attrition.org Errata Project: Frequently Asked Questions

Fri Nov 18 22:13:47 CST 2011

From time to time, we receive questions about the attrition.org/errata/ pages. If you still have questions after reading this, please mail us: errata[at]attrition.org


What is the Errata Project?

Started in 1999, the Errata Project was designed to create a repository of specific information about the security industry and people operating within it. The focus of Errata is to catalog incidents that show the security industry, which should be a model of integrity, often lacks not only integrity, but also morals and ethics.

How many people work on the project?

Over the years, the number of people working on Errata has ranged between 2 and 10. If you count sources that provide tips and information, the number would easily be more than twenty.

Do you verify the information you post?

Not only do we verify the information we post, we go to great lengths to include as much of the background information as possible, so that anyone may independently verify the posted details themselves. Almost everything is peer reviewed by another project member before being posted.

What is the process / policy for providing a subject the opportunity to respond prior to posting something publicly?

We do not have a policy. In some cases, contact is made before publishing depending on the type of write-up. When a subject publishes something (e.g. book, article, blog post) they are putting it out there for peer review, whether they like it or not. In that theme, we do the same. The difference is, we typically have an internal review process to help avoid inaccurate material.

What if I want to dispute information posted?

Anyone may dispute the information we post, whether a person we have posted details about or not. We believe in peer review and welcome extra sets of eyes going over our published material. If you find something you feel is inaccurate, or lacking in details, please contact us with additional information so that we may update or remove the information as warranted. Contact errata[at]attrition.org with the URL in question, additional details, and references to the information if possible. If you have information that should not be attributed to you, please indicate that clearly. We protect sources just as good journalists do. Note: information provided by someone who does not wish attribution, and has no external reference, might not be used until we can independently validate it.

Has any person or article been removed?

Yes. Not only do we consider any disputes sent to us, we have proactively removed articles based on new information that came to our attention. This has led us to edit and/or remove content without the original article being disputed in any manner. Further, at least one person has been removed from the Charlatan Watch List after extensive conversations with the individual in conjunction with additional review of material.

We firmly believe in giving people a fair shot. If a person demonstrates that they made a few mistakes, but have since demonstrated awareness of those mistakes, apologized for them (if appropriate), and taken steps to avoid such mistakes moving forward, then the Watch List has served its purpose and the person should no longer be included.

This seems like a negative endeavor, why not focus on something more positive?

To some degree, yes, the Errata Project is a 'negative' endeavor. We focus on the bad in the security industry. However, we feel it necessary in order to help the industry learn from previous mistakes and strive to improve. This project is really no more negative than a standard vulnerability assessment; both look for the weaknesses and flaws in a system with the intention of reporting them to the appropriate parties.

Additionally, please consider the DatalossDB.org project. That was originally a project here on Errata that was moved to the care of the Open Security Foundation to enjoy better resources and management.

How can I help the project?

The best way to help is to provide us with information. If you see something bad within the security industry, report it. If you have found plagiarism or dealt with a professional who does not seem to be qualified, let us know. In addition, we have a published wish list, which also has a detailed ledger of the money received and spent related to this project.

Can I mirror this site?

We encourage people to download and host this information. Because the content changes frequently, we do not make an archive available. We do encourage you to use 'wget' to grab a copy of the site.

$ wget -w 2 -m -k -K -U "Squirrel Storage" http://securityerrata.org/

Note: This will convert the absolute paths to relative on your side, but wget does this at the end. You must let the command complete naturally for it to work.

I am reading this via Google cache or Archive.org because you are down!

That sucks, for both of us. Fortunately, there are mirrors set up so that you can browse more easily and quickly:

Who             Mirror URL
@gattaca        http://securityerrata.eu/
@sysuaf         http://www.clockcycles.org/securityerrata/
@securitygen    http://www.securitygeneration.com/securityerrata/
@FeralCatHotel  http://www.FeralCatHotel.com/securityerrata/


How do you detect plagiarism?

We have posted a detailed article that outlines our methodology.

Why do you do this?

As Chris Knight would say, "It's a moral imperative."

Surely this is just a few bad apples, right?

Absolutely. However, consider that the material we have posted is a sampling of what is out there. This project has very limited resources (time in particular), and we have not published everything we have discovered or been told. Largely, the security industry is full of good people trying to do the right thing. There are, of course, a significant number of people operating in the industry who have a lower moral standard and do not hold integrity as a principle.

What is the difference between attrition.org/errata/ and securityerrata.org?

Nothing really. securityerrata.org is a more official-looking web site and acts as a mirror of the content located on attrition.org. While there are some cosmetic differences, the actual content is replicated 100%.