Shostack + Friends Blog Archive


Who Watches the FUD Watcher?

In this week’s CSO Online, Bill Brenner writes about the recent breaks at Kaspersky Labs and F-Secure. You can tell his opinion from the title alone, “Security Vendor Breach Fallout Justified” in his ironically named “FUD watch” column.

Brenner watched the FUD as he spreads it. He moans histrionically,

When security is your company’s business, even the smallest breach is worthy of scorn. If you can’t keep the bad guys out of your own database, how can customers reasonably expect that you’ll keep theirs safe?

Oh, please. Spare us the gotcha. Let me toss something back at Brenner. In the quote above, he says, “theirs” but probably meant to say “them.” The antecedent of “theirs” is database, and Kaspersky isn’t strictly a database security company, but an anti-virus company. “Them” is a much better turn of phrase, and I hope what he meant to say. How can we possibly trust CSO Online as a supplier of security knowledge when they can’t even compose a simple paragraph? And how can we even trust your own tagline:

Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items.

Why is FUD Watch creating the very sort of FUD they claim to watch? Who watches the FUD watchers? I do, I suppose.

Is my criticism unfair and picayune? Yup.

People make mistakes, even Kaspersky and F-Secure. And heck, even CSO Online. I forgive you.

Brenner came very close to writing the article that should have been written. If even the likes of Kaspersky and F-Secure fall victim to stupid things like SQL injection, what does that say about the state of web programming tools? How can mere mortals be safe if they can’t?

The drama about these breaks is FUD. It shows that no one is immune. It shows that merely being good at what you do isn’t good enough. It means that people need to test, verify, buy Adam’s book, read it, and act on it.

The correct lesson is not schadenfreude, but humility. There but for the grace of God, go all of us.

5 comments on "Who Watches the FUD Watcher?"

  • Mr. X says:

    Very nice post!

  • tranquilo says:

    Brenner’s article spawning the “Pen Testing: dead in 2009” meme was equally sloppy. He kept mixing Network Pen Testing with Application Pen Testing, making a mess of the whole argument.
    It was good, in a way: his article was so sloppy, it prompted me to (finally) start a weblog and add my voice. Click through, you’ll find the first post in my archives similarly ripping him apart.
    Perhaps I should add Brenner to my blogroll, just to keep tabs on his FUD. We all know the CSO crowd needs it.

  • techydude says:

    Whilst what you say is quite fair & correct, from the perspective of a 2-year Kaspersky customer (protecting exchange+server+clients) who’s also endured a configuration console that only its mother could possibly love, and at least 2 instances of bad definitions being delivered that resulted in Windows system files critical to booting being quarantined on most of my workstations (and, with plain US-English WinXP clients it’s not like we were an obscure corner case!), and also discovering that the current version of the SPAM filter introduced the ridiculous notion of a pre-populated dumb phrase blocker buried deep within the config that was deleting heaps of legitimate emails, learning of Kaspersky’s spate of website hacks and now database leakage was simply the last straw. We’re jumping ship.

  • Anon says:

    Great write-up. I’m a CISO and I have a real disdain for the information security media, and I use the term “media” loosely. There are too many conflicts of interests with these trade magazines for them to have any credibility.

  • Bill Brenner says:

    A bit of clarification: First, your comment about my being sloppy. I wrote “theirs” instead of “them” because I was referring to their (possessive) databases. Could the sentence have been constructed better? Perhaps.
    That aside, I respect, understand and appreciate your feedback. The goal of my column is to not only point out what I see as FUD, but what I see as justified attention. I call it as I see it, understanding that I may not always be right and that people will disagree with me.
    To that end, I welcome you to write a guest column on CSOonline. Use it to take me to task some more if you wish. In the end, our goal is to offer a variety of viewpoints.
    Take care,
