From lyger at attrition.org Tue Oct 2 01:06:50 2007
From: lyger at attrition.org (lyger)
Date: Tue, 2 Oct 2007 01:06:50 +0000 (UTC)
Subject: [attrition] rant: how Apple iPWNED my iPhone
Message-ID:

http://attrition.org/security/rant/z/iphone.html

Thu Oct 01 21:00:00 EST 2007
d2d

Apparently, I'm a hacker (at least according to Apple). Every blog headline out there seems to indicate that. I downloaded and installed third-party software onto my iPhone, an act that took me all of 3 clicks to do, and therefore I am a l33t iph0n3 h4x0r!

Here is the order of events in my iPhone extravaganza experience:

1. Work tells me I need to buy a phone as a result of changes in tax laws.
2. I google the iPhone. It looks sexy.
3. I google "iphone +ssh"
   1. I get this: http://churchturing.org/w/iphone-ssh/ - NO THANKS, not giving you my passwords
   2. I find this: http://iphone.nullriver.com/beta/
4. After an intense orgasm over the fact that I could have native ssh, I hit up the AT&T store.
5. iPhone in hand, I install this crazy Installer.app (all gui, all real easy), then install OpenSSH and a Terminal. All worked well.

Two days later, an update shows up in iTunes when I dock the thing, as well as the following message:

WARNING: Apple has discovered that some of the unauthorized unlocking programs available on the Internet may cause irreparable damage to the iPhone's software. IF YOU HAVE MODIFIED YOUR iPHONE'S SOFTWARE, APPLYING THIS SOFTWARE UPDATE MAY RESULT IN YOUR iPHONE BECOMING PERMANENTLY INOPERABLE.

Yikes! 400$ for the phone, and a nice 2 year contract with AT&T, and I'm going to be punished with a bricked phone for installing OpenSSH? Could someone explain to me how installing an application on a UNIX-based system (iPhone) constitutes damaging it? I've never seen OpenSSH go that awry.

[...]
From lyger at attrition.org Fri Oct 5 03:42:28 2007
From: lyger at attrition.org (lyger)
Date: Fri, 5 Oct 2007 03:42:28 +0000 (UTC)
Subject: [attrition] Wrath of the Impotent (Legal Fun): Medica Health Plan
Message-ID:

(our latest legal threat, now somewhat... silent...)

http://attrition.org/postal/z/legal/medica/

From: "Magarian, Edward" (Magarian.Edward at dorsey.com)
To: security curmudgeon (jericho at attrition.org)
Cc: legal at attrition.org, root at attrition.org, jericho at attrition.org, comega at attrition.org
Date: Fri, 12 Jan 2007 11:00:55 -0600

Dear attrition.org:

I have been retained by Medica Health Plans ("Medica") in connection with false and defamatory statements we learned you published about my client which can be found at http://attrition.org/dataloss; http://attrition.org/dataloss/dldos.html; and http://attrition.org/dataloss/dataloss.csv (see item #110). I am sending this letter to the contact on your website because it appears to be your preferred method of communication.

You have published and continue to publish to this day statements that Medica had a data loss on June 29, 2005 affecting 1,200,000 members related to "fraud." This defamatory information has been picked up by other websites including www.emergentchaos.com. These statements which have been republished are simply false and defamatory. The issue referenced by your site had nothing to do with any member data, personal or otherwise, and there are no facts to support such an assertion. Your publication of statements which expressly targets Medica with the stain of exposing or even allegedly exposing personal information of its 1.2 million members is false, defamatory, damaging and constitutes defamation per se.

[...]
From lyger at attrition.org Tue Oct 16 02:07:18 2007
From: lyger at attrition.org (lyger)
Date: Tue, 16 Oct 2007 02:07:18 +0000 (UTC)
Subject: [attrition] postal: looks like we picked the wrong week to quit drinking (and heroin)
Message-ID:

http://attrition.org/postal/p0015.html

we should have a (long) talk
different shades of grey
once again, scared away
whinee leelte beetchez
it was really 27 hours
beastah has a job?
communication breakdown
more postal haiku
conversation killer
just bend over

From lyger at attrition.org Thu Oct 25 03:40:56 2007
From: lyger at attrition.org (lyger)
Date: Thu, 25 Oct 2007 03:40:56 +0000 (UTC)
Subject: [attrition] commentary: Data Loss "Unplugged"
Message-ID:

http://attrition.org/dataloss/dlunplugged.html

Wed Oct 24 23:33:36 EDT 2007
Lyger

Since July 1, 2005, attrition.org has "officially" been tracking incidents regarding the theft, loss, or exposure of personally identifiable information (PII). In the months since the creation of the Data Loss web page, Data Loss Mail List, and Data Loss Database (Open Source) (aka "DLDOS"), we have been asked many questions about not only why we maintain these resources but also about what criteria we use to determine the inclusion of events into the mail list, web page, and database. For anyone interested, we feel that we should try to clarify our "requirements" and answer any questions that may arise.

First, we can't "report" what we don't know. In most cases, we will only include events that are reported by a legitimate media source. While we could include blog rumors and tips via email from unverified sources, we feel that it's best to have a verifiable and reputable source of information in case there are any questions or concerns regarding the validity of the information contained in our resources. If an event isn't covered by a reputable media source, there's a good chance we may not include it in our resources.
We do understand that work by others such as Chris Walsh, who finds additional breaches through Freedom Of Information Act (FOIA) requests, will uncover breaches not normally reported by media outlets, but attrition.org simply doesn't have the resources to actively pursue such additional information. We applaud Chris for his efforts and hope that he continues to keep up with his endeavors. [...]