I am fond of suggesting that Y2K was perhaps the biggest success story in information security history, and yet we are ridiculed for it. I was surprised recently to see Larry Seltzer's article on eweek ridiculing it (way after the fact, eh?). Here is his conclusion:
"Y2K taught us lessons that will always be applicable: Don’t believe everything the experts tell you, and be especially skeptical of worst-case predictions for technology."
This is pretty disappointing. I would much rather have had him say something more astute like "experts should be careful about how they present their analysis and/or findings" but that is a bit boring, I guess.
That is my big takeaway – that FUD actually does sell, but once you succeed in selling it, and implement the proper controls, you have changed the future. I am really sorry (not) that Larry didn’t see more disaster – how boring to see "the lights still on, the planes still aloft and the computers still running" – nothing to write about.
I agree that Y2K was oversold; what I wonder is what would have happened if it wasn't. As it is, we now have somebody suggesting that security experts be ignored. (Btw, a "worst-case" scenario is intended to be… well, uhh… a "worst-case" scenario, not a likely one.) Keep in mind that hundreds of millions of lines of code were reviewed and many tens of thousands of date functions were rewritten (my estimate).
I will take Mr. Seltzer’s advice in ignoring the "experts" when I read things like these tidbits of FUD:
"with an overall number like that, there will be many days where 95 percent or more of all e-mail is spam. No matter how good filters are, more and more is going to get through."
"We’ll need some new metric to quantify this, but I think the average number of vulnerabilities reported per month in 2005 will increase substantially over 2004."
"It’s not hard to imagine attacks on Mozilla and Firefox originating with spam messages aimed at them."
"I’ve seen an increase recently in the cleverness of these attacks and I think the attackers have barely scratched the surface of what is possible. So, look for another large increase in the volume of phishing attack e-mails, but look especially for an increase in the quality of the attack."
Bah! What do experts know?