Hoaxes, myths,
urban legends




About us


Truth about computer security hysteria
Truth About Computer Security Hysteria

mi2g has no sense of humor, part 2

Rob Rosenberger, Vmyths co-founder
Monday, 26 July 2004

[Editor's note: it will help if you first read part 1 of this series.]

Rob Rosenberger IN THE ORIGINAL version of mi2g's press release, they denounced the Bugtraq and VulnWatch mailing lists for distributing the parody. Yet a Symantec employee[1] wrote to Vmyths to insist "the content in question was never approved to Bugtraq and does not appear in our archives." VulnWatch moderator Chris Wysopal likewise insists the parody didn't go out to VulnWatch subscribers.

mi2g's press re­lease de­nounced secu­rity sites by name for dis­tri­bu­ting a "hoax" to their readers. But two of the named sites didn't do what mi2g accused them of.

Two words: "mi2g erred."

Wysopal complained to mi2g about the errors in their press release. Later, he complained to Vmyths about mi2g's handling of the situation:

Within 24 hours they had changed their website and sent me a note saying that the mailing lists where the original was sent have received an update. There is no admission of mistake however. The words "correction" or "retraction" are not used. They did no fact checking, libeled two respected vulnerability disclosure lists, and in general are defaming the entire free security mailing list and portal community. All because of an obviously psuedononymous posting to an unmoderated list. The insinuation that security and IT professionals make decisions based solely on psuedononymous postings to unmoderated lists is insulting to the entire security community.

Computer security firms in general don't like to apologize ... and mi2g doesn't strike me as a high-road kind of company.

Memo to slandered security sites: don't hold your breath for an apology. mi2g knows you won't sue them for slander borne out of stupidity, and they know the world will forget about it in six months.

Now let's study an apparent error in the current version of mi2g's press release. They claim "a rogue account created by a malevolent party as mi2g-research@hushmail.com has been consistently abused by utilising it as the originator of a number of vulnerability postings."

This accusation confused me — because I scour the Internet each Monday for anything related to mi2g. (It's part of my job as a computer security critic.) "How could so many postings slip by me?" I wondered. So I searched the Internet specifically for mi2g-research@hushmail.com. Do you know what I found?

I found one post: the mi2g parody.

A reliable industry source (anonymity requested) did his own Internet searches. He, too, came up with a single post. He, too, found only the mi2g parody.

How can mi2g claim someone "consistently abused" the Hushmail account in question? How can mi2g claim this Hushmail account was "the originator of a number of vulnerability postings"? Did mi2g make up this accusation thinking no one would challenge it?

Or ... did mi2g merely confuse the concept of "singular" with the concept of "plural"? Let's go back to Merriam-Webster's online dictionary:

singular: 1a: of or relating to a separate person or thing : individual 1b: of, relating to, or being a word form denoting one person, thing, or instance 1c: of or relating to a single instance or to something considered by itself   plural: 1: of, relating to, or constituting a class of grammatical forms usually used to denote more than one or in some languages more than two 2: relating to, consisting of, or containing more than one or more than one kind or class

How can mi2g claim some­one "con­sis­tently abused" the Hush­mail account in ques­tion? Did they make up this accu­sa­tion thinking no one would chal­lenge it?
Or ... did mi2g merely con­fuse the con­cept of "singu­lar" with the con­cept of "plural"?

Does mi2g believe you "consistently used" your email account if you sent one email to a dozen recipients? That you "originated a number of postings" if you sent one email to a dozen mailing lists?

This leads me to once again whine about an "inverse problem of accuracy" that ultimately benefits mi2g. The more Vmyths strives for accuracy, the more we get critiqued for minor things. mi2g, on the other hand, can get away with all sorts of wild claims because they don't strive for accuracy. Our readers turn the screws on us while uncaring reporters turn a blind eye toward mi2g.

MI2G'S PRESS RELEASE wailed about some "ransom demands" they received. I repeat: "ransom demands." Somebody kidnapped mi2g's reputation and their sense of humor and their command of the English language!

