Vmyths reader Sean P. Reiser published a great anecdote about False Authority Syndrome. He describes an incident that could have played out on an episode of “Friends.” At a restaurant gathering, a woman (let’s call her “Phoebe”) ends up berating a man (let’s call him “Sean”) with a healthy dose of fear, uncertainty, and doubt:

“The person on my right said, ‘your bank is right you should change your account, it’s the only way to be safe.’ I replied, ‘I’m not sure, [but] I’m pretty sure that paypal obfuscates the bank account and credit card information in their interface.’ She looked at me and then said, ‘it’s not that, you don’t know what was attached to the transaction so they could track it back. They could track the transaction through the banking system based the the size of the transaction.’ I sort of nodded because I knew where this was going…”

Sean’s column describes a situation I run into all the time. It’s not enough for Phoebe to win the debate — Sean must lose.

“I sort of nodded because I knew where this was going…”

Imagine you’re sitting in the restaurant with Sean & Phoebe. You know he’s got two decades of IT experience. One of your buddies turns to him, perhaps knowing he’ll empathize & advise with a level head. Suddenly Phoebe berates Sean for not adding a pinch of hysteria to spice up his meal. You look on as Sean graciously lets Phoebe win the debate.

Don’t ask yourself “who’s the IT expert at this table?” You need to ask “who’s more competent at this table?”

Is it Phoebe for saying “jump overboard because we don’t know the danger”? Or is it Sean for saying “I can’t rattle enough facts off the top of my head to know if you should jump overboard”?

If you’re sitting in a restaurant and Phoebe blurts out “you need to close your checking account immediately,” do you honestly think the victim’s local bank will be open at that late hour to do all the necessary paperwork? “Good grief, I hate to eat & run but time is of the essence! I’ve got to call my bank’s 24hr cybercrime hotline and get them to haul a notary public out of bed so I can scribble my signature on a half-dozen forms to close my checking account before Snidely Whiplash delivers my death blow. Does anyone have a ballpoint pen I can borrow? I need to press hard on each form because I’ll be making three copies. Now where did I put my second form of identification?”

There’s some­thing about com­pu­ter crime that turns first-world societies into super­sti­tious cave­men — and False Authority Syn­drome per­pet­u­ates it.

If the bank already told you “we’ll reverse the fraudulent transactions on your account,” then a few more hours won’t make any difference. You’ve got time enough to do some research on PayPal fraud. So just relax and enjoy your dinner.

(Waitaminit. “Enjoy your dinner”? How can you pay for your meal after Snidely Whiplash forged your digital signature and transferred your life savings to a Swiss account and pilfered the deed to your home & property and declared himself the sole beneficiary on your life insurance policy? Ah, but I digress…)

Listen to me, folks. I once unexpectedly closed a checking account when my wife passed away. It absolutely positively sucks to do it. First you write a check out of the old checkbook to open the new account. Then you file paperwork with your employer to auto-deposit your wages to the new account. Your employer invariably disclaims “it may not take effect this coming payday” and you end up worrying your paycheck might evaporate into thin air. Then you balance the old checkbook 93 times in a row because you fear something will bounce if you’re off by a single penny. Then you wait for the new checks to arrive. Someone’s got to pay for the cost of printing those checks and the bank will debit it from your new checkbook, assuming of course you left enough in the account to cover it. Later, your safe deposit box goes into arrears because your bank forgot to make you do the paperwork to assess the fees from your new checking account. Then your bank asks you for more time off work so you can sign the papers to accept 31¢ of interest that accrued before you closed out the old checkbook…

Come, now. Who would willingly put themselves through this rigmarole based on the advice of a friend sitting in a restaurant who breathlessly insists “better safe than sorry”?

Sadly, too many people will put themselves through this kind of rigmarole. They don’t care enough to collect the facts before they overreact.

There’s something about computer crime that turns first-world societies into superstitious cavemen — and False Authority Syndrome perpetuates it. Quoting myself on the most effective way to combat this problem:

“I want you to question a person’s expertise if he or she claims to speak with authority… This way we can prevent all the ‘blind leading the blind’ techno-babble. And we can reduce the number of people who believe all the myths out there.”

Ah, but questioning a person’s expertise is often easier said than done. Sean can’t exactly tell a waiter “the chef put too much FUD in my friend’s meal.” (He’s not filming an episode of “Friends” if you catch my drift.) It would increase tension in the group if he called out Phoebe’s expertise right there in the restaurant.

I’ve come to realize you can’t always question someone’s expertise at the most opportune time. For example, I’d warn you to never call out your CIO while he’s on stage talking about “his” new email security policy. Take it from me: you’ll make a powerful enemy if you raise your hand and say “sir, your firewall ‘workaround’ would be labeled as an incorrect answer on both the CISSP test and the CompTIA Security+ test…” Ah, but again I digress.

