On Jan 15, someone going by 'Rixstep Pwned' posted to Full-Disclosure taunting Rixstep for their 'Month of Rixstep Bugs'.
Until this post, I had no idea who or what Rixstep was, just that they seemed to be riding on a recent wave of other "Month Of" bug programs, specifically the Month of Apple Bugs, the Week of (Cancelled) Oracle Bugs and the Month of Linux Bugs. Lumping "Rixstep" in with Apple, Oracle and Linux just doesn't match, especially since they were quietly challenging others to find bugs in their products without posting such a challenge to any major mail list or security forum.
In response to this gimmick I posted an OSVDB blog entry on January 15 calling it a "lame gimmick".
-----Original Message-----
From: firstname.lastname@example.org
To: email@example.com
Subject: Lame Gimmicks
Date: Wed, 17 Jan 2007 10:51:48 +0200

> It's not a win-win proposition, it is a lame gimmick.

No it's not. We give software away. Period. People find bugs - not necessarily vulnerabilities, ANY BUGS - and we give them a software title they want. That's it. It's called 'quid pro quo'. It's also called 'win-win'. And your attitude is called 'anal retentive'.

John

PS. Our best to the fine state of Virginia. Grow up.
Jake had to ask the OSVDB moderators what the above mail meant, as he had been out of town on business. I replied "check the blog" since it was still the top entry, leading him to wonder "Why the hell is he bitching at me?" We suggested Jake reply and ask them to comment on the blog entry, and that we would approve it immediately.
From: jkouns (firstname.lastname@example.org)
To: email@example.com
Cc: security curmudgeon (firstname.lastname@example.org)
Date: Sun, 28 Jan 2007 23:02:02 -0500
Subject: Re: Lame Gimmicks

John--

Sorry for the delayed response... I have been traveling over the past couple of weeks and just now have the chance to respond. After reading your email it appears that you are a bit upset but I am not quite sure why you directed the email to me personally (considering I didn't post the blog entry about your contest). I would suggest that if you still feel strongly about the posting that you submit a comment to the blog. I will definitely ensure that it is approved so your response is posted.

However, since you have involved me in this..... I would ask one of the same questions Jericho posted on the blog. I understand that the contest is about finding ANY type of bugs but why not post the contest to some of the big security mailing lists (such as Full-Disclosure or Bugtraq)? Do you plan on posting results when the contest is finished?

Hope the contest has been successful.

Anyways... Virginia is fine.... little cold but fine.

--Jake
So Jake's mail came 11 days after Rixstep's original mail, and was polite but firm. Rixstep opted not to reply to Jake or me (in the CC) with any concerns or accusations. Due to long hours at my day job I fell behind on OSVDB updates and personal e-mail, ending up with over 3,500 mails (none spam) to deal with in some fashion. I eventually caught up, saw Jake's reply and sent one of my own.
From: security curmudgeon (email@example.com)
To: firstname.lastname@example.org
Cc: OSVDB Mods (email@example.com)
Date: Sat, 24 Feb 2007 05:51:06 -0500 (EST)
Subject: Re: Lame Gimmicks

On Sun, 28 Jan 2007, jkouns wrote:

It's been almost a full month, and John/Rixstep haven't addressed any comments to me, and haven't apparently posted any comments to the blog (or they were flagged as spam by the integrated WordPress system). You have to realize that this only reinforces the notion that the Rixstep challenge was nothing more than a PR gimmick riding the wave of the other "Month of X Bugs", right?

Again, we're not close minded or biased, we'll happily present both sides of the argument. But when the party being questioned doesn't reply to some basic and sincere questions like Jake (and I) asked, it's difficult to believe anything other than the original speculation.

Additionally, I'd love to know some of the backstory behind the Full-Disclosure thread/banter that directed me to the Rixstep challenge to begin with. Disgruntled employee, unsatisfied customer or something else?

Jericho
That mail went out on February 24 at 5:51a EST, after a month of Rixstep choosing not to reply to me via the blog or e-mail. Just under two hours later, Rixstep replied to me directly:
From: firstname.lastname@example.org
To: email@example.com
Date: Sat, 24 Feb 2007 14:45:17 +0200
Subject: Re: Lame Gimmicks

Christ Jesus you wee tosser - you got nothing better to do?

You really have personality issues, don't you? LOL

John
From: security curmudgeon (firstname.lastname@example.org)
To: email@example.com
Cc: OSVDB Mods (firstname.lastname@example.org)
Date: Sat, 24 Feb 2007 07:57:09 -0500 (EST)
Reply-To: email@example.com
Subject: [OSVDB Mods] Re: Lame Gimmicks

On Sat, 24 Feb 2007, firstname.lastname@example.org wrote:

: Christ Jesus you wee tosser - you got nothing better to do?
:
: You really have personality issues, don't you? LOL

I'm busy with my day job and providing security solutions to my clients for the past few months, causing my mails and replies to be considerably late. I *finally* get around to catching up on my *hobby* project (OSVDB.org) and send a quick mail to you and Jake (who you whined to even though he had nothing to do with the original comments). In return, not even two HOURS later, after my two MONTH late response, I receive this reply?

If I post this thread in full, who do you think will come across as not having anything better to do or having 'personality issues'?

Before you respond, consider that I have spent 10 minutes a month for the last 10 years pointing out the charlatans in the security industry. What has Rixstep been doing for the past ten years?

I'll gladly take on the title of 'tosser' if you will agree to take on the title of 'charlatan'. Deal?

Jericho
So, why post all this? Two good reasons. First, I'm all for exposing jackasses in our industry. Second, look at the Rixstep contact page, which warns people who mail them (much the same way attrition does):
* Correspondence deemed to be abusive or of a harassing or threatening nature or merely of an extremely stupid nature is not private property and will most likely be published for the edification and entertainment of site visitors.