Dont Freak Out Over E-Jihad

By Larry Seltzer  |  Posted 2004-08-25 Print this article Print

Opinion: Unless you're a specific target, it's not worth focusing on unsubstantiated general warnings. The world is full of threats.

A rational approach to risk doesnt usually assume that everything that can go wrong will. But with computer security, and security in general lately, its tempting to do so. Security researchers generally assume that if an attack is possible, someone will do it. If a vulnerability can be exploited, someone will exploit it. And if its possible to make a canned version of the attack so that any doped-up teenager can do it, thatll happen too.

It doesnt always happen, of course. But it does happen a lot, and when a sexy attack comes along its a guarantee that it will happen. The best examples are the RPC/DCOM and LSASS vulnerabilities, after which it was inevitable that worms would be developed.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.
And, of course, we know all too well that the world has no shortage of people seeking to disrupt our lives and livelihoods and are happy to die in the process. Clearly we have moved, from a homeland security perspective, from an assumption that just because something is possible it isnt necessarily likely to happen to a much more cautious approach.

But what are we to make of threats like the warnings of e-jihad on the 26th? From the moment I saw the report in RIA Novosti it seemed far-fetched to me. I was immediately reminded of last years July 4 Web page defacement contest run by a supposed underground hacker group. It turned out to be a big fat nothing, as most serious analysts expected.

There have been many other false reports like this, but there have been some real attacks too, such as attacks by the hacker group Indian Snakes against Pakistani Internet resources.

How can you look at a report like this and not sound Joe Friday-serious about it? You have to. But you dont have to spend a whole lot of time on it. Certain organizations are more likely targets than others, and those should always have elevated security anyway.

The e-jihad and associated threats are all interesting for a variety of reasons, but I see nothing about any of them that should make you change the practices you should already be following.

Without being a direct target of attack you can still be a victim if the infrastructure on which you rely is taken out. For this reason its good to have backup connections through a different ISP, but even better, you need to know how to get business done with outside connections off altogether. Previous experience with attacks, such as the one against Akamai, shows that this can last for several hours. Its not the end of the world, and some things can go down temporarily.

So dont get worked up about these reports. Assuming anything happens at all, odds are it wont affect you. And even if it does, you can probably be prepared for it. And if you really do get massively attacked, you probably couldnt have done anything to stop it.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel