OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-Disclosure] mi2g - fud, lies and libel

not-mi2ghushmail.com
Date: Tue Jul 20 2004 - 18:17:27 CDT


** I AM NOT AFFILIATED WITH MI2G IN ANY WAY **

On July 6, someone made a parody advisory post to Full-Disclosure spoofing
mi2g (mi2g.com). The person attempted to CC the Bugtraq and Vulnwatch
mail list, but the moderators of those lists rejected the post.

http://seclists.org/lists/fulldisclosure/2004/Jul/0311.html

http://seclists.org/lists/vulnwatch/2004/Jul-Sep/
http://seclists.org/lists/bugtraq/2004/Jul/

Instead of laughing along with the obvious hoax, mi2g responded in typical
fashion by releasing a "News Alert" in which they spread FUD, lie about
events that never took place, and libel the Bugtraq and Vulnwatch moderators.
 It took them 14 days to release this, probably the same time that passed
before their collective blood pressure dropped. Some amusing clips from
their release:

>Subject: RESTRICTED LIST: News Alert - Ransom demands coming through
>to subdue negative publicity; Reputation damage accelerates through

>hoax postings

Ransom demands? Negative publicity? Reputation damage accelerates?

>London, UK - 20 July 2004, 17:30 GMT - The dark side of the internet
>is increasingly coming into focus as false information posted on
>"security" portals is purveyed and mirrored without question by a
>range of inter-linked trusted web sites. The original internet
>security portals, which have become famous for carrying software
>vulnerability disclosures, are now being overwhelmed by new listings.
>As a result, they are unable to cope with the flood of fresh postings
>- genuine and hoax - on a daily basis.

>In parallel, consistent negative publicity on trusted web sites and

>security portals has led to the owners of some of those sites to
>contact many companies, including mi2g, with a view to buying them
>out in exchange for their silence. Ransom demands made have ranged

>from $250,000 to $1 million to decommission a negative publicity
>campaign mounted through a particular set of trusted web sites or
>security portals.

mi2g is saying that "trusted web sites and security portals" posting
the original hoax have contacted mi2g, offering to not post it in return
for up to one MILLION dollars. Who are these black hearted criminals?
 Read on.

>These adverse developments are likely to lead to further loss of user

>trust and unclear demarcation between useful and useless security
>warnings as well as vulnerability disclosures in the months ahead.

Because of this obvious advisory parody, the poor masses are going to
have a hard time figuring out which advisories are legitimate? I think
mi2g assumes every security professional and administrator is as big
a retard as themselves.

>The mi2g Intelligence Unit has tracked a particular development over
>the last few weeks, where a rogue account created by a malevolent
>party as mi2g-researchhushmail.com has been consistently abused by

>utilising it as the originator of a number of vulnerability postings

>including one clear hoax titled: "Wendy's Drive-up Order System
>Information Disclosure."

A number of vulnerability postings? Check the archives! There is a
single post to Full-Disclosure, none to Bugtraq, none to Vulnwatch.
Where are these "number" of postings mi2g?

http://seclists.org/lists/

>Upon reading this hoax "vulnerability" posting, available through a
>number of security portals, it is clear that there is no purpose to

>it other than to smear reputation and cause damage. However, the
>organisations that originally took the posting did not bother to
>check for accuracy and include such well known names as:
>
>1. bugtraqsecurityfocus.com
>2. full-disclosurelists.netsys.com
>3. vulnwatchvulnwatch.org

One out of three correct, good job mi2g! Again, check the archives.
 Bugtraq and Vulnwatch did not post the hoax advisory, this is clearly
a defamatory statement meant to gain sympathy from your eight customers.
 The post hit the Full-Disclosure list because it is the only list of
the three that is UNMODERATED.

>Within days, there were mirror copies of the hoax vulnerability
>"Wendy's Drive-up Order System Information Disclosure" on several
>"security" focussed portals that mentioned mi2g incorrectly without

>checking the facts within the posting or confirming accuracy through

>other means, such as:
>
>1. http://www.securityfocus.com
>2. http://seclists.org
>3. http://lists.insecure.org
>4. http://archives.neohapsis.com
>5. http://lists.netsys.com
>6. http://www.e2ksecurity.com
>7. http://www.derkeiler.com
>8. http://www.gossamer-threads.com
>9. http://www.landfield.com

Perhaps someone in the security industry could teach a class at mi2g
headquarters on the basics of mail lists and automatic mail list archives.
 These sites archive 100% of the content posted to hundreds of mail lists.
 The material in the archives is clearly marked as coming from the original
person, and they make no claims as to the accuracy of such information
posted to the lists.

Read the list above again. These are the black hearted criminals that
mi2g claims tried to extort them for money in return for "silence".
What a complete load of manure.

>The mi2g Intelligence Unit has written to these security portals and
>to Hushmail. Only Hushmail.com has taken immediate action by
>disabling the rogue email account, much to their credit. The other

>so called "security" forums and trusted vulnerability posting
>accounts, portals and mirror web sites have simply passed the buck
>by stating that they did not control the content which they
>published, even when it was blatantly evident that the posting they
>were purveying was an obvious obnoxious hoax.

If it was blatantly evident that the post was a hoax, why is mi2g crying
like a six year old with a skinned knee? It is clear these "security
portals" are ignoring your request because you are asking them to alter
history in a sense. They maintain archives of mail list traffic. To
arbtirarily delete one post compromises the integrity (look that word
up please) of their service. If you check the vulnerability databases
like ISS, SecurityFocus and Secunia, you will notice they did not mirror
the content and clearly filtered it instead of including it in a database.

>"These developments mean that any person or corporation can quite
>easily decide to launch a clandestine smear campaign against any
>brand in the world by bombarding appropriate bulletin boards and
>trusted forums with false information through free email accounts,"

>said DK Matai, Executive Chairman, mi2g. "There is a high
>probability that more and more brands could fall victim to such
>smear campaign postings. The reputation damage is being amplified
>manifold by several automatic mirrors. In parallel, we are also
>seeing demand for money from frequent reputation damage purveyors."

Put up or shut up DK Matai. None of these sites are attempting to extort
money from mi2g in return for "being silent" and witholding an obscure
hoax advisory buried in the thousands of trash posts to the Full-Disclosure
mail list. This is a blatant lie from Matai and mi2g, nothing more.
 

** I AM NOT AFFILIATED WITH MI2G IN ANY WAY **

Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html