Jun 07 2009

Obama part 3: a plagiary of President Clinton’s virus hype, 11 years later

In 1998, I bashed President Clinton’s speech where he made a hysterical assertion that “[criminals] extort money by threats to unleash computer viruses. If we fail to take strong action…” Clinton then announced a directive inspired by a flawed presidential report.

Eleven years later, President Obama repeated history in a speech where he made a hysterical assertion and then announced a directive inspired by a flawed presidential report.

Obama’s cybersecurity speech is essentially the same as Bill Clinton’s speech 11 years ago — right down to the debut of a flawed presidential report…

In part 1 and part 2 of this series, I revealed Obama spouted an urban legend about cyber-terrorism and he spouted a bizarre “$1 trillion” guesstimate for computer crime.

But where did the president get this hysteria? Obama’s top intelligence advisor all but admits it didn’t come from government sources. Obscure footnotes in the president’s report reveal:

  • Obama’s “$1 trillion” guesstimate came from a McAfee press release — a company not involved in economic assessments.
  • Obama’s urban legend that “cyber attacks have plunged entire cities into darkness” came from a SANS newsletter that cited a CIA analyst who gave absolutely no details whatsoever.

This forces us to ask two philosophical questions. First, why didn’t Obama’s cybersecurity report cite a respected government economics expert? Second, why didn’t Obama’s cybersecurity report directly cite the CIA analyst who gave absolutely no details whatsoever?

Remember this, folks. Obama’s “$1 trillion” guesstimate comes from McAfee, the very same company that insists email spam contributes to global warming — and that secretly armed China with computer viruses at a time when the White House ironically feared China would attack the U.S. with computer viruses.

The flaws in President ~~Clinton~~ Obama’s cybersecurity report fail to impress me, and the hysteria in President ~~Clinton~~ Obama’s speech fails to move me. Enough said.

May 28 2009

French expert gets duped, goes “nutty professor,” spouts hysteria…

Let’s begin with a straightforward statement. McAfee expert Francois Paget got duped by a YouTube video, he went “nutty professor,” and he wrote a hysterical blog about it on McAfee’s official website (archived here).

And then, just for good measure, Paget touted a new McAfee product that can protect you from being duped— protect you from the hysteria he— protect you from the threat he concocted— oh, never mind.

It disturbs me that Francois Paget got duped so easily. Memo to Paget: click here.

Wired pundit Kevin Poulsen exposed Paget’s stupidity in a rather blistering story. Poulsen reveals a German “viral video” production firm conceived the “Blair Witch” script to promote (get this!) a conference for video gamers.

It disturbs me that Paget got duped so easily. A quick glance at the video stats reveals it’s been watched more than a million times in just the last half-year. Clue, anyone?

If this was a genuine SCADA attack, all the SCADA hype-meisters out there would have pounced on this video the very day it came out. Why, then, would Paget be the first expert to label it a SCADA attack a half-year later? How could he not realize this?

Did Paget do basic research to learn where this SCADA attack took place? No. Did Paget do basic research to learn which hacking group took credit for this SCADA attack? No. Did Paget do basic research to learn how this hacking group pulled off their SCADA attack? No. Did Paget do basic research to learn…

Hey, you know what I just did? I did some basic research on Paget for this column. “Basic research, Rob? That’s amazing!” Thanks for the facetiousness but, really, it was nothing. Anyway, I came across Paget’s LinkedIn profile (or at least a cleverly disguised hoax profile which, according to Paget, is as good as the original.) He’s worked at McAfee since at least 1993 when he—

—waitaminit, I just got an email from the Frenchman. It reads:

“Dear Rob, I heard that you work for the CIA. Can you give me some details on how NCIS agent Timothy McGee hacked into your CIA network so easily? TIA! All my love, Francois.”

Even worse for Paget’s stupidity level — you can watch the YouTube video in high def. That’s what we call “a subtle clue.” Al Qaeda’s movie studio couldn’t possibly match Hollywood’s infinite resources to produce HD video. Heck, you can’t even watch this staged remote-control diesel engine attack in high def.

(Hmmm. You know, I couldn’t have bashed Paget so easily if he’d used the diesel engine attack video. Lucky me.)

The production company calls it a “viral video.” Sadly, Paget got infected. And McAfee spread the virus through their official blog. Much to the production company’s delight, I’m sure.


