The Code Red hype Hall of Shame

Experts achieve 'exponential growth' of idiocy


Lemme tell ya 'bout
The snakes, the fakes,
The lies, the highs....
   --Tribe

We've had no end of entertainment these past weeks with the Code Red and Code Red Junior IIS worms. Vast battalions of 'security experts' paraded themselves eagerly before the press, trotting out their finest doomsday quotes for a shot at fifteen minutes of fame. Meanwhile, legions of well-groomed, academically-inclined twinkies armed with tape recorders and Masters' Degrees in journalism greedily sucked them up, and obediently generated the most laughable headlines predicting that Code Red would break the Internet.

Yes, it's been fun, but all good things must come to an end. Now that the worm has slowed and the US military has reluctantly stood down from DEFCON ONE, those amusing headlines, sadly, are drying up. So we thought this a good moment to review the fabulous claims that our esteemed peers have been disseminating.

But first things first.

Internet survives triple threat

While Code Red was making headlines it never deserved, two concurrent threats to Internet stability went largely unreported. These were the 'Sircam' Outlook worm, which gobbled up a tremendous amount of bandwidth, and an underground fire in Baltimore which obliterated a fat swath of Internet backbone on the US East Coast.

I personally received over 200 copies of Sircam, which often included large files -- many over 5MB, and two whoppers over 20MB.

So while Code Red was reportedly bringing Western Civilization to its knees with its Net-destroying scans, the Internet was also fighting off Sircam and a major backbone fracture. And it handled all three assaults simultaneously with just the sort of resilience it was designed to have.

Snakes and Fakes

We're still at a loss to explain how eEye Digital Security, which discovered and publicized the .ida hole that Code Red and Code Red Junior exploit, has managed to escape questioning by the press for its part in the whole fiasco. Indeed, their role is tantamount to a pharmaceutical company unintentionally releasing a disease germ.

Company staff pick apart IIS on a daily basis looking for obscure holes which their 'Secure IIS' product can fix, and then publicize them aggressively to market their products. It's an awkward situation: they profit from security holes, yet they publicize security holes. And as usual, eEye 'Chief Hacking Officer' Marc Maiffret was making a gigantic fuss on every security list I subscribe to about the .ida hole just weeks before Code Red appeared.

It's possible that Code Red would never have been developed if eEye hadn't made such a big deal about the .ida hole. Of course we'll never know if a more modest approach to putting the word out would have altered the course of events, but the possibility certainly exists and is worth considering.

The fact that eEye profits from the very security holes it discovers should have been an issue in the media's Code Red coverage; but to date only The Register has seen fit to raise it, as we did from the beginning of our Code Red coverage, here, and again here.

For the most part Maiffret has been a media darling, explaining Code Red to the rest of the IT press in terms which they can understand and which neatly avoid controversy. And that's perfectly natural; he'd be a fool to blow the whistle on himself. The disgrace here is the utter lack of imagination and technical savvy among the IT press, who ought to have challenged eEye's strange combination of threat discovery, publicity seeking, and solution marketing.



Next we have the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, and the FBI's National Infrastructure Protection Center (NIPC). While both deserve honorable mention for not hyping the Code Red danger half as badly as the press, they clearly emphasized the wrong aspects of the worm.

As we've pointed out several times, the .ida hole which the worm exploits can yield system-level access to an intruder. This is a far more important threat to Internet security than the fact that it scans aggressively and packets Whitehouse.gov once a month. Unfortunately, CERT and NIPC decided to push the scanning and packeting (DDoS) threats a lot harder, probably because they realized that most media twinks would simply fail to recognize the significance of the real threat.

It was a bad call. While they did need to mobilize the press to publicize the worm in hopes of reaching sleepy admins who hadn't yet patched their machines, they let a very significant security problem go largely unreported, while emphasizing a puff item which the press would be more likely to run with.

People depend on CERT for hardcore security threat assessment; and NIPC's new Director, Ron Dick, has his hands full restoring the Center's credibility, after his predecessor, Michael Vatis, squandered it in pursuit of headlines and photo-ops. Instead, they helped fuel the Code Red hysteria, though, we sense, with some reluctance and possibly with a touch of some very redeeming embarrassment.



We also heard a great deal of FUD from security outfit TruSecure's 'Surgeon General', Russ Cooper, who claimed hysterically to any twinkie journo who would listen that Code-Red-infected machines would scan so aggressively that the Internet would experience "a meltdown."

"If it does slow down as I expect it will, then you won't even be able to get to Microsoft's site to install the patch," Cooper said. "I expect that to happen."

Well, it didn't. Over a million users successfully downloaded the patch, and the rest of the Internet kept humming right along.

And what has TruSecure got to sell us? Why, network security services, of course.



We mustn't forget GRC founder Steve Gibson, who warned in hyperbolic multi-colored lettering that Code Red's "'growth line' is actually exponential!"

We have to point out that only abstract numbers can keep increasing exponentially without limit. Worm infections can't. Since there's a finite number of unpatched IIS machines, the worm's scans increasingly land on already-infected boxes, and after a while we get diminishing returns.

Gibson tried to argue that the infection's growth would be immense and sustained. But as early as 3 August the rate of its spread had begun to decline sharply, because the likelihood of finding a fresh (i.e., unpatched and uninfected) target had fallen off -- well -- 'exponentially!'
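The diminishing-return argument above can be made concrete with a toy finite-population model. The following Python is an added illustration, not code from the original column or from any of the parties it discusses; the address-space size, vulnerable-host count and probes-per-step figures are constructed placeholders, not measured Code Red values. Each infected host probes random addresses; a probe only yields a new infection when it lands on a host that is both vulnerable and not yet infected, so the fraction of useful probes shrinks as the infection spreads.

```python
"""Finite-population model of worm spread.

Added illustration, not code from the original column or from any party it
names. All three constants below are constructed placeholders, not measured
Code Red figures.
"""

ADDRESS_SPACE = 1_000_000   # constructed: size of the address range being scanned
SUSCEPTIBLE = 20_000        # constructed: unpatched, reachable IIS hosts in that range
PROBES_PER_STEP = 50        # constructed: random probes each infected host sends per step


def fresh_target_probability(infected, susceptible=SUSCEPTIBLE,
                             address_space=ADDRESS_SPACE):
    """Chance that one random probe lands on a host that is still unpatched
    *and* not yet infected. This is the quantity that 'falls off' as the worm
    spreads."""
    return (susceptible - infected) / address_space


def simulate(steps, initial=1, susceptible=SUSCEPTIBLE,
             address_space=ADDRESS_SPACE, probes=PROBES_PER_STEP):
    """Return a list of (infected_after_step, new_infections_in_step).

    Expected new infections in a step are
        infected * probes * fresh_target_probability(infected)
    which is proportional to `infected` only while infected << susceptible;
    after that the shrinking pool of fresh targets dominates.
    """
    infected = float(initial)
    history = []
    for _ in range(steps):
        new = infected * probes * fresh_target_probability(
            infected, susceptible, address_space)
        new = min(new, susceptible - infected)  # cannot infect more hosts than remain
        infected += new
        history.append((infected, new))
    return history


def growth_ratios(history):
    """Infected count divided by the previous step's count. A constant ratio
    is what 'exponential growth' means; watch it decay toward 1."""
    return [history[i][0] / history[i - 1][0] for i in range(1, len(history))]


def peak_step(history):
    """Index of the step with the most new infections (the inflection point)."""
    return max(range(len(history)), key=lambda i: history[i][1])


if __name__ == "__main__":
    hist = simulate(20)
    print(f"{'step':>4} {'infected':>10} {'new':>8} {'ratio':>6}")
    prev = 1.0
    for step, (infected, new) in enumerate(hist):
        print(f"{step:>4} {infected:>10.0f} {new:>8.0f} {infected / prev:>6.2f}")
        prev = infected
    print("new infections peak at step", peak_step(hist))
```

With these placeholder constants the infected count roughly doubles each step while infections are rare (consecutive-step ratio close to 2), the number of new infections per step peaks around the midpoint and then falls toward zero, and the total never exceeds the pool of vulnerable hosts. The 'exponential' phase is only the early part of a logistic curve, not a law governing the whole outbreak.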



It didn't take long for veteran tech columnist Robert X. Cringely to get infected with Gibson mania.

"Some experts believe nothing will happen at all but I believe that's just plain wrong," Cringely writes.

"The information I will use to support this assertion was acquired either from those, like Steve Gibson, who have disassembled and examined the Code Red worm or from the officials charged with fighting it, including sources at the CERT data security coordination center at Carnegie-Mellon University, eEye Digital Security, in law enforcement, and at several very large corporations."

Funny how most of those sources are enshrined here in our little Hall of Shame....

"And what happens on the 20th, when the attack cycle begins," Cringely asks rhetorically. "It depends on the number of infected machines and the nature of the chosen target, but the worst case says the Internet simply comes to a standstill and we go back to watching TV and talking on the phone until the 28th day of the month and potentially until every 28th day of the month thereafter."

Yeah, right.



Finally -- saving the best for last -- we have well-known security hustler Carolyn "Happy Hacker" Meinel, who actually got a most amusing piece of Code Red flatulence published by Scientific American, which, if anyone's wondering, is a middlebrow publication which prides itself on its cutting-edge technical savvy.

Naturally, Meinel hits all the hot buttons, from bio-warfare analogies to terrorism to DDoS attacks, to cyberwar with China:

"According to the official Chinese publication People's Daily, 'Soon after the mid-air collision was an all-out offensive on Chinese Web sites by US hackers.... By the end of April over 600 Chinese Web sites had come under fire or totally broke down.... Many hackers' organizations known as China Honkers Union and Hackers Union of China promptly responded in an all-out cyberwar against their US counterparts May 1 to 7. Clearly People's Daily was eager for China to take credit for attacks through May 7. But it has been silent on Code Red."

Now that's some Grade-A FUD. All that background clearly meant to get us thinking that China had something to do with Code Red, followed by a little caveat, which, by its placement, is calculated to suggest that the Chinese are only being sneaky with this one, rather than beating their chests as they normally do.

Meinel even went so far as to suggest that eEye created and released the Code Red worm as a publicity stunt, as this editor's note explains: "An earlier version of this story included a quoted speculation that eEye Digital Security might have been involved in the creation of the Code Red worm. EEye denies any such involvement. We apologize for including that inadequately supported statement in our report."

Yes, The Register is skeptical of eEye's peculiar role in the .ida hole/Code Red debacle, but to suggest that they actually created and released the worm is pure sleaze journalism -- or Classic Meinel, if there's a difference. ®

Related Stories

Son of Code Red is born
Code Red hysteria - $8.7bn in damage estimated
Code Red Tribulation is nigh, Steve Gibson warns
Washington mobilises against Code Red resurgence
Internet survives Code Red
IIS worm made to packet Whitehouse.gov
