Truth about computer security hysteria
George C. Smith, Ph.D., Editor-at-large
Sunday, 28 May 2000

I was in Maui a week or so ago defending and observing the infrastructure. (I saw that smirk!) While I was there, the San Francisco Examiner ran an above-the-fold story about NewLove virus "raging" through the Internet. In the past few weeks, viruses are always "raging." It was said to be decimating the infrastructure a mere two weeks after LoveBug.

I checked the infrastructure on the west side of Maui. It was pretty good. ATMs worked. Planes carrying tourists came in. Business bizzed. T-shirt shops in Lahaina, all using computers, sold crummy T-shirts in bulk. Car rentals rented. The restaurants overcharged. All computerized. Maui was red hot. Predictions of infrastructure doom were falling on deaf ears. Oh sure, plenty of people saw the news. But did they care? Empirical evidence suggested not.

Fast forward to Pasadena on Saturday, May 27. Another virus is "raging" through the Internet, set to take advantage of the Memorial Day weekend. How do I know? AP, the NIPC and a couple anti-virus companies said so. They must be right! Right? Page your network administrator! Send a blizzard of e-mail warnings! Obey!

I asked the neighbors, who were barbecuing, if they had been frightened by NewResumeNotBugLoveButSortaLikeMelissa. They were enjoying the weekend and would not obey. I went to the supermarket. No problem — bought peel-and-eat shrimp. Maybe computers were going to get corrupted at the start of the work week, but for now, it looked like everyone was going to PARTY 'TIL THE WORLD OBEYED!

So here's the crux of it. I made the point during LoveBug that people didn't really want to do anything productive about computer viruses except make a mass concerned noise and run around pretending that their hair was on fire. Get ready for more alarms, I predicted. They're coming your way, I said. No one really cares enough. Viruses are too great as publicity ops for Congress, computer pundits and security firms. Info-war with viruses is Hell! But never so hellish it can't be used for an advertorial...

It took merely a week for my prediction to come true. I would have guessed more than a month. So, my questions are these:
  1. What should be the function of anti-virus companies and/or NIPC virus-stoppers? To stop viruses and educate about them? Or just to alarm on them? If it's the latter, we're paying too much for the service. Any yahoo can start a computer virus warning service. Multiples of viruses are published each day and it's not much serious work at all to issue publicity statements on handfuls that fall into your hands. There's no barrier to entry. Who should do it? The government? The corporate sector? Anybody and everybody, the more the merrier? If you want anti-virus companies and/or NIPC to stop viruses more effectively, or educate about them, why aren't they? It's not like the currency in computer viruses has passed a technological milestone utterly baffling to virus-hunters. This stuff was well understood years ago. Do you feel educated about computer viruses? "They're bad stuff; practice safe hex, keep your anti-virus software up to date," doesn't cut it. OK. Write Michelangelo or any other "popular" virus of your choice in pseudo-code statements. That is, construct a logical decision tree written in -plain, jargon-free English- that describes the stepwise action of the virus when it is executed. If you can't, that's OK, too.
  2. How do media, NIPC and press release alarms every three days about whatever new virus has been sampled from a virus-writer's collection serve the greater good? Be precise, give examples. Do they result in fewer viruses in circulation or more? Do you think virus-writers are stimulated by public attention, by a "jazz" received from knowing authority figures are huffing and puffing about them? Or are virus-writers running for cover, vowing to mend their evil nerd ways, fearful that they will soon be dispatched to the trashpits of Gehenna by an angry mob? Do you think most virus-writers take the statements of law enforcement and Congress seriously? If not, what are the implications for policy or laws aimed specifically at them? Do you think frenzies over computer viruses artificially cock expert and journalistic reporting on the subject?
  3. If the same "experts" have said the same thing about computer viruses before government bodies for the past four years — and they have, trust your friendly interlocutor on this one — what can be said, using observation and critical sense, about the effect and nature of the debate on the subject? That it does no good? Or that it does lots of good? Or is it impossible to measure? Who benefits directly from these regular circular discussions? Do you feel "experts" are accurately describing the precise degree, intensity and nature of the computer virus threat?
  4. When do you think the "infrastructure" of the US will fail -catastrophically- due to a computer virus? (OK — I'll make this easy. When do you think a computer virus will make something like half of Los Alamos burn down in a day?) Explain. Try to avoid over-reliance on computer security jargon or impressive-sounding but vague wonk-speak.