McAfee Warns of Zero-Day Rash in Wake of Patch Tuesday
By Scott M. Fulton, III | Published April 11, 2007, 1:29 PM
Even if today's most prominent malicious software writers aren't particularly clever - waiting until security engineers discover another Windows problem then going after it with a "zero-day exploit" - engineers at McAfee's Avert Labs believe they may actually be learning about how to use timing to maximize their impact on the public.
The team is saying they believe malicious writers now tend to release their code on Microsoft's regular Patch Tuesday, in order to maximize its window of opportunity to exploit systems before the next month's Patch Tuesday rolls around.
The team made its claim in a blog posting last night. There, they said they're investigating a number of denial-of-service packages based around Microsoft Office that appear to have been released yesterday, the same day Microsoft released patches for five other severe problems. What hasn't been divulged thus far is how many exploits are in the wild; engineers may be holding onto this information for the time being.
But the "inspiration" for these exploits appears to have been a posting on a grey-hat security site on Monday by an agent of a firm called Offensive Security, apparently presenting four proof-of-concept documents showing how document files - not software - can pose significant nuisances to Word 2007 users.
Two of these documents show how Word 2007 can trigger a "CPU exhaustion," during which the processor utilizes all of its time doing what appears to be nothing. Offensive Security's resources, the firm claims, are hosted by Secunia.
Some symptoms attributable to one of these exploits were exhibited by one of BetaNews' own systems late Tuesday, though our research has yet to absolutely confirm that a zero-day based on Monday's proof-of-concept was the culprit. What's particularly curious about our situation is that on our system, Word 2007 is hosted in a virtual machine, though the CPU exhaustion appears to be triggered in the host system, where Office 2007 is not installed.
The denial of service that Avert Labs describes affects the client system, not the server. However, there's no guarantee that a malicious package wouldn't use the CPU exhaustion trick as a smokescreen to cover up another malicious act. Our system appears to have been impacted by a "one-two punch," where the CPU exhaustion trick was #1.
Number two is something we've never seen happen before nor did we know was possible -- specifically, to Internet Explorer 7 -- though we'd prefer to try to recreate the circumstances before we report with certainty that our system was affected by one of the exploits Avert Labs may be researching.
The third discovery in the proof-of-concept package appears to be an exacerbation of a problem Microsoft acknowledged three weeks ago, where an old multi-level list written in Word for Windows 6.0 (a very old version), then imported directly into Word 2007, can cause a critical library (WWLIB.DLL) to crash, taking Word 2007 with it.
And the fourth item also has a very familiar ring to it: An intentionally contorted Windows Help file can trigger a heap overflow vulnerability by attempting to copy more user-supplied data into memory than the Help application typically allocates. A help file creation system can't generate such a file by accident or even design, though one can apparently be mangled out of shape using a general text editor.
Microsoft discovered the existence of this mangled Help file problem back in 1999, and the latest patch for it was issued in March 2003. So once again, this isn't exactly a "zero-day" flaw conceptually speaking, although the fact that the patch may not have completely solved the problem is indeed new. Microsoft has moved away from using Help files for its own applications, opting for embedded Web pages instead, though it continues to distribute the Help application with Windows for compatibility purposes.
The Offensive Security fellow claimed on Monday he discovered all four discrepancies himself through the use of something called a "7 line python fuzzer," which may either be a very small utility written in Python or a rejected techno-babble do-jigger from a sci-fi sequel.
MCAFEE SUCKS!
Steve Gibson of Gibson Research (grc.com) said this on Security Now! months ago. For a corporation of McAfee's size and capital access, they should have been all over this as a security company ages ago.
They continue like Symantec to prove that large corporations are not to be trusted for security anymore.
Bloated products, late advisories, crap customer support.
All hail Eset/Kaspersky etc!
Score: 0
|*yawns* o noez vista be in trouble!
not rly.
Score: 0
|Huh...
No proof, they just "believe" it to be. And no exploit totals because they're "holding on to it".
Yeah, that's nice. Let us know when you actually have something other than FUD to write about.
Thanks.
Score: 0
|Not saying they're right or wrong in this case, but keep in mind that security companies earn a living through FUD.
Score: 0
|Last I checked, PC_Tool, "FUD" stood for "fear, uncertainty, and doubt." If we've seen the problem for ourselves, then, there's not so much uncertainty. And since the problem is something we've faced before, I don't think fear is warranted.
Now, "doubt" could mean a number of things. There was reason to be suspicious that one of these problems was solved in 1999, and then later in 2003. Apparently there wasn't enough doubt to get the problem 100% resolved. But in the context of doubt that the problem can be solved, I'll have none of that, thank you. Just because you find me blowing a trumpet every now and then doesn't mean you should mistake me for hoisting a white flag. If you'd seriously think I'd have my readers running around yelling about the sky falling, then to borrow the wise words of Bugs Bunny, ye don't know me very well, do ye?
