Archive for July, 2005

Lynn Presentation Mirrors

July 31st, 2005 by Quan Tranh

Boing Boing has a list of mirrors that have Lynn’s Cisco presentation for download. Special thanks to all the mirrors out there for taking the time and resources to keep this presentation in the hands of the public.


Category: Geek/Tech/Sci

Your Trusted Security Advisor NOT!

July 29th, 2005 by Quan Tranh

ISS and Cisco have demonstrated to the world that they are untrustworthy after hanging researcher Michael Lynn out to dry for doing what he felt was right at the time. During the late 1990s ISS’ slogan was “your trusted security advisor”. There was lots of cheerleading and fanfare that security was job one and the customer always came first. After seeing this latest demonstration of security being job one I’m certainly glad to see other companies take the lead in the security market space. It is very difficult to be a trusted security advisor if you are selling your own employees down the river and becoming very cozy with giants like Cisco and Microsoft. There was a time when ISS would not have held back on disclosing a newly discovered vulnerability. As time has gone on they have become, shall we say, big corporate. Making sure that money from Cisco continues to roll in is apparently more important than backing your own research, let alone your own researcher.

In several news articles Cisco has accused Lynn of illegally reverse engineering their IOS. One thing that nobody has pointed out yet, reading between the lines, is that Cisco went to ISS and asked their researchers to attempt to find vulnerabilities in IOS through reverse engineering. In my opinion it is kind of difficult to accuse someone of illegally reverse engineering your product when you asked them to. In my view Lynn was acting as an agent of ISS and fully had Cisco’s permission to reverse engineer their router software. The Cisco PR machine is cranking out victim propaganda faster than Osama bin Laden can crank out terror propaganda. As the old saying goes, be careful what you wish for because it might come true. Cisco should have been more careful.

Bruce Schneier has a wonderful editorial on the topic at his blog. I would have to agree that full disclosure is a necessary evil in the security world. In this particular case my blanket answer for the problem of letting the bad guys know about your vulnerabilities doesn’t really apply, but for the record here it is. If you are either a manager or an engineer in operations, it is your responsibility to make sure that all of your employer’s information systems are up and running, with no excuses for downtime or security breaches. With traditional operating system vulnerabilities it is not necessary to wait for a vendor to produce a patch. There are many IPS solutions available that allow you to create custom signatures. Astaro Security Linux, which uses Snort, is one that comes to mind. If a zero day vulnerability is revealed, then it is up to operations staff to download the exploit code and craft their own IPS signature to protect against said attack. Nobody is going to look out for you except yourself, and any person working in IT who believes that the vendor is going to take care of all their security problems with a magic patch is being naïve.

At the end of the day we’ll probably see Michael Lynn become a net legend and sales of Foundry and Juniper equipment begin to overtake Cisco.

Lynn’s Presentation can be found by reading this notice. It’s probably not going to be too long before this site has to take it down, but multiple copies are floating around on P2P networks.

Lynn’s Black Hat Presentation Via eMule P2P

Category: Geek/Tech/Sci

The Porn Tax

July 28th, 2005 by Quan Tranh

Some fools on Capitol Hill have introduced legislation creating a Porn Tax and Mandatory Age Verification. This is a tax and should be stopped. In addition it creates unnecessary expenses for the financial services industry. We should be reducing costs in the private sector, not driving up expenses which weaken our economy.

Dear Senators

I am writing to you concerning the Internet Safety and Child Protection Act of 2005. I ask that you oppose this legislation. First, it is a tax and this nation does not need any more taxes. Second, it requires that adult, for-profit websites use software to verify the age of users attempting to access them. Online merchants, banks, and credit card companies could not process payment transactions that are not age-verified. The FTC would be empowered to issue and enforce regulations pursuant to age verification. The second clause of the bill is redundant. A person must be 18 or older to acquire a credit card in order to make a credit card transaction. In addition, software to restrict the websites that minors go to is available for purchase at any electronics store. Finally, it creates a large degree of red tape for financial institutions. I see this legislation as a crutch for irresponsible parents who do not want to take the time to monitor their children’s activities online. We should encourage accountability for parents rather than letting them off the hook by doing something under the guise of “for the children”.

Category: Politics

Attorney General Declares War on Marriage

July 26th, 2005 by Quan Tranh

Nebraska Attorney General Jon Bruning has decided he wants to invade the bedroom of a couple by charging the husband for having sex with his wife. Ok the story is a little weird since it involves a 22-year old male and a now 14-year old female. They were legally married in Kansas, but AG Bruning is going out of his way to disregard the laws of other states.

