Inciting Fear for Fun and Profit
For the most part, I enjoy security research. The exception, however, seems to be in dealing with the relatively clueless of our field.
We’ve all met them. The foremost example: the users who’ve been trained that anti-virus is the only tool necessary for security. The ones who make you feel like you’re talking to a parakeet: “ANTI-VIRUS! ANTI-VIRUS! ANTI-VIRUS!” When you inform them of a new vulnerability in a product they use, most, never having heard of patching, will just run an AV update and carry on. They see nothing as a threat. These folks are dangerous. Thankfully, though, vendors are beginning to get the idea, and are moving toward making simple ignorance less of a threat to the internet-at-large. We still have a long way to go, though, so other issues certainly need to be dealt with in the interim.
Perhaps one reason why users react so sluggishly to things is because, no matter who you are, someone will tell you that every bug, virus, exploit, worm, etc., that is uncovered is a grave threat to your systems and will cause them to be taken over by invaders who will steal your credit card number, post your life story to the web, and turn your computer into an evil zombie that will destroy everything in its path at the push of a button. When I read so-called “information” from leading industry fear-mongers, I feel like I’m watching a crappy Sci-Fi movie.
Folks out there are predicting the end of the world. What now, you ask? Well, the Windows WMF bug, of course. Didn’t you know that the WMF bug is going to lead to the “mother-of-e-mail-worms” that will devastate e-mail and render it completely useless? What’s that, you say? A user still has to double-click an attachment, and most would do that anyway? Apparently, that doesn’t matter to some so-called industry “experts”. The worms are coming and they’re going to kill us all!!!
When you present evidence to dispute the claims of these types, they simply dust off an old theory with no relevance to the real world and go on with their claims. These types are almost as much of a threat to the security of the internet as the malware itself. Welcome to the world of the media slut. The sole purpose of this mind-boggling new species is apparently to expand its own following by desperately trying to convince the rest of the world that it is under constant, grave threat.
I’ll share with you now a few gems from those of media slut fame. You can decide which ones sound familiar (care to guess who they’re from? There are a couple of familiar names…):
We could see the mother of all worms here. My big fear is we’re going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that’s extremely virulent.
We’re expecting a virus to appear at any moment, an email-borne virus, because, when you open the email, your viewer shows an image. That can install malware on your machine.
It [a worm] has the ability to propagate very quickly, and it does not require any direct user interaction. I mean, there are many vectors that will get this thing into people’s machines… the good news is there’s something that anyone who knows about this… can do immediately. It’s possible to unregister Windows’ handling of the vulnerable DLL. What will happen is that, in Windows Explorer, the image thumbnails that Windows Explorer would normally show, they will stop functioning. But you want them to stop functioning…
The exploitation code has gone like wildfire across the Internet. So… do this immediately. … The word really needs to get out about this. …This is a big, bad problem.
How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we’re in today.
You heard them… unplug… power down, and… run for the hills!
We can always hope that, one of these days, the reality will dawn on these so-called researchers, media-driven as they are, that one vulnerability will not bring down the internet. Unfortunately, I can’t hold my breath on that one, and it’s about as likely as the “mother-of-email-worms” appearing. Never mind the facts. Those don’t matter. The messiahs are on a mission to save us all from our computers.