SCO Mydoom: complaint to BBC re intemperate coverage

verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org
Thu Feb 5 15:24:00 UTC 2004


Material below is FYI....! 


Very rapidly, 

Tom = Tom Karmo

((FYI-COPY))
Universal Coordinated Time (= UTC = EST+5 = EDT+4): 20040205T142503Z


Dear BBC Feedback 
(http://news.bbc.co.uk/2/hi/help/3281777.stm): 


(A) Your North America Business Correspondent Stephen Evans
today crosses the line separating reporting from commentary 
in his "Linux cyber-battle turns nasty",           
offered as a bylined factual piece
at http://news.bbc.co.uk/2/hi/business/3457823.stm.

In exploring, as it is appropriate, even necessary, for him to do, 
the possibility that the Linux community is at the bottom
of the Mydoom denial-of-service attack on SCO, 
he uses language 
("sacred principles", "as they would see it")  
inconsistent with BBC reader expectations
of courtesy and impartiality: 
 
* ((QUOTE))the wrath of internet zealots who believe that code should be
free to all (open source)((/QUOTE))

* ((QUOTE))SCO is the big, bad company that violates one of their
sacred principles, as they would see it((/QUOTE))


(B) I would like to call your attention to inadequate depth in 
Mr Evans's sentence on the technicalities of the SCO denial-of-service
attack: 

((QUOTE)) It's hard to see how any website could withstand that kind of
clever evil.((/QUOTE)) 

It has been claimed on slashdot.org that the attack was a TCP/IP
SYN flood, and that simple means have been available since the late
1990s for coping with such a flood. If the slashdot allegation 
were to be true,
then SCO, claiming as it does to be a victim,
would be in a difficult position. A quick check of the 
Computer Emergency Response Team document
www.cert.org/advisories/CA-1996-21.html casts doubt on the slashdot
allegation. Nevertheless, 
Mr Evans should not have published 
his sentence without first scanning slashdot (a necessary precaution in
handling any cybercrime story), then phoning a security firm to ask
whether the blocking of SYN-flooding is easy or difficult. Mr Evans's
final draft should have read something like 
((HYPOTHETICAL-QUOTE))
According to Dr A. Guru,
head of TCP/IP Analysis Services at London-based security consultancy
Sophoteros PLC, 'Even current best security measures
will not deflect that kind of clever evil.'
((/HYPOTHETICAL-QUOTE)),
or even
((HYPOTHETICAL-QUOTE))
According to Dr A. Guru,
head of TCP/IP Analysis Services at London-based security consultancy
Sophoteros PLC, 'Even current best security measures,
like the portsentry tool,
will not deflect that kind of clever evil.'
((/HYPOTHETICAL-QUOTE)).

(C) Finally, I should try your patience by repeating for you
some astute, even if semiliterate,
feedback from a recent slashdot writer, probably
already in your BBC feedback-form mailbox. The feedback is on the
publicly accessible Web at
((LINEBROKEN_URL))
http://slashdot.org/articles/04/02/05/
0818229.shtml?tid=106&tid=185&tid=187&tid=88  
((/LINEBROKEN_URL)): 
 

((FEEDBACK))
I would like to make a rather strong complaint regarding Stephen Evans's
article "Linux cyber battle turns nasty", as featured as a front-page
article on the 5th of February.

This article is presented as a factual piece, not an opinion column, and
draws patently incorrect conclusions. Whilst the MyDoom virus does
indeed target SCO and (in its -B variant) Microsoft, the main payload
of this virus is a spam gateway.

As someone whose main source of income deeply involves computer security,
I find it insulting that Mr. Evans has apparently made no attempt to
research the history of these forms of virii, nor has he apparently
contacted any reputable anti-virus company regarding it. Meanwhile he
postulates claims such as "it [revenge] must be one of the theories at
the top of any investigator's list", and "in the case of the MyDoom
computer worm, the motivation seems clearer". I find it very bad
reporting that these claims are made WITHOUT actually asking any of the
investigators' opinion of the virus. It is a widely expressed opinion
(see 'references' at the end of this message) by these security
professionals that the Denial of Service attack is the SECONDARY
function of the virus, and not at all related to its true purpose. A
simple search on Google, let alone contacting even local London-based
security firms such as mi2g, would easily prove how factually incorrect
this article is. In fact, to be harsh, it is a downright lie against
common knowledge and opinion.

It is current common understanding in the anti-virus community that this
virus is indeed designed specifically to facilitate commercial spammers,
and that the inbuilt Denial of Service attack against SCO and Microsoft
are a secondary effect and not intended as part of the original design.

Current monitoring of activity through infected machines indicate that
the spamming functionality appears to be used by a very organised group
of individuals, indicating the virus was possibly contract-coded.
Current belief holds that the Denial of Service payload was added by
said contracted coder.

As such, I do not believe it fair, nor good reporting, to use a purported
factual article to attribute the secondary (and in my opinion far more easily
avoidable!) effect of the virus as its "purpose". The secondary effects may
indeed be the result of a Linux user seeking revenge, but is currently
understood to be more of a diversion from the virus's demonstrable
true intent. There is a long tradition of this type of 'smoke screen' in
many viruses intended for commercial benefit, as Mr. Evans would no
doubt have discovered if he had researched the article more instead of
using it as a pure propaganda platform and drawing unconfirmed
conclusions.

I request that the article either be re-labeled as an OPINION piece,
removed, or a more factually correct article be posted.

References:
These other news sites, containing articles by researchers willing to do
actual research, contain quotes from reputable security and virus
research firms confirming the opinion above:

  http://thewhir.com/marketwatch/myd012704.cfm
    - Contains opinion by London-based firm mi2g

  http://www.msnbc.msn.com/id/4113278/
    - Contains quotes from researchers at well-known antivirus developer
      F-Secure and Symantec

  http://www.ajc.com/business/content/business/0104/28worm.html
    - Contains quotes from various other computer security researchers 

((/FEEDBACK))


After mailing this present letter to you via the BBC Feedback form,
I will take some minor steps to help colleagues
monitor the BBC: I will mail copies to the Toronto Linux User
Group, to the Editors' Association of Canada listserv
(reaching editors in diverse trades, in most cases
freelance), the (Toronto) _Globe and Mail_, and Ross Anderson
(a Reader in security at the Computer Laboratory, Cambridge). 

(Canadian readers, and Ross Anderson: Please forward this mail as
necessary, as we work to maintain journalistic rigour at the BBC.) 



Sincerely, 


Dr Toomas Karmo
+1 416-971-6955
verbum-qazKcTl6WRFWk0Htik3J/w at public.gmane.org 
http://www.metascientia.com 
((/FYI-COPY))
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml