Following the first part of our interview with Errata’s Jericho, this section covers more of his answers on the nuances of InfoSec blacklisting.
– Errata has a section dedicated to suspicious statistics, which various media outlets try to feed us. It’s a sad thing, but is there any room for amusement? What are the most absurd numbers you have come across?
– That section has not been updated in some time, for the same reason we had to stop updating ‘Media’ (articles). There are too many bad stats being passed off as legitimate. I occasionally blog in great detail about bad vulnerability statistics for OSVDB.
– What do you think of comments like: people write a plagiarized book on purpose and try to get mentioned on your site, and then curiosity sells the book?
– I can’t imagine that anyone is actually doing that. Even if they are, it is about the most absurd business strategy ever. It is already difficult to sell computer books. Most are not a vehicle for profit; rather, they are used for resume fodder and name recognition. Given how difficult it was for us to obtain some of these books, I don’t think it is working if someone is actually attempting that.
– Can you share an interesting example of a blowback not covered at presentations?
– I am currently going through a new one. A charlatan on the watch list threatened to sue the company I work for (i.e. my day job), which has absolutely nothing to do with Attrition, Errata, or anything else I do in my spare time. It is a desperate attempt to pressure me into removing the material. Apparently he hasn’t read previous articles and comments I wrote. Desperate and unethical attempts to remove content like that only strengthen my resolve.
– Where do most legal actions against you come from?
– Almost all of the legal threats have come from Charlatans in past years, I believe. We had a few back when we took copies of defaced web pages as well.
– Can you share any serious consequences for you in terms of criminal procedures?
– Only one of the threats actually made it to a filed case, and it was settled out of court before the first real hearing. Ultimately, we removed one image that was icing on the cake and not needed to support the article (which had been published for months). It was a Pyrrhic victory for them.
– I understand you receive plenty of legal threats, but they have resulted in only a couple of trials, am I right? Why is that? Where and why do your opponents drop their claims?
– Just the one, as mentioned. Most never make it to court because they are groundless claims to begin with. Sure, anyone can file any lawsuit against anyone for anything. But finding a lawyer that will take such a case becomes difficult. Even then, such a lawsuit will only result in the ‘Streisand Effect’, and will not achieve the results they want. As soon as word breaks that we are getting sued for specific content, people ensure that copies of it are posted all over the Internet just in case we have to take it down.
– What were the recent attacks on your website?
– Honestly, no clue. We stopped watching our logs to that degree. The amount of automated scanners looking for vulnerabilities is absurd. It is almost a full-time job just trying to figure out which attacks are automated or not. We do our best to maintain a secure server but know better than anyone that it is ultimately going to fail. We’ve been compromised a few times in the past, and I am sure that if we aren’t currently owned, we will be again.
– Your presentation slides say you: “Wouldn’t mind seeing InfoSec industry burn to the ground.” Do you think it is mostly a security theatre? If it burns to the ground now – what will come instead?
– Most of our industry is either theatre or a money-making machine. Very little of what is *sold* helps as claimed. The basic security technologies we have relied on for 20 years (e.g. firewalls, IDS) continue to do just as well, if not better, than the new fancy solutions with buzzwords and blinky lights.
– Projects like yours help build open society. Have you thought of or are you planning to help launch similar initiatives, maybe on local level?
– Personally, I support the local community in many ways. I have been a contributor to our local hacker space, continue to help a local hacker-run DIY shop, help organize our BSides Denver conference, and more.
– Are your audience and the help you get from volunteers growing now? Do conference talks help with this?
– No, and no. It has been difficult to find volunteers since day one. Very few stick with it, and very few put in the hours. That is why we don’t publish that much. If we had a single full-time person, for example, I imagine we’d have 3–4x the content you see. There are plenty of leads, just not enough time to research and write about them.
– What are your goals for Errata now? Are you planning to attract volunteers?
– We’ve tried several times in the past, and it ultimately didn’t work out. We had a few who helped with some of the initial research, but even the last group didn’t last more than a couple of months. It becomes as time-consuming to manage the volunteers as it is to do the work ourselves. It makes sense, though. It is time-consuming work, and offers no personal glory. It requires a lot of effort to document a charlatan, and ultimately the only thing you get is a sense of personal satisfaction. Compare that to other projects that have software releases, a big user base that relies on your work, etc.
– What have you learned running Errata? Has Errata changed anything in you?
– I’ve learned a lot and have a blog in the works. I don’t know when it will be published, but likely this year. Where the Errata presentation was an overview of the project and status, this will be more a ‘Lessons Learned’ and personal commentary on it.