Rebuttal: The Curious Case of Sam Bowne

[This was originally published on attrition.org. This is a rebuttal piece to Sam Bowne, the person, Twitter personality (@sambowne), City College San Francisco professor and self-proclaimed whitehat hacker.]


Background: I was first introduced to Sam when noted charlatan Gregory D. Evans accused Bowne of being one of the “world’s biggest cyber bully’s” (sic). I was briefly involved in an e-mail thread with several people and gave input to Sam regarding Evans’ past. Apparently Evans’ press release, possibly coupled with a formal complaint to the school, resulted in Sam having to appear before a board at the college to defend himself against the accusations. I don’t know the details other than he left the meeting absolved of the allegations.

After the incident, I kept following Sam on Twitter as he provided a good set of links to interesting security news and gave input as he saw fit. During that time, he consistently made tweets about being a whitehat and showing scorn for blackhats / criminals. This proud waving of the whitehat flag became a badge of honor to him as he turned himself into a self-deprecating martyr of sorts.

Sat Oct 30 Sam Bowne says: @RayDavidson: @DownloadSquad: This guy was no whitehat–what he did was clearly illegal http://bit.ly/dvjiZO
Fri Dec 10 Sam Bowne says: Interesting controversy about white-hats using botnet vulns to clean off infections–I think it’s clearly illegal #BayThreat
Sat Feb 05 Sam Bowne says: @attritionorg Well, I don’t know who did it. I address whitehats because I don’t think anyone else will listen to me.
Sun Feb 06 Sam Bowne says: I just submitted an article to Infosec Island pontificating about black and white hats. If they run it, I will need an asbestos T-shirt.
Sat Feb 26 Sam Bowne says: @mckt_ I’ve been saying for weeks that white hats and CISSPs need to obey the law. This seems to be an intolerable offense to most tweeps
Fri Apr 08 Sam Bowne says: Rt @DaveMarcus: …”ethical” or “whitehat” in your profile … its lame… <– Some of us are Lame & Proud
Mon Apr 25 Sam Bowne says: RT @willbradley: @sambowne oh, nice. Gotta love righteous white hats. <–The technical term is “Insufferable Pompous Ass”
Sat Jun 04 Sam Bowne says: Rt @LulzSec: We just DDoS’d the IP that tried to inject us <–Offensive security, often discussed, but off-limits to white hats
Sat Jun 25 Sam Bowne says: I get a lot of abuse being a whitehat on Twitter, but it’s worth it. I’ve been able to help several people because of it.

He also shows a conflicted view on ethics without realizing it. He sees a clear difference between obeying and breaking the law, he disagrees with the CISSP Code of Ethics on talking with blackhats, and he finally admits that he is interested in the theoretical abstraction of ethical rules and doesn’t care about the enforcement of ethical rules.

Fri Mar 05 Sam Bowne says: .@heavenraiza Re: Ethical Hacking–I see a clear difference between obeying the law and breaking it.
Wed Jan 12 Sam Bowne says: @hypatiadotca I don’t think it violates ethics to talk to black-hats, as long as I am trying to get them to go straight, not doing crimes
Fri Feb 18 Sam Bowne says: .@jack_daniel @Viss I am interested in the theoretical abstraction of ethical rules, regardless of whether there is enforcement

All of this is fine; having a healthy debate about ethics is good. Despite his proud whitehat designation, I actually appreciate him for realizing the CISSP Code of Ethics is ridiculous. It gave me hope that while good natured, he really did understand that the world is full of grays, despite past tweets about ethics suggesting he only saw black and white.

In the last few weeks, Sam started asking his followers for security contacts at various organizations.

Fri Jun 10 Sam Bowne says: I need a security contact inside PBS. Please contact me by Twitter or email to sbowne@ccsf.edu — thanks!
Mon Jun 20 Sam Bowne says: Does anyone have a security contact inside CNN? Those SQL holes need to be closed NOW.
Tue Jun 21 Sam Bowne says: Does someone have a network security contact in the Los Angeles Police Dept.? It’s not an emergency, but something they should know.
Fri Jun 24 Sam Bowne says: I am still seeking an infosec contact inside the Los Angeles Police Department. It’s getting more important too.
Sun Jun 26 Sam Bowne says: OK, this is pretty insane: does anyone have an infosec contact inside the government of China? Bad stuff, really bad
Sun Jun 26 Sam Bowne says: I need an infosec contact inside Inition or Thinglab, makers of 3-D printers http://t.co/JbebZkp
Sun Jun 26 Sam Bowne says: I need an infosec contact inside Relay Specialties, Inc. http://t.co/STkji0t

The first two requests are understandable. In the wake of activity from LulzSec and other groups, there was public exploitation of vulnerabilities in the websites of PBS and CNN. Sam was trying to find contacts to report the vulnerabilities being exploited by criminals. After that, his requests became more curious and begged the question of where he was getting the information. I had seen no tweets regarding vulnerabilities at the LAPD, Chinese government or the rest of his list. Was he monitoring an IRC channel or message forum where this information was being shared? Was he or his students actively testing web sites and products without permission? I was curious, so I asked.

Sun Jun 26 attrition.org says: @sambowne are your students finding all these issues in .cn gov, vendors and other contacts you are after?
Sun Jun 26 attrition.org says: @sambowne your proud ‘whitehat’ designation is curious when you ask for a sec contact inside the Chinese government.
Mon Jun 27 attrition.org says: @sambowne you going to explain how you and/or your students are finding these issues?
Tue Jun 28 attrition.org says: @sambowne Any particular reason you are ignoring my (and other’s) request for you to explain how you are finding so many?
Tue Jun 28 attrition.org says: @can0beans Nope, on day 2 of @sambowne tweeting, but not answering our question.
Tue Jun 28 RBC says: @sambowne I’m curious about what @attritionorg asked you as well. Curious where all your finds are coming from
Wed Jun 29 RBC says: @sambowne You always seemed so up front and bold with your beliefs. You always defended yourself, why are you not responding2 @attritionorg
Tue Jun 28 Chris Teodorski says: @attritionorg @sambowne did you get an answer to this?

With Sam ignoring these queries and comments, it seemed to many people, including myself, that he may have started live testing web sites for vulnerabilities and reporting them. Since he didn’t reply to any of us, even in private, it certainly began painting a picture that he may be dabbling in grayhat hacking.

This prompted me to go to his school web site to see if they had an ethics policy, so that I could quote it to him. While trying to find that, using their search engine like any user would, I ran into two security issues. The first was an SSL certificate for Google instead of CCSF which was curious. The second was a much more interesting issue that had serious ramifications. Following a general disclosure guideline that I have used for almost 15 years, I tried to find a listed security contact so I could inform them. When I couldn’t find anyone with ‘security’ in their title, and no apparent place to report such problems, I asked Sam if he could provide the contact information for me.

I started on Twitter, half-joking with him since he had been asking for other security contacts. I had already found it ironic that he was searching for security contacts via Twitter, while his own employer had none listed. Sam was tweeting after the question was sent, and had plenty of time to respond. I sent a DM and got a reply from him that was more troubling to me than anything else I had seen from him.

When he didn’t reply publicly, and didn’t reply to my second DM, I called the college the next day to get the information and let him know. At this point, I was mildly annoyed and made the comment about finding the ethics panel because everything to that point suggested to me that he was slowly going rogue. (I did not call for the ethics panel info, and had no intention of actually filing a complaint; I wanted to convey that I was serious about my questions and concern.) CCSF’s response was outstanding, with an immediate reply confirming they got the e-mail and would look into it at once. By the next day, Sam had blocked @attritionorg on Twitter. This was very curious given our friendly past, his ignoring my questions about how he was finding vulnerabilities, and even the brief direct messages.

Tue Jun 28 attrition.org says: oh @sambowne .. can you give me a security contact at ccsf.edu please? need to report something troubling.
Tue Jun 28 attrition.org says: @sambowne after being transferred twice, I got 2 contact addresses @ccsrf.edu to report a sec problem to. neither were you..
Tue Jun 28 attrition.org says: @sambowne after I send this e-mail to them about the security problems, next call is to find the ethics panel contact information
Tue Jun 28 attrition.org says: Very fast reply from IT @ ccsf.edu, they are looking into what I reported already. They confirmed @sambowne is not a proper sec contact.
Wed Jun 29 attrition.org says: So called “whitehat” @sambowne -> “This person has protected their tweets.” Running from honest questions Sam?
Sun Jun 26 zookus says: “@attritionorg: @sambowne you going to explain how you and/or your students are finding these issues?” I too am very interested.

The direct messages between us were brief, but troubling as I said:

to sambowne – I am serious. Can I get a security contact for ccsf.edu please? Ran into what I consider a serious issue on the web site. 9:51 PM Jun 27th
from sambowne – Please tell me what you have found. 10:11 PM Jun 27th
to sambowne – I cannot validate that you are the appropriate security contact for the City College of San Francisco. Monday, June 27, 2011 10:17:24 PM

Rather than help me find a designated security contact at his college, he asked me for the information. Per ethical and responsible disclosure guidelines, I did not provide him the information. Before you get on my case about him being an employee there, remember that Sam himself would have done the same thing.

Mon Jun 27 Sam Bowne says: The general wisdom I have told my students is not to even bother without an introduction to a real security contact inside.

The security contacts provided to me during my phone call confirmed that Sam was not a designated contact, but helped them from time to time by sharing information. In the long run, I was right to follow responsible disclosure and not distribute the information to a non-security contact at the affected organization.

From: Brian Martin (bmartin[at]attrition.org)
To: xxxxx[at]ccsf.edu, xxxxxxxx[at]ccsf.edu
Date: Tue, 28 Jun 2011 18:30:06 -0500 (CDT)
Subject: Possible security problem in ccsf.edu website

[security contacts];

I received your e-mail addresses after calling the school and asking who I 
should report this to. Please forgive me if you are not the appropriate 
contact, and either forward this information to the correct party or let me 
know who I should contact.

While performing a search of your website, I ran into an oddity that may 
have security implementations. To reproduce:

[..]

From: Txxxx Rxxxx (xxxxx[at]ccsf.edu)
To: Brian Martin (bmartin[at]attrition.org), Gxxxx Vxxxx (xxxxx[at]ccsf.edu)
Date: Tue, 28 Jun 2011 16:36:30 -0700
Subject: Re: Possible security problem in ccsf.edu website

Brian-
Thanks for the info, Gxxxx and I sit next to each other and will look into the 
issues you have raised. Sam Bowne is a Faculty Member in our academic Computer 
Networking Department (CNIT), he is not part of our internal security team 
although he does research into security-related topics and regularly shares 
information with us.

In the end, it wasn’t anything sinister or unethical. Sam was simply performing a “Cold Calls” experiment, in which he was reporting published vulnerabilities to companies that likely were not aware of it.

Given everything I had seen: asking for security contacts at organizations in a way that suggested he may be live testing, comments suggesting he saw a code of ethics as somewhat flexible, pretending to be a security contact when he wasn’t, and ignoring any question related to the fiasco, the evidence suggested to me that he was making the transition from Samdalf the White to Samdalf the Gray. Why he didn’t send me an e-mail or DM saying he was working on a project, or merely “getting info from a public web site”, confused me. I am certainly happy that he is staying on his ethical kick, but would fully encourage him to work on his communication skills.

Rebuttal: Paul C Dwyer, ICTTF and LulzSec

[This was originally published on attrition.org. This is a rebuttal piece to “Lulzsec Hits ICTTF?” (June 26, 2011) by Paul C. Dwyer.]


Apparently, the now-notorious group “LulzSec” attacked the International Cyber Threat Task Force (ICTTF), despite no mention of the attack on their Twitter feed or their various pastebin.com releases. I certainly hope the attack really did happen, and that Dwyer is attributing the attack to the correct person(s). Otherwise, making up an attack as an excuse to write an insipid blog reply is sleazy.

Firstly, let’s get some context on this. The ICTTF International Cyber Threat Task Force is a not for profit organisation formed as a “Cyber Security Community”. The general purpose is to promote and assist with the fight against cyber threats. That is cyber criminality, cyber warfare and cyber scum (pedophiles, stalkers, etc)

You clearly define the ICTTF mission as fighting against cyber threats, particularly “cyber criminality”. Yet you go on to say that “I am not going to share any of the attack details with [law enforcement]”. Why wouldn’t you? The FBI has a case open on LulzSec and is always willing to take information and tips to assist their investigation. Why would you state your purpose and immediately defy it? This only makes me think that the attack did not happen, you did not collect information and this is only being used as publicity for your group. If true, you can claim success; I had never heard of your organization before this.

Our site has been hugely successful and positively received around the globe. With up to 30,000 visitors a day and over 1,000 members around the world we are going from strength to strength.

An organization like yours should measure success in the number of bad people you helped get rid of. So, Paul, how many paedophiles, stalkers or cyber criminals have you helped put away? Do you have any proof of whatever number you throw out as a response?

So recently we received a number of emails purporting to be from Lulzsec threatening to take down the site. Yaaaaawwwwwwwwwn!

Purporting to be? In case you had your head in the sand, you should know that many claims made on behalf of LulzSec were debunked. The group said many times “That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.” I don’t recall seeing the ICTTF or your name being mentioned on their feed. Based on that, since you only received e-mails, I believe you were not the target of LulzSec at all, rather impersonators.

DDoS and LOIC attacks and such like are about as intellectually impressive as boasting about the size of the breasts on your avatar girlfriend! They proved only that you managed to follow the 2 min video tutorial. The fact that you had to use a video to teach you tells us how great you are. BTW That was ‘sarcasm’. oooops three syllables maybe I’ve lost you now?

I haven’t seen this much virtual dick waving since .. days ago, watching all the hackers drop each other’s docs and shit-talk each other. You are proving yourself to be their intellectual equals, by your standards.

Now if these recent attacks were Lulzsec or a pseudo copycat Lulzsec it doesn’t really matter. Who cares! The MO’s are pretty similar and unsophisticated.

Anyone with a shred of integrity cares. Anyone who believes in the concept of “innocent until proven guilty” cares. Your blog title maligns LulzSec, despite you having absolutely no evidence it was really them. You then say it doesn’t matter if it isn’t really them, because they are all essentially the same. Are you a security professional or a bigoted fraud?

I am not going to share any of the attack details with LE, suffice as to say the hop through the Pfizer server in NY was a mistake. Judging by the amount of “shemale” porn on your desktop you are a little confused in life. My apologies for switching on your webcam last night but it was the only way I could take a picture of you! Put it this way, you are young so don’t make more mistakes that may change the direction and path of your life. At ICTTF we do not dial 911

So you traced an attack against your system to a server in NY, then immediately jumped to what the attacker had on his/her desktop. Either this is bullshit grandstanding, or you just admitted to felony computer crime on the ICTTF blog. Maybe someone should report you to law enforcement. Last I heard, they do not take kindly to acts of vigilantism. Your ad hominem attacks against their supposed lifestyle choices are not taken kindly by a lot of people either.

If you didn’t report this to LE, did you at least give Pfizer a heads-up so they can try to fix their system? If not, remind me what the ICTTF mission is again?

You, sir, are a raging jackass.

Rebuttal: Ponemon on Network Breaches [Richmond/Ponemon]

[This was originally published on attrition.org. This is a rebuttal piece to “Security Professionals Say Network Breaches Are Rampant” (2011-06-22) by Riva Richmond (@rivarichmond) of the New York Times.]


The Ponemon Institute does not command much respect in many InfoSec circles. Like other ‘research analysis’ firms (e.g., Gartner), their reports rarely provide any insight or information that hasn’t been known for years by security practitioners. To C-level executives that prefer to read the sports section before articles pertaining to security, their papers are undoubtedly “eye openers”. Peddling common knowledge to these executives for thousands of dollars does not seem ethical to me, but if people are willing to pay…

Case in point:

There has been a flood of news about hacker break-ins at companies. But how bad is the situation really?

Significantly worse than the headlines suggest, and getting worse still, a new study from the research firm Ponemon Institute suggests. The study says breaches are rampant and occurring much more often than is publicized.

This is not news to anyone following security, and really should not be news to anyone in the business sector either. For decades, it has been proven time and time again that many breaches go unreported. Many only see the light of day after word slowly leaks out, an employee mentions it in passing, or fraud occurs as a result of the breach. In recent years, data breach notification laws have forced more companies to fess up when a breach happens, giving us a better look at the frequency of such breaches. Of course, this only counts toward the breaches that are known. Bad guys frequently compromise a network and perform no activity that would warrant detection, do not exfiltrate data, or if they do copy data, don’t use it in a manner that would be detected (e.g., mass credit card purchases, identity theft, etc.).

Breaches have been rampant for years. Compromises that may or may not have involved the breach of sensitive data have been staggering for years. Zone-H.com shows almost 50,000 incidents (mass defacements generally don’t count as separate intrusions) in the last decade. Does Ponemon consider this when making the statement above? Or would Richmond / Ponemon like to qualify what “publicized” means to them? Just because you don’t look at a given publication, doesn’t mean it wasn’t publicized.

The firm’s survey of 581 security professionals at large companies in the United States, Britain, France and Germany found that 90 percent of them had at least one breach in the last year and 59 percent had two or more. And the costs are mounting; 41 percent of break-ins cost more than half a million dollars.

41% of break-ins cost more than half a million dollars. This is a staggering number, one that certainly makes the reader pay attention. In reality, it is your duty to question that number. Where did the damage figure come from? Did the random security professionals at large companies claim this? Did they have any backing for the damage figures? Are there public records in SEC filings and court records that verify even a fraction of the 41%? Hey Ponemon, you are a ‘research’ center, you did research and fact-check this… right?

The topic of inflated damage figures for computer crime goes a long way back. As far back as 1999, I was ranting about the topic and showing how numbers appear to be arbitrary. In subsequent years, it was demonstrated that the damage figures in the Mitnick case were severely inflated, and that the companies and prosecutors making the claims could not back the figures when pressed to do so.

Given the diversity of a “break-in”, the notion that so many cost “over half a million” dollars sounds unreliable at best. If a web server is defaced, the incident response likely does not cost that much. If a large-scale intrusion into the network happened at a global organization, that number could easily be more than 1 million. There are simply too many unknowns for anyone to come up with accurate numbers, so many fudge them and lean on the side of “spectacular” rather than “cautious”. Since Ponemon does not disclose their survey methodology or publish their questionnaire, we cannot even see how these numbers may have been reached.

Indeed, hackers are increasingly staging targeted attacks aimed at stealing something specific, said Larry Ponemon, founder of the institute. They study the target, find an opening and then quietly get in and out. Most are mercenaries, members of criminal syndicates or representatives of unfriendly countries, he said, and their attacks “are much more stealthy and much more difficult to identify.”

Three words for you Larry, and get used to them: CITE YOUR SOURCES!

How can you say with any certainty that “most are mercenaries, members of criminal syndicates or representatives of unfriendly countries”, if they “quietly get in and out”? How can you say anything about their demographics if they were undetected? You can’t, so you make it up to scare people, all the while profiting heavily off your “research”.

About 60 percent of respondents said they were able to identify the source of at least some of the attacks suffered by their organizations. They traced 34 percent of them to China and 19 percent to the Russian Federation.

As you are an adjunct professor for ethics and privacy at Carnegie Mellon University’s CIO Institute, I find it ironic that you don’t feel compelled to qualify this statement more. I would go so far as to say that you are being unethical by omission. Organizations “traced” these attacks simply by observing the IP address of the attack. As anyone with a couple months in security knows, that does not necessarily tell you where the attack originated. Many criminals compromise systems in specific countries for a variety of reasons, including disinformation. An American criminal launching an attack against an American corporation via a compromised system in China is smart, and has absolutely nothing to do with the attack being from the Chinese.

Nearly half of the breached companies surveyed by Ponemon suffered a damaging loss of data, which “speaks volumes about the mindset of the attacker community,” said Karim Toubba, vice president of security strategy at Juniper, which sponsored the survey.

This is perhaps the most telling line in the entire article. Juniper, a company that offers a wide variety of security solutions, sponsored this survey. The higher the number of breaches, the higher the number of damages, the better it is for a security company looking to sell solutions. Notice that while Juniper links to the survey from their page linked above, they do not make it obvious that it was a sponsored survey? “Press Releases: Ponemon Institute Survey Finds 90 Percent of Businesses fell Victim to Cyber Security Breach at Least Once in the Past 12 Months”

For a sponsored survey like this one, it is that much more important that the methodology be published for peer review. Let the industry see what questions were asked, if they were leading or if they were unclear. If you don’t, then we can only assume this is one big circle jerk between Ponemon and Juniper to drum up business for both companies, not a meaningful survey to our industry.

There’s certainly little reason to talk when, as the Sony case has shown, news of your vulnerability might make hackers hit you harder, customers lose confidence in you and your stock price drop.

For a New York Times reporter, one has to question the author’s professionalism. Saying that the recent Sony compromises led to a stock price drop is a bold statement. More so when you don’t disclose that their stock had been steadily dropping since March 1, a full month before the first DDoS attack against Sony. While the GeoHot lawsuit, negative press coverage and resulting attacks likely did hurt them, there is strong evidence that more issues were at play. It is ironic that Richmond links to a New York Times article about Sony’s earnings that does not mention stock movement, but cites a reason for significant losses: the tsunami that recently hit Japan.

Your own article links to evidence suggesting you are not aware of the whole story, and have not looked at the subject matter closely. Disappointing to say the least.

Rebuttal: Northrop Grumman, Cyber-gangs, APT and 0-day [Messmer]

[This was originally published on attrition.org.

This is a rebuttal piece to “Northrop Grumman constantly under attack by cyber-gangs” (June 21, 2011) by Ellen Messmer (@EllenMessmer), Senior Editor at Network World.

Warning: Due to Northrop Grumman, Timothy McKnight and Ellen Messmer’s use of inflammatory words like “Advanced Persistent Threat” and the mis-use of “zero day”, the witnesses will be treated as hostile.]


The fact that this article stems from a talk at a Gartner conference is the first warning sign. Gartner is not known for useful, timely or accurate analysis in many security circles.

About a dozen separate legions of organized hackers have been diligently attempting for years to break into aerospace and defense company Northrop Grumman to steal sensitive information, the company’s chief information security officer (CISO) said at a Gartner security conference here.

“These advanced attacks have been going on for several years,” said Timothy McKnight, vice president and CISO at Northrop Grumman, during a panel discussion on the topic of the “Advanced Persistent Threat,” (APT) the term often used to describe attacks by hackers determined to break into companies and government agencies with the goal of stealing intellectual property or other sensitive information.

The introduction sentence comes across as if McKnight thinks his company is special or different. On the off chance he believes so, let’s clear that up real fast. Bad guys have been attempting to break into tens of thousands of companies for years, decades in some cases. Back in the day, vendors like Sun Microsystems, operating system creators like Microsoft and service providers like Hushmail have been targets. A wide variety of bad guys, some more persistent than others, spent weeks, months and years trying to break in. This is how the Internet works. That statement ranks right up there with “TCP/IP is the backbone protocol of the Internet” to me. Both statements are equally known and equally boring.

Second paragraph, things go downhill quick. First, using the term APT makes you an idiot who buys into marketing terms that have nebulous meanings (or someone whoring to an industry that relies on everyone using the same poor term equally). Case in point, you assign ‘APT’ to hackers “determined to break in” “with the goal of stealing intellectual property or other sensitive information”. Most idiots use APT to brand an attacker on the grounds of being advanced (e.g., “that SQLi was totally advanced, we couldn’t have stopped it!”), persistent (e.g., “they attacked us, and only us, for three weeks trying to get a foothold in the door”) or a threat. Wait… if an APT is a threat, and an APT keeps breaking into places like RSA, Lockheed, or the Department of Energy, why are you still calling it a threat? At what point does it become an APPWFU (Advanced Persistent Person Who Fucked Us)?

Since you don’t mention any actual compromises, are they really advanced? Are they really a threat to you if you are so easily detecting and thwarting these attacks? It sounds more like you are setting the stage to proactively blame your next compromise on an “APT”. Don’t worry, we understand, we did the same thing.

The cyber-intelligence group at Northrop Grumman keeps a tally of forensics on attacks emanating from the groups that each work as a team “waking up each day to get into Northrop Grumman,” McKnight said. “We can tell what their attack procedures are, how they write the malware.”

The typical attack methods are attempts to compromise user machines through zero-day vulnerabilities. While about 300 zero-day attack attempts were recorded last year, the pace has ramped up enormously where it’s not uncommon to see zero-day exploits coming in at 11-minute intervals.

This is very telling, Timothy, that you really don’t have much of a clue about security, and that any pretend-metrics or statistics you throw out are absolutely meaningless. When you say these dastardly attackers are writing malware, that means one thing. When you suddenly transmogrify that into zero-day vulnerabilities, and further claim there were 300 zero-day attacks last year, you firmly demonstrate you don’t know the definition of these terms you casually throw about. Further, it means the “Senior Editor” of Network World doesn’t validate any of the spew being offered by a source. No attempt to sanity check his comments, no attempt to define the terms to make sure they are offered in the correct context.

A zero-day (0-day) vulnerability is one that has not been published; the security community doesn’t know about it, it isn’t listed in vulnerability databases, and there are no vendor advisories about it. Detecting 0-day in an attack is not easy. If Northrop Grumman really did detect 300 zero-day attacks last year, and sees one every 11 minutes, then it is their duty to report them to vendors. The fact that we haven’t seen the company credited in advisories from Microsoft, Apple or any other vendor seems to confirm my suspicion that McKnight is mixing “zero-day” with “any garden variety attack that has been published”. Unless all of those attacks are against Northrop Grumman created applications, in which case it simply isn’t believable you’d have that bad of programmers and that good of security staff. So Timothy, are you (A) an idiot or (B) the most unethical toad the security industry has ever seen, sitting on nearly 500 zero-day vulnerabilities that are likely being used against other companies this very second? There is no (C) answer.

This is why CISOs should be kept on a leash, away from journalists.

In March, RSA acknowledged it was hit by an APT attack that resulted in the theft of undisclosed information about its SecurID product. The problems only seemed to grow.

Really, if an attack is successful, when isn’t it an “APT”? It was obviously more advanced than your security, just persistent enough to work (even if it was all of an hour long) and clearly threatened you in some way. Seriously people, drop this bullshit term. If you don’t, we can use it as a good litmus test to ferret out the idiots in our industry. As $someone wrote, “hacking is what happens to other people, APT is what happens to us”.

This is another key area that Messmer screwed up. Why let RSA get away with this? “Theft of undisclosed information” is factually incorrect. The bad guys know what information was taken. RSA knows what information was taken. It was disclosed to two parties when it happened. Qualify that statement to “undisclosed to RSA’s paying customers” (without signing a restrictive NDA) and hound them for details. Take them to task for keeping it secret while only offering bits and pieces as public pressure demands it. Remind your readers that their silence is putting their customers in jeopardy every single day.

Lockheed Martin recently disclosed that it was hit by an attempted APT that in part made use of this stolen information related to RSA SecurID tokens. Lockheed does not believe that the attackers managed to steal sensitive information, however.

Really?! Now we have “attempted APT”? Which is it.. attempted to be advanced, attempted to be persistent, attempted to be a threat, or they attempted all three? If this doesn’t prove how overblown and misused this term is, then keep using it so we know who to feed to the zombies first.

Rebuttal: The difference between curmudgeon and curmudgeon [@shrdlu]

[This was originally published on attrition.org. This is a rebuttal piece to “The difference between curmudgeon and curmudgeon.” (May 27, 2011) by shrdlu, which is itself a reply of sorts to my reply to Bill Brenner’s “Take the word curmudgeon and shove it” rant. Blockquoted material is from @shrdlu.]


“It’s about maturity, which is a very different beast.”

According to the dictionary, mature is defined as “fully developed in body or mind, as a person: a mature woman”. Suggesting that less-than-polite replies to someone in the industry are immature is presumptuous. Being mature and taking shots at someone are not mutually exclusive. In fact, I argue that a mature person can very well reply to someone in a variety of ways, and a so-called immature response is simply one of those choices.

“In my more than 25 years in the industry, I’ve seen the attitude promulgated that if you’re smart and have skillz, it’s okay to be an asshole. That it’s somehow okay to hurl insults under the guise of “educating” someone and that they should be grateful for it. That caring about something gives you permission to display your bad temper for all to see, because you’ll make up for it by doing something really cool.”

In your 25 years, apparently you didn’t learn logical argument as you heap a load of extra caveats and definition onto a term that no one else has brought up before. I even went out of my way to define exactly what a curmudgeon was, at least in the context of these articles, and you ignored it completely. That is immature if you ask me. Instead, you describe an egotistical asshole, not a curmudgeon.

It is also amusing that you throw out your “25 years” as a way to command respect, and berate people who think that because of their time in the industry they are “entitled” to insult others. Is it fair that you say tenure does not give them the right to insult others, but want people to respect your opinion and your right to insult them based on your tenure?

“There are plenty of egotists in the industry who think they’re entitled to a free pass on manners, and when I’m hiring, I steer clear of them, because there are just as many genius-level hackers who can also manage to behave themselves and work cooperatively with others without starting brawls.”

Apparently, as a manager, you are unable to understand that people can be very different on and off work. You imply that somehow, someone who shows the levels of immaturity that you assign to curmudgeons couldn’t possibly behave themselves or work cooperatively. This is baffling to me, as I could provide a list of managers I have worked for that will tell you otherwise. Each of them knew full well who I was off work, what I wrote and how I behaved.

Your comments also remind me of those insipid and ignorant managers who made absurd claims like “I only hire whitehats!”. Because they shoved their head in the sand and opted not to consider what an employee may do outside of work, they somehow thought their hiring practices were solid and they couldn’t possibly hire a person that leads a dual life. It’s amazing how many of those managers were employing what many now call ‘gray hats’; white hat by day, black hat by night.

“Nobody would call Jayson Street a n00b or naïve, and yet he also tries to help wherever he can without being a jerk about it.”

Did you say something about 25 years? This comment suggests you have been in the industry for a year or two at most. I personally think Jayson Street is both naïve and a n00b. There, your article is factually incorrect. Before you go off on some silly notion that I am the only one, let me stop you in advance from embarrassing yourself. There are a lot of people in our industry that think the same. Many are not vocal about it because Jayson is well-liked for being a “nice guy”, but not well respected because of his past actions (e.g., some of his presentations, the ‘Dissecting the Hack’ fiasco, etc.).

Like many people, your judgement is clouded because you like him as a person, not because you are objectively evaluating his expertise.

“There is absolutely no need to sully enlightenment, integrity, openness and honesty by adding rage (and let’s call it what it really is: a temper tantrum).”

There is a distinct line between throwing some snarky comments, showing a healthy level of disdain, and a temper tantrum. Your blurring of the lines is self-serving and undermines the point you are trying to make. If I throw out a few tweets with curmudgeonly remarks, or even ones that would qualify as rude or filled with mock-rage, it isn’t a temper tantrum of any sort. It may be something as simple as mild annoyance or creative writing to make a point.

“Every honorable goal that security professionals have – be it research, defense, development or education – can be achieved without stomping on fellow humans in the process.”

That is certainly a good point. But you also forget about what happens in our industry when we forgo those negative emotions and actions. It makes us unwilling to look past “he’s a nice guy” to see “he doesn’t know jack shit”. That in turn leads to a common acceptance of a person that would otherwise be considered a charlatan by most people’s standards. A bunch of nice people in a group doing nothing but patting each other on the back and lobbing compliments to each other isn’t conducive to a critical and skeptical body capable of honest peer-review with integrity.

“Age does not confer the right to bully others under the guise of “educating” them; nor does any level of experience or knowledge. No matter how much you’ve contributed to the state of security (or think you’ve contributed – watch that ego again), you still don’t get a pass on any bad behavior, and your lack of social skills is not a badge of honor.”

In so many words, in your article, you have called curmudgeons (by your skewed definition) immature, assholes, ill-tempered, egotistical, uncooperative, combative, ugly, childish and bullies. Remind me again what your entire article is ranting about? Oh, that’s right.. curmudgeons that you brand with the same traits exhibited by yourself. I don’t see any difference between your claims of their actions and your own as far as criticism and bullying.

Now, based on the above.. am I a curmudgeon (my definition, not yours) or an asshole for pointing all of this out?

Rebuttal: LulzSec Ups The Ante

[This was originally published on attrition.org. This is a rebuttal piece to “Lulzsec Ups The Ante” (June 16th, 2011) by Brian Honan.]


Reading Honan’s article will set the stage and provide backstory as to the topic at hand. Honan goes on to offer his opinion and commentary on the events surrounding LulzSec and their activities of breaking into systems and frequently disclosing all of the details. Honan and I have had some productive exchanges on Twitter regarding his piece, but 140 characters isn’t cutting it. Blockquoted material is from Honan’s article.

“They claim to be highlighting how weak the security of these organisations is and to teach them a lesson in how to secure their systems. By any logical reasoning this is not a valid argument.”

First, they are highlighting the weak security in these organizations. This is not a “claim”, this is a fact. Breaking into a company, copying their sensitive data and then publishing it to the world demonstrates beyond doubt that some type of security lapse occurred. Second, “by any logical reasoning this is not a valid argument” is in itself illogical. LulzSec’s actions are logical; they break in, take information and publish it, demonstrating a security problem. That is logical. This is a matter of you just not agreeing with their tactics or logic, not the absence of logic.

“If you were to equate this to real life it would be similar to someone breaking into your house and leaving a note on your kitchen table to tell you that the lock on your front door was weak and while they are at it, taking some private information and posting it on a noticeboard for everyone to see.”

This is a very poor analogy. What household has the personal information of 200,000 people lying on the kitchen counter? Brian changed his analogy, asking what if we change the average home to an average business premises? Then we don’t need an analogy! This is exactly what is happening; the only difference is between breaking an application / network and breaking a window to get to the information.

“There is also the matter that in a number of cases Lulzsec has posted the personal information of the customers of the sites that were breached onto the Internet which now poses a security threat to those individuals. There are more ethical and acceptable ways to make companies aware that their security is not up to scratch and does not involve putting innocent people at risk.”

Honan is right, there are more ethical and acceptable ways to make companies aware of security lapses. However, there are three points you miss:

1. The security profession at large has been trying to do this for over 30 years with very limited success. Even now, we see breaches due to really basic vulnerabilities that have been reported for years. Parameter tampering should not exist in any application, especially banking, yet it does. Citi is a company that spends a ridiculous amount of money on third-party auditing of their applications, yet this somehow slipped through the cracks. How long must we stand on soapboxes and demand better security? How long must we play the responsible disclosure game to vendors that don’t learn from their mistakes? At what point can researchers finally be absolved of the responsibility and burden of caring about security when the vendor doesn’t?

While breaching a company and publishing sensitive information is not ethical, it is acceptable to some people (like LulzSec and others).

2. The act of disclosing a list of credit cards or passwords can easily be argued as a form of dysfunctional public service. Consider the whole picture; a company had personal information, kept it in an insecure manner and did not adequately protect it. If a criminal hacker took the information quietly, it may take months or a year to learn of the loss as investigators finally connect the dots to determine the source of the leak. In this case, LulzSec or any other group that takes the information without a financial motive immediately tells the world of the problem. Consumers are now immediately aware of the issue and can proactively protect themselves against abuse. The vendor can change passwords or issue new credit cards quickly, before a significant amount of abuse occurs. Neither scenario is enjoyable, but one way informs the consumer immediately; something that 5 years of growing breach legislation is finally forcing companies to do.

3. You say “does not involve putting innocent people at risk” in a manner that suggests you are ignoring who really put the consumer / end-user at risk in the first place. LulzSec didn’t put innocent people at risk; they made public the fact that people were already at risk. The blame lies with the vendors that are not taking adequate measures to secure sensitive data.
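As an added illustration of the “parameter tampering” class mentioned in point 1 above (example code written for this page, not code from Citi, LulzSec or any breached site; the account data, request shape and handler names are constructed), here is a toy account lookup that trusts a client-supplied account number, beside the fixed version that resolves ownership from the server-side session. The attacker simulation walks a sequential id space the way a tampering attack does, so you can see what each handler leaks:

```python
"""
Parameter tampering / insecure direct object reference in a toy account
lookup, beside the fix.  Added example: the data, Request shape and
handler names are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample data: account numbers are sequential and predictable,
# and the client sends one as a request parameter.
ACCOUNTS = {
    "100001": {"owner": "alice", "balance": 1250.00},
    "100002": {"owner": "bob", "balance": 88.40},
    "100003": {"owner": "carol", "balance": 20310.75},
}


@dataclass
class Request:
    session_user: str   # identity established server-side at login
    params: dict        # everything here is under the client's control


class Forbidden(Exception):
    pass


def account_view_vulnerable(req: Request) -> dict:
    """Trusts the client-supplied account number: any logged-in user can
    read any account simply by editing the parameter."""
    acct_id = req.params.get("acct")
    acct = ACCOUNTS.get(acct_id)
    if acct is None:
        raise KeyError("no such account")
    return {"acct": acct_id, "balance": acct["balance"]}


def account_view_fixed(req: Request) -> dict:
    """Authorizes the object against the session before returning it.
    Unknown id and wrong owner produce the same error so the endpoint
    cannot be used to enumerate which ids exist."""
    acct_id = req.params.get("acct")
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != req.session_user:
        raise Forbidden("account not accessible to this session")
    return {"acct": acct_id, "balance": acct["balance"]}


def enumerate_accounts(handler, attacker: str, start: int, count: int) -> list:
    """Simulates an attacker iterating the id parameter with their own
    valid session; returns the ids of other people's accounts the
    handler handed over."""
    leaked = []
    for n in range(start, start + count):
        req = Request(session_user=attacker, params={"acct": str(n)})
        try:
            resp = handler(req)
        except (KeyError, Forbidden):
            continue
        if ACCOUNTS[resp["acct"]]["owner"] != attacker:
            leaked.append(resp["acct"])
    return leaked


if __name__ == "__main__":
    # bob is a legitimate customer who edits the acct parameter.
    print("vulnerable leaks:", enumerate_accounts(account_view_vulnerable, "bob", 100000, 10))
    print("fixed leaks:     ", enumerate_accounts(account_view_fixed, "bob", 100000, 10))
```

The fix is the boring one the industry has been preaching for years: never let the client name an object without checking, on the server, that the authenticated session is allowed to see that object, and do not let the error path distinguish “doesn’t exist” from “not yours”.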

“It appears [LulzSec] launched a Distributed Denial of Service (DDoS) attack against the CIA website, http://www.cia.gov. At the time of writing the CIA website is not reachable.

I suspect that they may have tried to breach the website but were unable to do so and as a result have simply blocked all traffic to the site.”

There is simply no evidence that LulzSec tried to breach the site. Evidence exists that their modus operandi was to DDoS the site, not try to break in. The last few days have seen the group launch DDoS attacks against a number of companies without any apparent attempt to break in first.

“This may not expose any sensitive information or breach the security of the site, but it does present a very embarrassing situation for the CIA.”

It is only “embarrassing” because, over the years, the media has not explained how DDoS attacks work. Everyone is vulnerable to saturation attacks. Everyone. Claiming that the CIA should be embarrassed because someone with more bandwidth than they had took them down is like saying a person should be embarrassed because they got beat up by five larger individuals. Sometimes, there is nothing you can do other than accept the fundamental laws of physics.