Preparing a presentation on the hype versus the reality of malicious software, I decided to take a break to read the Sunday paper and talk to the cat. Fortuitously, there was an article in the paper about "the rise of the bot," ideal, I thought, for some up-to-the-minute input for my presentation.
The piece in question was based on an interview with the US President's senior advisor on cybersecurity, Dr Peter Tippett. So I was somewhat surprised to find it gave me more material for the "hype" rather than "reality" section of my piece.
It started off innocently enough – bots on the rise, broadband a big issue, hundreds of probes a day. All standard stuff.
But then came the coffee-choking phrase "if you want to break the nuclear launch code...," the suggestion being that a botnet could be used to launch an unauthorised nuclear attack.
It went from bad to worse. Apparently, the big risk country is Brazil (strange, it didn't even make the top ten in Symantec's recent threat summary). Bots are used by most terrorist organisations, and when they're not starting Armageddon from your laptop, they're being used to launder drug money – apparently, it's difficult to launder money without computers.
Now, as well as being a security geek, I also regard myself as a fully signed-up member of the sceptical community. And one of the unwavering rules that sceptics follow is: extraordinary claims require extraordinary evidence.
The piece had not a single reference, citation or source. Using computers to crack nuclear "launch codes" is the stuff of science fiction (probably based on the 1983 film WarGames). A quick review of the openly available literature (such as http://www.cs.columbia.edu/~smb/nsam-160/pal.html) shows how stupid this suggestion is.
Money laundering certainly uses computers, but the current obstacles are predominantly legislative, not the use of home PCs. Terrorists might well be using bots (but we've yet to see a credible documented case of it), and they will continue to use whatever technology is available.
This sort of scaremongering is just what the security industry doesn't need. It diverts attention from the more mundane, but greater, risks and it brings the industry into disrepute.
The brevity of this column often restricts my ability to provide references, but I'm always happy to back up any claims with appropriate sources. Then again, I don't stand to make plenty of money from panicking CEOs and US Presidents.