On Feb 5, 2002, InfoSec News (ISN) posted a Verton piece to the mailing list. It outlined how Verton was duped into writing a bogus story. The next day, Verton replied and ISN posted his brief reply admitting he was 'had'. Regardless of being duped, I had additional questions that were not answered by "yes I was duped" and posted to the mail list. My mail was polite and inquisitive, yet slightly inflammatory. Rather than stepping up and answering the questions, Verton replied to me offlist insulting me instead.

From: Dan Verton (Dan_Verton@computerworld.com)
To: security curmudgeon (jericho[at]attrition.org)
Date: Fri, 7 Feb 2003 09:57:18 -0500
Subject: Re: [ISN] Terrorist group claims responsibility for Slammer

I could go though all of this line by line and respond, but it is obvious from
your tone and wording that you are being true to form and interested in little
more than tearing a man down, rather than really debating the issues. I don't
want to be associated with soft people like that.

Of course, there are areas of this episode where I made mistakes and should have
done things differently. But there are things that I did correct. And there are
also areas of this episode that go beyond the pale, go beyond any excuse of
carryingout a "journalistic experiment" and raise questions in my mind and the
minds of many others about the state of mind of somebody who would go as far as
McWilliams went. There's a fine line between being an asshole and just having a
lot of time on your hands. And I'm not sure where you or McWilliams fall in that
equation.


The following day, Rick Forno from the Infowarrior List wrote Verton a well worded and polite mail asking him to clarify what 'cyberterrorism' was exactly. Verton opted to ignore that mail.


From: Richard Forno (rforno[at]infowarrior.org)
To: Dan Verton (Dan_Verton@computerworld.com)
Date: Sat, 08 Feb 2003 09:31:44 -0500
Subject: Hey Dan - quick question

Dan --

I know you're getting swamped with this whole defacement thing between you
and McWilliams, but if you have a minute sometime, I'd like to know what
exactly you think 'cyberterrorism' is, and why it's such a gloom-and-doom
scenario for the world, especially since you're the most prominent reporter
using the term, I think.

Eg, from your response to this week's events, you write:

: Although the hoax this week taught me a valuable lesson about the nature of
: information on the Internet, it's less clear that McWilliams' scheme has
: done anything to advance the understanding of cyberterrorism -- one of his
: stated reasons for conducting the hoax in the first place. The fact is that
: real terrorist organizations around the world do run Web sites. The
: Palestinian terrorist group Hamas is a prime example of a terrorist group on
: the Web. There are many others, including, until last March,
: Harkat-ul-Mujahideen.

Running a website isn't 'cyberterrorism' even if it's run by established
terrorist organizations, nor is using the internet for communications
between terror cells, both of which you imply in your article last week.  No
matter what McWilliams may or may not have done, nothing he did could be
remotely construed as 'cyberterrorism' by anyone with half a clue about the
topic.

As I tell students each month at NDU, cyberterrorism is a myth that sounds
spooky because the USG and media don't understand the reality of today's
environment. In two years, I've not received any challenges to this claim,
and plenty of supporters in classroom discussons on the matter from the O-5
and above levels.

Even Marcus Sachs - a senior staffer under Clarke at the WH - told E-Week
right after Slammer hit and the media was scrambling for an angle,  "We'd
rather characterize terrorism as something that physically kills people.
There was no lasting damage done to the infrastructure. We'd like to see the
term cyber-terror dropped."

I mean no offense to you personally and the journalistic beat you're making
for yourself, but I think the whole issue is journalistic sensationalism
that has unfortunately made its way to the highest levels of our government
(eg, Sen Shumer, AG Ashcroft) and thus serves as a self-licking ice-cream
cone for everyone, from politicos to vendors and the media.  Accordingly,
this issue gets distorted and hyped, and those who CAN make a REAL
DIFFERENCE in raising national information assurance levels - in government
and industry - have a much harder job getting their points across to justify
effective security improvements since the waters are so damn muddied with
hype and FUD.

That's why I'm asking you for what exactly you think 'cyberterrorism' is,
and why you think it's so vital to sound the siren on it.

Hope you're well otherwise.

Respectfully,

rick



main page ATTRITION feedback