Truth about computer security hysteria

Token computer security critic

George C. Smith, Ph.D., Editor-at-large
Tuesday, 7 August 2001

[Editor's note: a Reuters newswire focused on the hysteria behind Code Red's media coverage. I asked editor-at-large George C. Smith what he thought of it. His reply follows.]

THAT WAS THE kind of lame news concoction Vmyths.com exists to pillory. Such articles, when they appear, occasionally after some predicted major fire fails to suitably ignite, try to pass off a type of vanilla corporate news-creature drivel in which the equivalent of an editorial parlor trick is levied upon the audience.

We worry about an Internet meltdown. People who live near Mt. Etna worry about molten lava. Guess who worries more about their plight?

In this specific case, the real critic, colleague Rob Rosenberger, can be reduced to a token presence. Typically, you get one line, usually buried after the dance of the "voices of reason." You know them, those who went on the publicity jag in the first place, stacked up until hurl is induced so that the uplifting tale of how corporate-computer-security-USA did everyone (you gentle reader, the world) a favor, can be equably delivered.

A grab-bag of placating received wisdoms is offered.

The good old "everyone's networks or computers would have crashed if we hadn't hyped it." (The antivirus minister of information, David Perry: "afterwards, that doesn't mean the whole effort was a fraud ... it just means it was successful," he says, drawing comparison between the Biblical Flood-like hysteria and corporate back-scratching over Millennium Bug and Code Red. Some guy from the SANS Institute developed it in somewhat different form.)

The delightful "some of us rely too much on fear as a sales tool, but not me, I think," shuffle. (Marc Maiffret.)

And the always fashionable communal argument-crushing finisher: "you just wait, buddy-boy, something even worse is just around the corner." ("Experts agree that Internet users got off easy with Code Red and that one day another worm, or some malicious program that works and spreads automatically, will come along and be much more devastating.")

Every one of these, bona fide clichés delivered repeatedly and lambasted in "Education, schmeducation."

The second big fault of this reporting is that it includes very little history. There's some mumbling about "wake-up calls" but, mostly, everyone talks as if it's just the first time this has happened, when it's been trotted out regularly over the past half-a-dozen years or so. Third, it doesn't discuss the media's role and its yen for a whiff of the looming disaster story, which makes it easy to game.

Herein lies the central yawning hypocrisy: This media apparatus, incapable of honestly critiquing itself or the industry it is professing to cover in this instance, blames a nebulous "they" in the computer security arena for hyping things. "They rode along — and some, perhaps, went overboard in their self-promotion..." blandly states one selected to be the bearer of burdens and speaker of universal truths. No one names names or gets interestingly specific. That would be too ... rude. There would be unhappiness, name-calling, possible blemishing of reputation, perhaps poison-pen letters to superiors & managing editors, and cynicism would be unleashed to roam the land.

REUTERS EVEN QUOTES the original Code Red fearmonger as one of the voices of probity. It's just too screwed up.

The original Mr. SchadenFreude, Marc Maiffret of eEye Digital Security gets to generously proclaim for Reuters' designated cyber-trouble feeb-of-the-day: "definitely there's a lot of fear-based marketing." Indeed, and he was furnishing it. In two appearances for Zogg-Doofus! "That's what I mean when I say, 'Boom!'" said SchadenFreude in one example. "If [Code Red] goes along what it's looking like, parts of the Net will go down."

And then, the best Maiffret screeching of all, captured by The Register on July 20: "the Internet is about to shut down and you're bickering about nonsense."

Of course, the lancing perception that Reuters doth provide the masses somehow manages to overlook these.

Actually, it's the perfect example of white-bread media posturing. "See, we can have this wonderful polite discussion about hype and the relative merits of the regular yelling of 'Fire!' in a crowded theatre." And then it blithely consigns to the fringe, one whole voice of protest. Paragraph eighteen, two words, "manufacturing hysteria."

And, of course, no proper superciliousness permitted. No really discouraging words for corporate-security America. Blame only FBI NIPC who were possibly egged into it by the same helpful lads who were working the media on the catastrophe angle.

The last big objection. No one discusses how the Internet just might not be that important in the lives of the average American. The impression must be created that if it blows (and, of course, the message always: "inevitably it will"), we're all going to go down in flames. No one questions this assumption.

On Sunday, the Los Angeles Times published a long story on the breakdown of various necessary services which included the statistic that "average Americans spent only 122 hours on-line last year" which is only about 3.5 percent of the time "devoted to media, including radio, TV and newspapers." This in the context of a brief discussion that the import, or promise, of high-tech services, is a bit over-rated.

It would also, doubtless, be refreshing to see the results of a poll which asked the questions: Which potential bad thing concerns you more? Emergency room service that now can ping-pong you between hospitals if you ride an ambulance or require you to wait eight hours for diagnosis and treatment? Or alleged "meltdown of the Internet" by Code Red?

HOW 'BOUT MORE annoying anecdotes from the physical world?

In another piece from the Los Angeles Times, the people who live on the slope of Mt. Etna in Nicolosi seem to worry less about molten lava gutting their town than the self-absorbed media-addicted nuts in America who turn software and hardware trouble into a psycho-neurotic fetish. Some are philosophical about nature and the inability to do much about it. Others are glad Mt. Etna is an active volcano because it means tourism. To another, it's a job ... sweeping up ashes in the town square, a job one can sing a song to. Some hold prayer vigils. Not much hype in evidence, though.

At least you can go out and put yourself in the hospital if you get too close while sight-seeing the lava. But with Net excrement, there's no physical cost, only funny money quotes, tropical monsoons of florid handwringing, predictions of the end of things.

[Editor's note: the Code Red worm carries roughly one-seventh the power of a Mt. Etna eruption.]