I'm not actually going to write about the Epsilon fiasco as such here. I can think of at least two journalists who will be grateful for that, but I'm not going to let them off quite that easily, even though I can empathise with their ennui.
Larry Seltzer notes that he has received far too many pitches using Epsilon as a hook. I can sympathise with that: I'm bored out of my skull with it, and I don't do much more than skim Epsilon-related articles to see if they're worth flagging on a resources blog, with or without commentary. John Leyden asks "Is the Epsilon breach a massive distraction attack? Security industry obsessing over it, maybe giving bad guys unopposed time and space." Well, I'm not sure that security researchers are spending a lot of time on the Epsilon breach: we're certainly not diverting resources into it that would otherwise be spent on something more "relevant". But I can see that if you gauge the industry's current focus by its marketing activity, you might have cause to worry.
Sometimes it's salutary, if not comfortable, to step back a bit and see the whole canvas. Researchers don't usually do direct marketing: not, at any rate, at the same stage in their careers. But we're all (journalists, educationalists, researchers, marketers, PR people) basically making a living from something being sold, and subject to pressures we don't always appreciate, but that's the game we're in.
PR is trying to give you what they think you want, guys, because that's how the brand gets exposure. And I have enough direct contact with the media to know that what the press wants is not always what interests me. Or, clearly, @lseltzer, @jleyden, @BrianHonan or @imaguid, all of whom seem to think the same way as I do about the overblown nature of this particular threat. But it's presumably what the customer wants, or the media interpretation of that.
Well, what does the customer want? Well, certainly advice about minimizing the threat, whatever it is. And several people have taken the opportunity to give some good generic anti-phishing advice, and I guess there can't ever be too much of that, however repetitive it gets. And most of my own commentary has been an attempt to give a realistic assessment of the significance of the threat. It may not be as interesting as diving into the internals of sophisticated malware, but it reaches (and directly affects) a lot more people than the 80-page papers. :-/
David Harley CITP FBCS CISSP
ESET Senior Research Fellow