As Attrition.org states, Jericho is a security curmudgeon, pimp, helicopter pilot, lighter thief, HTML nazi, cat herder, guinea pig relationship specialist and obsessive compulsive TV game show participant.
Jericho has been poking about the hacker/security scene for over 19 years (for real), building valuable skills such as skepticism and anger management. As a hacker-turned-security whore, he has a great perspective to offer unsolicited opinion on just about any security topic. A long-time advocate of advancing the field, sometimes by any means necessary, he thinks the idea of ‘forward thinking’ is quaint; we’re supposed to be thinking that way all the time. No degree, no certifications, just the willingness to say things many in this dismal industry are thinking but unwilling to say themselves. He remains a champion of security industry integrity and small misunderstood creatures.
Jericho delivered a talk at Black Hat USA and RVAsec about his hobby project Errata, which is almost 14 years old now.
The Attrition.org Errata project has documented the shortcomings, hypocrisy, and disgraces of the information technology and security industries. It exists to enlighten readers about errors, omissions, incidents, lies and charlatans in the security industry.
– Jericho, what types of your sources contribute the most information? What group of your sources is the most valuable?
– In the last year, it has been an even mix of comments via Twitter or email. While Twitter may be a bit more frequent, the emails typically have a little more information to go on.
– Among Errata's 7 categories – charlatans, companies, security companies, plagiarism, certified pre-owned, legal threats, statistics – which section consumes the most of your time? Do you see any growing activity in any category?
– Hands down, it is the Charlatans page. It requires the most research to ensure accuracy, verification of all sources, and ensuring it is as fair and balanced as possible. It also requires the most original authoring. If we had unlimited time or resources (e.g. personnel), it would be Charlatans.
– When does someone move from watch list to the Errata? What metrics do you use to determine the severity of a case and that it deserves a full article?
– It is a judgment call, so the decision is made as a group. Everyone gives feedback if they believe there is enough activity, and more specifically, enough *intent* by the person to do bad things. There are no formal metrics or guidelines, each case is too different.
– One charlatan was removed from Errata. Do you have anything else planned for removal?
– Actually, two have been removed. One from the watch list, one from the full list. Currently, there are no plans for additional removals. Those are done when the person(s) approach us to rationally discuss the page, show an interest in changing for the better, and work together to get them going in the right direction.
– You already had several sit-downs with your “heroes” which brought positive results. Do you plan more such discussions?
– I assume by “heroes” you mean charlatans. We generally don’t plan for such meetings; they happen when the person contacts us and wants to discuss further. In one case, it was someone who heard they were on the unpublished watch list. In other cases, it was someone already published who, as mentioned in my response to the previous question, wanted to improve.
– You are maintaining a blacklist, but in your opinion, which companies or individuals are the best in the security industry? Who do you look up to?
– The number of companies that actually do really well is so small, it’s hard to even list them. Publicly, as Errata / attrition.org, we cannot really endorse anyone. It would ultimately lead to problems with the perception of bias. If the company turned around and started doing bad, then we’re in a position of documenting someone we said was good.
– And who is the most dangerous – AV or other software or services or maybe individual “experts”?
– Each has its own attributes that make it dangerous. The single “expert” who gets on the news and is seen by millions can prove to be worse than a company with 500k customers.
– According to your stats, we see that auto fail stats by year are decreasing – what has changed? Do you think it will continue to decrease?
– Just the reported incidents we have documented have failed. We know there are a lot more incidents, but they tend to affect a much smaller group, or are fixed in very short order. When that happens, they tend not to make the news. I’d like to think that the QA process at these companies has improved over the years, and that past incidents taught them the importance of testing, which led to fewer incidents.
– Do you know of any progress with vulnerability disclosure standards?
– This is really a question for the OSF and the OSVDB project. While I am involved with that, I would rather it be kept separate from the Errata talk. To me, they are very different projects with different goals.
– Can you share any latest info on companies using your data from OSVDB or DatalossDB?
– The OSF has to answer that. I can say that yes, many companies are using data from both projects, but OSF has to give details.
– How often do researchers face legal threats and how dangerous are most legal threats?
– It doesn’t appear to happen that often based on the documented incidents. However, even one or two a year is depressing. In most cases, they are not dangerous per se, but they still pose a serious risk in the way of influencing future researchers. Every time there is a legal threat, researchers new to the field may see that and decide not to share their research, just to ensure they avoid such a hassle.