Truth About Computer Security Hysteria
mi2g has no sense of humor, part 2
Rob Rosenberger, Vmyths co-founder
Monday, 26 July 2004
[Editor's note: it will help if you first read part 1 of this series.]
IN THE ORIGINAL version of mi2g's press release, they denounced the Bugtraq and VulnWatch mailing lists for distributing the parody. Yet a Symantec employee wrote to Vmyths to insist "the content in question was never approved to Bugtraq and does not appear in our archives." VulnWatch moderator Chris Wysopal likewise insists the parody didn't go out to VulnWatch subscribers.
Two words: "mi2g erred."
Wysopal complained to mi2g about the errors in their press release. Later, he complained to Vmyths about mi2g's handling of the situation:
Within 24 hours they had changed their website and sent me a note saying that the mailing lists where the original was sent have received an update. There is no admission of mistake however. The words "correction" or "retraction" are not used. They did no fact checking, libeled two respected vulnerability disclosure lists, and in general are defaming the entire free security mailing list and portal community. All because of an obviously pseudonymous posting to an unmoderated list. The insinuation that security and IT professionals make decisions based solely on pseudonymous postings to unmoderated lists is insulting to the entire security community.
Computer security firms in general don't like to apologize ... and mi2g doesn't strike me as a high-road kind of company.
Memo to slandered security sites: don't hold your breath for an apology. mi2g knows you won't sue them for slander borne out of stupidity, and they know the world will forget about it in six months.
Now let's study an apparent error in the current version of mi2g's press release. They claim "a rogue account created by a malevolent party as email@example.com has been consistently abused by utilising it as the originator of a number of vulnerability postings."
This accusation confused me — because I scour the Internet each Monday for anything related to mi2g. (It's part of my job as a computer security critic.) "How could so many postings slip by me?" I wondered. So I searched the Internet specifically for firstname.lastname@example.org. Do you know what I found?
I found one post: the mi2g parody.
A reliable industry source (anonymity requested) did his own Internet searches. He, too, came up with a single post. He, too, found only the mi2g parody.
How can mi2g claim someone "consistently abused" the Hushmail account in question? How can mi2g claim this Hushmail account was "the originator of a number of vulnerability postings"? Did mi2g make up this accusation thinking no one would challenge it?
Or ... did mi2g merely confuse the concept of "singular" with the concept of "plural"? Let's go back to Merriam-Webster's online dictionary:
Does mi2g believe you "consistently used" your email account if you sent one email to a dozen recipients? That you "originated a number of postings" if you sent one email to a dozen mailing lists?
This leads me to once again whine about an "inverse problem of accuracy" that ultimately benefits mi2g. The more Vmyths strives for accuracy, the more we get critiqued for minor things. mi2g, on the other hand, can get away with all sorts of wild claims because they don't strive for accuracy. Our readers turn the screws on us while uncaring reporters turn a blind eye toward mi2g.
I kept getting stuck on the word "ransom." It didn't make any sense — until I realized they meant to say extortion. Let's return to Merriam-Webster's online dictionary:
mi2g needs a dictionary, no doubt about it. Their press release makes more sense when we use the correct word:
Consistent negative publicity on other trusted web sites and security portals has led to the owners of some of those sites to contact many companies, including mi2g, with a view to buying them out in exchange for their silence. [Extortion] demands made have ranged from $250,000 to $1 million to decommission a negative publicity campaign mounted through a particular set of trusted web sites or security portals.
mi2g's vague accusation raised a red flag with me because I've talked at length about Vmyths investor Eric Robichaud's urge to sell out. Did Robichaud pitch an offer to them? If he did, did he use tactics like those described in the press release? If he used such tactics, did he imply I'd stop critiquing mi2g after the sale?
Then I lowered my red flag. I mean, think about it. If you dared to issue a press release about "ransom demands" levied on your own firm ... wouldn't you at least name the "particular set of trusted web sites" that kidnapped your reputation?
I lowered my red flag even more when I analyzed mi2g's use of plurals in their vague accusation. "The owners of some of those sites" offered a buyout in return for "their silence" and these "demands" came from "a particular set of trusted web sites or security portals." The consistent use of plurals makes it sound like the mafia runs an extortion ring deep within the computer security industry.
You don't often see this kind of paranoia in a press release. Thorazine, anyone?
I'm not the only one who noticed mi2g's glaring omission. VulnWatch moderator Chris Wysopal raised the same questions when he complained to Vmyths about mi2g. "I have no idea of what they are talking about with the 'negative publicity campaign.' Which organizations are the targets? Where are the postings?"
Well, Chris, mi2g identified themselves as one of the targets. They didn't name their kidnappers, but a short list of suspects might include:
So! Which of these suspects issued a wussy $250,000 ransom? Who had the gonads to demand $1 million? Did mi2g's kidnappers insist on Euros or pounds or dollars? Can mi2g count on the two FBI cybercops stationed in England to track down the cyber-terrorist who wrote this diabolical parody?
And why, oh why, didn't mi2g identify the kidnappers in their jaw-dropping "media alert"?
[Continued in part 3]