Abstract: Many people in the computer field sound confident when they talk about computer security — yet very few have adequate knowledge of this technically obscure subject. Most fall prey to what some experts call “False Authority Syndrome,” and it contributes significantly to the spread of fear & myths about computer security. This seminal treatise from 1997 persuades readers to question the credentials of anybody (including the author!) who claims to speak with authority on this subject.
Full edition in PDF format
True story. A couple of years ago I dropped by the Software Etc. store in Fairview Heights, Illinois just to browse. Another customer had come in before me and told an employee about a problem with his video monitor. The employee warned the customer he had contracted a newly discovered computer virus, which he proceeded to describe in great detail.
I interrupted the employee. “Sir, you have it completely wrong. That virus doesn’t exist. It’s the latest hoax.”
“Oh, no,” the employee replied. “We’ve got e-mail reports from our sales headquarters telling us to keep our eyes open for it.”
To which I countered, “Some upper-tier sales manager has been duped and is telling you BS. McAfee Associates and others have issued public statements dismissing that virus as a hoax. What you’ve described simply cannot be done by any virus. Period.”
What credentials did this salesman hold in the field of computer viruses? He may have flipped hamburgers at a McDonald’s restaurant two weeks earlier for all we know.
I then turned my attention to the customer. “Stop listening to this guy. You don’t have this magical virus he’s describing because it simply doesn’t exist. You have some other problem with your video monitor.”
What credentials did this salesman hold in the field of computer viruses? He may have flipped hamburgers at a McDonald’s restaurant two weeks earlier for all we know. Right now he sells merchandise at a computer store — does this qualify him to give advice about computer viruses?
Most people who claim to speak with authority about computer viruses have little or no genuine expertise. Some virus experts describe it as “False Authority Syndrome” — the person feels competent to discuss viruses because of his job title, or because of his expertise in another computer field, or simply because he knows how to use a computer.
I want you to question the credentials of anybody who talks about computer viruses. Indeed, I want you to question my credentials in this field!
The U.S. Air Force highlights the concept of False Authority Syndrome in Tongue & Quill, their official publication on effective writing:
Nonexpert opinion or assumed authority — Don’t be swayed (or try to sway someone else) based on the opinion of an unqualified authority. The Air Force is chock-full of people who, because of their position or authority in one field, are quoted on subjects in other fields for which they have limited or no experience.
(As this Air Force publication notes, False Authority Syndrome can attack people in all fields of expertise.)
Computer salesmen, consultants, repairmen, and college computer teachers often succumb to False Authority Syndrome. In many cases a person’s job title sounds impressive, but his or her job description at most may only include references to vague “computer security” duties.
Network administrators typically fall into this category. Most hold the title of “company virus expert” simply because their job description includes network security. They may have no real education in computer security, but their experience in the field of computer networking gives them confidence when talking about the unrelated field of computer viruses.
People who suffer from False Authority Syndrome too often assert conclusions from insufficient data and they habitually label their assumptions as fact. Quoting again from Tongue & Quill:
We jump to conclusions from too little evidence; we rely too much on “samples of one” (our own experience); something happens twice the same way and we assume the ability to forecast… Unfortunately, our natural desire is to make positive, solid statements, and this desire encourages the asserted conclusion.
Consider the case of Gary L. Allen. Writing in a letter to Computerworld, he offered his analysis of 1992’s worldwide Michelangelo virus scare. Allen listed his virus-fighting credentials: “I am an MIS manager, and we found Michelangelo on disks distributed by one of our software vendors, and it never made it into our local-area network.”
Allen went on to say: “If we had not been prompted [by the media] to scan [for the Michelangelo virus]… it surely would have made it onto the network hard drives and from there who knows where.”
This network administrator checked for a virus because the press told him to do so!
Allen made “positive, solid statements” as Tongue & Quill notes. Amazingly, this network administrator says he checked for a virus because the press told him to do so! Allen also assumes the Michelangelo virus “surely would have” infected his network drives. Virus experts could easily debate this, but why must they debate him in the first place? Allen’s own words expose him as a “virus pseudo-expert.”
I once lectured about viruses to a small group of businessmen in 1991. A network administrator stood up at one point and proclaimed his company (a law firm) would literally close its doors for good “if a destructive virus of any type gets on our system.” They would sell the office equipment; the secretaries would find new jobs; the lawyers would take their filing cabinets to other firms. The company would fold if even one destructive virus infiltrated their network.
Shocked by his statement (and trying to regain control of the lecture), I asked what would happen if fire swept through the firm’s building. No sweat: they kept backups off-site and had purchased contingency contracts for just such emergencies. I responded, “Well, there you go. If a virus ever gets on your computers, burn your building to the ground and your problem is solved!”