(Pardon me while I scrape the wince off my face. Seriously: whenever I need a dose of Prepara­tion H, I just think back to my cute little CIO altercation and zap! my butt cheeks seal up like a space station airlock. Hmmm, too much info?)

So, yes: I think Sean did the right thing when he deferred to Phoebe. Great job, dude.

Personally, I would’ve jumped up out of my chair and shouted “good grief, where do you bank and who’s got a ballpoint pen?!? We need to take you right now to the nearest branch office so you can close your checking account before Snidely Whiplash strikes a death blow!” But hey, that’s just me…

A mentor asked me to review a chain-letter virus alert he received from a good friend. The subject line reads “Worst computer virus confirmed by Snopes.”

This particular chain letter traces to a non-expert at Sherwin-Williams. He received it from one of his colleagues at another firm, who received it from… Well, you get the picture. My mentor asked me (in so many words) an obvious question:

"Why should I trust a computer virus alert from a guy who makes paint?"

Come on — would you hire a computer security expert to paint your house? That’s not his field of expertise!

This chain letter warns everyone about a “Postcard from Hallmark” computer virus. The hysterical tone of the email is effective. This chain letter succeeds in spreading for two important reasons — it cites Snopes.com as a source and it gives you a link you can click on to confirm it.

You will find some hoax alerts that claim Snopes.com “verified” it. Always check out a chain letter’s “facts” before you believe it.

Let’s say you work at Sherwin-Williams. A good friend forwards a computer virus alert to you. He/she says Snopes.com confirmed the virus exists. He/she gives you a link to prove it. You click on the link and, sure enough, Snopes.com says “true.” So you forward it to your coworkers & friends as a random act of kindness—

—and then Sherwin-Williams winds up on Vmyths because their employee(s) spread hysterical chain letters.

I wrote back to my mentor with an obvious reply to his obvious question. “If the email actually includes a link to Snopes.com … and if that link actually points to the supposed virus alert … then yeah, it’s true. HOWEVER. You will find some hoax virus alerts out there that claim Snopes.com verified it.” Always check out a chain letter’s “facts” before you believe it.

To say “Sherwin-Williams makes paint” is like saying “the Pope is a Catholic.” It’s a big understatment. Sherwin-Williams makes a lot of different coatings for plastics, metal, and wood in the automotive, aerospace, construction, industrial, and maintenance coating sectors.

“Waitaminit, Rob. You’re a computer security expert. Why are you telling us things about a paint manufacturer?” Thank you for hitting the nail on the head! You realized that’s not my field of expertise…

“Another media fiasco.” What else can you say about the worldwide hysteria surrounding Y2K viruses? I haven’t watched something take a dive like this since the last Don King fight.

Let’s summarize why the world succumbed to Y2K virus hysteria in 1999:

1. All other things being equal, fearmongers scream much louder than skeptics.
2. The media has a fetish for juicy computer virus stories.
3. The media explodes in a big virus orgasm every 3-4 years.

The media explodes in a big virus orgasm every 3-4 years. The last one occurred in 1996. Add three or four years… um, carry the one… eureka!

Let’s see, the last big orgasm occurred in 1996. Add three or four years… um, carry the one… eureka! Now let’s summarize how the Y2K virus hysteria came about:

1. The antivirus industry grew jealous of all the Y2K hysteria.
2. Fearmongers started to co-opt the Y2K hysteria.
3. Michael Vatis turned the FBI into a virus hype machine.
4. Reporters took fearmongers at face value like they always do.
5. Antivirus firms kicked Y2K virus hype into high gear on 1 Nov 99.
6. Y2K experts read (or perhaps just heard?) stories about all the predicted Y2K viruses.
7. Y2K experts started telling reporters “we did our job, we’re OK for Y2K, the only threat left is the virus armageddon, God save us all.”
8. Reporters embraced Y2K experts as Y2K virus experts. They didn’t realize those Y2K experts suffered from False Authority Syndrome.
9. Pseudo-experts around the globe ordered (and ordered and ordered and ordered and ordered!) temporary network shutdowns to avoid a deluge of Y2K viruses.

In the end, though, Y2K viruses failed to materialize. It mirrored another miserable failure known as the 1997 Valentine’s Day Massacre.

Whew! Enough summaries. Now I can get long-winded.

FBI NIPC director Michael Vatis arguably made the single biggest impact on Y2K virus media hysteria. How could reporters resist the lure of a G-man? His agency burst onto the scene with a Melissa manhunt involving every single FBI field office in the country. NIPC publicized a manhunt for ExploreZip’s author and they even urged citizens to report ExploreZip infections to the nearest FBI office.

