Take Me Off Your List!
Thomas Ptacek | March 15th, 2007 | Filed Under: Industry Punditry, Navel Gazing
The anonymous “editors” at SecurityFocus-A-Like IT Security Dot Com have whipped out the zero-day on the blogosphere, exploiting an obvious vulnerability (flattery injection) to hijack the keyboards of most of the security blogosphere. In this case, the vector for the attack seems to be a maliciously formatted OPML file.
You may remember IT Security Dot Com from such IT Security Scoops as “Complete Windows Vista Security Analysis”, the “in-depth technical assessment of the security improvements in Windows Vista, including shortcomings of the Vista model and how to gain full control over a Windows Vista machine”, for which you must provide your phone number, and which is actually just a cached copy of Matt Conover’s Symantec Threat Research report.
Speaking of Matt Conover: he is not among the “59 Top Influencers in IT Security”, even though he’s clearly among the top 59 Influencers at IT Security. Neither is Joanna Rutkowska (of Blue Pill fame), Mary Ann Davidson (firebrand CSO of Oracle), or Michael Howard (co-author of Microsoft’s security turnaround).
That’s OK, though. IT Security was at least smart enough to remember that there is a company called Oracle, and that they are kind of big, and that they have a management team page, from which they were able to find Amit Jasuja, who runs Oracle’s identity management line of business.
Obviously there’s a danger that IT Security Dot Com could mean something different than we do when they say “security influencer”. Never fear: they’ve classified the whole industry for us:
Chief Blogging Officers (people with blogs, with titles that include the letter ‘C’)
Bloggers (other people with blogs, some of whom even have names)
The 31 people that have blogs that are also equivalent to each other — a class that simultaneously includes Pete Lindstrom (“write an advisory, go to jail”) and Robert Graham (“write an advisory, you’re a sucker”), along with Ross Brown (CEO of one of the most influential vulnerability assessment companies in the world), Alan Shimel (evil twin of Alan Shimel, the #2 most influential person in security), and Ron Gula — and therefore all share position #21 on the list.
Corporate Security Officers (including Christopher Hoff, evil twin of Chris Hoff, best known for being 3% of the 21st most influential person in IT Security — and Ron Gula, CSO of Tenable Security, who only coincidentally shares the name of Ron Gula, CEO of Tenable Security, to whom he reports). Also John Thompson and Thomas Noonan, respective security officers for Symantec and IBM/ISS.
White Hat Hackers, most notably the evil hobbit Fydor, who gained infamy in 2007 by stealing credit for Nmap from Fyodor, his river elf nemesis. Also includes “white hat hacker” Mark Russinovich, whose hacking feats include being the W. Richard Stevens of Win32, Kevin Mitnick, whose “white hat” hackery earned him fame as a convicted felon, and Tsutomu Shimomura, who sadly passed away 3 years ago, murdered by white hat hackers.
SANS Internet Storm Center, the name chosen by the “white hat hacker” artificial intelligence that secretly animates the security blogosphere, powered by membership dues rumored to have exceeded $1Bn USD after it gained fame for defeating the treacherous Li0n worm, a force so important to security that I will lie and claim to have heard of it before reading this list.
The Dot Govs And Dot Mils, including “Heckuva Job” John Grimes, nominated by President Bush as Assistant Secretary of Defense for Networks and Information Integration, and Chief Information Officer for the Department Of Defense, controversially avoiding Senate confirmation for this post by recess appointment. Also, the secretive Committee on National Security Systems, which is actually just one person (hence, position on this list), but we’re not allowed to tell you who. Also 6 other agencies, organizations, and subdivisions, including CIAC but not CERT.
Last But Not Least Our Website And Please Can We Have Your Phone Number, another “A-list” of 30 “security pros” who’ve never been stumped by a security question from IT Security Dot Com’s readers, including head-scratchers such as “how much will it cost us to get you to co-sponsor our webinar, IT Security Dot Com IT Security Experts?”
I should mention that I’m joking about Tsutomu dying. I actually don’t know if he died or not, because I have no idea what he has done since 1995. Maybe Fyodor knows. The enduring mystery of “Where Is Tsutomu Now” has presumably vaulted him into the ranks of 2007’s Top Influencers; this makes sense to me, and I think it’s not fair that he’s all the way down at #42 while our silly blog is all the way up at 14. He can have our spot, and you can promote Peter Lindstrom from 3% of the 21st top influencer to 100% of the 42nd.
