InfoSec Attention Whores: When the Headline is More Important Than the Outcome

Monday, August 2, 2010 at 4:11PM

There is a whole new breed of animal appearing - the infosec attention whore who adds no real value to the information security community, but instead courts headlines in the mainstream media. The easiest way to get the mainstream media's attention is a good old dose of fear, especially fear that involves whatever the hottest new technology is.
Two cases specifically spring to mind recently:
Goatse Security with the 'iPad vulnerability', which turned out to be a much less newsworthy coding error on an AT&T website which leaked - shock horror - email addresses. Much hoo-haa was made around this, including an investigation by the FBI to, I quote, '...address the potential cyberthreat...'. A security researcher courts the mainstream media about a flaw in the must-have hot new device, the public get misinformed and demand action, and then the limited resources of an agency which could much better spend its time saving lives and protecting property are redirected to perform a pointless exercise.

More recently Ron Bowes of Skull Security scraped information from 100 million Facebook pages that users had classified as publicly available. Is this really showing a vulnerability in Facebook, or is it attempting to make a name for yourself by riding the coattails of the privacy concerns around Facebook? Accidentally sharing too much information on the Internet is a dangerous thing and something we should be conscious of. Johnny Long has long shown us the dangers of exposing the wrong kinds of data to the outside world through his Google Hacking website and book, without all of the fanfare and teeth gnashing this story caused.
The information security profession is often accused of relying on Fear, Uncertainty and Doubt to further our cause. Unfortunately we spend a lot of our time assessing risks that may happen and then preventing them from occurring, at which point everyone turns around and says 'I told you so, that wasn't a risk as it didn't happen' - the only time people notice security is when it gets in the way of business or when it fails; it's a thankless task sometimes.

Making huge headlines out of vulnerabilities which, on balance, produce relatively little risk may wear the public down and blunt their response to a really severe threat we may face in the future.
The information security industry should continue to have its rock stars, but we should ditch the sensationalists.