Full Disclosure mailing list archives

"Fud, lies and libel" against (type any name here, I'll use mi2g)
From: "Robert Wayne" <netmapper () ic24 net>
Date: Thu, 22 Jul 2004 16:38:04 +0100

Hi there,

I am a usual reader of all the major security lists and I laughed (in a way)
to the posting about "Wendy's order system"... I laughed because at first
glance I thought it was funny, but then I realised that what I was reading
was a "vulnerability" on a security list, so it wasn't clear to me what that
stupid joke was doing there. Ok, it's true.. full-disclosure is not
moderated, everybody can post, yeah yeah, blah blah blah, but still: It is
(meant to be) a security list. Am I wrong?

Please note that this is not just about another silly off-topic: someone
deliberately posted a vulnerability, perfect in its structure,
with all the right fields in the right place, on more than one security
list. There is more than off-topic here.
Ok, the content was clearly a hoax but it denotes a problem that could be
much more dangerous...

Let me point out that, as claims the anonymous guy that posted the (two?)
articles, I'm not affiliated with mi2g.

I thought about not replying and wasting my time, but given the fact that
your stupid postings are going on, and some other people give you even
credit for that, I would like to say something as well. Hope you don't mind.
Hope the list doesn't mind. It is not something off-topic in my opinion,
because it is strictly related to the way the security information is
diffused so it is inherently about security.

Before I proceed with the security issues related to the original post about
"Wendy", I would like to explore some of the points you have made:


Instead of laughing along with the obvious hoax, mi2g responded in typical
fashion by releasing a "News Alert" in which they spread FUD, lie about...

I don't understand your point. I can laugh, you can laugh... but they are
defamed! Can you explain why they should laugh? I don't get it...

Ransom demands?  Negative publicity?  Reputation damage accelerates?
mi2g is saying that "trusted web sites and security portals" posting
the original hoax have contacted mi2g, offering to not post it in return
for up to one MILLION dollars.  Who are these black hearted criminals?

First: my impression is that they are not referring to the sites you are
talking about. I don't see anywhere in their message: "trusted web sites and
security portals posting the original hoax have contacted mi2g". Are you
making it up (lying) ?

Second: are you working for all the sites mi2g is referring to, that you are
so confident in excluding this possibility?

Who gives you the right to judge something you don't know anything about? It
appears to me that you've spent many (valuable?) of your hours discrediting
that company, as well as bothering us (at least me) with your statements.

Either you know something we don't or you'd better be silent. I can't tell
if what mi2g says is true or not, I don't work there... do you? If I don't
know something I tend not to speak publicly about it... at very least I
don't try to sell it as THE TRUTH!

Because of this obvious advisory parody, the poor masses are going to
have a hard time figuring out which advisories are legitimate?  I think
mi2g assumes every security professional and administrator is as big
a retard as themselves.

Again, I do not agree with you. The whole point of their statement is not
about "Wendy"!

Here it seems that YOU have some problems in comprehending the bottom line
message (please note that I am not saying you are a retard):


"If you can so easily post a clear hoax and nobody - or very few of them -
bothers to check, who can stop you from publishing a "real" (note the
quotes!) vulnerability disclosure, more realistic than "Wendy's", attacking
your competitor A or a product B ? What if you start publishing ten of them,
and then hundreds? How will this massive pollution of security lists and sites
change the user perception of a company A or product B? Will you buy a
product from a company that has hundreds of so called vulnerabilities? I bet
you wouldn't, at least you'll think about it twice... It doesn't really
matter if they are real or not, they are listed everywhere, so the
perception of them makes them real.

If you have the power to disseminate a big number of lists (as well as very
important web sites like securityfocus.com, that mirror any list without
questioning the authenticity of the postings) with false vulnerabilities,
you can discredit and damage any company. Full stop".


You got it?

This is the message I understood from mi2g's reply and it makes perfect
sense to me. Between you and me,  it looks like you have already started
this process against mi2g... Lies, false allegations, unreal
vulnerabilities, all posted to public lists... You are working very hard...
Is there at least someone paying you for this job?

One out of three correct, good job mi2g!  Again, check the archives.

I found also a posting on ISN that mi2g seems to have missed... Should I let
them know?!? Hint: Don't look at the sites, you won't see it. Look on
Google's cache...

a defamatory statement meant to gain sympathy from your eight customers.

Eight? Is it just a guess or do you know more than anybody else?

The post hit the Full-Disclosure list because it is the only list of
the three that is UNMODERATED.

Yes, full-disclosure is unmoderated but I am sure you are aware that it is
mirrored like any other security list on all sort of sites, so if you search
on securityfocus.com (sorry guys if I named your site twice, but it is just
an example) you will find these UNMODERATED postings. Now, if you read
securityfocus.com and you trust them, you may end up "trusting" also what
they publish (make sense?). If you post to FD then you are quite sure that
your defamation (sorry, vulnerability disclosure) will end up on many
reputable web sites... good job!

I would suggest securityfocus.com (last time I name them, I promise) as well
as other respectable security sites not to publish anything that is not
moderated! By publishing them, they link their valuable name (the domain
name) to the useless postings. I cannot imagine The New York Times or the
Financial Times publishing without any form of control, the postings of an
unmoderated list!

The material in the archives is clearly marked as coming from the original
person, and they make no claims as to the accuracy of such information
posted to the lists.

The original person?!?!? You mean your account not-mi2g () hushmail com or, as
I believe also your account mi2g-research () hushmail com ?
You are an anonymous poster, that cowardly posts articles against a company
and its Executive Chairman, without publishing your name!
You are the LAST person that can talk about "original person"!

If you have a problem with mi2g may I suggest you solve it directly with
them instead of publishing your rubbish on security lists? You are abusing
these lists for your own agenda and I think this is not fair to me nor to
the other readers of the lists. Can you please stop posting your rants
against mi2g? Can you try to add some value to your postings (as well as
your name of course). Can you detach your mind from mi2g for a second and
use a normal email address? (An email address that hasn't got mi2g in it, I

Put up or shut up DK Matai.  None of these sites are attempting to extort
money from mi2g in return for "being silent" and withholding an obscure
hoax advisory buried in the thousands of trash posts to the Full-Disclosure
mail list.  This is a blatant lie from Matai and mi2g, nothing more.

Please, do something more interesting than spending your time blaming and
accusing other people. Get a life!

Robert Wayne

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
