Truth About Computer Security Hysteria
Beg! Roll over! Good reporter. Here's a virus treat...Rob Rosenberger, Vmyths co-founder
Thursday, 21 January 1999
Domesticated reporters wait for computer security firms to feed them stories. Today's non-event demonstrates it.HEADLINES SCREAMED LAST month when Network Associates announced the most complex virus ever discovered. (In their opinion.) Headlines screamed again this month when Finjan announced the most dangerous Internet security hole ever discovered. (In their opinion.) Yet reporters yawned earlier today when experts announced a bigger Internet security hole known as Word Template. Don't let the media's inattention fool you. Word Template can strike twice as many victims compared to Russian New Year. It's 1/40 the size of Remote Explorer. It can do anything to your computer if you read a web page with your eyeballs. You can fully describe it to a hacker in two sentences and you can implement it in ten minutes. Microsoft employees worked around the clock to release a security patch before anyone found out. Why did the press ignore it? Simple — nobody staged a media circus. I've complained for years about domesticated reporters who wait for computer security firms to feed them juicy stories, and this non-event demonstrates my point. Check out the refreshingly ho-hum items on PC World and ZDNet if you need some eye candy.
Why didn't the media scream in terror? Answer: nobody staged a media circus.
Why didn't Network Associates or Finjan alert their own customers? Answer: they didn't discover it.
Let me bring you up to speed on what happened:
The media waited a month before screaming about Microsoft's Russian New Year patch. They screamed because Finjan goaded them. Will the media scream next month about Microsoft's Word Template patch? Who will goad them?
History suggests Richard M. Smith will goad the media this time. It's a safe bet, trust me...
OKAY STUDENTS, TIME for a quiz. Which computer security firm is not like the others?
In the final analysis, Word Template qualifies as one of many Internet security holes discovered over the years. It will soon join its brothers in the land of obscurity. Download the patch, install it, and get on with your life.Did you guess which computer security firm is not like the others?
WELL, I'VE BASHED Finjan & Network Associates enough. Let's discuss what I think of Word Template. In the final analysis, I lump it in with all the other serious Internet security holes discovered in the last twelve years. I predict it will soon join its brothers in the land of obscurity. Download the patch, install it, and get on with your life. Ta da! Enough said. I must admit, today's lack of hysteria felt very refreshing. Of course, everybody "in the know" let Microsoft downplay it — something you can't say for the previous two events. Amazingly, FRISK walked away from millions of dollars in free publicity when they abandoned Word Template. Bontchev still grumbles about security problems in Microsoft products yet he remains politely quiet. (Redmond will host a little-known conference next month for computer security vendors. Man, if they don't pick up Bontchev's entire tab...) Leonhard went a little overboard with rhetoric in his newsletter, but I can easily forgive the co-author of a book called "Office 97 Annoyances." He kept quiet and postponed his WOW newsletter until Microsoft released a patch. He even asked me for constructive criticism four days before the news broke. (For the record: I offered zero criticisms.) Leonhard honestly cares about computer security and he, too, hoped to avoid a media circus.
FRISK walked away from millions of $$$ in free publicity when they abandoned Word Template. However, I doubt it will remain an orphan for long. (Did I mention Richard M. Smith?)Unfortunately, I don't think the media will ignore Word Template for long. Richard M. Smith (Phar Lap) likes to adopt orphaned computer security issues and he'll find this one hard to resist. Smith will probably point to my website as proof of a massive world threat: "even Rosenberger thinks this thing is twice as big as Russian New Year!" (No offense to Smith. We actually get along quite well in private if you can believe it. He knows I fight people like him as a hobby; I know he dabbles in computer security. He believes in his cause; I believe in my cause.)
I'LL STEP ON some toes when I say this, but I just don't see a philosophical need to keep every security hole a secret until a patch comes out. Notice I said "a philosophical need." Let me explain.
Did friends scare you with Halloween stories about Russian New Year? Why didn't they scare you with Halloween stories about Word Template? Answer: the media feeds them Halloween stories.Suppose Leonhard or Bontchev alerted the media when Word Template first came to light. We lived with it for years, so why should a few more weeks make any difference? How many computers would succumb to this exploit in the time it takes to develop a patch? "Aha, but now the hackers know it," you say. "The world faces imminent danger." Knowledge of this exploit's existence would somehow make it a race against the clock? Bah. Most people only visit sites like CNN, Yahoo!, ESPN, antivirus.com, coworkers' home pages, etc. Where do you go that makes you so vulnerable to hacking? Do you fear the Weather Channel will spring this newly discovered security hole on website visitors? What makes you or your company special enough for a malicious to single you out for a Word Template email hack? Can you honestly say "my computer is secure except for this one exploit"? Do you honestly think you'll wind up in an unemployment line if you don't fix it immediately? (Many computer security specialists disagree with me on this point. They simply cannot trust all employees to visit only safe websites and read only safe emails. I share their viewpoint, yet I must ask the obvious question: "why do you let an employee use the Internet at all if you can't trust him/her to use it safely?")
Okay, I'll bite. How many computers will succumb to Word Template just because it lacked a media circus?Hackers know a lot of ways to make your computer miserable. They don't even need to use security holes — they can exploit various features of the Internet if they wish. Or they can use the Internet itself to damage your reputation. For example, how would you stop someone from... oh, let me think... Aha! How would you stop someone from using the Internet to announce a major security flaw in your flagship business application? Realistically, then, a company like Microsoft hides any given security problem just to avoid negative publicity. This means Leonhard & Bontchev did two big favors. First, they found an important security hole; second, they didn't embarrass the folks in Redmond.