Personal attacks from Security Errata and Attrition.org? No.

I just read an interesting blog post from my old friend Wim Remes about yesterday’s blow-up over a Security Errata article accusing Mike Dahn of mismanaging Security B-Sides funds and lying about it.

I’m not going to dive back into yesterday’s debate except to say we should withhold judgement until Dahn tells his side of the story. As I’ve said before, I consider Mike a friend and have a hard time believing he would deliberately do something wrong. I also have a lot of respect for the folks at Attrition.org and have a hard time dismissing the things they bring to light.

That brings me to the point of this post: Wim Remes’ defense of Brian Martin and company and my reaction as someone who has been in the Attrition.org crosshairs in the past.

Of Security Errata, Remes writes:

Whether you’re Gregory D. Evans, Ankith Fadia, Steve Gibson or HTBridge doesn’t matter. If you’re on the errata page, I believe there’s something fishy about how you work, how you interact with the community or how you present yourself. Why? It’s quite simple actually …

When accepting errata articles, Brian Martin and the crew behind attrition.org are extremely scrutinous about the material. I’ve learned that the hard way. Writing for errata is probably the most demanding thing I have done … ever! Yes, I’ve done it and it sucked the blood out of my fuzzy cojones. Every single fact you present needs to be supported by substantial evidence (which doesn’t necessarily end up on the site), every claim is scrutinized and every document is read and re-read before it ends up on the site. Briann will, at length, fact-check with both sides where possible. I know he has in several instances, I can not confirm it has happened in this case but knowing how it works I’m inclined to think he has at least tried.

I’ve never been written up in Security Errata. But back in May I was sharply disagreed with in a post about what they saw as the absurdity of something I wrote about so-called security curmudgeons.

This paragraph was hard to read, because it obviously didn’t make me look good:

When writing an article that lumps a group of people together, the least the author could do is cite a source or three. This is something that should be a fundamental part of how any blogger or journalist operates. Blogging foul, Brenner. The second point I take issue with is his categorization of curmudgeons into ‘good’ and ‘bad’, with an inevitable shades of gray distinction coming shortly after I bet. How do I know? Because I am a ‘gray curmudgeon’ in his black and white world.

The thing is, in hindsight, he was right to cry foul. I still stand by the message of my post, which is that we need to talk to each other with more civility. But looking back I did paint big pieces of the security community with an over-sized brush. They called me out and I think it was fair.

I’ve followed Attrition.org and Security Errata for a long time and have never walked away feeling like they had tried to engage in character assassination. Their critiques are always loaded with data to support their arguments. They dig deep and get to know the target before firing.

That’s why yesterday’s Security Errata post bothered me. I can’t dismiss what they say, even if their target is someone I’ve known and trusted for years.

I’m eagerly awaiting Dahn’s response. Whatever he says, I think this is a useful wake-up call for the Security B-Sides planners.

Hopefully, when the dust settles, all this will lead to something better.

–Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO’s Daily Dashboard gives you a