Like many Windows professionals I laughed out loud when I read the headline, Cybercriminals create botnet using Macintosh computers. I swear, I heard angels sing! I was so excited, I couldn’t read the bloody thing! Symantec, in a brilliant stoke of comedy, published their discovery of the “iBotnet” and made me fall off my chair.

It just doesn’t get much better than this.

Like one CBC reader wrote, Where is your messiah now?

But the stars of this comedy show are the Apple fanboys. One distraught CBC reader and Macintosh user claimed, “no one has made a virus for MacOS X that can successfully propogate [sic] in the wild,” even though Sophos consultant Graham Cluly wrote about something called Leap-A three years before the fact.

I tell you, the sight of Apple fanboys in denial over the findings of real virus experts fills my heart with joy.

---

It doesn’t get much better than this. Here’s Apple’s legions of fanboys screaming foul at Symantec, just because they discovered the thing and they’re using it to sell Mac anti-virus software. And to top it all off, we have Apple pulling a 2007 anti-virus advice web page, only to say, “um, since no system can be 100% immune from every threat, running anti-virus software may offer additional protection.”

Like so many Windows professionals I want to run up to my blog and write about rolling on the floor laughing at all of the Steve Jobs worshipers. Okay, so I have a weakness for kicking religious fanatics when they’re down.

We need to take the high road here. Windows pros deal with this every day, and now that Mac pros are dealing with it, we need to help.

With no Vista viruses in two years, maybe they can learn something from us.

Unfortunately, this is not the professional way. Windows professionals deal with ignorant users and moronic designs every day, and now that Mac professionals are dealing with the same morons, we should sympathize.

After all, Symantec is an undisputed champion of selling fear, and it is dreadfully easy to avoid Mac malware, and it is stupid to download pirated software in the first place; Macintosh PCs even use Intel processors these days. So aside from the name of the system, what is really so different between them and us?

---

I’m not saying give them special treatment. Only that it’s time to treat these former fanboys with the respect and humility they deserve, and help keep them malware-free and save them from bad design. After all, with no Vista viruses in two years, maybe they can learn something from us.

Related Links:

• Mac malware tide on the rise — The Register
• Apple anti-virus advice was nothing new — The Register (Yep, same, tired old advice)
• Apple in Denial: Mac anti-virus support advice disappears off Apple website — Sophos

Intelligence officials use the term “stovepipe” to describe “several ways in which raw [computer security] intelligence information may be presented without proper context… The lack of context may come from a particular group, in the [computer security] structure, selectively presenting only that information that supports certain conclusions.”

Multiple employees spout their personal opinions on McAfee’s official Twitter account. How long will this lack of corporate discipline continue?

In short, a “stovepipe” problem can lead to mass hysteria. And I’ve got a sneaking suspicion Twitter will help foment hysteria when the next media-darling worm or virus comes along.

On the corporate side, the context of any tweet about the latest worm will quickly get lost in the din of tweets about booth bunnies, white papers, and the occasional vetting failure.

“What’s a vetting failure, Rob?” It occurs when a company doesn’t limit / review official communications before release. For example, multiple non-PR employees use McAfee’s Twitter account to broadcast their own personal opinions. Their lack of discipline is a vetting failure in the making as we can see in this example from 27 Apr 09:

McAfeeAvertLabs: Hi! If you think I add value to your network, do drop me a recommendation at http://mrtweet.com/McAfeeAv… Much appreciated!

McAfeeAvertLabs: we just started following @MrTweet…. might take a few days! my bad!

Then, of course, McAfee tweets commercial advertisements (aka “spam”). This fact raises two philosophical questions. First: does a mature firm in the computer security industry need to advertise to offset the cost of a free service like Twitter? Second: why do some reporters feel compelled to subscribe to computer security spam?

It’s only a matter of time before we learn McAfee’s offi­cial stand on abor­tion & gun control…

On the personal side, the computer security experts themselves seem far too wrapped up in their own celebrity status. The context of any tweet on the latest worm will get lost in the din of tweets about their speaking engagements and the bad airline food they endured. Check out these actual tweets from computer security experts:

• Mark Sunner (MessageLabs): “if you loved the lion the witch and the wardrobe et al then you will find this book mesmerizingly insightful http://www.planetnarnia.com/”
• Costin Raiu (Kaspersky Labs): “Tried a Segway for the first time, with the very nice chaps from segwaybooking.com.”
• Graham Cluley (Sophos): “can’t believe i missed watching Dr Who live again.. what kind of fan am i anyway? thank goodness for the pvr…”
• Mary Landesman (antivirus.about.com): “Time Warner: yeah, our service sucks, but we’re a monopoly so we’ll just charge more and give less. Congressman fights back. http://tiny …”
• Mikko Hypponen (F-Secure): “Hey, since when has Twitter automatically converted ‘normal’ links to Tinyurls? My previous tweet should have pointed to f-secure.com…”
• Costin Raiu (Kaspersky Labs): “20 people at the Shuntaint presentation, where is everybody else?”