He said the marriage is valid, thanks to the “ridiculous” Kansas law, “but it doesn’t matter. I’m not going to stand by while a grown man … has a relationship with a 13-year-old — now 14-year-old — girl.”

The legal age for marriage in Kansas with parental consent is 12 for females and 14 for males. In this case the girl’s mother consented to the marriage and both families are hoping to make something work. AG Bruning is making a very big mistake here. We are a country of laws. Any attorney should be enforcing the law of the land no matter how “ridiculous”. If Kansas law is sooo “ridiculous”, perhaps Bruning should run for office in Kansas and have the law changed.

Southern states have traditionally allowed marriage at very young ages due to the fact that they were once farming states. People getting married at 12 or 13 was not uncommon 100 years ago. I remember people getting married at 13 or 14 when I was in high school. It is unfortunate that poor families have to marry up the social ladder, out of poverty in rural communities, but this has been going on for hundreds of years. Often girls marry someone 5+ years older, and well meaning parents seem to feel that marrying their daughter off to someone who is established in their career and will be able to provide a life of less poverty is a reasonable solution. Finding romance in marriage is a post-WWII artifact that has taken hold in our society in a very short time. This is just a historical artifact that may or may not be outdated for the rural parts of the country.

Either way, AG Bruning needs to take a break. It’s nice of him to leave his contact info on his web site so we can tell him what an idiot he is for interfering with Kansas law. It’s even nicer that he has an 800 number so we don’t have to pay to give him a piece of our minds.

Attorney General Jon Bruning
2115 State Capital
Lincoln NE 68509
800-727-6432
Email

Category: Politics

Shocker: New Mexico, Cleaner Than Regular Mexico

July 25th, 2005 by Quan Tranh

Urban Outfitters has ticked off some people by marketing a shirt that reads “New Mexico, Cleaner Than Regular Mexico.” Yeah, whatever! Capitalism is what America is all about, and the stink over this less than clean shirt will surely drive sales through the roof.

Jose Quinonez of BlueLatino.org said “They need to remove that T-shirt [from its stores] because it’s offensive and soft racist. What I mean by that is that they don’t outright say it, but they allude to the ‘dirty Mexican.’” I believe Mr. Quinonez is suffering from an affliction that most Americans have. Most Americans seem to think that there is always some hidden meaning in anything that people say. This is why effective business conversation consists of a) saying nothing but gibberish, b) being so vague you can easily repudiate your statements if they offend anyone, or c) being so vague that you avoid offending others while not communicating your point. If the shirt plainly says “dirty Mexican” then that is what it says, no arguing that. The sad thing is most Europeans and Asians would not be able to find “dirty Mexican” in the caption on the shirt. I certainly don’t see “dirty Mexican” written anywhere, unless the new way of spelling it is “New Mexico, Cleaner Than Regular Mexico.”

The Anti-Defamation League is calling for a halt to the sales because the shirt implies that Mexico is a dirty place. I hate to break it to the Anti-Defamation League, but on an urban scale Mexico is a dirty place. You can’t dispute the fact that Mexico City is the most polluted place on the planet. Since Albuquerque can’t be higher than number one, the statement that New Mexico is cleaner than Regular Mexico is true. For some reason people are offended by the truth.

Category: Business, Entertainment/Sports

Dumb As A Bag Of Hammers?

July 24th, 2005 by Quan Tranh

I would assume that Mitch Wagner is speaking of himself in his post on Blue Security and their solution for dealing with the SPAM problem.

Denial-of-service attacks are illegal. They are, as a matter of fact, criminal acts. Of course, the company says it’s not launching a denial-of-service attack — it’s just complaining. It said so repeatedly, as a matter of fact. However, just saying you’re not doing something doesn’t count if you go ahead and do it — although life would sure be simpler if it worked that way.

It’s quite obvious that Mr. Wagner either didn’t read what Blue Security’s product does or has never been part of an organized letter writing campaign. Using this logic, organizing a group of like-minded individuals to write or fax your local politician would be a Denial-of-Service. Monopolizing the fax line for the purpose of speaking on a single issue sounds like it fits Mr. Wagner’s description of a DoS. Let us not forget that all those angry letters arriving in the mail end up wasting the staffers’ time, since they have to read those letters and then deal with all the paper lying around the office. I suppose one solution is to make it illegal to talk to your elected representatives, since that would be a Denial-of-Service.

It’s vigilante justice, and vigilante justice is wrong. If the law doesn’t suit you, fix the law. Vigilante justice leads to a breakdown of rule of law.