PS: You can tell me that it’s not really an ordered list. But then you’re going to have to acknowledge that Alan Shimel is not really more important than Bruce Schneier, and you may wind up in a blog war with #1 influencer Amrit Williams.
Amrit
March 16th, 2007 12:58 am
Please accept my resignation. I don’t care to belong to any club that will have me as a member, let alone #1 - you have to admit it was a nice exercise in blog social engineering though, have you ever seen flattery injection work so beautifully?
Thomas Ptacek
March 16th, 2007 1:00 am
No, I haven’t. I’m waiting for Lindstrom to call out ITSecurity.com for publishing an exploit instead of fixing the vulnerability.
Alan Shimel
March 16th, 2007 1:12 am
Come on Thomas, admit it, you are just upset because they didn’t give vulnerability researchers as high a ranking as they did the analysts.
You really think Bruce is more influential than me? I am crushed.
BTW, you left out that Sam Van Ryder actually claims my blog as well. Maybe he can get into a bidding war with Hoff over it. I figured with this the multiple on my blog went through the roof. I guess I will still need a token to get on the subway.
Thomas Ptacek
March 16th, 2007 1:14 am
Hey, they said me and “Et Al” were about 15 ranks more important than John Thompson, so I’m super proud.
Mitchell Ashley
March 16th, 2007 2:45 am
Aw, come on. You all (me too) are just flattered to be on a list for something other than doing something wrong.
Face it, if we all didn’t have blogs we’d have to resort to writing in journals, a.k.a. diaries. Who would fess up to that?
Blogging is a manly term so we’re proud to say that!
Thomas Ptacek
March 16th, 2007 2:48 am
Baiting respected security bloggers into linking to a faux-news site is not a benign thing. I’m not trying to make you guys look dumb; I’m just reminding you that “IT Security Dot Com” is evil.
Amrit
March 16th, 2007 10:55 am
It’s pretty benign, and not very difficult to convince a bunch of self-referential navel gazers to link to a list of themselves.
_ryan
March 16th, 2007 11:37 am
The entire “more bloggers from our feedreader” list was copy/pasted from the RSVPs from the RSA blogger meetup.
_r
Christofer Hoff
March 16th, 2007 11:47 am
I still reject my #24 ranking because I appear twice on the same list (although my name is spelled incorrectly both times!)
The funny thing is they haven’t cashed the check I sent them yet.
I wonder what Fox News is saying about all this.
I’m more in love with myself now, more than ever.
/Hoff (Sandwich Meat Blogger)
Amrit
March 16th, 2007 12:08 pm
I spent yesterday scooping up I’m #1 t-shirts to go with my #1 Dad coffee mug (which is totally true, I really am, just ask my kids). I’m sure I have one of those #1 foam fingers somewhere in the garage.
Just goes to show that right now, someone somewhere is opening an email, or linking to a list, because they truly believe that someone really loves them…(here)
Thomas Ptacek
March 16th, 2007 12:22 pm
This list is an amazingly effective hack. “IT Security Dot Com” is in no way qualified to source such a list. They’ve taken apparently less than an hour to generate it. And I’m getting all sorts of mail congratulating me for being on it.
How the hell did they pull this off?
Christofer Hoff
March 16th, 2007 1:13 pm
Cisco will no doubt acquire them for billions!
…either that or the RationalSecurity Blogsolidation Corp. will swing into action once again.
Samuel Van Ryder
March 16th, 2007 2:46 pm
I suspect one of the sources is Lori Macvittie’s blog list: http://devcentral.f5.com/weblogs/macvittie/archive/2007/02/14/2743.aspx
And Alan - to be fair - even back in February, I had seen the mistake and posted a comment on that site (check the comment section). I never claimed it and have no freaking clue why it showed up there (or anywhere for that matter). I even made a comment on the IT Security Dot Com blog (which is not showing up). They obviously did not do their research. And on top of all of this, I do not advocate hostile takeovers of blogs like you rowdy bunch of pirates do.
Thomas Ptacek
March 16th, 2007 3:35 pm
It is frustrating to me that this is the conversation we’re having. This is beyond Inside Baseball; this is inside batting practice. In AAA. There IS a list of security influencers for 2007, and none of us are on it.
Instead of joking about how it’s nice to be on a list somewhere and it’s no big deal that the list is on a link farm and who cares and all that, can I get you guys to start proposing who SHOULD be on the list?
I’ll start: DVD Jon.
Amrit
March 16th, 2007 5:55 pm
Why?
What difference does it make? Seriously - who cares?
I am pretty sure we will not even come to agreement on the definition of influential.
