Truth about computer security hysteria
Rob Rosenberger

Vmyths undergoes another test of integrity

Tuesday, 4 February 2003

A STORY ON Wired revealed a confidential proposal to sell Vmyths to Symantec. I encourage you to first read the exposé and then come back to this column.

I want to stress an important point — our editorial staff cannot control the sale of Vmyths. Our investor can sell it to anyone for any price. On the other hand, our investor cannot control what you read at Vmyths. This "separation of church and state" is dictated by the contracts that formed Vmyths.

I negotiated with our investor for the contracts that formed Vmyths. I blame myself, and only myself, for failing to reserve "editorial integrity" rights over the sale. I personally apologize to our readers and to our editorial staff for my failure.

The front page of Vmyths boasts "this site is NOT sponsored by antivirus companies." In fact, Vmyths has operated since 9/11/01 with no real source of income. Our advertising revenue dried up immediately after the terrorist attacks. George C. Smith and I have done our jobs for at least a year with no paychecks.

Our investor continues to support Vmyths with hardware & bandwidth, and I believe they will continue to support us. Please don't underestimate our investor's support. Vmyths takes up a large chunk of their OC-3 bandwidth and they repel all sorts of attacks aimed at their web servers. I'm truly grateful to our investor for doing so much for Vmyths despite our lack of income...

...and I'm truly upset with Symantec for failing to secure hundreds of confidential business proposals from prying eyes. It appears Symantec took the data offline, yet they have so far refused to accept responsibility for exposing it. They refuse to apologize.

Reporter Brian McWilliams asked me some pointed questions about the sale of Vmyths. My answers appear below. If our investor has a problem with this, they can take it up with Symantec.

I answered one important question (who really owns Vmyths?) but I glossed over another one (how will you preserve the integrity of Vmyths?). I don't know how to answer the latter question until the sale takes place.

Let me repeat — our editorial staff cannot control the sale of Vmyths. On the other hand, our investor cannot control what you read at Vmyths. I encourage you to submit any comments & criticism for publication. Or write to VeaCulpa@Vmyths.com if you want to give us your thoughts in private. Unlike Symantec, we'll keep it strictly confidential.

LET ME STRESS another important point. I don't blame our investor for anything. They really have done a lot to keep us running even in these trying times.

Our editorial team can't control the sale of Vmyths, so I made an editorial decision in November 2001 to wait for the sale to take place. If they sell us to an antivirus firm, we'll deal with it; if they sell us to a NON-antivirus firm, then it won't matter. Either way, we'll know enough at the time of sale to give our readers good information.

The Wired story makes us look bad as a result of Symantec's negligence. It only made it worse when McWilliams focused on Vmyths over hundreds of other confidential business proposals. Now our investor looks like a heel, and the editorial team looks like we kept our readers in the dark, and a buyer may snap us up for a lowball price. "Thank you, Symantec!"

And yet I realize it's just the latest test of our integrity. Symantec won't apologize for their negligence — but you'll find an apology from me to Symantec as you continue to read this column. You'll also notice I "give Symantec credit where due."

The computer security industrial complex needs ethics, and those ethics must begin somewhere. For this reason, Vmyths holds itself to a much higher standard than the industry we critique.

But only you can decide if Vmyths passed this latest test of our integrity. Did we succeed? Did we fail? Can we improve? Again, I encourage you to submit any comments & criticism for publication. Or write to VeaCulpa@Vmyths.com if you want to give us your thoughts in private.

PLEASE NOTE: MY responses to Wired appear below. I changed some mild swearing, but otherwise my comments appear verbatim. Again, if our investor has a problem with this, they can take it up with Symantec.
  1. When did this proposal take place? Did you authorize Regent to make the proposal?

     I don't recognize "Regent" or the name Paul Mace offhand, simply because I don't like to get involved in the corporate side of Vmyths. But — they proposed to buy us out for a low six figures? RISS (Rhode Island Soft Systems) CEO Eric Robichaud told me the lowest figure he would accept was $1.25 million plus a 3yr editorial budget commitment, now at $8.4k/month. (The 2000-2002 editorial budget was $4.2k/month.) [Addendum: RISS originally told me $1.1 million; their current lowball is $1.25 million to the best of my knowledge. I can't control the sale, but I can renegotiate the editorial budget at this point. I'll approach the bargaining table with a bid of $8.4k/month for three years.]

     Somebody must think RISS is dying to bail out. An offer of $350k would explain why Symantec doesn't own Vmyths right now. Heck, our resale value probably went UP another quarter-million thanks to Symantec's stupidity! I love irony.