First you have to have a law and a law enforcement agency in order to have vigilante justice. There is no international law regarding SPAM and there are no international SPAM COPS. Vigilantism is commonly referred to as “taking the law into your own hands”, which is quite hard to do if there is no law. Mr. Wagner also does not take into account situations where the law allows citizens to act. The justified homicide clause in many state laws is one such example, Texas being the most forgiving:

§ 9.42. Deadly Force to Protect Property

A person is justified in using deadly force against another to protect land or tangible, movable property:

(1) if he would be justified in using force against the other under Section 9.41; and

(2) when and to the degree he reasonably believes the deadly force is immediately necessary:

(A) to prevent the other’s imminent commission of arson, burglary, robbery, aggravated robbery, theft during the nighttime, or criminal mischief during the nighttime; or

(B) to prevent the other who is fleeing immediately after committing burglary, robbery, aggravated robbery, or theft during the nighttime from escaping with the property; and

Now, I’m not advocating that we hunt down spammers and shoot them, but the people of the internet community are fed up with SPAM. There’s no telling how many states have laws where so-called internet vigilante justice may be acceptable under some obscure clause pertaining to some other act. In addition, I expect some city, county, or state legislators to begin legalizing some form of retaliation within reason, whatever “within reason” means to the local voters. Another issue with bringing people to trial for vigilante justice is getting a jury to convict. Even in states other than Texas, where it is not legal to shoot someone for stealing or vandalizing your property, many potential jurors believe that you have the right to your property regardless of what state law says and will acquit. Since many people are fed up with SPAM it is not unreasonable to expect a jury to acquit Blue Security and any citizen subscribers to their service of any wrongdoing. Jury nullification is within the rule of law, and some states such as Georgia allow jurors to determine fact AND law. I fail to see how Mr. Wagner’s statement that “vigilante justice leads to a breakdown of rule of law” is true in such cases where a jury believes that such action is socially acceptable.

Category: Geek/Tech/Sci

No Mods For Video Games

July 23rd, 2005 by Quan Tranh

In a statement, the Entertainment Software Rating Board’s chief, Patricia Vance, called on the industry to proactively protect games from illegal modifications by third parties, “particularly when they serve to undermine the accuracy of the rating.”

Great! What next, are we going to prohibit modding cars because of unexpected consequences? I believe the ESRB needs to get a clue. The rating is a “factory spec”. If somebody modifies the original how can you realistically expect it to be exactly the same? That would be like performing some engine and transmission modifications on a car and expecting the 0-60 time to be the same as it was from the factory. The whole point of mods is to change the original. Some people just don’t understand. I guess Patricia Vance isn’t Asian, otherwise she would have a tricked out Type-R Civic and a basic understanding of what modding is.

Category: Geek/Tech/Sci

CardSystems says it faces ‘imminent extinction’ | CNET News.com

July 22nd, 2005 by Quan Tranh

As I predicted, security can be the undoing of some companies. CardSystems realizes that they are doomed without Visa and American Express’ business.

CardSystems CEO Perry said card issuers have adequate penalties for violations such as the one that happened at his company. He called outright network expulsion “unprecedented.”

It may be unprecedented, but it’s long overdue in my opinion. If companies take chances with the financial lives of other people, shouldn’t their business partners take equal chances with their financial lives?

Category: Geek/Tech/Sci

Islamic Banjos

July 19th, 2005 by Quan Tranh

The religion of peace has once again shown compassion. The most mighty Islamic theological school in South Asia, Darool Uloom Deoband, has issued a fatwa against Imrana Ilahi and has ordered her to marry her rapist, who incidentally is her father-in-law.

“She had a physical relationship with her father-in-law, and it nullifies her marriage,” said Mohammad Masood Madani, a cleric at the theological school. He said it made no difference whether the sex was consensual or forced.

This is so backwards that you would think it happened in Alabama or Utah. Makes you wonder what goes on behind closed doors at all those Muslim boys’ schools in South Asia. It does give me an amusing idea. The next artistic project I have in mind is to make an Islamic version of the movie Deliverance. More memorable lines would go like “Allah says you sure have a pretty mouth!” or “Squeal like an Infidel!”

Category: Politics

The Price of Security

July 19th, 2005 by Quan Tranh

Today Visa and American Express announced they are no longer going to do business with Atlanta-based CardSystems. This is a good example of what should happen to companies who don’t protect customer data. If MasterCard and Discover pull out they’re as good as sunk. Let this be a wakeup call to any other companies out there who don’t take security seriously.

Category: Geek/Tech/Sci