On Feb 5, 2002, InfoSec News (ISN) posted a Verton piece to the mailing list. It outlined how Verton was duped into writing a bogus story. The next day, Verton replied and ISN posted his brief reply admitting he was 'had'. Regardless of being duped, I had additional questions that were not answered by "yes I was duped" and posted to the mail list. My mail was polite and inquisitive, yet slightly inflammatory. Rather than stepping up and answering the questions, Verton replied to me offlist insulting me instead.
From: Dan Verton (Dan_Verton@computerworld.com) To: security curmudgeon (jericho[at]attrition.org) Date: Fri, 7 Feb 2003 09:57:18 -0500 Subject: Re: [ISN] Terrorist group claims responsibility for Slammer I could go though all of this line by line and respond, but it is obvious from your tone and wording that you are being true to form and interested in little more than tearing a man down, rather than really debating the issues. I don't want to be associated with soft people like that. Of course, there are areas of this episode where I made mistakes and should have done things differently. But there are things that I did correct. And there are also areas of this episode that go beyond the pale, go beyond any excuse of carryingout a "journalistic experiment" and raise questions in my mind and the minds of many others about the state of mind of somebody who would go as far as McWilliams went. There's a fine line between being an asshole and just having a lot of time on your hands. And I'm not sure where you or McWilliams fall in that equation.
The following day, Rick Forno from the Infowarrior List wrote Verton a well worded and polite mail asking him to clarify what 'cyberterrorism' was exactly. Verton opted to ignore that mail.
From: Richard Forno (rforno[at]infowarrior.org) To: Dan Verton (Dan_Verton@computerworld.com) Date: Sat, 08 Feb 2003 09:31:44 -0500 Subject: Hey Dan - quick question Dan -- I know you're getting swamped with this whole defacement thing between you and McWilliams, but if you have a minute sometime, I'd like to know what exactly you think 'cyberterrorism' is, and why it's such a gloom-and-doom scenario for the world, especially since you're the most prominent reporter using the term, I think. Eg, from your response to this week's events, you write: : Although the hoax this week taught me a valuable lesson about the nature of : information on the Internet, it's less clear that McWilliams' scheme has : done anything to advance the understanding of cyberterrorism -- one of his : stated reasons for conducting the hoax in the first place. The fact is that : real terrorist organizations around the world do run Web sites. The : Palestinian terrorist group Hamas is a prime example of a terrorist group on : the Web. There are many others, including, until last March, : Harkat-ul-Mujahideen. Running a website isn't 'cyberterrorism' even if it's run by established terrorist organizations, nor is using the internet for communications between terror cells, both of which you imply in your article last week. No matter what McWilliams may or may not have done, nothing he did could be remotely construed as 'cyberterrorism' by anyone with half a clue about the topic. As I tell students each month at NDU, cyberterrorism is a myth that sounds spooky because the USG and media don't understand the reality of today's environment. In two years, I've not received any challenges to this claim, and plenty of supporters in classroom discussons on the matter from the O-5 and above levels. Even Marcus Sachs - a senior staffer under Clarke at the WH - told E-Week right after Slammer hit and the media was scrambling for an angle, "We'd rather characterize terrorism as something that physically kills people. There was no lasting damage done to the infrastructure. We'd like to see the term cyber-terror dropped." I mean no offense to you personally and the journalistic beat you're making for yourself, but I think the whole issue is journalistic sensationalism that has unfortunately made its way to the highest levels of our government (eg, Sen Shumer, AG Ashcroft) and thus serves as a self-licking ice-cream cone for everyone, from politicos to vendors and the media. Accordingly, this issue gets distorted and hyped, and those who CAN make a REAL DIFFERENCE in raising national information assurance levels - in government and industry - have a much harder job getting their points across to justify effective security improvements since the waters are so damn muddied with hype and FUD. That's why I'm asking you for what exactly you think 'cyberterrorism' is, and why you think it's so vital to sound the siren on it. Hope you're well otherwise. Respectfully, rick