Good FUD Vs. Bad: Is There Really A Difference?
A couple security bloggers suggest CSO Senior Editor Bill Brenner spreads FUD in a column that's supposed to be anti-FUD. Why he agrees -- to a point
By Bill Brenner , Senior Editor
March 18, 2009 — CSO —
Thick skin is a necessity for any writer. It doesn't matter if they cover security, politics or do restaurant reviews. There will always be readers who disagree with an article's thesis, and some will do so bitterly. That fact has been amplified in the last few years with the rise of the blogosphere.
My policy is to always respond privately to someone who takes me to task over a column or article. Whether they agree with me or not, they're taking time to offer feedback and for that I'm always grateful. Publicly, I'll respond when the feedback is reasoned and shrug it off when someone drags the debate into the gutter with name-calling.
Two recent blog posts deserve the public response here.
The first was a post in the Emergent Chaos blog -- one of my favorites -- called "Who Watches the FUD Watcher" by someone calling himself Mordaxus.
Mordaxus didn't care for one of my recent FUD Watch columns about fallout over security vendor breaches, which I said was appropriate. [See: Security Vendor Breach Fallout Justified]
"Brenner watched the FUD as he spreads it," he wrote. "Spare us the gotcha ... How can we possibly trust CSO Online as a supplier of security knowledge when they can't even compose a simple paragraph?"
He then asked why FUD Watch is "creating the very sort FUD they claim to watch?"
I responded in the comments section, thanking him for the feedback and offering him the opportunity to take me to task in a column that could run on CSOonline. We run columns under the banner of "Industry View" and this sort of thing fits the mold.
I haven't heard back from him yet, nor have I gotten a response to an e-mail extending the same offer to tranquilo, keeper of the tactical-it blog.
"Brenner's article was sloppy," he wrote. "He characterized Chess's definition of penetration testing as 'the art of probing company networks in search of exploitable security holes that can then be fixed.' This clearly refers to network penetration testing, but the rest of the article mixed quotes about network penetration tests and application penetration tests. It's pretty easy to fabricate drama when you're asking your sources two different questions. Did I mention our community needs a common framework?"