Vatis jumped on the bandwagon when antivirus vendors first started to talk about a Y2K armageddon. “The long arm of the cyber-law” accused India, Israel, Ireland, and other countries (not all beginning with the letter “I”) of adding trap doors, viruses, and other malicious code to U.S. corporate software — all while getting paid to fix Y2K bugs. “ ’We have some indications that this is happening’ in a possible foreshadowing of economic and security headaches stemming from Y2K fixes, Michael Vatis of the Federal Bureau of Investigation told Reuters.”

These official FBI warnings laid a foundation of plausibility for Y2K virus hysteria. In reality, Vatis based his cries of alarm on a speculative report written by CIA analyst Terrill Maynard (on loan to NIPC). How could reporters resist the lure of a politically explosive CIA document? “This is our effort to [give] the public information that hopefully can be useful to people,” Vatis bragged to Reuters.

The media certainly found it useful. So did the computer security industry at large.

I urge— no, strike that. I order every CIO to “Monday-morning quarterback” the designated computer security person. Follow the checklist below.

Vatis appeared before a U.S. Senate panel at one point to caution how “in some instances, it may not be immediately apparent whether a service outage is the result of the ‘millennium bug’ or a computer intrusion.” This, too, helped lay a foundation of plausibility for Y2K virus hysteria.

A worldwide media fetish for virus stories provided the vehicle for government fearmongering. This insatiable fetish can cloud the minds of even the best reporters. Forbes senior editor Adam Penenberg, for example, exposed the Stephen Glass scandal, yet he got swept up in the “se7en” scandal — and he issued a public apology for it. Penenberg explained why his research methods failed him:

I called literally 10 law enforcement officials who said they studied under [se7ev] in one of his security courses. On the record, they would all vouch for se7en’s hacking skills. Off the record, they all said they knew what he was doing… I think the most important lesson I learned is that law enforcement doesn’t have a clue what really goes on in hacking circles; they are not good sources for this.

Read it again: “law enforcement doesn’t have a clue what really goes on in hacking circles.” So says an embarrassed senior editor at Forbes magazine. Vatis would later admit the FBI lacked real evidence to support his own fearmongering. (Why he admitted it remains unclear.)

I label Vatis the most influential fearmonger — yet he certainly didn’t spread government-sanctioned fear all by his lonesome. Deputy Secretary of Defense John Hamre also pitched in. White House National Security Council staff director Mark Montgomery donated to the Great Cause, as did Clinton Y2K czar John Koskinen and U.S. Senator Robert Bennett.

How could reporters resist the lure of so many powerful figureheads?

Hysteria quickly expanded around the globe. Y2K figureheads in every country offered their own cries of alarm. These officials many times proclaimed “we did our job, we’re OK for Y2K, the only threat left is the virus armageddon, God save us all.”

The press exploded with Halloween stories as the first “true” Internet armageddon loomed. Reporters told of 200,000 Y2K viruses and millions of Y2K hackers — all waiting for the midnight attack signal. Vatis armed FBI agents with packet sniffers & antivirus software in a last-ditch effort to save the world from Ultimate Evil.

If the best you can say about a virus expert is that he’s a U.S. Senator… well, he probably isn’t a very good virus expert.

In the end, though, nothing happened. Nothing! Some fearmongers avoided reporters on New Year’s Day; others brazenly extended their predictions. ISS spokesmodel Michele Norwood, for example, cautioned “Monday is the day” when workers everywhere would turn computers back on…

Vatis amazed his detractors when he triumphantly backpedaled almost a week after the fact. An Associated Press newswire unknowingly exposed the feminine side of FBI’s ballsy catastrophist:

For all the fear of New Year’s terrorism, the FBI opened no more investigations of computer crime and physical threats or violence than during a normal seven-day period. The FBI opened six investigations of computer crimes and 12 investigations into physical threats or violence nationwide from Dec. 29 through Jan. 5, Mike Vatis, head of the FBI’s National Infrastructure Protection Center, said Thursday.

‘The level was not beyond the norm you would usually see in that number of days,’ Vatis said. ‘On neither side — cybercrime or physical threats — did we think the weekend activity was particularly unusual.’ Vatis said some new computer viruses were found but there were no significant millennium-related attacks during the seven days his office operated a command post inside the FBI’s Strategic Information and Operations Center in Washington. He also said there was no increase in attacks from overseas.

“No increase in attacks from overseas,” Vatis proclaimed. Say what? No increase in attacks from India, Israel, Ireland, nor any other country beginning with the letter “I”? No evidence of back doors & Trojan horses inserted under the guise of Y2K repairs? No Biblical flood of über-viruses released all at once on New Year’s Eve? No coordinated campaign of cyber-terror targeted at millions of innocent computers?

So much for NIPC’s “effort to [give] the public information that hopefully can be useful to people.”