Let’s run with this absurdity, shall we? Let’s pretend Paget got duped by the trailer for the new movie “Pontypool”:

Last week, I discovered a video posted on YouTube. We can see an entire town getting infected by a virus that spreads via the English language. Two guys having a conversation can spread the virus! I have some doubts about the technical aspects of a virus spreading through the spoken word. But fake or not, the video confirms that terrorists have got their eyes on lexicon viruses. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern language is more vulnerable than ever…

Or hey, what if Paget got duped by the movie “Eagle Eye”? Or what if he got duped by this episode of “Fringe”? Or what if he got duped by the movie “Fatal Error”?

It’s a “viral video.” Sadly, Paget got infected. And McAfee spread the virus through their official blog…

Or — good grief, what if Paget got duped by the new “Land of the Lost” comedy? “I have some doubts about the technical aspects of using tachyons to travel instantly through time and relative dimensions in space. But fake or not, this movie trailer confirms that terrorists have got their eyes on TARDIS machines…”

(“Uh, Rob. You mixed up ‘Land of the Lost’ with ‘Dr. Who.’” I did? Crud. I should have done basic research before I wrote that last paragraph. But no matter! Paget will agree with me that the Enterprise is the same as the Jupiter II and Joey from “Friends” was as good a starship driver as Sulu was in “Galaxy Quest.”)

Run with it, folks! Make up a parody of Paget’s blog and post it as a comment to this column. Or post it on your own blog and throw me a pingback. Let’s tear a pound of flesh out of this hysteria-monger.


If we follow Paget’s {ahem} “logic,” then the solution to our woes is simple. We just need to get McAfee to sponsor these horrific viral videos.

Seriously! If you’re a fan of the TV show “24,” then you know Cisco firewalls stand strong while everything else of a cyber nature collapses as part of a diabolical Hollywood plot line. The only reason Cisco firewalls are impenetrable is because Cisco sponsors the show.

So. By Paget’s {ahem} logic, if McAfee sponsored every SCADA attack video, then our problems would be solved!

“I have some doubts about the technical aspects of a firewall standing up to a SCADA attack just because McAfee sponsored the video production. But fake or not, those videos will confirm that terrorists cannot get past the security of McAfee software…”

You know what’s really sad about all this? Every absurdity in this column passes muster if we follow Paget’s {ahem} logic.

Folks, something bad is happening at McAfee. First David Milam goes insane; now Francois Paget. And I finally understand why.

Last week, you see, I discovered a video posted on YouTube. It shows how an entire company can get infected by a disease that spreads via the act of breathing. Two guys breathing the same air can spread the disease! I have some doubts about the technical aspects of a disease spreading this way. But fake or not, the video confirms that terrorists have got their eyes on making us suffer this disease…

Apr 27 2009

Hysteria in the making? Computer security experts lack focus on Twitter

Intelligence officials use the term “stovepipe” to describe “several ways in which raw [computer security] intelligence information may be presented without proper context… The lack of context may come from a particular group, in the [computer security] structure, selectively presenting only that information that supports certain conclusions.”

Multiple employees spout their personal opinions on McAfee’s official Twitter account. How long will this lack of corporate discipline continue?

In short, a “stovepipe” problem can lead to mass hysteria. And I’ve got a sneaking suspicion Twitter will help foment hysteria when the next media-darling worm or virus comes along.

On the corporate side, the context of any tweet about the latest worm will quickly get lost in the din of tweets about booth bunnies, white papers, and the occasional vetting failure.

“What’s a vetting failure, Rob?” It occurs when a company doesn’t limit / review official communications before release. For example, multiple non-PR employees use McAfee’s Twitter account to broadcast their own personal opinions. Their lack of discipline is a vetting failure in the making as we can see in this example from 27 Apr 09:

McAfeeAvertLabs: Hi! If you think I add value to your network, do drop me a recommendation at http://mrtweet.com/McAfeeAv… Much appreciated!

McAfeeAvertLabs: we just started following @MrTweet…. might take a few days! my bad!

Then, of course, McAfee tweets commercial advertisements (aka “spam”). This fact raises two philosophical questions. First: does a mature firm in the computer security industry need to advertise to offset the cost of a free service like Twitter? Second: why do some reporters feel compelled to subscribe to computer security spam?