Yes yes yes, I’ll grant you the fact these experts opened their own personal Twitter accounts. Yes yes yes, I’ll grant you the fact they can say just about anything they want. But it doesn’t change the fact their tweets lack focus.

McAfee uses Twitter for spam to help pay for all those free tweets they send out. Their own web­site just can’t sup­port their PR needs…

To put it simply: computer security tweets lack focus at both the personal and corporate levels. And that’s bad news for us. Undisciplined experts can easily generate hysteria with a “speak first, thinkignore later” tweetitude.

On the bright side, reporters might soon get tired of all these unfocused tweets … and stop following the potential hypemongers.

Take computer security reporter John Leyden, for example — his Twitter account follows McAfee Avert Labs and MessageLabs bigwig Mark Sunner and Sophos bigwig Graham Cluley. Do you honestly think Leyden cares about McAfee’s official stand on abortion or Sunner’s latest book review for Home Schooling magazine or Cluley’s inability to time-shift a TV time traveler?

It’s only a matter of time before Leyden himself realizes he doesn’t care about these unfocused tweets … and stops following the potential hypemongers. Let’s just hope he stops following them for the right reasons.

(I suspect he will, given the fact he follows the Vmyths Twitter account…)

---

Vmyths suffered a similar problem in the early 2000s when I expanded this website both to critique the antivirus industry in general and to serve as an outlet for my computer security humor.

Tabloid repor­ters may follow a com­pu­ter secu­rity expert’s unfocused blogs & tweets.

Re­spec­table jour­nalists must stop the practice.

I finally launched SecurityCritics and HumorControl so Vmyths could return to its paladin roots.

But hey, let’s not overlook the fact I myself lack focus in my totally personal blog. I opine on everything from computer security to local gas price gouging to the amazing poker hands I’ve been dealt to a newly minted word to describe Wikipedia.

The key here is that I don’t view my personal blog as something that will change the world and I don’t see myself as wrapped up in my own celebrity status. (Well, except maybe here I do, but that’s it.)

I try to change the world through my focused efforts at Vmyths, SecurityCritics, and (yes!) HumorControl. If you subscribe to my personal blog, I urge you to review all of your blog/tweet subscriptions to see which ones lack focus. If any other computer security experts out there claim they don’t use Twitter to change the world, then be sure to cancel your subscriptions to their tweets as well.

Remember those hysterical chain-letter emails? Now imagine hysterical chain-letter tweets … from the experts themselves.

If, on the other hand, you subscribe to my personal blog because you’re that totally amazing lover who gently cradled me in her arms during that horrific time of grief after my wife died … yes honey, you follow my blog for all the right reasons and I can’t thank you enough for our wonderful midwestern tryst and I could sure use another digital snapshot of you as the previous one got, uh, “messed up” along with my keyboar—

—ahh, but you’ll notice I lack focus in the previous paragraph. {ahem} Let’s not digress. (And let’s not tell anyone about my keyboard spills, okay? Thanks, I appreciate it.)

Let’s hope the rest of the computer security industry realizes their lack of focus on Twitter … before they plunge into an intelligence stovepipe when the next media-darling worm or virus comes along.

I showed you way back in early February how the antivirus firms remained calm & cool during a round of media hoopla over the Conficker / Downadup worm. Nearly two months has passed since then. It’s now the end of March … and the antivirus firms remain calm & cool.

In other words: nothing has changed.

In all that time, IBM’s Internet Security Systems never raised its Internet threat level above “normal.” In all that time, Kaspersky Labs never raised its assessment of the worm above “moderate risk.” In all that time, McAfee never raised its global threat condition due to Conficker / Downadup. In all that time, the SANS Internet Storm Center never raised its Internet threat level above “green.” In all that time, Symantec never raised its ThreatCon due to Conficker / Downadup. In all that time, Trend Micro never posted a medium- or high-risk alert over the worm.

And what about antivirus vendor Sophos? Well, in the days leading up to this latest hoopla … they fretted more about Russian brides than the Conficker / Downadup worm.

I still can’t recall a time in the last twenty years when when so many antivirus firms remained so calm during a media circus. A second media circus, no less. Color me stupified.

Reporter Brian Krebs, writing in his Washington Post blog, revealed details of a worldwide fake-antivirus scam that defrauded credit card holders out of tens of millions of dollars. In a follow-up, Krebs reported the embarrassing media exposure led Visa & MasterCard to give up their unwitting involvement in the scam.

Okay, I’ll bite. Why didn’t the anti­virus industry offer a bounty to catch the crimi­nals behind this huge anti­virus scam?

Various news outlets have regurgitated the story and at least one antivirus vendor gave it some spin in their corporate blog. But one key issue left untounched … is why fake-AV scams grew so obscenely successful.

To me, the answer is simple. Two decades of hysteria convinced everyone to take it on blind faith that antivirus software is the fo shizzle answer to our online woes.

It’s no wonder that computer users will blindly trust an antivirus product that pops up on their screen saying “alert, alert, your PC is infected!” A fake-AV scam will demand $x9.95 to clean up the viruses it finds — which is exactly the same amount a legit antivirus firm will charge if you want their product to do exactly the same thing.

