dc0de wrote:
Here is a fscked up story... (the sad part, is that it is true).

In January of this year, my company's marketing department asked me to give a talk at a conference being held in Lake Las Vegas, NV, during the first week of May. I agreed, and the topic was set for me, that of "Insider Attacks, the anatomy of an Inside Attack, and how to stop one.".

I asked our marketing group if there was a presentation started, or completed on this topic, and I was told that I would have to create it from "scratch", but if I needed any assistance to ask the marketing department.

Fast forward to about 3 weeks before the conference. I spoke to the marketing department, and asked them for assistance creating my presentation, as I had to deal with some family emergencies, and was running out of time. I received no assistance. I then spent every waking moment researching insider risk, and the risks associated with insider loss. I learned quite a bit, and have several hundred links to pertinent data on the web. Including information from the aforementioned IDR.

Now, fast forward to the presentation. It went flawlessly. As a matter of fact, there were approximately 80 people in the room, and 20 or so more in the hallway, watching with the doors wide open.

The next day, my company asked me to present the material again, as there were too many people who missed it. I reluctantly agreed, and put on another presentation. During the 2nd presentation, there was someone there that took the data back to the IDR.

Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example.

I stated, "The [IDR Company Name] incident was caused, in part, by a company culture that was more focused on making sales numbers, than it was to vet the companies it was selling information to." The individual in the audience that took the data back to the IDR made some aggregious claims, that I was "mocking" them. This was not the case. I mentioned several other companies in the presentation, and wasn't mocking anyone.

However, the IDR claimed that my comments were slanderous, and their attorney began harrassing me on the phone. I then went to my internal company resources, who, took all of my information, and then put me on administrative leave.

Today, I find out that the company president went down to the Atlanta IDR's offices, and spoke with their President and legal council, and apparently, arranged a settlement agreement, on my behalf, that does not allow me to ever use the IDR's name again. (Hint, it located in Atlanta.) Part of the meeting, alledgedly included an email message from the person in... [ Read More (0.3k in body) ]

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coersion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coersion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

Decius chimes in on dc0de's situation:

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

In the United States, you're supposed to have a right to freedom of speech. This isn't just a matter of what the law technically says or means. As Rattle has pointed out before, freedom of speech is a core value in our society. It is a value that transcends what the law merely requires, providing a model for how a mature society addresses all sorts of conflicts: The appropriate way to respond to critics is within the realm of ideas and not within the realm of coersion.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

However, this happens all the time, so a more fundamental fix is required. The legal system should not allow itself to be used by wealthy parties as a weapon to coerce people who do not have the resources to defend themselves. This is fundamentally unjust. The legal system must be reformed.

For a smart analysis of these issues see this paper about two other members of "the club," Billy and Virgil.

dc0de wrote:
Part of the presentation includes a slide that shows the Insider Attack Variables, including, Corporate environment and culture. Since the IDR's previous incident was caused by someone not performing their due diligence on 50 fraudulent companies, thereby allowing these companies to freely PURCHASE data from the IDR and commit fraud, I used their loss as an example...

The company that I work for now is terminating me, and claiming that I have to sign the IDR's document, (that they negotiated as part of their settlement), and of course, another document, forbidding me to speak about this issue.

There is no protection for whistle-blowers in the security industry. This is a major problem. There is a nitch for a lobby here that should be filled.

Dc0de has joined what we have started referring to as "the club." People we know who have received legal threats for saying true things in a public place. This seems to happen a lot to computer security people.

People who use the legal system to squash critics instead of appropriately addressing their criticism in print are operating in a manner that is out of sync with the core values of this nation. I hold this sort of behavior in very poor esteem.

All around scary stuff. Its a sad day when opinions get silenced by lawsuits.

That slander charge is a bitch. I said a lot of very bad, public things about Blackboard, their executives, and the sexual habits of their mothers. Thankfully no one ever pulled that crap on me.

Actually, slander is a growing concern of mine. The way you all have seen me give a presentation at say, Phreaknic, is the same way I give a presentation at BlackHat: rather informal with a fair amount of profanity directed at those who deserve it.

Its only a matter of time before some no talent ass clown somewhere takes offense.

Update:

I haven't heard from my current company yet, but as it seems, I'm still employed... and earning money on "administrative leave".

Funny though, I received an email today from a headhunter, with the following job opportunity:

===================================
From: "Jxxxxxx Mxxxxe"
To: redacted@removed.net
Subject: permanent position with choicepoint
Date: Wed, 17 May 2006 13:53:42 -0400
Message-ID: 009001c679da$d5f4cee0$1001a8c0@xxxxxxxx.com
MIME-Version: 1.0
Importance: High
Thread-Index: AcZ52tWmOLWu6kXHSLWnZoifXJmO1w==
Return-Path: jxxxxxxe@dxxxxxxxxxe.com

It was nice talking to you. They are looking for someone strong in
FIREWALL, CHECKPOINT, CISSP, VPN,DNS

Salary between 120 -130k plus 10-15% performance bonus at the end of the year.

Required Skills and Experience:
. Certified Information Systems Security Professional certification (CISSP) is required.
. Certified Information Systems Auditor certification (CISA) is desired.
. Cisco Certified Internetwork Expert certification (CCIE) is desired.
. Check Point firewall certified preferred.
. Experience with architecting and designing security infrastructures, understanding of how to design security devices, network and systems compliant with the requirements of a desired security posture or state is required.

. Highly knowledgeable of security principles such as defense in depth, grandularity of privilege, etc. and how these are applied in the real world.

. Expert understanding of intrinsic security weaknesses within the core infrastructure components such as TCP/IP, Checkpoint firewall, VPN, DNS, file transfer, proxy, and remote administration protocols.

. Pragmatic understanding of security problems as a mix of technology and process issues with the ability to pursue solutions at both layers within the organization.

Optional Skills

Key Job Functions:
In this exciting position you will -
. Design and architect global network and security systems including
firewalls, IDS, proxies, policy compliance tools, routers, switches, VPN hardware / software, and other security devices as specified.

. Lead and execute network security projects in a diverse set of areas that include: intrusion detection, end point security, log file correlation, security information management, actively identify where new work efforts are required, and network / security metrics.

. Take a leadership role in providing network security advice, such as risk analysis, to business units who engage with the Network Design and Engineering team.

. Manage the relationship with various network and security vendors to ensure their products and services add value to client

. Define, gather, and report metrics regarding network and security with the ChoicePoint environment.

. Act as a gatekeeper for operational requests related to network and security matters.

. Provide vision for network and security direction and designs to achieve these agreed upon objectives.

. Be a Team Lead to the firewall and network engineers, including developing the team members individually and as a group in order to achieve the next level.

. Improve stability, availability, and scalability of the network and security infrastructure.

. Develop a customer service orientation for the Network Design and Engineering team.

Jxxxxe Mxxxe
Tel: 678-xxx-0xx3 x 5xxx
Fax: 678-xxx-0xx0
www.dxxxxxxxxe.com