Vmyths.com


Hoaxes, myths,
urban legends

Columnists

Newsletter
signup

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Give the security clown a black armband

Rob Rosenberger, Vmyths co-founder
Tuesday, 7 August 2001

As read by the author (MP3) SECURITY ALERTS IN mid-July warned of a Code Red worm set to destroy the White House's web server if left unchecked. Hundreds of thousands of machines fell to the worm despite a (small) media blitz to notify the public.

Security experts did everything except hand out black armbands when they screamed about the Code Red worm. Internet users didn't listen — because they finally tuned out the wolf-criers.
Hmmm. Perhaps Internet users just didn't hear the first round of warnings.

At the end of July, "government and industry, in an unprecedented manner, have come together to warn users about" the scheduled reactivation of Code Red. This time, "the [entire] Internet could be seriously degraded" if the worm remained unchecked. The publicity hounds at Computer Economics, Inc. declared a whopping $1.2 billion guesstimate for Code Red's initial devastation.

What more can you do after you hold a joint press conference, issue a coordinated public statement, and notify 46 embassies about the pending catastrophe? The FBI's National Infrastructure Protection Center did everything but hand out black armbands. Heck, they even sanctioned one group's charts & graphs showing the extent of bloodshed.

(Boy, let me tell you. Everyone in the computer security world would give his eyeteeth for the same free publicity FBI NIPC lavished on the SANS Institute.)

Hmmm. Perhaps Internet users just didn't hear the second round of warnings.

Now computer security experts scream about a "new and potentially more dangerous variant" known as Code Red II. Remember when Russ Cooper (TruSecure) declared the original worm could force "the meltdown of the Internet"? This new worm is even "more dangerous" than its predecessor(s). I quote the SANS Institute:

Code Red II is more dangerous because it opens backdoors on infected servers that allow any follow-on remote attacker to execute arbitrary commands. Most importantly, due to the more malicious actions of this worm, patching and rebooting an infected server is no longer sufficient to clean the system. If a system has been infected, or if a vulnerable system has simply been left unpatched while Code Red II has been circulating, the only real solution is to reformat the system's hard drive and reinstall all the software.
So there you go! If you believe Code Red II resides on your computer, then you'll need to reformat your hard disk. Antivirus software (e.g. Symantec, Network Associates, Sophos, Trend Micro, Kaspersky, Central Command, Finjan, and so on) is not a "real solution." You must sacrifice your computer for the safety of the Internet as a whole. Spock said it best: "the needs of the many outweigh the needs of the few. (Or the one.)"

And yet Code Red II continues to spread unchecked. I don't know what worse can happen to the Internet besides a complete meltdown, but hey! It's coming.

The computer security industry lost the Code Red battle by its own (un)doing. You can cry wolf in a clown costume only so many times before society hits the 'mute' button... .
Hmmm. Perhaps Internet users just didn't hear the third round of warnings.

What next? Will cops drive around slowly in a light-blue Dodge K-series with a megaphone strapped to the roof, warning every resident to download a security patch from Microsoft's website?


INTERNET USERS DIDN'T listen — because they finally tuned out the wolf-criers. Remember the tale of the boy who cried wolf? "Nobody believes a liar ... even when he is telling the truth!" Why should we believe fearmongers this time?

Indeed, why should we take the Code Red threat seriously at all? The worm got its name simply because eEye's "chief hacking officer" (Marc Maiffret's official corporate title) drank cherry-flavored Mountain Dew soda as he dissected the code. And why should we take seriously any Code Red security alert which thanks "the guy at Del Taco that sold us food at 3am"?

Why, too, should we believe TruSecure's "surgeon general" (Russ Cooper's official corporate title) when he predicts Code Red will cause "the meltdown of the Internet"?

How can we take seriously a firm like @Stake? The CEO doesn't even know the name of one of his own vice presidents. He'd flunk if you asked him to match employees' names to their CB handles. And how can we take seriously anything written by a guy known only as "Weld Pond"?

The computer security industry runs around in clown costumes. They treat CB handles & corporate titles & technical analyses as an inside joke, yet they get miffed when society doesn't take them seriously. This insane hacker mentality helped pave the way for the technology sector's current stock woes. It also paved the way for years of comical wolf-crying in the security world. Wall Street stopped taking the hacker mentality seriously; so should everyone else. (I don't make this claim lightly.)

We'd get a lot more done around here if the security morticians would take off their clown makeup. Sadly, reporters act like children at a birthday party. They clap every time Maiffret & Cooper do something funny. They love to quote the "chief hacking officers" and the "surgeon generals" of the world. The media's favorite computer security experts play to the media's fetish for juicy computer security stories.

The computer security industry lives for headlines — and some people in this industry will prostitute themselves just to get quoted. (Prostitutes wear costumes & makeup, too. Coincidence?) You, too, can be a media whore. Just follow these simple instructions:
The computer security industry runs around in clown costumes. They treat CB handles & corporate titles & technical analyses as an inside joke ... yet they get miffed when society doesn't take them seriously.

  1. come up with a silly CB handle;
  2. give yourself a silly job title;
  3. name something after a can of soda you found in a break room; and
  4. scream "the Internet is about to shut down!"
See? It's even easier than reformatting your hard disk.

The computer security industry lost the Code Red battle by its own (un)doing. You can only cry wolf in a clown costume so many times before society hits the 'mute' button.


THINK OF THE frustration the computer security industry must feel right now. They delusionally think the Internet will die if users don't heed their sage advice ... but users just won't listen to them. I almost feel sorry for the clowns & prostitutes at a time like this. Almost.

Still, not many experts (and not many reporters) want to own up to their wolf-crying roles. I'll give the final word to a Steve Gibson fan who calls himself[1] — and I quote — "The Webfairy":

Nobody was calling wolf. We were trying to get word out about the danger of these yawning security holes in time to prevent this. The actual attack has turned out to have nuances we couldn't have imagined or predicted, but that makes it no less serious. That it isn't happening all at once doesn't make the peril less real either. Some subnets have already lost connectivity. Unless the infected machines are pulled off the grid, we all will eventually.