From: Ruvi Kitov (ruvi@tufin.com)
To: webmaster@attrition.org, root@attrition.org, abuse@attrition.org
Date: Fri, 6 Jan 2006 13:31:12 +0200
Subject: A serious privacy problem with Attrition web site

Hi,
I just noticed on Google that the following page was indexed, and can be
accessed via the web:
http://attrition.org/misc/ee/20050426-cissp.txt

It displays contact information for several hundred CISSP's. You may want to
hide this page, if you don't want to get sued by someone.
It seems that the entire directory http://attrition.org/misc/ee/ is
browsable (I guess this is how the breach occurred in the first place).

Best regards,
Ruvi Kitov


Ruvi Kitov
Tufin Technologies - "Making Security Manageable"
US Sales: 1-(877)-270-7711
International Sales: +972-3-612-8118
http://www.tufin.com




From: security curmudgeon (jericho@attrition.org)
To: Ruvi Kitov (ruvi@tufin.com)
Cc: Heathens (staff@attrition.org)
Date: Fri, 6 Jan 2006 06:50:55 -0500 (EST)
Subject: Re: A serious privacy problem with Attrition web site


Hi Ruvi,

: I just noticed on google that the following page was indexed, and can be
: accessed via the web: http://attrition.org/misc/ee/20050426-cissp.txt

Yes, it can.

: It displays contact information for several hundred CISSP's. You may
: want to hide this page, if you don't want to get sued by someone. It
: seems that the entire directory http://attrition.org/misc/ee/ is
: browsable (I guess this is how the breach occurred in the first place).

That file actually has the contact information for several *thousand*
CISSP's. We have no plans on hiding the page, and I'd love for you to cite
an example of the law that suggests I could be sued over it. It is
information that was made public by someone else, and we're just mirroring
it.

The entire /misc/ee/ directory is browsable, *on purpose*. That file was
put there intentionally, after the information was taken from isc2.org,
where the original "breach" occurred. The problem isn't with attrition, the
problem is with people having any faith in ISC2 maintaining a sense of
security. Oh, if you are interested, all of this stems from attrition.org
and several other sites having an April 1st hoax defacement [1], in which
we use the file above. This was done to show that ISC2 does not care about
the privacy of the people they sucker into paying for their certification.

It's curious that you contact attrition.org citing a 'security breach'
when it should be readily apparent that we have nothing to do with ISC2,
the CISSP certification program, or anything else to suggest this was
nothing but intentional.

Jericho

[1] http://attrition.org/attrition/hoax_defacement-05-04-01.html




From: Ruvi Kitov (ruvi@tufin.com)
To: 'security curmudgeon' (jericho@attrition.org)
Date: Fri, 6 Jan 2006 14:25:28 +0200
Subject: RE: A serious privacy problem with Attrition web site

Hi Jericho,
I personally have no issue with this, as I am not listed on the page. I
stumbled upon it when searching for an email address, after someone
contacted us for an evaluation.

I imagine that some of the people listed on this page would be concerned
about having their contact info listed (e.g., they'll start getting SPAM).
Usually, when you register your contact information in web sites, you assume
that it will not be posted without your explicit consent.

I assumed that you would want to hide this list (but apparently I was
wrong).

Regards,
Ruvi




From: security curmudgeon (jericho@attrition.org)
To: Ruvi Kitov (ruvi@tufin.com)
Date: Fri, 6 Jan 2006 07:29:01 -0500 (EST)
Subject: RE: A serious privacy problem with Attrition web site


: I imagine that some of the people listed on this page would be concerned
: about having their contact info listed (e.g, they'll start getting SPAM).

They already have! If they mail me and ask (without threats), I remove
them from the list without question. About a dozen have mailed so far.

: Usually, when you register your contact information in web sites, you
: assume that it will not be posted without your explicit consent.

Which it was posted, and *with* their consent from what I understand. You
had to opt in to be published on the CISSP roster. But when all of it ends
up in a single file (due to a bug in the ISC2 search engine), they cry
foul, go figure =)

The ISC2 search engine allowed wildcard searches for years. Search for 'a'
and it would pull back any name with that letter. Then we discovered you
could search for * and pull the entire list back. ISC2 fixed that and
tried to obscure the new system/scheme, but it took someone about 30
seconds to figure out a way around it and pull down a fresh list.

: I assumed that you would want to hide this list (but apparently I was
: wrong).

Nope, I am all for exposing what ISC2 did =)

Jericho
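The wildcard enumeration Jericho describes above (search for a single letter and every matching name comes back; search for `*` and the whole roster comes back) is the classic way a member directory turns into a bulk export. The following is an added example, not code from the original thread and not ISC2's search engine: a constructed roster of fictional members, the weak glob-style search that reproduces the behaviour described, and a hardened version that strips wildcard characters, requires a minimum number of literal characters and caps the number of results per query. All names, addresses, function names and thresholds are assumptions made for the example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Member:
    name: str
    email: str


# Constructed sample roster; every name and address here is fictional.
SAMPLE_ROSTER: List[Member] = [
    Member("Alice Example", "alice@example.test"),
    Member("Bob Example", "bob@example.test"),
    Member("Carol Example", "carol@example.test"),
    Member("Dan Example", "dan@example.test"),
    Member("Erin Example", "erin@example.test"),
]


def naive_search(roster: List[Member], pattern: str) -> List[Member]:
    """The weak design described in the thread: the user's input is wrapped in
    wildcards and used as a glob, so 'a' matches every name containing an 'a'
    and '*' matches the entire roster. No length check, no result cap."""
    glob = "*" + pattern.lower() + "*"
    return [m for m in roster if fnmatch.fnmatchcase(m.name.lower(), glob)]


# Hardening thresholds (assumed values for the example).
MIN_LITERAL_CHARS = 3   # reject queries that carry fewer real characters
MAX_RESULTS = 3         # never return more than this many members per query


class QueryRejected(ValueError):
    """Raised when a query cannot be turned into a safe literal search term."""


def validate_query(query: str) -> str:
    """Strip glob and SQL wildcard characters, then require that enough
    literal alphanumeric characters remain. Returns the cleaned search term."""
    literal = re.sub(r"[*%?_\[\]]", "", query).strip().lower()
    if len(re.sub(r"[^a-z0-9]", "", literal)) < MIN_LITERAL_CHARS:
        raise QueryRejected(
            "query must contain at least %d literal characters" % MIN_LITERAL_CHARS
        )
    return literal


def hardened_search(roster: List[Member], query: str,
                    limit: int = MAX_RESULTS) -> List[Member]:
    """Substring match on a validated literal term, capped at `limit` hits.
    Wildcards never reach the matcher, so a single query cannot enumerate
    the roster; large result sets are truncated rather than dumped."""
    term = validate_query(query)
    hits = [m for m in roster if term in m.name.lower()]
    return hits[:limit]


def rejects(roster: List[Member], query: str) -> bool:
    """Convenience helper: True if the hardened search refuses the query."""
    try:
        hardened_search(roster, query)
    except QueryRejected:
        return True
    return False


if __name__ == "__main__":
    print("naive '*'  ->", len(naive_search(SAMPLE_ROSTER, "*")), "members")
    print("naive 'a'  ->", len(naive_search(SAMPLE_ROSTER, "a")), "members")
    print("hardened '*' rejected:", rejects(SAMPLE_ROSTER, "*"))
    print("hardened 'ali' ->", [m.name for m in hardened_search(SAMPLE_ROSTER, "ali")])
```

The result cap matters as much as the wildcard filter: with a long enough roster, a query like `exa` still matches everyone, so truncating (and, on a real endpoint, rate limiting the client) is what stops the roster from being reassembled in a handful of requests.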




From: Cancer Omega (comega@attrition.org)
To: security curmudgeon (jericho@attrition.org)
Cc: Ruvi Kitov (ruvi@tufin.com), Heathens (staff@attrition.org)
Date: Sun, 8 Jan 2006 00:28:10 -0500 (EST)
Subject: Re: A serious privacy problem with Attrition web site

On Fri, 6 Jan 2006, security curmudgeon wrote:

> It's curious that you contact attrition.org citing a 'security breach' when it 
> should be readily apparent that we have nothing to do with ISC2, the
> CISSP certification program, or anything else to suggest this was nothing but intentional.

Ruvi does not appear to understand that ISC^2 is comprised of a bunch of fucking slope-browed 
retards who wouldn't know real computer security if it sucked their dicks and spit in their 
mouths.

Prior to April 1st of 2005, ISC^2 had a search "feature" (gack) that, through simple and 
perfectly legal use, unquestioningly divulged the entirety of its contents with just one 
alphanumeric character featured on every U.S. QWERTY keyboard.  Snagging the ISC^2's 
search-interface's projectile-vomit output and slopping its content as an ASCII file entailed 
about as much "hacking" as it takes anyone to fart the two opening notes of the theme to "Jaws."

So spare me this huge stinking pile of horseshit about this file being some kind of "security 
breach" already!  The next person who calls ISC^2's getting caught with its dick in its hands a 
"security breach" gets a free poke in the eye and a bonus kick in the nuts.

.c



From: Ruvi Kitov (ruvi@tufin.com)
To: 'Cancer Omega' (comega@attrition.org), 'security curmudgeon' (jericho@attrition.org)
Cc: 'Heathens' (staff@attrition.org)
Date: Sun, 8 Jan 2006 08:23:06 +0200
Subject: RE: A serious privacy problem with Attrition web site

Dear C,
You are right in your assessment that I know nothing about ISC^2 - I've
avoided security certifications so far in my short career.
I imagine that most people (even in the security world) are not aware of
ISC^2's privacy breach, and therefore would be alarmed (as I was) to find
attrition.org's mirror files. When the unsuspecting visitor wanders onto
attrition.org's site, it is difficult to determine whether the directory
listing is intentional or a breach.

I sympathize with your position on the privacy issue, and agree that ISC^2's
posting users' data is ridiculous.

On the legal side - someone may get pissed off one day, and sue both ISC^2
and Attrition.org for privacy breaches.

Good day,
Ruvi



From: security curmudgeon (jericho@attrition.org)
To: Ruvi Kitov (ruvi@tufin.com)
Cc: 'Cancer Omega' (comega@attrition.org), 'Heathens' (staff@attrition.org)
Date: Sun, 8 Jan 2006 01:29:40 -0500 (EST)
Subject: RE: A serious privacy problem with Attrition web site


: On the legal side - someone may get pissed off one day, and sue both
: ISC^2 and Attrition.org for privacy breaches.

They had to opt in to share that information on the web in the first
place.

Jericho