It’s only a matter of time before we learn McAfee’s official stand on abortion & gun control…

On the personal side, the computer security experts themselves seem far too wrapped up in their own celebrity status. The context of any tweet on the latest worm will get lost in the din of tweets about their speaking engagements and the bad airline food they endured. Check out these actual tweets from computer security experts:

  • Mark Sunner (MessageLabs): “if you loved the lion the witch and the wardrobe et al then you will find this book mesmerizingly insightful http://www.planetnarnia.com/”
  • Costin Raiu (Kaspersky Labs): “Tried a Segway for the first time, with the very nice chaps from segwaybooking.com.”
  • Graham Cluley (Sophos): “can’t believe i missed watching Dr Who live again.. what kind of fan am i anyway? thank goodness for the pvr…”
  • Mary Landesman (antivirus.about.com): “Time Warner: yeah, our service sucks, but we’re a monopoly so we’ll just charge more and give less. Congressman fights back. http://tiny …”
  • Mikko Hypponen (F-Secure): “Hey, since when has Twitter automatically converted ‘normal’ links to Tinyurls? My previous tweet should have pointed to f-secure.com…”
  • Costin Raiu (Kaspersky Labs): “20 people at the Shuntaint presentation, where is everybody else?”

Yes yes yes, I’ll grant you the fact these experts opened their own personal Twitter accounts. Yes yes yes, I’ll grant you the fact they can say just about anything they want. But it doesn’t change the fact their tweets lack focus.

McAfee uses Twitter for spam to help pay for all those free tweets they send out. Their own website just can’t support their PR needs…

To put it simply: computer security tweets lack focus at both the personal and corporate levels. And that’s bad news for us. Undisciplined experts can easily generate hysteria with a “speak first, ~~think~~ ignore later” tweetitude.

On the bright side, reporters might soon get tired of all these unfocused tweets … and stop following the potential hypemongers.

Take computer security reporter John Leyden, for example — his Twitter account follows McAfee Avert Labs and MessageLabs bigwig Mark Sunner and Sophos bigwig Graham Cluley. Do you honestly think Leyden cares about McAfee’s official stand on abortion or Sunner’s latest book review for Home Schooling magazine or Cluley’s inability to time-shift a TV time traveler?

It’s only a matter of time before Leyden himself realizes he doesn’t care about these unfocused tweets … and stops following the potential hypemongers. Let’s just hope he stops following them for the right reasons.

(I suspect he will, given the fact he follows the Vmyths Twitter account…)


Vmyths suffered a similar problem in the early 2000s when I expanded this website both to critique the antivirus industry in general and to serve as an outlet for my computer security humor.

Tabloid reporters may follow a computer security expert’s unfocused blogs & tweets.

Respectable journalists must stop the practice.

I finally launched SecurityCritics and HumorControl so Vmyths could return to its paladin roots.

But hey, let’s not overlook the fact I myself lack focus in my totally personal blog. I opine on everything from computer security to local gas price gouging to the amazing poker hands I’ve been dealt to a newly minted word to describe Wikipedia.

The key here is that I don’t view my personal blog as something that will change the world and I don’t see myself as wrapped up in my own celebrity status. (Well, except maybe here I do, but that’s it.)

I try to change the world through my focused efforts at Vmyths, SecurityCritics, and (yes!) HumorControl. If you subscribe to my personal blog, I urge you to review all of your blog/tweet subscriptions to see which ones lack focus. If any other computer security experts out there claim they don’t use Twitter to change the world, then be sure to cancel your subscriptions to their tweets as well.

Remember those hysterical chain-letter emails? Now imagine hysterical chain-letter tweets … from the experts themselves.

If, on the other hand, you subscribe to my personal blog because you’re that totally amazing lover who gently cradled me in her arms during that horrific time of grief after my wife died … yes honey, you follow my blog for all the right reasons and I can’t thank you enough for our wonderful midwestern tryst and I could sure use another digital snapshot of you as the previous one got, uh, “messed up” along with my keyboar—

—ahh, but you’ll notice I lack focus in the previous paragraph. {ahem} Let’s not digress. (And let’s not tell anyone about my keyboard spills, okay? Thanks, I appreciate it.)

Let’s hope the rest of the computer security industry realizes their lack of focus on Twitter … before they plunge into an intelligence stovepipe when the next media-darling worm or virus comes along.

Apr 18 2009

A “get well soon” card for McAfee’s chief marketeer

I don’t recall mentioning it before on this website but, when I give lectures, I sometimes talk about the fact I send stamped envelopes to the people I lambaste in my most vehement critiques.

