Details dropped earlier today about a computer vulnerability that seriously threatens aspects of data center security. Dubbed “venom” by researchers who discovered it, the flaw lets an attacker burst out of a key piece of cloud infrastructure—virtual machines, which are basically instances of computers programmed onto other physical computers—and to, well, poison neighboring virtual machines.
The cyber security firm CrowdStrike that discovered Venom rolled out a sinister logo and slick website on Wednesday morning, helping to create buzz around the announcement. The move follows in the same vein as other high profile computer bug disclosures, like last year’s “heartbleed” vulnerability (which, by the way, 3-out-of-4 big companies still have not fully remediated).
With that branding behind it, the big bad bug has been catching attention online. The Twittersphere has been alight with commentary. See: “#VENOM.”
The chatter began yesterday with subtle remark posted by Dan Kaminsky, co-founder of the security firm White Ops and one of the researchers who worked with CrowdStrike to alert cloud companies about the bug. Those “in the know” may have recognized his hint of what was to come. As he tells Fortune: “My role in all this—it’s not my bug. CrowdStrike found this thing. Sometimes bugs find me and I go ahead and make sure information about them gets through. I played that role with this bug to make sure the right people knew about it—those being general-to-major cloud providers.”
Well, tomorrow is going to be…exciting
— Dan Kaminsky (@dakami) May 12, 2015
After the news broke, the majority of tweets about Venom fell into two categories: news updates, or comical jabs at the vulnerability’s marketing campaign. Nowadays, it seems, when discovered by the right folks, computer bugs can get the celebrity treatment. (See: the Venom site.)
Anyway, if you’re interested in the state of patches, go read my colleague Barb Darrow’s recap. If, on the other hand, you’re interested in the best wisecracks, please read on:
sigh… if you use a snake image for #VENOM , you could at least pick a venomous species #ThatConstrictorIsNotVenomous
— Josh Corman ♘ (@joshcorman) May 13, 2015
(Yes, Fortune intentionally used a non-venomous snake as this post’s photo. Haha!)
Ok, this is getting silly. #VENOMpic.twitter.com/LuvktB0xuZ
— Jan Schaumann (@jschauma@mstdn.social) (@jschauma) May 13, 2015
Website: ✔️
Scary name: ✔️
Awesome logo: ✔️CVE-2015-3456 looks legit. Better upgrade! http://t.co/JZ2sJr0H5o
— Aaron Patterson (@tenderlove) May 13, 2015
https://twitter.com/tottenkoph/status/598490113262292992
https://twitter.com/digitalsqand/status/598479769718558720
Some took jabs at media coverage:
https://twitter.com/JayCuthrell/status/598589241619165185
Including a gripe about Fortune‘s headline (hey!):
Award for the most atrocious tweet re: VENOM today. Ugh. https://t.co/gidIlNdZ2M
— Christofer Hoff (@Beaker) May 13, 2015
And others joked about the part of the virtual machine monitor’s code that was found vulnerable: its floppy disk emulator. “Who thinks to look at the floppy disk controller in QEMU?” Kaminsky asked when he spoke with Fortune. “But you’ve got to go find this stuff out!”
For those who are too young to remember, a Floppy Disk is the Save Icon, printed in 3D #venom
— Kris Buytaert (@KrisBuytaert) May 13, 2015
Jokes aside, at least one person waxed philosophical about why computer bug disclosure sites never seem to secure their traffic with encryption.
I don't understand what's so damn hard about using HTTPS on your vuln marketing page. http://t.co/DXErCebgFg#VENOM
— David Adrian (@davidcadrian) May 13, 2015
Please let the irony of http://heartbleed.com/ sink in.
Good? Okay. If you have more suggestions, feel free send them to the author on Twitter (@rhhackett) or post links below, and Fortune will consider including them here.
In the meantime, go patch your systems.
