Truth About Computer Security Hysteria
mi2g has no sense of humor, part 2

Rob Rosenberger, Vmyths co-founder
Monday, 26 July 2004

[Editor's note: it will help if you first read part 1 of this series.]

IN THE ORIGINAL version of mi2g's press release, they denounced the Bugtraq and VulnWatch mailing lists for distributing the parody. Yet a Symantec employee wrote to Vmyths to insist "the content in question was never approved to Bugtraq and does not appear in our archives." VulnWatch moderator Chris Wysopal likewise insists the parody didn't go out to VulnWatch subscribers.
Within 24 hours they had changed their website and sent me a note saying that the mailing lists where the original was sent have received an update. There is no admission of mistake, however. The words "correction" or "retraction" are not used. They did no fact checking, libeled two respected vulnerability disclosure lists, and in general are defaming the entire free security mailing list and portal community. All because of an obviously pseudonymous posting to an unmoderated list. The insinuation that security and IT professionals make decisions based solely on pseudonymous postings to unmoderated lists is insulting to the entire security community.

Computer security firms in general don't like to apologize ... and mi2g doesn't strike me as a high-road kind of company. Memo to slandered security sites: don't hold your breath for an apology. mi2g knows you won't sue them for slander borne out of stupidity, and they know the world will forget about it in six months.

Now let's study an apparent error in the current version of mi2g's press release. They claim "a rogue account created by a malevolent party as email@example.com has been consistently abused by utilising it as the originator of a number of vulnerability postings." This accusation confused me — because I scour the Internet each Monday for anything related to mi2g. (It's part of my job as a computer security critic.) "How could so many postings slip by me?" I wondered. So I searched the Internet specifically for firstname.lastname@example.org. Do you know what I found? I found one post: the mi2g parody. A reliable industry source (anonymity requested) did his own Internet searches. He, too, came up with a single post. He, too, found only the mi2g parody. How can mi2g claim someone "consistently abused" the Hushmail account in question? How can mi2g claim this Hushmail account was "the originator of a number of vulnerability postings"? Did mi2g make up this accusation thinking no one would challenge it?
Or ... did mi2g merely confuse the concept of "singular" with the concept of "plural"? Let's go back to Merriam-Webster's online dictionary:
MI2G'S PRESS RELEASE wailed about some "ransom demands" they received. I repeat: "ransom demands." Somebody kidnapped mi2g's reputation and their sense of humor and their command of the English language! I kept getting stuck on the word "ransom." It didn't make any sense — until I realized they meant to say extortion. Let's return to Merriam-Webster's online dictionary:
mi2g needs a dictionary, no doubt about it. Their press release makes more sense when we use the correct word:
Consistent negative publicity on other trusted web sites and security portals has led to the owners of some of those sites to contact many companies, including mi2g, with a view to buying them out in exchange for their silence. [Extortion] demands made have ranged from $250,000 to $1 million to decommission a negative publicity campaign mounted through a particular set of trusted web sites or security portals.

mi2g's vague accusation raised a red flag with me because I've talked at length about Vmyths investor Eric Robichaud's urge to sell out. Did Robichaud pitch an offer to them? If he did, did he use tactics like those described in the press release? If he used such tactics, did he imply I'd stop critiquing mi2g after the sale? Then I lowered my red flag. I mean, think about it. If you dared to issue a press release about "ransom demands" levied on your own firm ... wouldn't you at least name the "particular set of trusted web sites" that kidnapped your reputation?
AS I SAID, mi2g's press release failed to identify anyone who extorted money to end a "negative publicity campaign." Contrast it with their decision to name those who (supposedly) "passed the buck" in the mi2g parody. What gives? I'm not the only one who noticed mi2g's glaring omission. VulnWatch moderator Chris Wysopal raised the same questions when he complained to Vmyths about mi2g. "I have no idea of what they are talking about with the 'negative publicity campaign.' Which organizations are the targets? Where are the postings?" Well, Chris, mi2g identified themselves as one of the targets. They didn't name their kidnapers, but a short list of suspects might include:
[Continued in part 3]