For example most Gartner security analysts speak to an average of 6-8 large enterprises in every vertical and they do this 3-4 times a week and we definitely provided a hefty amount of influence on tactical and strategic security direction, not to mention the number of vendors that would respond to a single research note, take for example the NBA (network behavior analysis) market or SIEM (Security information and event management), or dare I say IDS is dead!
Does this mean an analyst is influential? Depends on your definition…
What about a security researcher, are they influential? Do they influence buying decisions or strategy for large global organizations? Depends on your definition…
So although I do agree with your analysis of the silly list the itsecurity.com folks created, I don’t understand your frustration or desire to create another list.
Thomas Ptacek
March 16th, 2007 6:08 pm
I don’t like it when people say, “this is hard to figure out, so, not only is it not worth trying to figure out, but we should just play around when incompetent people pretend they’ve figured it out”.
You propose “influential Gartner analysts”. Instead of preaching about why there might be some influential Gartner analysts, name some. It can’t be Steinnon; we’re talking about 2007.
I absolutely believe that there are influential analysts. It would be interesting to know who they are. Everybody who got on their blog and congratulated themselves and their peers for landing on this silly list is now obligated to contribute something interesting to the security blogosphere. Think of it as detox.
Name the most influential analyst you can think of, Amrit.
Amrit
March 16th, 2007 6:28 pm
Thomas,
I never said it was hard, I said - what is the point
In security for Gartner it would be John Pescatore, and some number of 7-8 others. There are certainly others that are not in security as well, but again what is the point? Seriously man, why are you so wrapped around the axle on this? I certainly don’t give a shit.
Thomas Ptacek
March 16th, 2007 7:39 pm
I have a list of around 30 top influencers now. Pescatore wasn’t on it. A great addition, and thank you!
Amrit has contributed. Everyone else needs to, too. What the hell is the point of having a security blogosphere if we can’t make top 10 lists together?
Get to work, Alan. Nominate someone.
.:Computer Defense:. » Top 59 Influencers in IT Security (2007)
March 16th, 2007 9:10 pm
[…] I’ve been following the comments over at Matasano and I realize that Thomas doesn’t think they belong in any sort of list… but I beg to differ… The Matasano blog is usually one of my favourite reads of the day. Anyways, we just wanted to share the list. […]
Marcin
March 16th, 2007 10:53 pm
Thomas, you may think your group/blog is not influential at all… Regardless if you are or not, I enjoy reading your blog. What I like most is your attitude-bluntness-”no holding back” what you really think.
-: A Random View of an Insecure World : » Blog Archive » Top 59 Influencers in IT Security
March 17th, 2007 12:30 am
[…] Yes, it’s gotten a lot of press already and there are a lot of people who disagree with the original list. It looks like someone took the roster from the Security Blogger Meetup at RSA, made it into a list and did some random rankings to make it look official. There are some glaring omissions (as Thomas mentions on the Matasano blog) of people who I’d argue are very influential in the security industry today. […]
wrc
March 17th, 2007 9:10 am
When I see the phrase “IT Security”, I really have to wonder who made that up. Is it a demographic group in something like PRIZM NE Workplace?
If I look up foo-co, will I get back “Executive Sharks” “IT Security” and “Accounting Elite”?
Does the description of “IT Security” look like “Median budget of $2,500,000 a year / Spends money on gadgets / Attends trade conferences / reads CSO magazine and US News & World Report”?
Richard Bejtlich
March 17th, 2007 3:42 pm
As I alluded to in my post on this ridiculous list, I was actually contacted by the author (who is unnamed at itsecurity.com) for my “review” for “glaring omissions.” I told him I didn’t want any part of his list. You can see previous work of his here.
Andy Willingham
March 18th, 2007 8:48 am
You mean that my 8 months of blogging has NOT vaulted me to the top of the IT Security world?! Why do I continue with this? All my dreams are crushed!
Chris_B
March 18th, 2007 10:26 pm
TP
You need a new category, may I suggest either “snark” or “humor”.
