Truth about computer security hysteria

With managers like these, who needs hackers?

Rob Rosenberger, Vmyths co-founder
Friday, 24 December 1999
What do Alpha Technologies, Iowa State University, Mid-American Energy, and the Swiss government have in common? Answer: media hype convinced them to stop using the Internet. They've joined the likes of the U.S. Air Force "Year 2000" Office....
"Alpha Technologies introduced the concept of reliable standby power to the cable television industry," notes CEO Fred Kaiser on his company's website. Ironically, his firm will need no backup network power on New Year's Day — because they'll use a corporate-wide precautionary disconnect to avoid unknown Y2K viruses. Network director Keith Batt sent an email to all users (including Kaiser) on Tuesday saying "Alpha Technologies servers, e-mail and dial-up capabilities will be unavailable ... from 8:00am on 12/31/99 to 8:00pm 01/02/2000... This down time will help ensure that we minimize our exposure to Millennium viruses." At least one employee dutifully forwarded it as an FYI to colleagues outside the firm.
"Curses!" shouted Snidely Whiplash. "Everyone shut down their computers on New Year's Day. I missed the only possible chance to plant a deadly virus on their systems..."
Batt obviously let the media hype sway him. "There are a great number of stories circulating about viruses that will become active at midnight of January 1, 2000," he admitted. He then offered a typical "better safe than sorry" rationalization: "while the actual likelihood of [a Y2K virus attack] is very remote, the downed systems should prevent these viruses from running." Employees' PCs need a precautionary disconnect, too. "We would also like to ask everyone to shutdown their desktop PCs when you go home for the New Years holiday weekend for the same reasons as described above," Batt urged.
Logic says Batt should first get a handle on his company's virus problem. I'd suggest some virus metrics for starters — I mean, this guy doesn't even know if his firm's PCs have viruses. Shameful! (What antivirus software does Alpha Technologies use? It obviously doesn't work against Y2K viruses. Batt clearly must know this. He should purchase a better antivirus solution for his firm, no doubt about it.)
Iowa State University and Mid-American Energy will shut down their networks as well. Iowa TV stations told of administrators scared bitless by the mere thought of a Y2K virus or Y2K hacker. A frightened (yes, frightened) Mid-American spokeswoman called the disconnect prudent because they don't want to face the possibility of another Melissa incident.
A Reuters newswire says the Swiss government will go even farther. "E-mail sent to the federal administration over the year-end period would be deleted automatically to prevent system failures resulting from bugs put in mail messages." Ah, of course. Can you imagine Snidely Whiplash's frustration on Y2K Day? "Curses! Now I'll never get to attack those savvy firms! This was the only day I could plant a deadly virus on their PCs!" I swear, these people should stay off the Internet until they get their virus epidemics under control.
Coincidence? Yesterday, the A&E network ran an old "Law & Order" episode about an über-virus which killed some medical patients.
F-Secure (formerly Data Fellows) issued a press release this week which immediately won praise among computer security skeptics. Alpha Technologies, Mid-American Energy, the Swiss government, and Iowa State University would do well to read it:
[Our] research shows no increased activity on the part of the virus-writing underground in anticipation of the coming Y2K weekend... Many security companies have warned about the possibility of thousands of Y2K viruses appearing overnight, either intentionally spread over the new year or spread earlier but programmed to activate and do damage on or around January 1, 2000. Yet in actual fact, by the middle of December 1999, just ten viruses or trojans designed to do damage at New Year 2000 had been found, and of these only two were found in the wild, intended to cause damage to real users. "Of course there will be virus cases on New Year's Day 2000, just as there are virus cases on any other day of the year. But to date we have seen no indication that there would be anything out of the ordinary this new year," comments Mikko Hypponen, Manager of anti-virus research at F-Secure Corporation. "More important, if there are Y2K problems, most of them won't even be seen for several days, since the majority of users will celebrate their Millennium somewhere other than in front of a computer."
Can you believe an antivirus firm wrote this? F-Secure decided not to milk the cash cow of Y2K virus hysteria. They'll reap big rewards in about two weeks when the world uses 20/20 hindsight.
F-Secure goes on to describe a forthcoming "Y2K virus clinic" similar to those planned by other antivirus firms. "People around the world [will] have a place to go for the latest information on hoaxes and minor issues, and can receive up-to-the-minute fixes for any real viruses that are uncovered." All at no charge. ("F-Secure will hold a Press Conference on the 1st of January 2000 ... to summarize the latest news on Y2K virus-related problems around the world." A rather boring event, I'll wager, punctuated only by reporters desperate for a storyline. I'll gladly participate by phone if I can recover from my Y2K hangover in time.)
A frightened spokeswoman said Mid-American Energy doesn't want to face another potential Melissa incident. Viruses can strike anytime, so — logically — Mid-American should leave their computers turned off. Forever.
Officials who ordered a Y2K shutdown as a virus preventive measure will try to justify their decisions after the fact. A "better safe than sorry" excuse won't hold water on 2 Jan 00, so they'll think up something else. They might claim something along the lines of "we overreacted because the whole world overreacted." Anyone who ever raised a teenager knows the correct response. "If Keith Batt jumped off a Cisco bridge, would you jump off a Cisco bridge too?"
Embarrassed officials might dismiss their shutdown orders by saying "we needed to do it anyway to avoid unpredictable Y2K midnight rollover effects." This reasoning does make sense — yet again, it raises an obvious question. "Why didn't you just say so in the first place? Why did you give a foolish Y2K virus excuse?" Duh...
Only the strongest ego will give the correct answer. "Okay, I admit it. I got swept up in the Y2K virus media fiasco. I wasn't thinking clearly."