

> thoughts?

I think it's horseshit for several reasons. Among them:

1. Their original notice claims they were notified by a branch of the FBI. That's a lie. Why would the FBI run around notifying any businesses? Also, why do they say 'Cybercrime Dept' when the "cybercrime" section of the FBI is NIPC?

2. They make another reference to the National Security Advisor. The National Security Advisor's recommendations to the Senate have next to NOTHING to do with net.security. Indeed, the blanket stance of the NSC is that anything that has any vital data on it at all should *NOT* be on the 'net!

3. They never state outright that their services are free. They just go on and on about what they can do for the recipient. That doesn't sound like a free offer of help; that sounds like a fucking sales pitch.

In short, I don't buy this guy's "clarification." If anything, I'd sooner throw his latest bullshit into the Going Postal section than I would remove the errata piece.

.c

Date: Wed, 2 Jan 2002 15:39:58 -0500 (EST)
From: security curmudgeon ([email protected])
To: James Sinclair ([email protected])
cc: Heathens ([email protected])
Subject: Re: GNSS > ATTRITION > LINK

> Jericho,
>
> I was sent this by one of my colleagues - we never sent out the advisory
> you paste here.

After reading this again.. if you didn't send it out, who did? Bears a striking resemblance to your style of writing, your signature, etc. I realize they can be forged, but I'm wondering why someone would go through such efforts.

> We sent out a bulletin offering free services and advice and it was
> actually off the alldas mirror, I would be more than happy to provide
> you with a copy of it. I would also happily point you in the direction
> of at least 10 companies that phoned us and we helped through the
> situation without requesting a dime.

Please do. I can't guarantee I will be able to follow up on them but I may try.

> We still continue to send out these bulletins and of the 000's of
> phonecalls received have never charged a dollar.

Perhaps so, but there are a few points that don't sit well with us regarding all of this.

1. Your original notice claims you were notified by a branch of the FBI. That's a lie. Why would the FBI run around notifying any businesses, especially unrelated to the victim company? Also, why do you say 'Cybercrime Dept' when the "cybercrime" section of the FBI is NIPC? Why not specifically name the NIPC and provide a contact there or their website at least?

2. You make another reference to the National Security Advisor. The National Security Advisor's recommendations to the Senate have next to NOTHING to do with net.security. Indeed, the blanket stance of the NSC is that anything that has any vital data on it at all should *NOT* be on the 'net.

3. You never state outright that your services are free. You just go on and on about what you can do for the recipient. That doesn't sound like a free offer of help; that sounds like a fucking sales pitch.

4. The URL you provide twice 404's, but offers to redirect them to alternate pages. Those pages go on about the security services you offer, speak of the business and do not hint or suggest they can receive free help.

Rereading the mail sent out with your company's name, I'm afraid I can't agree with you at all. This seems like ambulance chasing at best.

From: James Sinclair ([email protected])
To: [email protected]
Subject: ATTRITION
Date: Mon, 28 Jan 2002 16:45:11 -0800

Jericho,

As per my previous e-mail, I have sent mails out to all involved with our company in an attempt to verify if indeed the e-mail was sent in its current form. http://63.105.33.158/errata/sec-co/gnss01.html

The same as my first contact with you, no such e-mail was sent from GNSS and especially not from myself. As we explained, many times our sales force sent an e-mail out with some basic tips as to how to restore services quickly and efficiently, at no time was any company or person who contacted us for help with these issues charged or billed. Aside from the fact that we are a CA based organization and do not have the resources or desire to travel across the US helping these companies, we also as mentioned in the previous e-mail utilized this service to practice our blind support and start a process sheet to help us with our current clients.

Of course there is little to prove that the e-mail was tampered, however please recommend your desired course of action to have the page removed or appended. It is your right to feel that our actions were not ethically correct, however from the response from those we have aided that does not seem to be the case. Many people who receive some sort of intrusion are not aware of who to call for help.

Regards
-james

From: security curmudgeon ([email protected])
To: James Sinclair ([email protected])
Date: Fri, 1 Feb 2002 01:58:26 -0500 (EST)
Subject: Re: ATTRITION

> Jericho,
>
> As per my previous e-mail, I have sent mails out to all involved with
> our company in an attempt to verify if indeed the e-mail was sent in its
> current form. http://63.105.33.158/errata/sec-co/gnss01.html
>
> The same as my first contact with you, no such e-mail was sent from GNSS
> and especially not from myself. As we explained, many times our sales
> force sent an e-mail out with some basic tips as to how to restore

So let me see if I have this straight. You are saying that NO ONE at GNSS sent the mail quoted on the above URL.. yet you do send out mail sometimes to admins of defaced sites? Are you saying that the mail we were sent is forged in some way.. either forged and sent to the admin, or the admin changed the mail before sending to us?

> Of course there is little to prove that the e-mail was tampered, however
> please recommend your desired course of action to have the page removed
> or appended. It is your right to feel that our actions were not
> ethically correct, however from the response from those we have aided
> that does not seem to be the case.

Let's answer the above questions before addressing this.

From: James Sinclair ([email protected])
To: "'security curmudgeon'" ([email protected])
Subject: RE: ATTRITION
Date: Fri, 1 Feb 2002 00:17:37 -0800

Jericho,

Thank you for your response.

Yes, we used to send out mail to those who had sites defaced and felt would need some aid in returning the site to its original form whilst setting up necessary preventative measures to ensure the occurrence did not happen again.

However, the actual e-mail printed on your errata section was not sent, it is not the placing of the e-mail on your errata section that I am arguing, it's the content.

Please advise.

