Level 27
"Today, Nobody is Going to Attack You.", post by Johannes B. Ullrich:
1) Most attacks do not matter
2) Read "Security News" with caution
3) Security Tools are There to Confuse You

Happy reading 🍺


Staff member
Security software is designed to scare you.

The freeware platforms are a great example, the vendor wants their users to upgrade. Look at all the folks frantically renewing their 3p Antivirus software to "Stay Protected".


Level 22
The security companies in general, they feast on your paranoia with gluttonous enjoyment. And they fan the flames of each major ransomware attack reported by the press. Some go about it with more class and professionalism than others. But they all do it, they need the business.

I bought Windows at retail; therefore, I paid for one of the most expensive malware filters around (SmartScreen). So, I might as well use it (and Defender, I guess) to my advantage. That's why MT has been so precious. Devs like Andy Ful make it exceedingly worth my while. (y)

Andy Ful

Level 65
Content Creator
Some reasonable points from the article worth mentioning:

"Don't get me wrong: You should stay up to date, and you should follow security news. But if you read about a new attack that is being discussed, ask yourself these questions:
  • Is this new? Many attacks are being re-discovered. For example, about once every six months, someone will make big news that you can exfiltrate data via DNS. The same is true for other attacks. Iran was reported to have used the Citrix vulnerability to breach corporations in February and then again in September. The attention span of the security community is about six months. Marketers have figured this out and will re-release a story every six months.
  • Is it relevant? Did you realize someone can watch your keystrokes by hovering a drone outside your window? Or by observing how fast your fan spins? Should you worry? Probably not. If a drone starts hovering outside my window, I am probably going to stop typing. There are many "neat" exploits like this. They make for attention-grabbing headlines and capture an audience during a talk but provide little actionable information.
  • Is it relevant to me? A new Mirai variant? Exposed RDP servers are a huge issue these days. But are you using RDP? Focus on what is relevant to you.
  • Trust but verify. Sadly, a lot of security news is outright wrong. If an article passed all the tests above: Test it yourself if you can and test mitigations. Sometimes these inaccuracies are just a matter of you running a different configuration than the author."
Anyway, this article and the above questions are not intended for average users. But, they should be useful for many MT members. :) (y)
Sadly, a lot of security news is outright wrong.

Every new security event is a marketing opportunity for software sellers. The accuracy or relevance of the event is, ironically, irrelevant to the software seller. I'm not saying that all software publishers are scoundrels. I'm only saying that most accept security news at face value just like everybody else. Then they re-purpose it for their own agenda.

Verifying and corroborating security news takes a lot of time and effort. Plus it is a rabbit hole many times. So nobody bothers.


Level 32
Content Creator
Malware Tester
Most of us (MalwareTips members) aren't gonna be attacked/targeted, but we shouldn't mislead users. Such threats as ransomware are a millionaire business and they don't care who you are, since most end home users will pay to recover their children's and grandchildren's pictures. They will not be individually attacked but as a group: "the group who has basic or no protection and clicks whatever you show them".


Level 28
Missiles do exist, but I think our homes are unlikely to be targeted. Looking up at the sky where the missiles fly, you can trip over the pebbles at your feet. For the average citizen, that is more realistic security.

I think the article introduced in the link is very meaningful in the forum that talks about security. Security is important, but over-emphasis can create paranoia and unnecessary anxiety.


Staff member
Even if you go home, leave the users to browse at will [...]
This diary is a bit of a "mental health" post. If you have been around in this industry for a while, you probably have developed a bit of a similar approach to security, or you would have burned out.

This article is obviously meant for people who are responsible for the IT security of a company (as Andy Ful already pointed out, not for the average user). I think the average user doesn't feel targeted or overwhelmed by security on a daily basis. The average user is not burned out by security news and the pressure to stay on top to defend their network. The average user only wants to buy a security solution once and then forget about it.

It would be a bad idea to tell such users that they don't even need to think about security while that's exactly what they are already not doing.

The main point here is to prevent burnout for professionals who already know what they are doing. Burnout is a big risk for professionals in this industry. So much so, there are special groups dedicated to the mental health of IT sec professionals since a lot of them have common problems. Often security professionals are a one-person team with too much work, too little time and lots of responsibility. Often neither their bosses nor users really understand what they are doing. If you are doing a good job, no one notices anything. All the feedback you get is users being annoyed by your security measures. You can only do things wrong. There is no glory in prevention.