My very best envelopes contain things like the original first draft of my column with markups or perhaps the original audio script with markups. My wife used to keep a stash of Hershey bars in the fridge and I’d purposely lick the envelope flap with a chocolate-stained tongue — a hidden symbolic insult that “my job forces me to taste the brown-tinged guesstimates you keep pulling out of your butt.”

McAfee CMO David Milam will receive this “get well soon” card. (The aspirin and the toothpaste are for me.)

If an envelope doesn’t merit my brownish spit, then it will probably only contain a printout of my published column. I’ll highlight the person’s name with a marker and I’ll toss in one of my business cards. Then I’ll microwave a cup of chicken noodle soup before I lick the envelope — a hidden symbolic insult saying “get well soon.” It’s my version of a get-well card.

Then I go brush my teeth. Or wash my hands. Or take a shower. Know what I mean?

This morning I received an email from … well, I know he’d appreciate the anonymity. Let’s just say he attended one of my military lectures and he’s been a fervent reader ever since. He applauded me for the comedy in my latest column, then asked “will you be sending [McAfee CMO David Milam] an envelope?”

Hmmm! I didn’t think about it until this email came in. But since he brought it up … I cooked a scrumptious bowl of Maruchan Ramen for breakfast. Chicken flavor. Seasoned just the way I like it with {burp} oregano & chives plus a hint of crushed red pepper.

Milam will receive my envelope sometime this week. Let’s hope he gets well soon. After all: a mind is a terrible thing to waste…

Apr 17 2009

“Email spam is destroying life on earth,” but McAfee’s anti-spam software can save our planet

Antivirus vendor McAfee issued a truly bizarre report that claims spam releases 17 million metric tons of CO2 into the atmosphere each year.

Pardon me while I repeat the previous sentence: “spam releases 17 million metric tons of CO2 into the atmosphere each year.”

Irony, anyone? McAfee’s press coverage released 104.37K tons of CO2 into the atmosphere. It’s the equivalent of 46,500 Vmyths columnists debunking McAfee’s calculations since 1988…

My jaw hit the floor when McAfee trumpeted this absurdly precise cause-and-effect between spam and greenhouse gases. My first thought was, “which world-renowned experts on greenhouse gases vetted this report?”

{sniff} I smell a massive pile of False Authority Syndrome here, folks. This paltry 12-page “scientific” report blames unsolicited commercial emails for 1/500th of all the carbon dioxide pollution we humans spew into the atmosphere each year. The “references” section itself is a scant one page long. Heck, the title page takes up as much space as the references!

Listen to me carefully — you are tin-foil-hat insane if you actually take this report at face value. Ask the men with the butterfly nets to drive you to their happy town. Oh, and click here for some important advice.

How on earth did an antivirus firm come up with this idea in the first place? I’m guessing McAfee’s chief marketing officer, David Milam, scores way better drugs than the rest of us. I can only imagine the pitch he gave to a smoke-filled board room:

“Look, guys. You’re the board of directors, right? You know spam burns a lot of finance and productivity among our customers. Well, my kids were watching Sesame Street the other day and {inhales deeply} Oscar was burning some trash in his garbage can {exhales} and that really pretty human chick walks by, you know the babe I’m talkin’ about, right? Well, she starts chiding Oscar for adding greenhouse gases to the atmosphere. And I’m thinking {inhales deeply} spam is a waste of electricity and {exhales} power plants burn a lot of fossil fuel and I’m thinking, wow, spam must be a big reason why we spew greenhouse gases into the air! So I think it’d be a great idea to spend some money to hire a climate change consultant and a spam expert…

I swear I don’t make this stuff up — McAfee’s report declares their “state-of-the-art spam filter” software can eliminate nearly one out of every 500 particles of CO2 humanity releases into the atmosphere each year. I quote directly from McAfee’s report:

If every inbox were protected by a state-of-the-art spam filter [like the one McAfee sells], organizations and individuals could reduce today’s spam energy by approximately 75 percent or 25 TWh per year. That’s equivalent to taking 2.3 million cars off the road.

Folks, if that’s not computer security hype, then I don’t know what is.


Let’s enjoy ourselves for a moment, shall we? Let’s take McAfee’s absurdist claims at face value and take the logical next step.

McAfee’s report actually claims their spam filtering product can eliminate nearly 1/500th of all greenhouse gases currently released into the atmosphere each year. But as we all know, spam’s not the only computer security problem we’ve got out there.

