[LINK] The Code Red hype Hall of Shame
Sun, 12 Aug 2001 11:42:09 +1000
The Code Red hype Hall of Shame
By Thomas C Greene in Washington
Posted: 09/08/2001 at 12:25 GMT
Lemme tell ya 'bout
The snakes, the fakes,
The lies, the highs....
We've had no end of entertainment these past weeks with the Code Red and
Red Junior IIS worms. Vast battalions of 'security experts' paraded
eagerly before the press, trotting out their finest doomsday quotes for a
at fifteen minutes of fame. Meanwhile, legions of well-groomed,
academically-inclined twinkies armed with tape recorders and Masters' degrees
in journalism greedily sucked them up, and obediently generated the most
laughable headlines predicting that Code Red would break the Internet.
Yes, it's been fun, but all good things must come to an end. Now that the
has slowed and the US military has reluctantly stood down from DEFCON ONE,
those amusing headlines, sadly, are drying up. So we thought this a good
moment to review the fabulous claims that our esteemed peers have been
But first things first.

Internet survives triple threat

While Code Red was making headlines it
deserved, two concurrent threats to Internet stability went largely
unreported. These were the 'Sircam' Outlook worm, which gobbled up a
tremendous amount of bandwidth, and an underground fire in Baltimore which
obliterated a fat swath of Internet backbone on the US East Coast.
I personally received over 200 copies of Sircam, which often included large
files -- many over 5mb, and two whoppers over 20mb.
So while Code Red was reportedly bringing Western Civilization to its knees
with its Net-destroying scans, the Internet was also fighting off Sircam and a
major backbone fracture. And it handled all three assaults simultaneously
just the sort of resilience it was designed to have.

Snakes and Fakes

We're still at a loss to explain how eEye Digital Security,
which discovered and publicized the .ida hole that Code Red and Code Red
Junior exploit, has managed to escape questioning by the press for its part in
the whole fiasco. Indeed, their role is tantamount to a pharmaceutical
unintentionally releasing a disease germ.
Company staff pick apart IIS on a daily basis looking for obscure holes
their 'Secure IIS' product can fix, and then publicize them aggressively to
market their products. It's an awkward situation: they profit from security
holes, yet they publicize security holes. And as usual, eEye 'Chief Hacking
Officer' Marc Maiffret was making a gigantic fuss on every security list I
subscribe to about the .ida hole just weeks before Code Red appeared.
It's possible that Code Red would never have been developed if eEye hadn't
made such a big deal about the .ida hole. Of course we'll never know if a more
modest approach to putting the word out would have altered the course of
events, but the possibility certainly exists and is worth considering.
The fact that eEye profits from the very security holes it discovers should
have been an issue in the media's Code Red coverage; but to date only The
Register has seen fit to raise it, as we did from the beginning of our Code
Red coverage, here, and again here.
For the most part Maiffret has been a media darling, explaining Code Red to
the rest of the IT press in terms which they can understand and which
avoid controversy. And that's perfectly natural; he'd be a fool to blow the
whistle on himself. The disgrace here is the utter lack of imagination and
technical savvy among the IT press, who ought to have challenged eEye's
strange combination of threat discovery, publicity seeking, and solution
It's not enough to have good intelligence, the principal thing is to apply