Truth About Computer Security Hysteria
Lots of trivia about Chernobyl — but few facts
Rob Rosenberger, Vmyths co-founder
Monday, 24 April 2000
ANTIVIRUS FIRMS STARTED raising the alarm about Chernobyl's first-anniversary trigger date. Three press releases weep about the 1999 catastrophe and I suspect more will appear later today or tomorrow. Fear sells, you know.
Oddly, the experts can't decide on an estimate for Chernobyl's carnage last year. Central Command's press release tells reporters "it was reported that over 500,000 computers had data loss and severe computer damage." F-Secure's press release goes four times higher: "according to the latest statistics, over two million PCs suffered data loss." An ICSA newsletter waffles by noting "the virus reportedly caused damage to between 500,000 and 2 million PCs." Panda's press release doesn't even offer a guesstimate.
Naïve government officials impregnated reporters with a massive urban legend about the Chernobyl virus. Antivirus firms promote it as "fact" for a simple reason — fear sells.
"It was reported"?
"According to the latest statistics"?
Waitaminit. Why can't antivirus firms agree on how many PCs died twelve months ago? Why do they tell reporters what reporters said? Why do they rely on arbitrary estimates & statistics instead of hard empirical evidence? ICSA touts its "yearly virus prevalence surveys," yet even they can only tell us what reporters said about Chernobyl.
Let's regroup. What exactly do we know about Chernobyl?
We know quite a bit about Chernobyl and its malicious author — but we don't know how many PCs went belly-up last year. Naïve government officials impregnated the media with wild "estimates," and the media gave birth to a massive urban legend. This led me to predict one year ago we might never learn the true number.
Anecdotes? Rumors? Sure, we've got plenty. Virus fighters at Fortune firms swear they personally lugged PCs to the dumpster. Someone in your office probably knows "a friend's sister" who tearfully lost a master's thesis to Chernobyl one week before her turn-in deadline. West coast importers swear a Pacific Rim cargo ship reversed course to return its load of PC parts. PC makers swear the importers started gouging clients after reading hysterical newswire reports.
The Flying Dutchman story remains my favorite virus rumor. Believe me, I tried to track down the cargo ship just to scoop the antivirus firms! Motherboard prices did jump in anticipation of increased demand — yet prices immediately dropped back to normal, so I started asking why. I'm not making this up: one spokesman congratulated his firm for reducing motherboard prices so quickly. He claimed they wanted to help devastated users get back on their feet.
(I wanted to praise the spokesman and his company by name, but my notes from last year are incomplete. Too bad.)
Don't get me wrong: I believe Chernobyl's wrath exceeded Michelangelo in terms of sheer numbers. I just don't see hard empirical evidence of an Asian meltdown. C'mon, you know it's bad when ICSA turns to the media for wildly oscillating figures! Virus experts can augment vague press releases with tear-jerking anecdotes — but the plural of 'anecdote' is not 'data.'
Why, then, do virus experts promote the Chernobyl urban legend as fact? Why do they tell reporters what reporters said about the virus? Why do they rely on arbitrary estimates & statistics instead of hard empirical evidence?
Answer: fear sells. "Fact" is a four-letter word in the antivirus industry.