     You need to understand the creation of Vmyths to understand the proposed sale. When we negotiated the two contracts that created Vmyths, I refused to allow any advertising for antivirus products & services. Robichaud knew it'd turn away our biggest source of revenue, but he agreed — on the condition I take a major cut in the proposed editorial budget (which includes my salary). I dropped from $12.5k per month to $4.2k per month, and in return the contracts stipulated no antivirus ads. However, I didn't specify anything for the sale of Vmyths.

     RISS can lay claim to everything but the mailing lists, which I claim the right to erase to protect subscribers' privacy. They can sell the website to anyone they want and they can keep every single dime. Ironically: per the contracts, the buyer acquires the copyrights to everything I've written — and they'd own me for three days each month on top of it. (sigh) If Symantec bought us, they could make me shill at twelve trade shows every year and they could say "sponsored by Symantec" on every Vmyths web page. They just can't hawk an antivirus product/service on the site.

     The proposal to sell Vmyths arose in late 2001 as a result of the 9/11 attacks. RISS poured time & money into Vmyths just months before the Internet bubble burst. The bubble caused us some pain, but Osama kicked us right in the teeth. All of our ad revenue dried up and it never returned. Robichaud flew me to Rhode Island in November 2001 to tell me in person why he wanted to cut his losses. It hurt, but I understood his reasons.

     FYI: when Shane Coursey announced he would close WildList, Robichaud pleaded with me to stage a similar publicity stunt. I refused. Thankfully, he didn't take it personally. Editor-at-large George C. Smith is the one who asked me to sell T-shirts & coffee mugs. Robichaud left it to me to make the decision; I took my time before I conceded to Smith's idea. [Addendum: I spelled Shane Coursen's name wrong. Robichaud might contest my use of the word "pleaded." I stand by it.]

  2. Is Vmyths currently up for acquisition?

     Definitely so, but I don't care to ask Robichaud about the details. It would only remind me of my stupidity when I negotiated the contracts. I blame only myself for not asking for concessions if Vmyths got sold. I will NOT blame my investors for seeing Vmyths differently than I do. I'm truly grateful to RISS for giving my idea a chance to prosper, and I'll be truly grateful to our next investor.

     In my dream world, somebody would buy Vmyths for $2 million, convert it to a non-profit entity, and seed it with a $500k contribution. Microsoft, for example. Heaven knows Redmond's employees needed the benefit of our virus hoax-busting resource over the years...

  3. Who currently owns Vmyths.com — RI Soft Systems? Are they paying you for your editorial work at the site?

     RISS has always owned Vmyths. RISS also owns a company called Mediaweave, which they advertise on Vmyths as our "sponsor." RISS paid the editorial budget until August 2001. I waived the Sep/Oct budgets because the terrorist attacks kept me from fulfilling my backstage editorial duties. (I ended up paying our columnists out of my own pocket.) Our ad revenue dried up and it never came back, and RISS stopped fronting the editorial budget somewhere around July 2002. I've been funding Vmyths ever since from my rainy day bank account. [Addendum: RISS paid only a stipend from November 2001 to July 2002 to cover most of my expenses. Then the stipend went away.]

     I suppose my lawyer would tell me to stop writing & editing, but (a) I'm grateful to RISS for investing in Vmyths and (b) I work for a crusade, not for a business. We lack money? Big deal. Mediaweave continues to bless us with bandwidth & support and I continue to edit & write.

     Because I'm funding it out of my own pocket, my family accountant tells me I'm now an "investor" for tax purposes. No big deal for Eric, because he claims to have built a "dividend" into the sale price for me. I suspect the decimal in "$1.25 million" is earmarked for me.

  4. Do you think you could successfully run Vmyths.com if the site were owned by an anti-virus software company?

     I originally said "no" and I still believe it was the correct answer back then. The computer security industrial complex needs a truthful, uncompromising mainstream outlet for criticism. If Vmyths suckled on the teat of the antivirus industry from the start, we'd have grown to depend on their milk. Pushers can easily control their addicts, so I enforced a ban on antivirus ads. The industry's money couldn't taint our editorial content.

     Our independence paved major inroads for computer security criticism. For the first time, large customers could turn to a mainstream website for an honest appraisal of the antivirus industry. Vmyths doesn't exist to make money, per se; rather, it exists to open the world's eyes. We don't push the PR angle, either; I myself have a nasty habit of criticizing reporters by name. We just wanted to change the world at a time when everyone else wanted to get filthy rich.

