Vmyths.com

Truth About Computer Security Hysteria


Because I'm the mommy, that's why!

Rob Rosenberger, Vmyths co-founder
Friday, 4 January 2002

A VMYTHS READER who probably needs anonymity asked the following question:

My company blocks Hotmail and other Internet Mail sites, and gives the following explanation: "Unfortunately, Web based e-mail services cannot be opened because of the potential of viruses infecting the...network."  Is there reason to believe this is a true statement, or an excuse to keep us off Hotmail for other reasons?
Good question!  Answer: "yes and yes."  We'll talk about the "other reasons" after we cover the issue of viruses.

Only a small handful of "freemail" sites bother to check email attachments for viruses.  Hotmail does it, for example, but their network sometimes fails to detect them.  When new viruses come out, the possibility exists for employees to infect their PCs via any non-corporate email account.

I said "non-corporate email" because this problem doesn't limit itself to just freemail.  I've worked in the past with network administrators who log into their home networks just to read personal email.  It also includes reserve military officers who can access email from civilian computers.  (The military runs plenty of antivirus software, but they habitually lose containment whenever a new virus comes along.  You can guess my opinion of home network email servers.)

So any employee could bring a virus into the company just by using any non-corporate email account.  This threat manifests itself in the real world for a rather obvious reason — few employees see it as their job to constantly update their antivirus software.  The more network users you have, the more you need centralized antivirus software management.

Hence many corporate, government, and military PCs automatically download the latest "approved" antivirus update every time an employee logs onto the network.  Employees generally can't stop these updates — they occur as part of the network "login script."  In theory, then, any employee who goes through this rigmarole should feel safe enough to access a Hotmail account.  Right?

In theory, yes.  In reality, no.

Let's suppose you & I work for a firm where they centralize the antivirus update process.  You & I get the latest approved antivirus update every morning when we fire up our PCs.  Immediately after you & I log in, you check your reserve military email and I check Hotmail.  And we both accidentally run an infected attachment on our PCs.  We wind up infecting the whole firm with a devastating über-virus — because the company's latest approved antivirus update doesn't detect it.

Who will take the fall in this scenario?  You & I will, of course.  But I insist it is not our fault.  Rather, it's a consequence of the firm's decision to deploy inferior antivirus technology.  Uh, let's just forget I wrote that.


A FIRM MIGHT block non-corporate email access as a tactical antivirus solution until they implement a strategic antivirus solution.

However, few companies care enough to face the fact they prefer an inferior antivirus technology.  They also don't care enough to quarantine "typhoid macro" employees.  Shallow thinkers will incorrectly ban Hotmail et al. as a long-term antivirus solution.

An unrelated circumstance can make this logic error work to the company's advantage.  Face it: your boss didn't hire you to answer personal or military email during work hours.  Logically, your firm would forbid non-corporate email access as a long-term productivity solution.  Hence firms feel justified for one correct reason and one incorrect reason when they block non-corporate email.

This leads to an obvious question.  Why would a firm give employees an illogical reason for a logical decision?

The answer boils down to politics.  Enforcers blame it on the scourge of viruses because it's not their job to defend management's policy against reading personal email.  The old saying "because I'm the mommy, that's why!" has turned into "because it protects us from viruses, that's why!"

Shallow thinkers use the threat of viruses to justify a multitude of non-virus policies just so you won't debate their decisions.  Some firms, for example, ban the popular SETI@Home screensaver as a security threat and/or as a bandwidth hog.  It is neither.  In reality management probably just wants to eliminate a nagging tech support problem — but if they admit it, some employees might debate the decision.


Ironically, if you pressure your network gurus, you'll find many of them have special dispensation to use Hotmail and other non-corporate email accounts.  It's so widespread among Fortune 1000 firms that I'd bet money on it.  They'll give you two reasons for it:

  1. they occasionally "need" an external email account to test their internal email network (a legal no-no), and
  2. they "know" better than the average employee how to avoid viruses even though they use the exact same corporate-approved antivirus software.

If your network administrators give these reasons, tell them "Rob Rosenberger predicted you'd say that."