Truth About Computer Security Hysteria
Virus panics until the world obeys!
George C. Smith, Ph.D.,
Sunday, 28 May 2000
I was in Maui a week or so ago defending and observing the infrastructure. (I saw that smirk!)
While I was there, the San Francisco Examiner ran an above-the-fold story about NewLove virus
"raging" through the Internet. In the past few weeks, viruses are always "raging." It was
said to be decimating the infrastructure a mere two weeks after LoveBug.
I checked the infrastructure on the west side of Maui. It was pretty good. ATM's worked. Planes carrying
tourists came in. Business bizzed. T-shirt shops in LaHaina, all using computers, sold crummy T-shirts in bulk.
Car rentals rented. The restaurants overcharged. All computerized. Maui was red hot.
Predictions of infrastructure doom were falling on deaf ears. Oh sure, plenty of people saw the news. But
did they care? Empirical evidence suggested not.
Fast forward to Pasadena on Saturday, May 27. Another virus is "raging" through the Internet, set
to take advantage of the Memorial Day weekend. How do I know? AP, the NIPC and a couple anti-virus
companies said so. They must be right! Right? Page your network administrator! Send a blizzard of e-mail
I asked the neighbors, who were barbecuing, if they had been frightened by NewResumeNotBugLoveButSortaLikeMelissa.
They were enjoying the weekend and would not obey. I went to the supermarket. No problem — bought peel-and-eat
shrimp. Maybe computers were going to get corrupted at the start of the work week, but for now, it looked like
everyone was going to PARTY 'TIL THE WORLD OBEYED!
So here's the crux of it. I made the point during LoveBug that people didn't really want to do anything productive
about computer viruses except make a mass concerned noise and run around pretending that their hair was on fire.
Get ready for more alarms, I predicted. They're coming your way, I said. No one really cares enough.
Viruses are too great as publicity ops for Congress, computer pundits and security firms.
Info-war with viruses is Hell! But never so hellish it can't be used for an advertorial...
It took merely a week for my prediction to come true. I would have guessed more than a month.
So, my questions are these:
- What should be the function of anti-virus companies and/or NIPC virus-stoppers? To stop viruses and educate
about them? Or just to alarm on them? If it's the latter, we're paying too much for the service. Any yahoo can
start a computer virus warning service. Multiples of viruses are published each day and it's not much serious work
at all to issue publicity statements on handfuls that fall into your hands. There's no barrier to entry. Who
should do it? The government? The corporate sector? Anybody and everybody, the more the merrier?
If you want anti-virus companies and/or NIPC to stop viruses more effectively, or educate about them, why aren't
they? It's not like the currency in computer viruses has passed a technological milestone utterly baffling to
virus-hunters. This stuff was well understood years ago.
Do you feel educated about computer viruses? "They're bad stuff; practice safe hex, keep your anti-virus
software up to date," doesn't cut it.
OK. Write Michelangelo or any other "popular" virus of your choice in pseudo-code statements. That is,
construct a logical decision tree written in -plain, jargon-free English- that describes the stepwise action of the
virus when it is executed. If you can't, that's OK, too.
- How do media, NIPC and press release alarms every three days about whatever new virus has been sampled from a
virus-writer's collection serve the greater good? Be precise, give examples.
Do they result in less viruses in circulation or more? Do you think virus-writers are stimulated by public
attention, by a "jazz" received from knowing authority figures are huffing and puffing about them? Or
are virus-writers running for cover, vowing to mend their evil nerd ways, fearful that they will soon be dispatched
to the trashpits of Gehenna by an angry mob. Do you think most virus-writers take the statements of law
enforcement and Congress seriously? If not, what are the implications for policy or laws aimed specifically at
Do you think frenzies over computer viruses artificially cock expert and journalistic reporting on the subject?
- If the same "experts" have said the same thing about computer viruses before government bodies for
the past four years — and they have, trust your friendly interlocutor on this one — what can be said, using
observation and critical sense, about the effect and nature of the debate on the subject? That it does no good?
Or that it does lots of good? Or is it impossible to measure? Who benefits directly from these regular circular
discussions? Do you feel "experts" are accurately describing the precise degree, intensity and nature of
the computer virus threat?
- When do you think the "infrastructure" of the US will fail -catastrophically- due to a computer
virus? (OK — I'll make this easy. When do you think a computer virus will make something like half of Los Alamos
burn down in a day?) Explain.
Try to avoid over-reliance on computer security jargon or impressive-sounding but vague wonk-speak.