[LINK] The Code Red hype Hall of Shame

Bernard Robertson-Dunn brd@austarmetro.com.au
Sun, 12 Aug 2001 11:42:09 +1000


The Code Red hype Hall of Shame
By Thomas C Greene in Washington
Posted: 09/08/2001 at 12:25 GMT
The Register
http://www.theregister.co.uk/content/55/20908.html

Lemme tell ya 'bout 
The snakes, the fakes, 
The lies, the highs.... 
--Tribe 

We've had no end of entertainment these past weeks with the Code Red and
Code Red Junior IIS worms. Vast battalions of 'security experts' paraded
themselves eagerly before the press, trotting out their finest doomsday
quotes for a shot at fifteen minutes of fame. Meanwhile, legions of
well-groomed, academically-inclined twinkies armed with tape recorders and
Masters' Degrees in journalism greedily sucked them up, and obediently
generated the most laughable headlines predicting that Code Red would
break the Internet.

Yes, it's been fun, but all good things must come to an end. Now that the
worm has slowed and the US military has reluctantly stood down from
DEFCON ONE, those amusing headlines, sadly, are drying up. So we thought
this a good moment to review the fabulous claims that our esteemed peers
have been disseminating.

But first things first.

Internet survives triple threat

While Code Red was making headlines it never deserved, two concurrent
threats to Internet stability went largely unreported. These were the
'Sircam' Outlook worm, which gobbled up a tremendous amount of bandwidth,
and an underground fire in Baltimore which obliterated a fat swath of
Internet backbone on the US East Coast.

I personally received over 200 copies of Sircam, which often included large
files -- many over 5mb, and two whoppers over 20mb.

So while Code Red was reportedly bringing Western Civilization to its
knees with its Net-destroying scans, the Internet was also fighting off
Sircam and a major backbone fracture. And it handled all three assaults
simultaneously with just the sort of resilience it was designed to have.

Snakes and Fakes

We're still at a loss to explain how eEye Digital Security, which
discovered and publicized the .ida hole that Code Red and Code Red Junior
exploit, has managed to escape questioning by the press for its part in
the whole fiasco. Indeed, their role is tantamount to a pharmaceutical
company unintentionally releasing a disease germ.

Company staff pick apart IIS on a daily basis looking for obscure holes
which their 'Secure IIS' product can fix, and then publicize them
aggressively to market their products. It's an awkward situation: they
profit from security holes, yet they publicize security holes. And as
usual, eEye 'Chief Hacking Officer' Marc Maiffret was making a gigantic
fuss on every security list I subscribe to about the .ida hole just weeks
before Code Red appeared.

It's possible that Code Red would never have been developed if eEye hadn't
made such a big deal about the .ida hole. Of course we'll never know if a
more modest approach to putting the word out would have altered the course
of events, but the possibility certainly exists and is worth considering.

The fact that eEye profits from the very security holes it discovers should
have been an issue in the media's Code Red coverage; but to date only The
Register has seen fit to raise it, as we did from the beginning of our Code
Red coverage, here, and again here.

For the most part Maiffret has been a media darling, explaining Code Red
to the rest of the IT press in terms which they can understand and which
neatly avoid controversy. And that's perfectly natural; he'd be a fool to
blow the whistle on himself. The disgrace here is the utter lack of
imagination and technical savvy among the IT press, who ought to have
challenged eEye's strange combination of threat discovery, publicity
seeking, and solution marketing.

-- 
It's not enough to have good intelligence, the principal thing is to apply
it well.
-- Descartes
 
Regards
brd

Bernard Robertson-Dunn
Canberra Australia
brd@dynamite.com.au
brd@austarmetro.com.au