mi2g - fud, lies and libel
From: <not-mi2g () hushmail com>
Date: Tue, 20 Jul 2004 16:17:27 -0700
** I AM NOT AFFILIATED WITH MI2G IN ANY WAY **

On July 6, someone made a parody advisory post to Full-Disclosure spoofing
mi2g (mi2g.com). The person attempted to CC the Bugtraq and Vulnwatch
mail list, but the moderators of those lists rejected the post.

Instead of laughing along with the obvious hoax, mi2g responded in typical
fashion by releasing a "News Alert" in which they spread FUD, lie about
events that never took place, and libel the Bugtraq and Vulnwatch moderators.
It took them 14 days to release this, probably the same time that passed
before their collective blood pressure dropped. Some amusing clips from

Subject: RESTRICTED LIST: News Alert - Ransom demands coming through
to subdue negative publicity; Reputation damage accelerates through

Ransom demands? Negative publicity? Reputation damage accelerates?

London, UK - 20 July 2004, 17:30 GMT - The dark side of the internet
is increasingly coming into focus as false information posted on
"security" portals is purveyed and mirrored without question by a
range of inter-linked trusted web sites. The original internet
security portals, which have become famous for carrying software
vulnerability disclosures, are now being overwhelmed by new listings.
As a result, they are unable to cope with the flood of fresh postings
- genuine and hoax - on a daily basis.

In parallel, consistent negative publicity on trusted web sites and
security portals has led to the owners of some of those sites to
contact many companies, including mi2g, with a view to buying them
out in exchange for their silence. Ransom demands made have ranged
from $250,000 to $1 million to decommission a negative publicity
campaign mounted through a particular set of trusted web sites or

mi2g is saying that "trusted web sites and security portals" posting
the original hoax have contacted mi2g, offering to not post it in return
for up to one MILLION dollars. Who are these black hearted criminals?

These adverse developments are likely to lead to further loss of user
trust and unclear demarcation between useful and useless security
warnings as well as vulnerability disclosures in the months ahead.

Because of this obvious advisory parody, the poor masses are going to
have a hard time figuring out which advisories are legitimate? I think
mi2g assumes every security professional and administrator is as big
a retard as themselves.

The mi2g Intelligence Unit has tracked a particular development over
the last few weeks, where a rogue account created by a malevolent
party as mi2g-research () hushmail com has been consistently abused by
utilising it as the originator of a number of vulnerability postings
including one clear hoax titled: "Wendy's Drive-up Order System

A number of vulnerability postings? Check the archives! There is a
single post to Full-Disclosure, none to Bugtraq, none to Vulnwatch.
Where are these "number" of postings mi2g?

Upon reading this hoax "vulnerability" posting, available through a
number of security portals, it is clear that there is no purpose to
it other than to smear reputation and cause damage. However, the
organisations that originally took the posting did not bother to
check for accuracy and include such well known names as:
1. bugtraq () securityfocus com
2. full-disclosure () lists netsys com
3. vulnwatch () vulnwatch org

One out of three correct, good job mi2g! Again, check the archives.
Bugtraq and Vulnwatch did not post the hoax advisory, this is clearly
a defamatory statement meant to gain sympathy from your eight customers.
The post hit the Full-Disclosure list because it is the only list of
the three that is UNMODERATED.

Within days, there were mirror copies of the hoax vulnerability
"Wendy's Drive-up Order System Information Disclosure" on several
"security" focussed portals that mentioned mi2g incorrectly without
checking the facts within the posting or confirming accuracy through
other means, such as:

Perhaps someone in the security industry could teach a class at mi2g
headquarters on the basics of mail lists and automatic mail list archives.
These sites archive 100% of the content posted to hundreds of mail lists.
The material in the archives is clearly marked as coming from the original
person, and they make no claims as to the accuracy of such information
posted to the lists.

Read the list above again. These are the black hearted criminals that
mi2g claims tried to extort them for money in return for "silence".
What a complete load of manure.

The mi2g Intelligence Unit has written to these security portals and
to Hushmail. Only Hushmail.com has taken immediate action by
disabling the rogue email account, much to their credit. The other
so called "security" forums and trusted vulnerability posting
accounts, portals and mirror web sites have simply passed the buck
by stating that they did not control the content which they
published, even when it was blatantly evident that the posting they
were purveying was an obvious obnoxious hoax.

If it was blatantly evident that the post was a hoax, why is mi2g crying
like a six year old with a skinned knee? It is clear these "security
portals" are ignoring your request because you are asking them to alter
history in a sense. They maintain archives of mail list traffic. To
arbitrarily delete one post compromises the integrity (look that word
up please) of their service. If you check the vulnerability databases
like ISS, SecurityFocus and Secunia, you will notice they did not mirror
the content and clearly filtered it instead of including it in a database.

"These developments mean that any person or corporation can quite
easily decide to launch a clandestine smear campaign against any
brand in the world by bombarding appropriate bulletin boards and
trusted forums with false information through free email accounts,"
said DK Matai, Executive Chairman, mi2g. "There is a high
probability that more and more brands could fall victim to such
smear campaign postings. The reputation damage is being amplified
manifold by several automatic mirrors. In parallel, we are also
seeing demand for money from frequent reputation damage purveyors."

Put up or shut up DK Matai. None of these sites are attempting to extort
money from mi2g in return for "being silent" and withholding an obscure
hoax advisory buried in the thousands of trash posts to the Full-Disclosure
mail list. This is a blatant lie from Matai and mi2g, nothing more.

** I AM NOT AFFILIATED WITH MI2G IN ANY WAY **