Debunking Kelly Martin
Written by Gordon Fecyk, 9/18/2005
These words launched the Anti-Windows Catalog. You'll find attitudes like this throughout the computer security industry, but none seem to stand out more than this man's:
Kelly Martin has been working with networks and security since 1986, and he's [the] editor for SecurityFocus, Symantec's online magazine.
Martin also describes himself as a "techno-utopian," an unabashed fan of Apple's Macintosh, a multi-platform computer security professional, a cyber-terrorism expert (Aren't we all?), a victim of bank fraud (so he MUST know what he's talking about, right?), a virus statistic analyst, and let's not forget, a critic of Microsoft.
That's just from the last two years, according to SecurityFocus archives. At least I can say I was consistent since 2003, and my company has a track record to prove it.
To be a fair critic of Martin, I'll stick with what I found since 2003.
Much of the focus on malicious code so far has looked at some of the most popular software products on the Internet and how these might be compromised en-masse [...] -- but Witty clearly shows that even products without very large install bases can be [affected], a mere day after an exploit is announced.
This is important because it shows he and I agree on this fact: That it doesn't matter how unique your applications are, or how unique your operating system is, or how unique your web browser is. You negate that uniqueness the moment you connect to the ultra-common Internet.
Done? Good. Let's start with the list services that Martin himself moderates. This quote is from InfoSec News circa 2003:
Getting lots of spam? Perhaps Majordomo is partly to blame.
Martin was proud to tell his visitors: Fortunately we don't use majordomo here at SecurityFocus. Too bad his own list software had its own problems. Twice. Didn't his e-mail admins learn from the flood of e-mail during Melissa's onslaught in 1999? We'll come back to Melissa in a little while -- that's the crowning glory of it all! Yet this beginning already proves his 'witty' point from 2004: That it doesn't matter what you use!
Not only can spyware be installed on a fully patched Windows machine running the latest anti-virus software, spyware companies have been known to find, use and exploit undiscovered [Internet Explorer] vulnerabilities to their advantage and for financial gain. [Emphasis mine.] In the Internet community that I grew up with, one that existed long before the Web, that kind of activity would never have been allowed to sustain.
Of course! In other words, Martin blames capitalism for the destruction of his Internet community!
Spyware is largely (though not exclusively) an Internet Explorer problem. And like it or not, Internet Explorer, the swiss-cheese of the Internet, commands about 80% of the world's browsing. But individuals can freely switch to Firefox or Opera and effectively bypass the spyware problem, at least for now.
The "techno-utopian's" vision of "techno-utopia" clearly excludes Windows users:
I've read comments from people who've said they've been using Microsoft Internet Explorer for many years and have never encountered a single case of spyware. Oh really? My response to that is very simple: what planet are you living on?!
Memo to Mr
One of our mail admins made a big mistake today and we lost all the mail on one of the outgoing SecurityFocus mail servers... all of our 31 mailing lists were affected including this one. [...] Playing around with production machines as 'root' is a very bad way to learn from your mistakes.
Yes, indeed. It is a very bad way to learn. Something I've tried to teach Windows 2000 and Windows XP users for years, now.
Last year I was the victim of identity theft, a sobering reality in today's world. An unscrupulous criminal managed to social engineer his way past the formidable security checks and balances provided by my credit card company, my bank, and one of my investment accounts.
Yet the fraud victim still found a way to blame Microsoft for it: There were 4,496 new Microsoft Windows viruses discovered in six months, or an average of 24 new viruses every day. Even though he couldn't cite this
There is almost no consumer-level technology left where viruses and malicious code has failed to appear. [...] Mobile phones are becoming a vector of attack. They have modern CPUs, built-in Bluetooth wireless technology, and data transfer across multiple networks. Many even ship with Java.
Phones with Java technology? My goodness! That means... write once, infect anywhere! And hey! if every other mobile device runs Java except for those running Microsoft's PocketPC OS, guess who's safe from Java viruses?
Okay, okay, okay. I'll admit there are no Java viruses. However, modern wireless telephones with data capabilities come with their own version of Openwave's Mobile Browser. It's not Java, it's not ActiveX, but it ships in over one billion handsets worldwide! Talk about an incentive for virus and spyware writers! Yet you wouldn't hear it from the 'witty' Mr
Just because one can afford a fast computer and a broadband connection, it doesn't mean he has any idea what he's doing - like the guy who can afford a Ferrari and then slams into the back of a bus.
If the Internet is now ubiquitous and owned by nobody, then it's the ISPs who should play a major role in securing their chunk of the network.
For vendors to share the blame [...] they must take ownership of the monsters that they have created, particularly on the desktop. But it will never happen, and they'll never share the blame.
Nor should they have to. Nor should the Internet providers who provide the connections, nor should the users who have to put up with the dishonest antics of their peers.
Kelly Martin is a computer security professional since 1986, a "techno-utopian," and the editor of a security vendor's mouthpiece magazine. Yet he missed Melissa's ultimate security lesson in 1999, and forgot his lessons from Witty in 2004:
Popular anti-virus software failed to do its job.
He blamed the user for not watching out for their own safety. He blamed the vendor for selling the tools. He blamed the phone companies and cable companies for providing the network. Yet he didn't blame his benefactors for the lax security products they sell. After admitting, however fast [anti-virus] updates were released, it was far too late, he quietly forgot it.
Now you tell me: Why is Symantec's mouthpiece mag editor really blaming Microsoft? You think about it.
Recently Edited Categories:
All trademarks are property of their respective owners.