-SF "Daffy" 3
Score: 0
|You totally mistook that. Not too terribly surprised.
The headline:
McAfee Warns of Zero-Day Rash in Wake of Patch Tuesday
What follows is pure speculation. A whole lot of "This could happen", or "this *could* be the case", but "we don't know for sure" or "We're not releasing that information".
When you warn someone, it is an attempt to incite fear prompting action on part of the person warned.
The uncertainty lies both on McAfee (Apparently they don't know for sure, but are more than happy to spread their version of things) and the reader, "ZOMG! This could happen to me! I better get McAfee on my system cuz they seem to know what they're talking about!".
As for doubt...it's redundant, re: uncertainty.
-PC-"Sylvester"-Tool
Score: 0
|I always thought the "D" in "FUD" stood for "despair."
Score: 0
|Nope. But you may use it any way you like. You could even call someone a FUD... "Ahh you're a Funny Ubber Dork."
Score: 0
|That's fine and dandy, but unless BetaNews is getting a cut, we'd much rather skip the FUD.
Score: 0
|Do you have any evidence to back up these little suggestions of yours, or do you just like to toss out...oh, what's the word I'm looking for?...suggestive allegations whenever you can't make an argument using facts?
-SF3
Score: 0
|...and the pot calls the kettle black.
Score: 0
|Wow.
The "facts" (or complete lack thereof) are in the article.
The entire article is nothing but "suggestive speculation", and you're either playing into their hands by thinking it's actually informative, or purposefully trying to further their lame attempts at sensationalism either because you couldn't find anything else to write about, or have some stake in their assumptions.
Since I can't imagine you'd purposefully spread this junk, I'm left with you either having had nothing else to write about at the time or that you actually played into *their* ...suggestive allegations.
You yourself hint at the absurdity of this article in the last sentence of the article.
Am I banned yet? :p
Score: 0
|No, frankly I think you're just having a little fun trying to see which buttons you can push to get people riled up. Mine are pretty self-evident, and not difficult to find; maybe they're not even difficult to push.
There's no suggestive speculation in this article at all. None. I personally verified the existence of the four proof-of-concept threats which the McAfee Avert Labs report refers to. Found them, downloaded them, inspected them myself. And in fairness, that wasn't hard to do.
You have absolutely no idea how much real junk we have to plow through, and which we publish zero information about, upon deciding there's truly no news value in it, and that there's nothing to be concerned about. Though I do get the idea that you, PC_Tool, have both the intellectual capacity and the wherewithal to mount a serious rebuttal and challenge to stories you find objectionable or tasteless or of questionable value. Maybe I haven't been here long enough; perhaps you've done so in the past, and I just haven't read them. But instead, I see from you cleverly worded, though vacuous, responses full of empty accusations of spreading FUD or being on the take...which is sad, because I get the impression you're capable of a lot more.
-SF3
Score: 0
|There's no suggestive speculation in this article at all.
Interesting...
"engineers at McAfee's Avert Labs believe they may actually be learning about how to use timing to maximize their impact on the public."
Pure speculation on their part, is it not?
"What hasn't been divulged thus far is how many exploits are in the wild - engineers may be holding onto this information for the time being."
They suggest but fail to provide anything further.
Yeah, you're right. There's nothing to see here. Let's move along, shall we?
But wait! There's more!
"There, they said they're investigating a number of denial-of-service packages based around Microsoft Office, that appear to have been released yesterday,"
Speculation again? Nah....couldn't be. Perhaps it just appears to be.
Or this?
"a firm called Offensive Security, apparently presenting four proof-of-concept documents showing how document files"
We think they are proof of concepts, but we don't know for *sure*, eh?
Your own testing of that one proved it to be less than a sure bet:
What's particularly curious about our situation is that on our system, Word 2007 is hosted in a virtual machine, though the CPU exhaustion appears to be triggered in the host system, where Office 2007 is not installed.
It goes on and on really...
...and yet you're trying to tell me you personally verified them, when in your own article you state the results were basically inconclusive.
But instead, I see from you cleverly worded, though vacuous, responses full of empty accusations of spreading FUD or being on the take...which is sad, because I get the impression you're capable of a lot more.
That's brilliant. Appease the Beast. Hey, if you can't defend against his claims, perhaps you can win him over with tales of his unachieved potential.
Yeah, that might work.
Scott, I don't mean to pick on you, really. It's nothing personal. I just call 'em as I see 'em, and as I read this story, all I see is conjecture, supposition, and baseless assumptions.
Score: 0
|Well, that's better. At least you're itemizing your claims and spelling them out, which is better than you started out with. Has anyone ever told you getting at the heart of your complaints is like pulling teeth?
1) The Avert Labs' belief that malicious writers may be timing their releases to maximize their window of opportunity. You say it's speculation. No, I think there's considerable evidence to back this up. Now, what's questionable (and what I'd hoped you would question, because it's a much more interesting concern than the ones you've brought up thus far) is whether the Offensive Security proofs-of-concept qualify as a timed-release capsule of opportunity maximization, or is it another security engineer boasting about his capabilities?
