Truth about computer security hysteria

Sasser worm (May 2004 hysteria)

CATEGORY: Misconceptions about genuine threats

Headlines around the world warned of the spread of multiple variants of the Sasser worm. "Sasser's toll likely stands at 500,000 infections," a typical headline reads. Vmyths notes security experts have tended to make guesses in the same ballpark — ranging from 200,000 to one million infected computers.

News stories at first identified those who made guesstimates, but the current batch of stories no longer directly cites sources for these figures. "500,000 to one million infected PCs" is now widely accepted by the media as if it were a fact rather than a conjecture.

A News.com story penned by Rob Lemos pointed out that "while [these] numbers sound overwhelming, the compromised PCs make up a fraction of a percent of the computers connected to the Internet." Vmyths agrees with Lemos' assessment.

Many security experts failed to predict the Sasser worm would focus more on home computers than business PCs. The reasons for it are obvious in hindsight to these experts, so Vmyths must ask a rhetorical question — "why didn't security experts predict the obvious?" And speaking of predictions...

Security experts didn't agree on what day they thought the Sasser worm would achieve "peak activity." American experts predicted it would peak on Monday "as millions of workers bring their laptops back to their offices, after using them over the weekend to access the Internet from relatively unsecured home locations." On the other hand, experts who live outside the U.S. predicted Sasser would peak on Tuesday due to long holiday weekends in some parts of the world.

(Conflicting accounts of the worm's spread make it difficult to gauge the accuracy of these predictions at the time of this writing.)

Panicky firms have damaged themselves over the years in a trend known as "precautionary disconnects." In the latest example, an AFP newswire revealed "Sampo, Finland's third largest bank, closed its 130 branch offices across the country to prevent the Sasser Internet worm from infecting its systems... 'We decided to close our offices as a precaution, since we knew that our virus protection hadn't been updated,' Sampo spokesman Hannu Vuola [said]." In other words, Finland's third-largest bank voluntarily made itself Finland's smallest bank — because they didn't trust their "antivirus solution" to protect them in a time of crisis.

Contrary to widespread reports, Australia's "RailCorp" railway system may not have been hampered by the Sasser worm. CEO Vince Graham was quoted as saying the company's most recent woes "could very well be a matter related to a virus getting into [RailCorp's] system." Graham did not confirm anything, and other officials conceded they didn't really know what caused RailCorp's most recent problem. This is an important distinction. Vmyths readers may recall security experts incorrectly blamed a computer worm for the U.S. electrical blackout of 2003.

Vmyths has observed new buzz phrases in the media's coverage of the Sasser worm. For example, did you know there is now a "network telescope" which can peer into "the dark matter of the Internet"?

Normally, Vmyths would expect to see "global damage estimates" for the Sasser worm, courtesy of a company known as mi2g. However, mi2g has remained oddly silent since mid-April. Still, Vmyths will watch for mi2g to add Sasser's costs to their astronomical tally for virus damages.

Will U.S. extradite Sasser author?

A Reuters newswire says "German police have arrested an 18-year-old man suspected of creating the 'Sasser' computer worm, believed to be one of the Internet's most costly outbreaks of sabotage... [A police spokesman] said the suspect admitted to programming the worm." CNN later identified the teenager as "Sven Jaschan."

We predict the fearmongers at mi2g will soon slap an astronomical dollar value on the Sasser worm. The U.S. alone will account for a few billion of mi2g's guesstimate. This leads us to ponder an interesting question:

Will the Justice Department try to extradite the author of the Sasser worm? Will he stand trial on American soil for a multi-billion-dollar crime?

If history is a guide, Sasser's author will never appear before a U.S. judge. Consider the following:
  1. U.S. feds never sought extradition for Jan de Wit (aka "OnTheFly"), who released the Kournikova virus in February 2001. A Dutch court convicted him for the crime but he remains free of a U.S. indictment.

  2. U.S. feds never sought extradition for the four Israeli teenagers who released the Goner virus in December 2001. They remain free of a U.S. indictment in Israel.

  3. U.S. feds never sought extradition for any of the suspects behind the ILoveYou virus in May 2000. Reonel Ramones, Onel de Guzman, and Irene de Guzman remain free of a U.S. indictment in the Philippines despite the successful completion of a much-publicized worldwide manhunt.

  4. U.S. feds never sought extradition for Mike Calce (aka "Mafiaboy"), a then-14-year-old hacker whose e-commerce attack (supposedly) very nearly destroyed Amazon.com, Yahoo!, eBay, CNN, and other U.S.-based firms in February 2000. Calce was found guilty in Canada for the crime but remains free of a U.S. indictment.

  5. U.S. feds never sought extradition for acknowledged Chernobyl virus writer Chen Ing-Hau for "destroy[ing] thousands" of U.S. government, military, corporate, academic, and personal PCs in April 1999. He remains free of a U.S. indictment in Taiwan.

FBI agents traditionally provide "evidence" to other countries to help them prosecute virus/worm authors ... but that's as far as it goes. Remember this when you read stories about the arrest of Sasser's creator. Vmyths predicts he won't be extradited to America.

Remember your history lessons. Stay calm. Stay reasoned. And stay tuned to Vmyths.

Last updated: 2004/5/11