Regards
-james

From: security curmudgeon ([email protected])
To: James Sinclair ([email protected])
Date: Fri, 1 Feb 2002 04:06:12 -0500 (EST)
Subject: RE: ATTRITION

> Thank you for your response.
>
> Yes, we used to send out mail to those who had sites defaced and felt
> would need some aid in returning the site to its original form whilst
> setting up necessary preventative measures to ensure the occurrence did
> not happen again.
>
> However, the actual e-mail printed on your errata section was not sent,
> it is not the placing of the e-mail on your errata section that I am
> arguing, it's the content.

So.. how did we get it?

When we mirrored a site, we would mail out to the admin and offer them some basic advice and explain who we were and what we did. I have included that mail below so you can see how we approached it. Specifically:

   If you receive any additional mail from a security company or
   vendor, we'd like to state up front that we are in no way
   affiliated with them. We have found out that some security
   companies prey on victims of web defacement to solicit their
   products or services. If you receive such mail, please forward
   the full text with headers to us so that we can confront them.

Shortly after taking a mirror, an admin of a defaced site sent us the mail in question along with one other (that is also up on errata).

So all that said.. if you didn't send it to them.. how did we get it?

Brian

From: James Sinclair ([email protected])
To: "'security curmudgeon'" ([email protected])
Subject: RE: ATTRITION
Date: Fri, 1 Feb 2002 00:36:49 -0800

Brian, Jericho,

I cannot answer your question of how you got it, if an admin sent a copy of the actual mail we sent, then we would have no problem with it being posted on errata. However as stated:

> Of course there is little to prove that the e-mail was tampered,
> however please recommend your desired course of action to have the
> page removed or appended. It is your right to feel that our actions
> were not ethically correct, however from the response from those we
> have aided that does not seem to be the case.

I do apologize for this hassle, but I am sure you can understand my complaint. How would you like to progress...

-james

Date: Sun, 17 Feb 2002 17:39:20 -0500 (EST)
To: James Sinclair ([email protected])
cc: Heathens ([email protected])
Subject: RE: ATTRITION

> Brian, Jericho,
>
> I cannot answer your question of how you got it, if an admin sent a copy
> of the actual mail we sent, then we would have no problem with it being
> posted on errata. However as stated:

Well. This is pretty simple and it appears the only explanation is not one you want to admit to.

http://www.attrition.org/errata/sec-co/gnss01.html

Fact: an admin forwarded the mail in question to us
Fact: it is the same format and style you use
Fact: you admitted to sending some sites mail similar to this one
Discrepancy: you say you did not send this particular mail

> > Yes, we used to send out mail to those who had sites defaced and felt
> > would need some aid in returning the site to its original form whilst
> > setting up necessary preventative measures to ensure the occurrence
> > did not happen again.

So I guess my questions still stand and are still not really answered. None of the staff here can figure this out based on your mail and the fact we have a copy of the mail.

> > However, the actual e-mail printed on your errata section was not
> > sent, it is not the placing of the e-mail on your errata section that
> > I am arguing, it's the content.
>
> So.. how did we get it?
>
> When we mirrored a site, we would mail out to the admin and offer them
> some basic advice and explain who we were and what we did. I have
> included that mail below so you can see how we approached it.
> Specifically:
>
>    If you receive any additional mail from a security company or
>    vendor, we'd like to state up front that we are in no way
>    affiliated with them. We have found out that some security
>    companies prey on victims of web defacement to solicit their
>    products or services. If you receive such mail, please forward
>    the full text with headers to us so that we can confront them.
>
> Shortly after taking a mirror, an admin of a defaced site sent us the
> mail in question along with one other (that is also up on errata).
>
> So all that said.. if you didn't send it to them.. how did we get it?

This is the question that still stands.

From: James Sinclair ([email protected])
To: "'security curmudgeon'" ([email protected])
Subject: RE: ATTRITION
Date: Sun, 17 Feb 2002 14:45:12 -0800

Jericho,

We seem to be going around in circles. I have no trouble in explaining what type of e-mails we send, however the one on display did not originate from us.

Wherever, However or Whatever led to it arriving at you is not my concern, mine is the display of an e-mail that supposedly came from me but did not.

What actions would you like me to take to validate my claims.

james

From: security curmudgeon ([email protected])
To: James Sinclair ([email protected])
Date: Sun, 17 Feb 2002 18:24:24 -0500 (EST)
Subject: RE: ATTRITION

> Jericho,
>
> We seem to be going around in circles. I have no trouble in explaining
> what type of e-mails we send, however the one on display did not
> originate from us.
>
> Wherever, However or Whatever led to it arriving at you is not my
> concern, mine is the display of an e-mail that supposedly came from me
> but did not.
>
> What actions would you like me to take to validate my claims.

For starters, can you send me an example of what you mail out? Preferably dated around the same time as the mail we have up?

From: James Sinclair ([email protected])
To: "'security curmudgeon'" ([email protected])
Subject: Round Up.
Date: Sun, 24 Feb 2002 00:35:32 -0800

Jericho,

Just to confirm in writing, that I have made several attempts to discuss the situation regarding the GNSS errata and my dispute as to the validity of the contents to which your reply multiple times has been "Then how did we get it".

I have been very open regarding the fact that we did send out mailers, including sending you a copy of what we did send, I have offered references of those sites we helped for no charge recover from defacement and protect themselves in the future. I have asked you what I could do to rectify the situation, have the errata amended to be our actual mailing or remove the page.

Neither of us wish to repeat our comments which have gone back and forth to the point that it is probably annoying us both! Perhaps this dispute is highly ironic considering that your site aims to shame and provide rebuttal on those that dispute those claims, however I really feel that I have offered and attempted every avenue of rectification possible.

Your view that mailings should not be sent out is not the issue here, what is the issue is the modified contents of our mailing. Please could you make the appropriate changes so that we can put this issue to rest once and for all.

Many Thanks
-james