Take March Madness, for example: it threatens the survival of our planet with greenhouse gases and it destroys billions of U.S. dollars in lost productivity. McAfee could issue a “green” report saying:

If every computer was protected by a state-of-the-art March Madness filter, organizations and individuals could reduce today’s wasted energy by approximately 75 percent per year. That’s equivalent to taking 2.3 million cars off the road.

Or take political TV advertising, for example: it threatens the survival of our planet with greenhouse gases and it destroys billions of dollars of hard-earned money. McAfee could issue a “green” report saying:

If every television was protected by a state-of-the-art political advertising filter, organizations and individuals could reduce today’s wasted energy by approximately 75 percent per year. That’s equivalent to taking 2.3 million cars off the road.

“C’mon, Rob. That’s absurd.” Exactly my point. And so is McAfee’s report.

Memo to McAfee CMO David Milam: my “tin foil hat” assessment applies to you. Click here for some important advice…

Mar 31 2009

Two months later — antivirus firms remain blasé over Conficker / Downadup worm

I showed you way back in early February how the antivirus firms remained calm & cool during a round of media hoopla over the Conficker / Downadup worm. Nearly two months have passed since then. It’s now the end of March … and the antivirus firms remain calm & cool.

In other words: nothing has changed.

IBM ISS reports “AlertCon 1” (normal) on 31 Mar 09 at 2105 ET

In all that time, IBM’s Internet Security Systems never raised its Internet threat level above “normal.” In all that time, Kaspersky Labs never raised its assessment of the worm above “moderate risk.” In all that time, McAfee never raised its global threat condition due to Conficker / Downadup. In all that time, the SANS Internet Storm Center never raised its Internet threat level above “green.” In all that time, Symantec never raised its ThreatCon due to Conficker / Downadup. In all that time, Trend Micro never posted a medium- or high-risk alert over the worm.

And what about antivirus vendor Sophos? Well, in the days leading up to this latest hoopla … they fretted more about Russian brides than the Conficker / Downadup worm.

I still can’t recall a time in the last twenty years when so many antivirus firms remained so calm during a media circus. A second media circus, no less. Color me stupefied.

Feb 14 2009

Obama’s intelligence chief coughs up bad cyber-intel

I’ve written on computer security hysteria for twenty years and I can tell you this: the U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

The problem isn’t in the size or the scope of the numbers. Rather, the feds can’t settle on a ballpark figure and they refuse to show their homework. I believe the former problem stems from every bureaucrat’s desire to mouth their very own brown-tinged guesstimate … and we know the latter problem stems from every bureaucrat’s desire to overclassify their use of public domain knowledge sources.

Obama’s intel chief can do nothing more than quote wild dollar values spouted by two companies — one of them not even involved in economic assessments.

The latter problem encourages a bizarre situation that begins when Fearmonger “A” confidently gives reporters a number he pulled out of his butt, and no reporter calls him on it. Fearmonger “B” reads it in the newspaper and says “I’ll use the number from ‘A’ as my own ballpark figure,” and no reporter calls him on it. Fearmonger “C” reads both numbers online and says “I’ll average the numbers from ‘A’ and ‘B’ when I give lectures,” and no reporter calls him on it. Fearmonger “D” finds those three numbers in a Wikipedia citation and says “I’ll normalize the values from ‘A’ and ‘B’ and ‘C’ in my master’s thesis,” and his professor doesn’t force him to disclose where the “raw data” came from…

For the very longest time — and by that I mean for well over a decade — no one bothered to collect empirical data for their guesstimates, not even the feds. But hey, a complete lack of data never stopped bureaucrats from pulling numbers out of their butts and using newspaper stories as their primary source of expertise. Pray tell, who can forget White House cyber czar Richard Clarke’s famous flip-flop before a senate subcommittee in 2002?

Richard Clarke addresses a senate subcommittee, 13 Feb 02:

“We estimate that last year alone, $12 billion were required to clean up the mess from [cyber] attacks in the U.S. economy…”

“And yet we don’t know that officially, and I can’t tell you officially the names of these banks and companies that were hit, because the only way we know is through the rumor mill.”

Let me repeat myself, folks. The U.S. federal bureaucracy has never produced a good economic figure for computer security damages. It’s all about hype, not accuracy.