     Our investor happened to believe they could turn a decent profit from Vmyths. Siskel & Ebert likewise pitched a TV show where people could turn for an honest appraisal of the movie industry. Their investor, too, happened to believe they could turn a decent profit from it.

     Our non-stop truth campaign earned us some serious retaliations from the antivirus industry. You still can't take on this multi-billion-dollar cartel without getting the snot kicked out of you. They habitually destroy what they can't control and, man, did they try to destroy Vmyths. Don't even get me started.

     But the beautiful thing about inroads is that others will take the paths you paved. I & editor-at-large George C. Smith believe SecurityFocus followed our lead only after we proved you could survive truthful criticism. As for security critic Richard Forno? I'm glad to say the man finally grew some 'nads. Others will follow the inroads we paved.

     So right now, if bought out by an antivirus firm, I'll offer a guarded "yes" that Vmyths probably could survive in today's more open, more honest critical environment. I should note Symantec bought SecurityFocus after they hired Smith as a columnist. Smith continues to rant without interference to the best of my knowledge. I'll give Symantec credit where due.

  5. The proposal states that "having Rob in your hip pocket during his daily press interviews can only help. This would be a very small deal for Symantec ('pocket change'), which makes it a no-brainer. Rob would lead to more sales in 12 months than this site would cost to acquire." Do you believe this statement is true?

     "Daily press interviews"? I don't hump reporters' legs like so many others in the antivirus world. Heck, I don't even put my phone number in our weekly newsletter! Perhaps Symantec meant their PR team would schedule me for daily leg-humping sessions. [Addendum: our investor wrote this, not Symantec. I stand corrected and I apologize to Symantec for aiming the comment at them.]

     Yes: I believe we'd generate more than $350k per year, or even $1.25 million per year. From what I hear, Vmyths generates some very interesting leads for our sponsor, Mediaweave. We reach a lot of overworked system administrators and a lot of small companies. Those who listen to my audio rants will hear me pitch for Mediaweave at the end. [Addendum: I meant to say we could generate such value for a computer security firm. Mediaweave doesn't benefit nearly as well from their sponsorship, and so our investor continues their search for a buyer.]

     It appears we've got a truly fanatical following among the English-speaking militaries & intelligence agencies. The U.S. alone has created a massive new bureaucracy; they'll need a lot more computers and a lot more security as a result. In a world of computer security hype, the savvy worker bees will want to hear the truth, and we do everything we can to make Vmyths ring true.

     We've also got a following among computer talk show hosts on low-watt radio stations. I do my audio MP3 rants for their benefit because the big antivirus vendors abandoned them some years ago. No offense to the industry, but they've grown too big to court the small talk shows like they used to. My rants play for free on low-watt stations, most of them are comedy gems, and you can't beat it.

  6. What are your medium- and long-term plans for Vmyths?

     FYI, I put the near-term plans on hold for a reason I won't discuss.

     Scratch one long-range goal. White House fearmonger Richard Clarke is rumored to be on his way out, two years earlier than I expected. (Last year I predicted he'd exit right after the 2004 presidential election.) Clinton & Dubya's counter-terrorism advisor couldn't stop fantasizing about Osama bin Laden's cyber-attack plans, and thousands died in the World Trade Center for it. More than a few "doers" in Washington dismiss Clarke as an articulate leech who knew where all the beltway skeletons were hidden. Yeah, he leveraged himself way above the Peter Principle, but I think Vmyths deserves partial credit for exposing him.

     In 2003-04, I want to set up an archival service (much like [vulgar website name]) where people can do research on computer security hype. We're probably talking 1,000 subscribers at $100 a year. It would be an important niche for Fortune 500 computer security teams. Robichaud gave Mediaweave the okay to build the service into Vmyths. The work goes slowly and is currently on hold.

     I originally planned to double the editorial budget this year. Ironically, I can achieve my goal by expressing it as 2 x $0. :-) I wanted to bring on at least one more columnist, plus I'd already negotiated to print Rob Slade's reviews of awful computer security books. I won't accept columns unless Vmyths can pay for them. The truth deserves at least a stipend, and that's what stops us from expanding right now.

     In the long term, in 2007, I want to put Vmyths on trial for its life. Too many things exist when they have no reason to exist — you know, like the U.S. government's Y2K survival coordination center. What if computer security hysteria drops to a manageable state by 2007? Or what if a young upstart website defeats hysteria much better than we do? Could the world live without Vmyths? [Addendum: I meant to say "when they no longer have a reason to exist."]