Society’s addiction to inferior antivirus software is now so embedded into our computing norms — the battle cry “get yourself some antivirus software” has become so mantra — that all of society sternly refuses to question its validity.

This scam’s obscene success stems from anti­virus experts who screamed bloody murder for the last two decades … and com­pu­ter repor­ters who gladly quoted all the hype.

Fake-AV scammers aggressively demand you pay for their antivirus software. And the entire computer security industrial complex aggressively demands you buy & use antivirus software. So when it comes to fake-AV scams, the computer security industrial complex isn’t part of the solution—

—it’s actually part of the problem.

And it’s been part of the problem for fully two decades. You can thank the hype-meisters for the obscene success rate for fake-AV scams.

Okay, now here’s some food for thought. You may recall Microsoft offers six-figure rewards for information leading to the arrest & conviction of certain virus writers. Why didn’t the antivirus industry pony up a reward to shutter this huge antivirus scam?

---

You’ll notice I call it a “fake-antivirus scam” when everyone else on the planet calls it “rogue antivirus software.” Now, I’ll admit definition #4 for “rogue” tackles this very subject—

—yet definition #1 sums up any number of legit employees & companies in the antivirus industry. I insist “rogue” is the wrong word … and I’ll bet you this expert agrees with me.

My original notion for this column centered on the media hysteria I expected from F-Secure’s huffing over variants of the Downadup worm. Quoting from a (level-headed) story in The Register:

[The Downadup worm] that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million. The astronomical growth stunned some researchers, although others cautioned the numbers could be inflated since the counting of infected computers is by no means an exact science. Most agreed F-Secure’s estimate was certainly plausible and if it proved to be correct, represented a major development in the world of cyberthreats.

6.5 million newly infected PCs, you say? All of them whacked in a four-day period? Hmmm. The timing of this makes me wonder how many of those PCs showed up under the plastic tannenbaum.

Yet it would seem my worries about hysteria have died on the vine. Consider the following:

The media yawned when F-Secure claimed the Downadup worm tallied another 6.5 million PCs in a four-day period…

• The SANS Internet Storm Center continued to display a “green” Internet threat level;
• Symantec continued to hold at “ThreatCon 2” with no mention of the Downadup worm;
• McAfee didn’t even mention it in a “breaking advisory”;
• ISS maintained an “AlertCon 1” with no mention of the Downadup worm;
• Sophos technovangelist Graham Cluley raised little more than an eyebrow in his corporate blog; and
• About.com antivirus guide Mary Landesman devoted only two paragraphs in her blog.

Only Kaspersky Labs seems to have given F-Secure some shrift when they announced a virus alert on their website. Yet they only identified it as a moderate risk. So, uh … let’s call it “short shrift” and leave it at that.

The media, too, seems to have collectively yawned over F-Secure’s declaration. One CNN Headline News anchor — dare I say it? — almost smirked while reading from the teleprompter. (In all fairness, it isn’t the first time a CNN mannequin has smirked or spoken in an upbeat tone about a devastating computer virus attack.)

This non-media circus reminds me yet again of Aesop’s fable of the boy who cried wolf. F-Secure, on the other hand, will doubtless call up the Cassandra fable to dismiss any accusations of wolf-crying.

One quote in The Register’s story leapt out at me for its irony:

“This thing has gotten way out of hand,” said Paul Ferguson, a security researcher for anti-virus provider Trend Micro who has spent the past several weeks tracking the worm’s progress. “It seems pretty spectacular to me that there could be that much growth.”

I dismiss Ferguson’s quote as ironic because Trend Micro’s “vinfo” page hasn’t declared a medium- or high-risk alert. How can we take him at face value when his company doesn’t even wail about it on an alert page?

---

Antivirus vendors and computer news reporters have certainly suffered a drought of hysteria in the past few years — and I myself fret that we’re due for another hystericane.

F-Secure will doubtless call up the Cassandra fable to dismiss any accusations of wolf-crying…

Why, then, hasn’t the Downadup worm generated “the perfect storm” of media hysteria?

The answer may lie in an amazing buildup to America’s “double major holiday.” Yesterday was Martin Luther King Jr. Day while today sees the inauguration of Barack Obama. News organizations appear highly focused on the orgasm of festivities in Washington, DC—

—and the media’s infatuation with U.S. politics may have simply overshadowed everything else of importance.

“You sound a bit facetious, Rob.” Yeah, okay: you caught me. Longtime readers will recall the fact government experts reminisce about the Nimda worm as a global catastrophe that cost billions of dollars and that would have qualified as one of the worst acts of cyber-terrorism ever caught on tape. And those experts still bemoan the fact it didn’t get much airplay … because it came just one week after the equally devastating physical terrorism of 9/11/01.

First Nimda; now Downadup. This leads me to ask a philosophical question. “Why do the world’s most devastating computer security attacks always seem to take place when reporters are too preoccupied to give it the attention it truly deserves?”