Okay, so now along comes Barack Obama with his “open” government. He picks Dennis Blair as his top intelligence advisor. Blair gives his first congressional briefing almost seven years to the day after Richard Clarke’s famous flip-flop. What kind of numbers does Blair’s solar calculator yield?

Dennis C. Blair: “Ferris Research estimates that the total cost of spam and all of the types of fraud that take advantage of spam’s impact is $42 billion in the United States and $140 billion worldwide in last year, while McAfee estimates that global companies may have lost over $1 trillion worth of intellectual property to data theft in 2008.”

I, uh … well, okay: I expected Blair to pull numbers out of his butt. Instead, he all but admits the entire U.S. intelligence community lacks data concerning one of the five most important threats America now faces. The mighty Blair himself can do nothing more than quote wild dollar values spouted by two companies—

—one of them not even involved in economic assessments. What’s wrong with this picture?


We’re talking about the new head of U.S. intelligence, a career naval leader with underlings who knew well enough to publish a detailed Congressional statement less than a month after he took the oath of office. And yet these underlings couldn’t muster up the nerve to ask the Commerce Department for authoritative figures from a government statistician with a PhD in economics?

We’re getting bad intelligence from the head of U.S. intelligence, folks. And bad intel is worse than no intel at all.

I wish someone on the committee had asked Blair how McAfee derived that $1+ trillion guesstimate. The transcript of his response might read something like this:

“Well, uh, you see, these guys, they— they analyze malicious software code all day long. And I imagine a lot of the damage was caused by the offensive cyber warfare technology that McAfee freely turned over to the Chinese government right under our very noses. So, um, they’re eminently qualified to be global claims adjusters. If I was, you know— an, an insurance firm, and these ‘combat coders’ at McAfee told me that I owed the world over a trillion dollars— I’d certainly be inclined to believe the accuracy of their figures…”

Obama took office on a mandate to “change” government. And yet he picked an intelligence director who takes computer security rhetoric at face value. That’s straight-up status quo, folks.

Memo to Dennis Blair: I cannot believe you cited McAfee. Seriously, Admiral: your underlings let you down. Ask the NSC to brief you on McAfee’s deep involvement in arming China with cyber smallpox technology. You’ll discover the NSC called me in March 2001 for details. Called my home. At 7am…

Feb 05 2009

Weeks later — antivirus firms remain blasé over Downadup worm

The media seems to have walked away from the Downadup worm. Oh, sure, they still write stories … but today’s headlines fail to whip up any excitement. The key to it all? Major antivirus vendors continued to remain blasé after the column I wrote more than two weeks ago.

I honestly don’t remember when so many antivirus firms remained so calm during a media circus…

Take McAfee, for example. They finally changed their “breaking advisory” notice — yet as before, it makes no mention of Downadup:

“Microsoft has posted their Advance notification for the February 2009 bulletin release (releasing February 10). This release will include two ‘Critical’ updates (Internet Explorer and Microsoft Exchange). Updates for Microsoft SQL Server and Visio will be includef [sic] as well. All four bulletins carry a potential impact of remote code execution.”

“Potential impact”? What could be more potential than bazillions of infected zombie machines all waiting for their devilish master to command them? It almost defies description to see McAfee this calm.

Indeed, I honestly don’t remember a time in the last twenty years when so many antivirus firms remained so calm during a media circus. Color me stupefied.

Jan 21 2009

Media hype going up; vendor hype going down

A new headline at PC Magazine calls the Downadup worm an “epidemic.” Other news outlets have latched onto the story with similar weasel words and trigger phrases. If you take the “growing exponentially” claims at face value, then throw away your PC right now because we’re doomed. Experts predict this worm will infect at least 8.7 billion PCs by Sunday.

The antivirus firm behind the hype is now offering prizes to people who test their new product. “Wow, that’s really cool!” F-Secure doesn’t want all that global media exposure to go to waste, you know…

(“One computer for every dollar the ILoveYou virus cost, eh Rob?” Exactly! You’re catching on.)

In other words, I may have been mistaken in yesterday’s “died on the vine” comment. The media has waited a very long time to orgasm over a virus story and I once again wonder if they can hold back their ecstasy…

…Except there’s a tiny little problem. The antivirus vendors just don’t seem interested in it!