Meanwhile, Deputy Secretary of Defense John Hamre expressed disbelief at the absence of a Y2K armageddon during a press conference:

[Hamre:] We experienced surprisingly little cyber activity during this period. That was a surprise to me. I had thought we would have encountered more than we did. There were some efforts by hackers in cyberspace to break into some of our systems, less than we normally experience on a weekend. Evidently, the lonely hearts out there in cyberland had something else to do and weren’t just banging on us all night! We did disconnect a number of potential penetration efforts before they could do any further damage to us; we simply unplugged them. So we didn’t have the problems that we had anticipated we may have in cyberspace…

[Reporter:] When you say there were fewer incidents than in a normal weekend, can you help us with the numbers? On a normal weekend you have a hundred, a thousand, ten thousand?

[Hamre:] You know, I’ll be happy to answer the question, but I honestly don’t have the data. I know we had four instances where we pulled the plug on some hackers that were trying to break in. You know, this is a problem that’s been growing. Almost every month it’s progressively, you know, more serious than it was the month before…

A Reuters newswire about Hamre’s press conference proclaimed “U.S. intelligence may have overstated Y2K threat.” The #2 man at DoD unexpectedly resigned one week later. (Anecdote: Hamre disciple Arthur Money did not get the nod to replace him.)

“Should we fire the fearmongers, Rob?” Hey, I won’t shed tears at their passing … but firing them won’t help right now. Face it: this industry sells itself almost entirely on fear because it works. Fearmongers grow like weeds in a computer security compost heap. Reporters and computer users must first learn skepticism. Then we can sever some heads!

I urge— no, strike that. I order every CIO to “Monday-morning quarterback” the designated computer security person:

1. Demand a report on every action (or inaction) taken to avoid the predicted deluge of Y2K viruses.
2. Justify every security decision whether or not it impacted the bottom line.
3. Demand to see proof if an employee alluded to “evidence” of a Y2K virus threat.
4. Refuse to accept press releases, news stories, or anecdotes as “evidence.”
5. Analyze where/how/why things went wrong. Did a paranoid VP override the authority of a sane manager?
6. Don’t accept childish excuses for irrational decisions.

Firing the fearmongers won’t help; they grow like weeds. Reporters and computer users must learn skepticism first. Then we can sever some heads!

Only the strongest ego will admit “I got swept up in the Y2K virus media fiasco.”

Let’s talk for a moment about general Y2K hysteria. Bear with me: it leads back to the Y2K virus media fiasco.

A rather humorous Associated Press newswire told how some computers displayed “19100″ by accident. The list of embarrassments included GartnerGroup (a prominent Y2K vizier) and the official timekeeper for the United States. Network Associates suffered a similar Y2K snafu when their website displayed “January 1, 3900.”

Although amusing on the surface, AP noted an important point in passing: “Y2K planners generally feared that ‘00′ would be interpreted by computers as 1900.” I searched the Internet for ‘19100′ and ‘3900′ in pre-Y2K stories & newswires. I found numerous (shall we say) non-mainstream references — yet practically no mainstream references.

Why not?

Did mainstream reporters perhaps quote the wrong Y2K experts?

Think about it. Who did the media most often quote in the “early days”? Answer: fearmongers. Who did they quote later? Answer: mainstream people who read fearmongers’ claims. They regurgitated what the fearmongers said. I believe “Y2K experts” fell into a trap of shallow thinking — by reading too many mainstream media reports about Y2K.

Hmmm. Didn’t I say the same thing years ago about “virus experts” who read too many mainstream media reports?

Never underestimate the mainstream media’s role in the spread of False Authority Syndrome. Empirical Research Systems (a computer industry polling firm) conducted a survey in 1991 of corporate employees tasked in some way with computer security. 43% of respondents — almost half — formed their opinions about viruses just by reading newspapers!

Newspaper reporters talk to these people to get details (and quotes) for a story. This means the press feeds information to virus pseudo-experts, who gladly regurgitate it for other reporters, who write more stories about viruses, which other pseudo-experts read… thus creating an endless circle of misinformation and a never-ending supply of “instant experts.”

This same survey concluded with a sad statistic: it estimates two-thirds of employees tasked with computer security duties have inadequate knowledge about computer viruses.

Let’s modify my original question. Did reporters perhaps quote the wrong Y2K virus experts? Think about it. Who did the media most often quote in the “early days”? Answer: fearmongers. Who did they quote later on? Answer: mainstream people who read fearmongers’ claims. They regurgitated what the fearmongers said.

Memo to Network Associates: I found a 1998 article for your Y2K manager.

Many reporters quoted Y2K experts about the threat of Y2K viruses. This leads to another important question — why did Y2K experts venture beyond the scope of their expertise?

Answer: they suffered from False Authority Syndrome.

CIOs should call Y2K experts onto the carpet, too. “The directors want to know why your Y2K analysis didn’t take ‘19100′ or ‘3900′ into account. You’ll speak right after the security manager presents the evidence he alluded to in his email server shutdown order…”