I kept getting stuck on the word "ransom." It didn't make any sense — until I realized they meant to say extortion. Let's return to Merriam-Webster's online dictionary:

ransom: 1: a consideration paid or demanded for the release of someone or something from captivity   extortion: 1: the act or practice of extorting especially money or other property; especially : the offense committed by an official engaging in such practice

mi2g needs a dictionary, no doubt about it. Their press release makes more sense when we use the correct word:

Consistent negative publicity on other trusted web sites and security portals has led to the owners of some of those sites to contact many companies, including mi2g, with a view to buying them out in exchange for their silence. [Extortion] demands made have ranged from $250,000 to $1 million to decommission a negative publicity campaign mounted through a particular set of trusted web sites or security portals.

mi2g's vague accusation raised a red flag with me because I've talked at length about Vmyths investor Eric Robichaud's urge to sell out. Did Robichaud pitch an offer to them? If he did, did he use tactics like those described in the press release? If he used such tactics, did he imply I'd stop critiquing mi2g after the sale?

Then I lowered my red flag. I mean, think about it. If you dared to issue a press release about "ransom demands" levied on your own firm ... wouldn't you at least name the "particular set of trusted web sites" that kidnapped your reputation?

If you dared to issue a press re­lease about "ran­som de­mands" levied on your own firm ... wouldn't you at least name the "par­ti­cu­lar set of trusted web sites" that kid­napped your repu­tation?

I lowered my red flag even more when I analyzed mi2g's use of plurals in their vague accusation. "The owners of some of those sites" offered a buyout in return for "their silence" and these "demands" came from "a particular set of trusted web sites or security portals." The consistent use of plurals makes it sound like the mafia runs an extortion ring deep within the computer security industry.

You don't often see this kind of paranoia in a press release. Thorazine, anyone?

AS I SAID, mi2g's press release failed to identify anyone who extorted money to end a "negative publicity campaign." Contrast it with their decision to name those who (supposedly) "passed the buck" in the mi2g parody. What gives?

I'm not the only one who noticed mi2g's glaring omission. VulnWatch moderator Chris Wysopal raised the same questions when he complained to Vmyths about mi2g. "I have no idea of what they are talking about with the 'negative publicity campaign.' Which organizations are the targets? Where are the postings?"

Well, Chris, mi2g identified themselves as one of the targets. They didn't name their kidnapers, but a short list of suspects might include:

  1. Vmyths. We arguably launched the first "negative publicity campaign" at mi2g way back in 1999. I've penned some of my best comedy lines at their expense.

  2. NTK newsletter. They, too, started heckling mi2g and its bombastic CEO way back in 1999. You'll bust a gut laughing at a quote by D.K. Matai in the 12/3/99 edition.

  3. Richard Forno (InfoWarrior.org). He took mi2g to task in a well-received opinion piece. In a rebuttal to TechNewsWorld, mi2g flunky Jan Andresen — one of the few besides Matai who can speak for mi2g — insisted "we disagree with Richard Forno when he refers to our analysis as sensationalist. His 'mathematical masturbation' reference in an article against mi2g in the past suggests that he has an axe to grind and may be acting in the interest of a particular software vendor or lobby."

    (Richard Forno? Acting against mi2g in the interest of a particular software vendor or lobby? Good grief! mi2g viciously attacked Forno's criticism! He's injured! Nurse, get a styptic pencil and a Flintstones band-aid, stat!)

    Chris Belthoff (Sophos)
    "We don't see how they [mi2g] are able to come up with such numbers and would love to be shown the methods by which they are reached."

  4. The Register. This online newspaper enjoys a serious cult following around the world and they sometimes tarnish mi2g in news stories.

  5. PaX. A virus writer who garnered his 15 nanominutes of fame in 2002 at mi2g's expense. He debunked one of their horribly flawed research papers as "full of irregularities and half truths."

So! Which of these suspects issued a wussy $250,000 ransom? Who had the gonads to demand $1 million? Did mi2g's kidnapers insist on Euros or pounds or dollars? Can mi2g count on the two FBI cybercops stationed in England to track down the cyber-terrorist who wrote this diabolical parody?

And why, oh why, didn't mi2g identify the kidnapers in their jaw-dropping "media alert"?

[Continued in part 3]
[second edition]