Take Symantec, for example — they actually lowered their ThreatCon status today from “2” (elevated) to “1” (normal). Kaspersky Labs still describes Downadup as a “moderate risk.” Neither McAfee nor Trend Micro has updated their alert pages. SANS continues to show a “green” Internet threat level. About.com virus expert Mary Landesman tackled a different subject in today’s column.

Symantec lowered their ThreatCon status today as media hype continued to build over the Downadup worm

And F-Secure…

Hmmm, F-Secure. You know, I don’t think F-Secure will like the rest of my column.

F-Secure — the antivirus firm behind the “nine million” estimate — announced they released a “Removal Tool” for the Downadup worm. Oh, and be sure to check out their new beta security product! “Feedback enrolls users into prize giveaways,” F-Secure bragged. “We recently received another batch of our very popular laptop stickers, so as a bonus, we’ll pass along a stack to Tomi [from the Customer Involvement Team].”

Waitaminit. Laptop stickers?!? Pardon me while I say “wow, that’s really cool!”

Folks, the press wants us to believe there’s a global “epidemic.” So what does F-Secure do with all the media attention they whipped up? Why, they turn it into an opportunity to recruit beta testers for a new product!

{sniff} Do I smell something familiar? Or did I just forget to flush the toilet?

Jan 20 2009

Believe it — reporters yawned over nine million infected PCs

My original notion for this column centered on the media hysteria I expected from F-Secure’s huffing over variants of the Downadup worm. Quoting from a (level-headed) story in The Register:

[The Downadup worm] that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million. The astronomical growth stunned some researchers, although others cautioned the numbers could be inflated since the counting of infected computers is by no means an exact science. Most agreed F-Secure’s estimate was certainly plausible and if it proved to be correct, represented a major development in the world of cyberthreats.

6.5 million newly infected PCs, you say? All of them whacked in a four-day period? Hmmm. The timing of this makes me wonder how many of those PCs showed up under the plastic tannenbaum.

Yet it would seem my worries about hysteria have died on the vine. Consider the following:

The media yawned when F-Secure claimed the Downadup worm tallied another 6.5 million PCs in a four-day period…

Snapshot of Trend Micro website 1/19/09

Trend Micro displayed NO medium- or high-risk alert on their 'vinfo' page

Only Kaspersky Labs seems to have given F-Secure some shrift when they announced a virus alert on their website. Yet they only identified it as a moderate risk. So, uh … let’s call it “short shrift” and leave it at that.

The media, too, seems to have collectively yawned over F-Secure’s declaration. One CNN Headline News anchor — dare I say it? — almost smirked while reading from the teleprompter. (In all fairness, it isn’t the first time a CNN mannequin has smirked or spoken in an upbeat tone about a devastating computer virus attack.)

This non-media circus reminds me yet again of Aesop’s fable of the boy who cried wolf. F-Secure, on the other hand, will doubtless call up the Cassandra fable to dismiss any accusations of wolf-crying.

One quote in The Register’s story leapt out at me for its irony:

“This thing has gotten way out of hand,” said Paul Ferguson, a security researcher for anti-virus provider Trend Micro who has spent the past several weeks tracking the worm’s progress. “It seems pretty spectacular to me that there could be that much growth.”

I dismiss Ferguson’s quote as ironic because Trend Micro’s “vinfo” page hasn’t declared a medium- or high-risk alert. How can we take him at face value when his company doesn’t even wail about it on an alert page?


Antivirus vendors and computer news reporters have certainly suffered a drought of hysteria in the past few years — and I myself fret that we’re due for another hystericane.

Why, then, hasn’t the Downadup worm generated “the perfect storm” of media hysteria?

The answer may lie in an amazing buildup to America’s “double major holiday.” Yesterday was Martin Luther King Jr. Day while today sees the inauguration of Barack Obama. News organizations appear highly focused on the orgasm of festivities in Washington, DC—

—and the media’s infatuation with U.S. politics may have simply overshadowed everything else of importance.

“You sound a bit facetious, Rob.” Yeah, okay: you caught me. Longtime readers will recall the fact government experts reminisce about the Nimda worm as a global catastrophe that cost billions of dollars and that would have qualified as one of the worst acts of cyber-terrorism ever caught on tape. And those experts still bemoan the fact it didn’t get much airplay … because it came just one week after the equally devastating physical terrorism of 9/11/01.

First Nimda; now Downadup. This leads me to ask a philosophical question. “Why do the world’s most devastating computer security attacks always seem to take place when reporters are too preoccupied to give them the attention they truly deserve?”
