Bloggers Beware: InfoSec Island


In Brief: InfoSec Island may not post what you submit, but instead grab text from your blog (whether authorized or not). When I filed a complaint, their first response was to threaten to delete the post, and they ultimately deleted my account (and then posted the entire email exchange to pastebin). If you post to their site, then don't be surprised if you and your post are abused. If you complain, expect to be told that you don't matter. In the end, despite being urged to reach out to me, they have not taken steps to resolve the matter.

Strong Recommendation: If you're a writer, I cannot urge you strongly enough to avoid or flee InfoSec Island. If you're a reader, then I strongly recommend that you not use their site any further. A business that profits from and exists because of the free contributions of people like me does not deserve continued patronage when it clearly disrespects the people who provide the content on which it bases its business.

Summary: On Thursday, January 5th, 2012, I submitted a revision of an earlier blog post to InfoSec Island. I'd spent a couple of hours the previous night revising the text, since I felt it used first-person too much, and integrating some feedback I'd received that would make it a better piece. The article was posted on Friday, January 6th, though I don't know when exactly. Someone cc'd me on twitter saying they liked it, and someone else commented on the post itself expressing their approval.

When I clicked through to see the comment, I noticed that the version posted was the original blog post and not the piece I had submitted. This upset me greatly, causing me to email them to complain about the impropriety of posting the wrong piece. The site does not provide a way for submitters to edit their articles once they're published. Michael Menefee of InfoSec Island responded very quickly and threatened to delete the post outright. When I objected, and provided the correct text for the post, he then threatened to delete my account. He then deleted the text of the post (to maintain the comment) and redirected it back to my blog. My account was then deleted altogether, so the post and comment are gone. Things snowballed into a drama-storm that is sadly typical of the infosec industry. There are several issues at play here, which I'll now discuss.

The Issues (as I see them)

As InfoSec Island is a business, there are potential copyright infringement issues in their not posting the text provided (my blog is protected under a Creative Commons license with Noncommercial). They did not have approval to go pull the draft from my site.

Apparently, InfoSec Island is/was having issues with their web site. According to a separate email from Anthony Freed (one of their curators), my submission came through as a garbled mess (I pasted plaintext into their WYSIWYG editor). Making a bad assumption, he went and pulled the blog post of the same title rather than contacting me first to make sure this was ok and to confirm that it was, in fact, the same text.

I very much feel like they (Menefee in particular) projected their angst from the site issues onto me. How dare I complain that they improperly used text for which they weren't authorized, apparently. :S I was not aware of their issues, nor am I responsible for their issues. Their site directly benefits from the freely-submitted content of people like me. They actively recruited me to contribute to their site for 6 months. Four months later, my account is canned for complaining about their posting the wrong content? Bad form.

Ultimately, what I expected from them was a quick apology and an offer to get the right text posted. Instead, they threatened to delete the post in their initial response. Talk about a "burning down the house" approach. Moreover, they continued to escalate things, threatening to delete my account altogether (which they did), and even going so far as to post the email exchange to pastebin.

Tweets and The Email Thread

In addition to sending a complaint to InfoSec Island via their "contact us" link, I also tweeted on Friday night about my frustration in finding that they'd magically posted text that hadn't been submitted.

After receiving the emails from Menefee threatening to delete the post and my account, I tweeted the following bit of frustration. Several people responded, and I had limited banter. The sum-n-total of it was that people suggested it was time to walk away, which I agreed with. Other people offered to reach out and mediate with someone higher up the food chain than Menefee.

Hearing from one friend on Sunday, who was speaking with a site higher-up (Lance Miller @wireheadlance - site owner?), it sounded like things were going to be ok. I held off on writing this post, and from saying anything else. Imagine my surprise Monday morning, then, when I saw the following:

Someone (presumably Menefee) took it upon themselves to post the email thread to pastebin (I presume in response to this tweet). Definitely classy, especially for a business that is benefiting financially from the freely-contributed content of authors like me.

Interestingly, the posted thread left out two email messages in the exchange. First, after saying "I can send you the correct text." I then sent him a follow-up email with the correct text. It's at that point that he said he'd unpublished the article for me to edit it, which turned out not to be true.

Second, after my brief "Seriously? This is your response?" email back to Menefee after his threat of deleting my account, I then sent the following:

"What you also don't seem to be grasping [sic] here is that I spent 2 hours of my own time to revise that article in order to deliver a better quality piece for your site. The result? It gets tossed without a glance because the site is broken, and with no way for me to know that."

Please note that both the "Seriously? This is your response?" email and the above longer text were sent from my mobile right before walking into a Gracie jiu-jitsu class. Suffice it to say, I wanted this to be positively resolved, and I couldn't believe the childish, escalating responses that I was receiving from him.


Sadly, despite intervention from a key acquaintance who knows all parties involved urging them to contact me, there has been no further official communication from InfoSec Island, nor have I received an official apology for their mistake. This is a business that profits financially from free contributions by people like myself. I'm still rather shocked that I was attacked for complaining, and that there is apparently no interest on their part to speak to me to sort things out. Clearly, this is an organization run by amateurs who don't respect the people who volunteer their time and intellectual property.

This post was first authored on January 9th, 2012, and held for review to see if a favorable resolution would occur. The key acquaintance sent a final admonishment late that week (around Jan. 13th) to encourage them to contact me to resolve this matter. Sadly, after giving them more than a week to do the simple task of reaching out to me, it seems that apologizing is beyond their conscience. It's unfortunate, because I believe that some of their people (e.g., Anthony Freed) are working in earnest to help build a solid portal, and yet this poor treatment of contributors is a black mark that leads me to conclude that everybody should pull back, stop contributing, stop reading, and stop supporting the organization. Any business that is unwilling to recognize when they've erred and work to make it right does not deserve continued patronage.


Thanks for the heads up.

That's really unfortunate, and a completely unacceptable way for someone to respond to you. In a real business, that person would be getting some spankings and you'd certainly be given an apology, maybe not by Michael, but at least from someone he answers to.

Like you said, really classy action from InfosecIsland. Posting an email exchange is immature enough, but to also then edit it and leave out posts? I mean, come on...

My opinion of InfosecIsland has definitely dipped very, very low.

Thanks - I agree completely!

Don't be fooled.

Infosecisland is a shit hole of the first order.

They are nothing more than a band of common criminals running a honeypot to target the security community at large.

They are dangerous.

Run away, quickly!

About this Entry

This page contains a single entry by Ben Tomhave published on January 23, 2012 1:15 PM.
