Truth About Computer Security Hysteria
With managers like these, who needs hackers? (v3.0)
Thursday, 30 December 1999
WHAT DO PORSCHE, West Group, Glaxo Wellcome, Volkswagon, PacifiCare Health Systems, the U.K.
Employment Service, the U.S. Defense Finance & Accounting Service, and the Washington State Dept. of Health
have in common?
You guessed it: they all fear unknown Y2K viruses.
Porsche acknowledged it on their website in multiple languages. "For technical and security reasons, the
Porsche web server will shut down from noon 12.31.1999, to 3:00 pm 1.1.2000." You'll appreciate the irony of
the "more performance" banner in this website snapshot.
The Defense Finance & Accounting Service will likewise shut down their website as a precaution.
quoted a spokesman who
remarked "you really don't know who's out there and what they're trying to do." (A result of
"bad intel," sir.) Another spokeswoman confirmed the Pentagon
now approves of precautionary retreats. "If commanders or
individual (military) installations feel this is warranted, they have that option."
Can you imagine this philosophy in a real-world military clash? "Did I withdraw my men from the battle zone
because of guerrilla attacks? No, sir: we pulled out because the environment just didn't feel safe. Cpl Wingnut
thought he heard a noise..."
The Financial Times of London
reported "some of UK's largest
companies are blocking electronic mail over the New Year in a bid to thwart the arrival of a threatened wave of up
to 200,000 computer viruses... Glaxo Wellcome, the pharmaceuticals giant, and the car manufacturers Vauxhall and
Volkswagen are among the big companies planning to block e-mails."
The story mentioned a spokesman who refused to discuss whether Ford would invoke a precautionary disconnect.
Personally, I assume they won't. My source inside Ford hasn't complained of irrational security decisions.
Financial Times reporters should talk to West Group instead. They sell access to a popular
case law database known as Westlaw. Security Coordinator Dave Hedblom told employees in an email:
"A Y2K virus might shut down our entire network over the new year. As a precaution, we will shut down our
entire network over the new year."
To minimize Y2K-related problems, all incoming and outgoing external Internet e-mail will be held beginning
Friday, December 31, at 10:00 a.m. On Saturday, January 1, at 6:00 a.m., West Technical Services will assess
whether it is safe to enable e-mail messages that were sent over the Internet. The amount of time Internet
messages are held will depend on our anti-virus vendor's ability to provide software that can detect and clean Y2K
St. Louis University law student Sarah Holdener smirked at Hedblom's decision to imprison email.
"It limits your ability to use Westlaw," she asserted.
This screen snapshot validates her claim.
Hedblom may suspend e-habeas corpus beyond New Year's Day if he considers it prudent. This guy must wield
incredible authority at his company! I can already hear the courtroom banter: "Your Honor, Prosecution
needs a continuance until Westlaw returns to full operational capability..."
The U.K. Employment Service took it one better. This automated reply arrived after I sent a test email:
Your e-mail entitled
Talk about paranoid overreaction! They quarantined a text message with no attachments. Wouldn't you like
to ignore everybody's email for a week? (And can't anyone in this industry spell "millennium"?)
You wonder why Americans look down on the healthcare provider industry? A PacifiCare Health Systems customer
received this automated response:
Y2K virus bogeyman
has been stored and will be transmitted on Wednesday 5th January 2000. Due to the heightened concern about virus
activity in the run up and during the Millenium period, Employment Service has disconnected its Internet mail
gateway. If you have any queries or difficulties please contact the e-mail recipient to arrange an alternative
method of delivery.
Due to the anticipated increase of email transmitted computer viruses forecast by Anti-Viral experts, PacifiCare
Health Systems is taking the following measures. During the critical Y2K email Virus period of December 17th,
1999 through January 7th, 2000 all Email sent to PacifiCare Health Systems Inc. will be held for seven days,
scanned with the latest anti-viral signatures, and then delivered. Please do not re-send your email message as it
will be held as well. If you need to get your information to your contact, please contact them by phone to
arrange other methods. Thank you for your patience.
PacifiCare, too, quarantines text messages with no attachments.
The Washington State Dept. of Health also overreacted, though not as bad. A spokeswoman confirmed they are
"not allowing attachments to come into the agency [over the new year] because of the concern about
viruses." Email will flow unhindered if it carries no attachments.
On a positive note, the Financial Times said British Aerospace "was running
e-mail as normal but watching out for specific viruses — [a spokesman proclaimed] 'we have a very good idea where
a lot of these are coming from or could come from." Nokia's computer security team has a firm grip on
sanity, too, according to a rumor I heard. Good for them!
Network Associates back-pedaled a little in a New York Times
the Y2K virus threat. " 'Nothing happened over Christmas, which may be a pretty good indication that
nothing major will happen on Jan. 1,' said Vincent Gullotto."
"The Y2K bogeyman called during your coffee break. He said 'boo.' "
SECURITY WILL SUFFER in the long run because of this fiasco. Why? Simple: a bunch of
tin-star sheriffs made an irrational decision to disconnect networks "just as a precaution."
Computer security personnel spend years making headway in their companies. They slowly build up a position
of authority in their organization. When they finally get a chance to exercise real power, what happens? They
let media hysteria cloud their judgment.
You probably paid through the nose this year to improve your Internet connectivity — and now a Chicken Little
turns it off & on like a light bulb. Frustrating, eh?
Rational and irrational security personnel will feel the sting of this fiasco. Even if they preached
sanity, they'll still suffer guilt by association. Irate users will paint them with a wide brush
as "the boys who cried 'there might be a wolf!"
Years of build-up effort, flushed down the toilet ... by people who read Weekly World News instead of
Information Security magazine. What a waste. I hope the computer security world learned something
from it all.
Now if you'll excuse me, I need to take a shower. Or at least wash my hands. Know what I mean?
I can see the headlines next week: "pseudo-experts
scared bitless by Y2K bogeyman!"