Truth About Computer Security Hysteria
Still waiting for JPEGs to kill the InternetRob Rosenberger, Vmyths co-founder
Monday, 18 October 2004
MORE THAN A month has passed since Microsoft released a patch for a devastating, critical, hideous, catastrophic, unprecedented, horrifying, deadly, macabre, serious JPEG image processing vulnerability. Experts started wringing their hands the moment the media started asking for quotes. Russ Cooper (TruSecure) alluded to it as a real version of the Good Times hoax virus. According to a ZDNet story, Mikko Hyppönen (F-Secure) warned his firm's antivirus solution might fail against a JPEG attack.
Vmyths has confirmed the U.S. Army — the most retreat-prone ground force on Earth — stopped allowing JPEGs in emails, strictly as a precaution. To put it simply: they sounded retreat to avoid a bogeyman. (Much to the chagrin of Army public affairs officers who routinely send JPEGs to reporters who ask for them, but let's not digress.) A rumor/joke says a NASA bureaucrat wondered if they should terminate the popular "image of the day" feature on their website, fearing a malicious JPEG might attack people who look at images of Saturn and Mars. No doubt an intergalactic empire wants to infect our computers.
Malicious JPEG exploits have been spotted online, and even JPEG exploit "toolkits" have been spotted. The prophets weep over the coming imageddon, and the pundits muse over what the prophets say, and the Fortune 500 midwives wail in unison, and fraidy-cat soldiers act like damsels in distress...
...yet we've seen no "catastrophic Internet attack that rivets people's attention the way Sept. 11 did," to quote pundit P.J. Connolly.
Hundreds of septillions of cyber-terrorists all over the world want to double-click us into oblivion, yet they resist pulling the trigger for some strange reason. What gives?
Vmyths has kept a champagne bottle on chill since 1999 to celebrate the death of computing. Hey, we want to see the Internet writhe in agony! We thought for sure those 200,000 Y2K viruses would destroy us on 1/1/00. Then we knew the ILoveYou virus would destroy computing for sure. We sold our worldly possessions when the Code Red worm struck. We stopped using banks when the Slammer worm hit. We ran to a fallout shelter when the Blaster worm struck.
Now we've burned our Kodak photo albums over a JPEG vulnerability. Cyber-terrorists all over the world want to double-click us into oblivion ... and we're still waiting to pop that champagne cork. What gives?
[Continued in part 2]