Security Bloggers Network and Influential List Nonsense « Mark Curphey - SecurityBuddha.com
March 19th, 2007 8:47 am
[…] Of course if you are part of a network you subscribe and see what others are saying. It became almost like a mailing list. While it’s true to say there are a good number of very smart and talented folks on the list and there has been some great content come across my RSS reader; for me the Security Bloggers network had a low signal to noise ratio and some of the other members were not folks I want to be associated with. This came to a head when ITSecurity.com produced a blog baited list of the top 59 most influential security people. The list is farcical in so many ways; no Dan Geer, Mike Howard, James Gosling, Andy Jaquith, Phil Venables, Spafford and so on. Tom Ptacek sums it up with a great quote …another “A-list” of 30 “security pros” who’ve never been stumped by a security question from IT Security Dot Com’s readers, including head-scratchers such as “how much will it cost us to get you to co-sponsor our webinar, IT Security Dot Com IT Security Experts?” […]
alan shimel
March 19th, 2007 9:36 am
OK, Thomas I made my top 10 list just for you. http://www.stillsecureafteralltheseyears.com/ashimmy/2007/03/what_does_it_me.html
What’s It Worth? Your Data, Your Blog, Yourself. | RiskAnalys.is
March 19th, 2007 9:39 am
[…] Finally, Big4Guy gives us How to Audit Spreadsheets for Section 404 Compliance. I like the Big4Guy site quite a lot. Sure, it’s SOX, and it’s dry, but let me explain. You see, he’s down and dirty about what to do and how to do it. He’s not navel gazing about the relative importance of himself or his purpose in life. He’s just given us “how it is and how you ought to do it.” Got to respect that. […]
kurt wismer
March 19th, 2007 10:51 am
if i may make a suggestion - i agree with amrit, making a single official list is pointless… the people who influence me are different than the people who influence you (whoever you are, this is directed at everyone)…
each person should probably have their own list - and guess what, at that point it becomes indistinguishable from a blogroll…
Thomas Ptacek
March 19th, 2007 1:06 pm
I think the distinguishing factor, Kurt, is that almost nobody on my list has a blog.
kurt wismer
March 19th, 2007 2:48 pm
good point… now i’ve probably offended a bunch of people who have influenced me a great deal outside of the *cough/hack/choke* blogosphere…
of course a linkroll is as good as a blogroll, and with the extent to which things are archived onto the web, you could probably find/generate links to representative pages for most of them…
Steve Christey
March 19th, 2007 6:32 pm
Tom -
How did they pull this off???
BECAUSE WE DON’T SAY THIS STUFF OURSELVES.
We don’t name names about who we think is influential or not. Navel gazing is right.
Look at the comments - almost all of them about what’s wrong with the list, not who should really be on it, and some people actually saying we shouldn’t bother.
At least they got Michal Zalewski on their list, and that guy who co-researched those IDS problems all those years ago, I forget his name. He works at some place called “Matasana” according to the list.
- Steve
Mitchell Ashley
March 19th, 2007 7:19 pm
Alan, that was nice of you to mention Brad in your list.
Let me tell you all, he’s an up and comer. Brad may not have all the fancy degrees and accreditations but he’s as good as they come. He’s learned in the trenches of life and he’s as hard a worker as you’ll find anywhere. Definitely a star in our organization. He does everything we ask of him and more. From when he took on leading the Denver ISSA chapter, to traveling to the far east, or when he lends his creative talents to help design our next generation products. He’s a star all around.
I remember when he passed his CISSP on the first try. Brad is not my son but I’m proud of him like he is, and a friend as well. He and Alan are both in my list, even though I didn’t mention them on my first blog post.
Scott J. Roberts
March 19th, 2007 10:05 pm
Even as great as I think I am, I knew it seemed too good to be true being put on a list of such prolific names. And we all know what they say about when something seems too good to be true.
That being said, I have to echo the thoughts of many that such a list is ludicrous. One of the biggest reasons, to add on to the many that have already been submitted, is the fact that any day at any time something new can happen and someone can completely change the entire landscape. DVD Jon did when he broke CSS, HD Moore did when Metasploit came out, and someone will again when the first major vulnerability/exploit/worm for Windows Vista is released. It’s a fluid industry, and you can be at the top of the heap one day, and not remembered the next.
Computer world security » Blog Archive » Thomas wins funniest “I’m on the list” posting
March 29th, 2007 4:57 am
[…] Thomas wins funniest “I’m on the list” posting Thomas Ptacek writes, “Take Me Off Your List!“, referring to the security influencers list published earlier this week. His basic point is that the list was nothing but link bait to get security bloggers writing about ITSecurity.com. The amusing thing is, I agree with him, but it’s fun to be on a ‘Top X’ list and know you’ve at least made enough of an impact to get that far. I think the majority of the people on the list, as well as most of the people reading it, understand it’s not much more than a snapshot of who’s ranking well in a Google search on ’security’. I still say congratulations to everyone on the list, you’ve been noticed. […]