Code Red and the Risk of Crying Wolf


Code Red and the Risk of Crying Wolf By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - The Internet did not melt down in the wake of the "Code Red" threat, as the most dire forecast had predicted it might, in the most recent in a string of tech scares to come off with more of a whimper than a bang.

Did the network security industry cry wolf?

Even though the way Code Red largely fizzled brought to mind the anticlimax that followed months of Y2K warnings, most experts say these high-profile risks have been contained because of the hype they generate, not despite it.

"Even if Code Red was a dud ... it doesn't mean the Internet is any safer. It just means we got lucky," says Bruce Schneier, chief technology officer of network monitoring firm Counterpane Internet Security.

With the year 2000 rollover, there were expectations that "we would have to dig into our cellars and eat beef jerky," says David Perry, global director of education at antivirus company Trend Micro Inc. (Nasdaq:TMIC). "Afterwards, that doesn't mean the whole effort was a fraud ... It just means it was successful."

'FEAR-BASED MARKETING'

Certainly, security companies were quick to jump on the promotional bandwagon once Code Red was discovered.

Between July 19, when the first version of the worm spread like wildfire, and July 30, companies issued only about seven releases about the threat on Business Wire and PR Newswire.

Then, in the first week of August, a burst of some 15 press releases went out, hawking security products or services and offering expert comment. "Pandora's Box is Open," read one.

Some experts were piqued by what they saw as fear-mongering.

"Definitely there's a lot of fear-based marketing," says Marc Maiffret, chief hacking officer of eEye Digital Security, who discovered the worm with others in his lab.

"If you cry wolf one time too many, the public will stop paying attention," says Elias Levy, chief technology officer at SecurityFocus.com.

Counterpane's Schneier also complains about self-serving publicity and points to the obvious motivations of security vendors to drum up interest in a threat their products can fix.

"Computer security is inherently based off fear," he said. "There's a fine line between telling people how insecure the Internet is and selling fear. The line is so fine, I often don't know where it is."

Even so, security on the Internet is so bad, there's plenty of margin for error, he says. "On one hand, we don't want to cry wolf a lot," Schneier said. "On the other hand, I'm always dismayed when my predictions of disaster come true."

WORM OR FIRE TO BLAME?

When the Internet failed to crash, some scoffed that the worm was a non-event. Predictions about Internet events, however, are extremely difficult to make, and in the Code Red case even the experts argue over how to interpret the evidence trail.

For instance, the FBI and other agencies warned that Code Red could dramatically slow Internet traffic, affecting millions of households and businesses.

In response, Rob Rosenberger, editor of the Vmyths.com Web site on virus hoaxes (http://www.vmyths.com), accused the FBI of "manufacturing hysteria."

But some now say the FBI's assessment could have been the result of overestimating Code Red's initial impact.

While the FBI and others attributed an observed slowdown in the Internet on July 19 to the worm, others, including Web-tracking firm Keynote Systems, noted that there was a more familiar hazard at work: a train wreck and tunnel fire in Baltimore that knocked out some "backbone" Internet connections, bogging down overall traffic.

"The real point is the Internet is so complex that we don't know how it works," said Schneier. "We can't predict this kind of stuff. There are too many factors we don't understand; too many things going on that we can't model."

Ted Julian, co-founder and chief strategist of security appliance firm Arbor Networks, says the intense publicity Code Red generated was deserved.

"It was merited from the perspective of raising awareness of these kinds of threats as ongoing and increasing," Julian says.

If it weren't for the widespread warnings, people wouldn't have known to patch their systems and the worm would have done more damage, said Alan Paller of the Systems Administrations, Networking and Security Institute (SANS).

Vendors "didn't have to hype it," Paller wrote. "They rode along -- and some, perhaps, went overboard in their self-promotion -- on the very real news that the general press covered in an unprecedented way."

WORSE TO COME

Experts agree that Internet users got off easy with Code Red and that one day another worm, or some malicious program that works and spreads automatically, will come along and be much more devastating.

"This is not an anomaly. It's the shape of things to come," said Schneier. "Code Red is just a symptom. It's yet another wake-up call."

Coming up are programs that will not only spread and operate automatically, but will target routers and larger components of networks rather than just Web servers, experts said.

"Next year this will happen all the time and we will be used to it. And, that's what's unfortunate," said Schneier.

http://dailynews.yahoo.com/h/nm/20010806/wr/biztech_codered_dc_2.html

-- Martin Thompson (mthom1927@aol.com), August 06, 2001

Answers

See URL: http://www.drudgereport.com/flash7.htm

The Drudge Report claims Japan and other countries were hit hard -- FWIW. Snip of longer report:

"

XXXXX DRUDGE REPORT XXXXX MON AUG 06, 2001 12:31:09 ET XXXXX

IBM INTERNALS SHOW JAPAN HIT HARD BY 'CODE RED 2'

**Exclusive**

IBM technicians kept track of Sunday night's virus outbreak -- dubbed 'Code Red 2' -- and watched in awe as the bug knocked down systems worldwide, according to confidential communications obtained by the DRUDGE REPORT:

08/06/2001 10:53:40 AM EDT Richard ****/Poughkeepsie/IBM Update: A code red worm is suspected to have infected at least 400 IBM servers in Hursley, England. AT&T IPNet support is bringing up the links to EMEA and AP with port 80 filtered on inbound and outbound links. The San Francisco to Japan links have been up for about an hour with no degradation to the SF router. The MPN crossovers in EMEA also have had filters installed to prevent the 9. advertisements. Senior AT&T and IBM management have been involved and are providing hourly updates.

08/06/2001 12:12:56 AM MDT Peg ****/Denver/IBM Update: i have just been notified from boulder duty manager that the AT&T mpn network has gone down again in australia, canada, and japan the reported down time is 01:32 am edt japan has been isolated from the network and is assumed to be the source of the problem the new york backbone is in very bad shape and will remain "shakey" until all is rerouted there are still problems between north america and europe..."

-- Andre Weltman (aweltman@state.pa.us), August 07, 2001.

