Truth About Computer Security Hysteria
The China Syndrome, part 3Rob Rosenberger, Vmyths co-founder
Tuesday, 3 April 2001 REUTERS HASN'T TOUCHED The China Syndrome story as of tonight. The Associated Press hasn't touched it. ZDNN and News.com haven't touched it. MSNBC hasn't touched it. Wired hasn't touched it. Newsbytes hasn't touched it.
Antivirus firms only notified the U.S. government of their actions. I've yet to hear anyone say "we gave a duplicate copy of the viruses to FBI NIPC." What gives?InternetCrimeNews didn't mention the Wall Street Journal exposé in their news roundup. Neither did Pete Moss Security News. Neither did the latest SecurityFocus newsletter. Neither did Security Wire Digest. Neither did SecurityPortal's Virus/Malware Digest. Fred Cohen, the father of computer viruses, yesterday posted a news digest on his information warfare discussion group. Cohen fretted (and I quote): "I am thinking seriously about issuing a warning about possible upcoming information warfare or intentional information attacks from China against the US." Yet nowhere in his news summary did he mention the trading-viruses-for-Chinese-market-access revelation. Mind you, I personally pointed out the story last Friday in Cohen's discussion group. LinuxSecurity.com didn't comment on the story in yesterday's weekly roundup. The fearmongers at SANS haven't commented on it, either. Nor has TechWeb News. Many computer security discussion groups remain silent about the Wall Street Journal exposé. No one has broached the subject on BugTraq or NTBugTraq, for example. Even Usenet's alt.comp.virus newsgroup remains relatively quiet about the matter. (Then again, I expected as much from alt.comp.virus — it's the antivirus industry's watering hole. Any commentary posted there would fall into the public record. Only gadfly Brien Barlev and a few others bothered to post anything at all related to the controversy.) It appears only the ISN mailing list bothered to mention the Wall Street Journal story as part of their security news digest, and someone forwarded it from there to the Focus-Virus mailing list. The Register chimed in this morning with scathing commentary. Add Vmyths.com and the Wall Street Journal, and you've pretty much got the complete lineup. An American spy plane and its crew remain trapped on a Chinese-controlled air base. The four-star general who runs U.S. Space Command last week warned China can easily wipe us out with a computer virus. You'd think reporters would mention the antivirus industry's debacle in passing in their stories... The ancestral Bush administration got swept up in a media frenzy over an "arms for hostages" deal. Why didn't computer industry reporters gorge themselves on a "viruses for antivirus market access" deal? Why didn't security fearmongers outside the antivirus industry gorge themselves on free publicity? Why didn't the cyberwar fearmongers in Washington go ballistic? Why, why, why didn't we need to issue a hysteria alert?
The father of computer viruses yesterday said "I am thinking seriously about issuing a warning about possible upcoming information warfare or intentional information attacks from China against the US." Yet he didn't mention the viruses-for-market-access story in his news roundup...I've got a quarter-million words swimming through my brain right now because of The China Syndrome. Yet it would seem only the Wall Street Journal and Vmyths.com and The Register have anything to say about it...
ON THE OTHER hand, everyone seems to have a say in the $10,000 virus-writing contest sponsored by GateKeeper. Boy, ZDNN covered that story with gusto! They quoted Vincent Gullotto (Network Associates) as saying "it is probably one of the most irresponsible things that someone could do." The story also quoted Susan Orbuch (Trend Micro), who said "this type of behavior is incredibly unethical." Two antivirus companies spit on the idea of writing viruses for profit, despite the fact they distribute viruses for profit. Such irony does not make my job any easier. So! Why would everyone remain silent about the China revelation? I banged my head on the desk until the answer finally tumbled out:
Remember the old saying, "only Nixon could go to China"? Think of it this way: only security vendors can go to China. Why would they want to upset the world's largest realm of untapped potential consumers?Indeed, if I push the White House's buttons too much, they might actually feel compelled to do something. Ugh! Who knows what atrocities they'll inflict on us via the antivirus industry? I really should drop this story, if only to save Internet users from the horror of a "virus technology oversight committee."
I WANT TO point out a glaring item to any red-blooded American who reads this column. You can see it in this excerpt from the Wall Street Journal story:
McAfee President Gene Hodges said that within 90 days of complying with the Chinese request, his company notified the U.S. government that it had provided the samples. "No specific concern was expressed" by the government officials that the company spoke with, Mr. Hodges said. He declined to say who or which U.S. government department his company contacted.I've yet to hear anyone say "we gave a duplicate copy of the viruses to FBI NIPC." Antivirus firms only notified the U.S. government of their actions. Why? Granted, Washington doesn't deputize antivirus firms like Beijing, but you'd think the industry could at least level the cyberwar playing field... The Wall Street Journal brought up another side of the coin:
It is also possible that the Chinese ministry could be looking to use the viruses to develop their own antivirus products at the expense of research done by foreign companies, although the authorities didn't seek access to the more useful source code that the software companies use to write antivirus products.I think I know why China didn't ask for source code — their much-feared "information warfare battalion" doesn't know enough to ask for the proper tools. They probably waste their time collecting viruses like all the other 14yr-olds out there. Every e-war unit needs a virus library for its dog-and-pony show... which leads us to the last sentence in the Wall Street Journal story:
[Commerce Undersecretary William Reinsch] added that the Bush administration may need to consider restricting in some ways the intentional export of malicious software to some countries.Restrict the distribution of viruses? Bah. The NSA fought for ten years to keep their encryption genie in the bottle. How can you possibly hope to contain a virus genie which has always roamed free? There aren't enough prisons, and there aren't enough armed guards, to detain all the 14yr-old hobbyists who write and/or distribute viruses. Let me wrap up with a repeat of what I said last Friday. "Antivirus firms didn't violate my personal code of ethics when they turned over their virus libraries to the Chinese regime." Now if you'll excuse me, I need to take some aspirin. I picked up a headache from banging my head on the desk... Waitaminit, I take it back. There are enough prisons with armed guards. Americans call them "schools."