Truth About Computer Security Hysteria
Lots of trivia about Chernobyl — but few facts
Monday, 24 April 2000
ANTIVIRUS FIRMS STARTED raising the alarm about Chernobyl's first-anniversary trigger date. Three press releases weep about the 1999 catastrophe and I suspect more will appear later today or tomorrow. Fear sells, you know.
Oddly, the experts can't decide on an estimate for Chernobyl's carnage last year. Central Command's press release tells reporters "it was reported that over 500,000 computers had data loss and severe computer damage." F-Secure's press release goes four times higher: "according to the latest statistics, over two million PCs suffered data loss." An ICSA newsletter waffles by noting "the virus reportedly caused damage to between 500,000 and 2ámillion PCs." Panda's press release doesn't even offer a guesstimate.
Naïve government officials impregnated reporters with a massive urban legend about the Chernobyl virus. Antivirus firms promote it as "fact" for a simple reason — fear sells.
"It was reported"?
"According to the latest statistics"?
Waitaminit. Why can't antivirus firms agree on how many PCs died twelve months ago? Why do they tell reporters what reporters said? Why do they rely on arbitrary estimates & statistics instead of hard empirical evidence? ICSA touts its "yearly virus prevalence surveys," yet even they can only tell us what reporters said about Chernobyl.
Let's regroup. What exactly do we know about Chernobyl?
We know quite a bit about Chernobyl and its malicious author — but we don't know how many PCs went belly-up last year. Na´ve government officials impregnated the media with wild "estimates," and the media gave birth to a massive urban legend. This led me to predict one year ago we might never learn the true number.
Anecdotes? Rumors? Sure, we've got plenty. Virus fighters at Fortune firms swear they personally lugged PCs to the dumpster. Someone in your office probably knows "a friend's sister" who tearfully lost a master's thesis to Chernobyl one week before her turn-in deadline. West coast importers swear a Pacific Rim cargo ship reversed course to return its load of PC parts. PC makers swear the importers started gouging clients after reading hysterical newswire reports.
The Flying Dutchman story remains my favorite virus rumor. Believe me, I tried to track down the cargo ship just to scoop the antivirus firms! Motherboard prices did jump in anticipation of increased demand — yet prices immediately dropped back to normal, so I started asking why. I'm not making this up: one spokesman congratulated his firm for reducing motherboard prices so quickly. He claimed they wanted to help devastated users get back on their feet.
- We know malicious virus writer Chen Ing-Hau lives in Taiwan and constructed Chernobyl while in college.
- We know college officials gave him a demerit for writing a malicious virus.
- We know he later entered Taiwan's military to fulfill a two-year draft requirement.
- We know Chernobyl triggered its malicious payload during his enlistment.
- We know Taiwanese police interrogated malicious virus writer Chen Ing-Hau while he served in the military, and
we know he confessed
to writing it.
- We know from his confession "he created the highly vicious virus ... in order to make a fool of the
software providers, from whom he had bought antivirus programs that proved useless" against other viruses
which plagued him at college.
- We know Taiwanese officials filed no charges against him, because none of the island's
22ámillion inhabitants stepped forward to lodge a complaint.
- We know malicious virus writer Chen Ing-Hau wrapped up his draft commitment about a half-year after the media
stopped hounding him.
- We know at leastá20 Taiwanese firms competed to hire him, and we know Wahoo International Enterprise won
the recruiting war. They ironically hired him as a hardware tester.
- We know FBI NIPC didn't bother to indict malicious virus writer Chen Ing-Hau for supposedly destroying
"thousands" of U.S. government, military, corporate, academic, and personal PCs.
You know it's bad when ICSA turns to the media for wildly oscillating figures.
(I wanted to praise the spokesman and his company by name, but my notes from last year are incomplete. Too bad.)
Don't get me wrong: I believe Chernobyl's wrath exceeded Michelangelo in terms of sheer numbers. I just don't see hard empirical evidence of an Asian meltdown. C'mon, you know it's bad when ICSA turns to the media for wildly oscillating figures! Virus experts can augment vague press releases with tear-jerking anecdotes — but the plural of 'anecdote' is not 'data.'
Why, then, do virus experts promote the Chernobyl urban legend as fact? Why do they tell reporters what reporters said about the virus? Why do they rely on arbitrary estimates & statistics instead of hard empirical evidence?
Answer: fear sells. "Fact" is a four-letter word in the antivirus industry.