Because you see, another reason a security engineer - as opposed to a truly malicious writer - might want to use Patch Tuesday is because that's when all the admins in their target audience are awake. In other words, it might be less about maliciousness and more about PR. I left unanswered the entire question of whether Offensive Security is malicious or helpful, even if in a self-serving way. But you didn't pick up on that, perhaps because you were too busy with the typical FUD and on-the-take allegations. Now there's some free ammunition if you want it.
2) Holding onto the information about how many exploits were reported in the wild. If you've ever covered a police press conference, you know that the police PR rep will deliberately withhold some information. If reporters ask a question about whether something that fills in the blank could be accurate, the rep is often instructed to say, "We don't comment on speculation." Now, that's what speculation means: the supposition that certain things can be facts without any confirmation or evidence to that end.
The apparent deductions I'm presenting are not exactly 100% conclusive yet, but they're reasonable based on the evidence there is at the moment. So it's better than speculation, but I add "apparently" to underscore the fact that it's not crystal clear yet. That's not spreading fear or doubt; that's being honest.
3) "Appear to have been released yesterday." There's no speculation there. Based on the reports from customers, we can draw a reasonable conclusion.
I think your problem is with my word "apparently," which means "based on what we're seeing." You interpret this to mean the statement itself is speculative. No, I'm saying you can draw a reasonable deduction based on the evidence you're seeing, even though evidence may yet be presented to the contrary. Bit of a difference there between speculation and deduction.
4) When you say, "Appease the Beast," PC_Tool, the beast you're referring to is (apparently) yourself. Perhaps some of the other folks around here who parody your posts by pretending to be you and mimicking your posts like adolescents writing notes behind your back (I've often turned their post values down - it's so much white noise and wasted bandwidth) have actually managed to inflate your measure of self-importance, but clearly with a useless gas that you can't use to fuel a real rocket to get you anyplace.
If you truly want to be a "beast," then why not challenge something worth challenging - even in this story - rather than just hurling rather small, though still irritating, stones in the general direction of what from your vantage point apparently is the big, looming evil? Seriously, we could use some genuine, well-thought-out debate around here. Where do you stand, PC_Tool, on the question of who's most responsible for malicious code: the security engineer who discovers the problem, the guy who copies the problem and creates an exploit, or the company whose software contains the problem to begin with? And before you answer "#3," what's your solution? How would you rectify this? What steps would you take to make sure this can't happen?
If you truly want to be The Beast, you need to start doing some serious growling.
-SF3
Score: 0
|Well, that's better. At least you're itemizing your claims and spelling them out, which is better than you started out with. Has anyone ever told you getting at the heart of your complaints is like pulling teeth?
Yes, in my first post, I left out the quotations from the article, assuming, had anyone actually just read it, they'd make the connection.
What gets me, Scott, is that you're still doing the same thing you did in the article. Prime example:
No, I think there's considerable evidence to back this up.
Not in the article, and not in your response to me. Instead, you immediately jump off of that to something else entirely...(whether the Offensive Security proofs-of-concept qualify as a timed-release capsule of opportunity maximization...)
If you've ever covered a police press conference, you know that the police PR rep will deliberately withhold some information.
Information vital to an ongoing investigation, perhaps. There is *nothing* vital about the number of exploits other than the fact that it might actually be helpful to know or to lend credibility to their assertions.
I'm saying you can draw a reasonable deduction based on the evidence you're seeing,
...and yet in your article and comments we see *none* of that evidence. What we see, based on the information in the article, is that some ponce created proof-of-concept viruses and is led from that by some fantastical leap of logic to believe it implies some correlation with Patch Tuesday.
When you say, "Appease the Beast," PC_Tool, the beast you're referring to is (apparently) yourself.
You give me way too much credit. I was not referring to the Biblical figure, or trying to associate myself with such things. I was simply referring to the methods used to try and tame an unruly creature, which from your patronization of me in your post above that I was referencing, I figured you were attempting.
As to the concerns you think I should have had regarding the article, had it not been so irritatingly worded, those questions would have been immediately apparent, and I think that's our conflict here, as with a few of your other articles I've taken issue with. Perhaps it's merely the writing style. Perhaps it's the nature of the topics in question, but I am beginning to believe it breaks down to a simple disconnect between myself and your writing style. I've always been of the facts & figures, to the point and K.I.S.S. philosophy and I think it's just that your writing style doesn't lend itself well to that mindset.
I'm looking for information and details, while you seem to posit your views and let the details fall where they may.
I must admit, I do admire how you've always been quick to defend your articles, even when I'm the one on the attack.
If you truly want to be The Beast, you need to start doing some serious growling.
The beastliness has faded. We've probably spent too much time on this as it is. If you're willing, I suggest we let this drop and go on to more important things. I'm sure you have other work to do as well as I.
Score: 0