The audience laughed — but I fumed. I would fire this man on the spot if he worked for my company! I don’t want anyone on my payroll who would instantly put everyone out of work due to his own pompous ignorance.
Sadly, ignorant network administrators all too often perpetuate myths about the dangers posed by computer viruses. Ken Hall, a manager at Georgia Tech’s Financial Data Technology Office, wrote a typical story for Atlanta Computer Currents magazine in response to the Michelangelo scare of 1992. Hall’s seventh paragraph touts a common myth: “Traditionally, viruses have infected computers that have downloaded programs form [sic] dial-up bulletin boards.” Experts have worked for years to squelch this myth and others, but pseudo-experts like Hall greatly outnumber them.
Computer security experts
Some people hold a rare position in large companies where their entire job title is “computer security.” It’s not just an additional duty. Their job covers the whole range of security issues, from teenage hacking to espionage, from fires to natural disasters — and of course computer viruses. You’ll find False Authority Syndrome here as well.
Computer security personnel at Scott Air Force Base, Illinois attended a job-related course in early 1995. The course included a special handout: Russell & Gangemi’s Computer Security Basics, a book last updated in 1992. Computer books typically have short lifespans: many will disappear from store shelves within a year. But Computer Security Basics serves as an industry reference and you could still find it at Waldenbooks stores in mid-1996.
Russell & Gangemi mention the shareware program “Flu_Shot” by name on page 88 and tell readers they can obtain it “from both commercial and public domain sources,” i.e. from BBSs. Yet on page 87 the book warns readers to “be wary about new public-domain or shareware programs… Don’t allow users to install software obtained from [BBSs].”
This contradiction sounds minor on the surface; in reality it perpetuates a common virus myth. Specifically, it helps fuel a myth among computer security personnel. Russell & Gangemi also recommend readers to the “Computer Virus Industry Association,” an organization widely dismissed before the book’s first publication as a publicity front for antivirus mogul John McAfee.
Computer security personnel don’t just read books — they watch training videos, too. ViaGrafix, a company specializing in computer training videos, markets a video about computer viruses. Produced in 1992 and still sold as of June 1996, the ViaGrafix video touts the mythical story of the “Gulf War virus.” Again, this only helps fuel myths among computer security personnel.
Wolfgang Stiller, an internationally recognized virus expert and author of the “Integrity Master” antivirus program, says “computer security experts today — people who deserve that title — tend to have a good background on how viruses operate. They can dispense some good advice.” But he chooses his words carefully when asked to comment on virus expertise among computer security personnel.
“They’re a little more likely than the average person to understand viruses,” Stiller notes. “Some would say they’re a lot more likely to understand them, but I’ve met a fair number who don’t know a thing about viruses, or, even worse, they’ve got misconceptions. In light of the fact they are computer security experts, their misconceptions carry a lot more weight than the average person. Errors are much more damaging when they come out of the mouths of these people.”
ultracrepidarian: (n., adj.) a person who gives opinions beyond his scope of knowledge.
Stiller sums up False Authority Syndrome among computer security experts: “Put me on a panel with a computer security person, and I won’t claim to have his level of security expertise. But the computer security guy will invariably claim to have my level of virus expertise. How can you convince the audience in a diplomatic way that he doesn’t?”
(Stiller offers an interesting analogy: he wonders about the policemen who vouch on TV for The Club®. Do the officers specialize in car-theft investigations — or do they write traffic tickets?)
Network administrators and computer security personnel may hold some of the best job titles, but they don’t have a lock on the market when it comes to virus pseudo-experts. The list also includes computer consultants & repairmen. In one example, CompuServe user Rob Parker posted a message in early 1995 lamenting his laptop’s dead hard disk:
Thinking the problem was a virus, the tech[nician] tried a number of virus scanners, all negative. He then tried to reformat the hard disk… He claimed that the [hard disk] was ruined, and that a virus had done it.
The next time your computer does something weird, ask yourself: “How would I react if I’d never heard about computer viruses?”
In a nutshell, the repairman used two or more programs to detect viruses on the laptop. None of these programs found a virus. The repairman then tried to reformat the laptop hard disk — but the attempt failed. So he claimed a virus physically destroyed Parker’s hard disk.
Genuine experts on CompuServe dismissed the repairman’s conclusion. Parker now wonders if the repairman made up the story. Did he feel compelled to give his customer an important-sounding excuse for why the drive failed?
Parker got off easy: his hard disk failed during the laptop’s warranty period. But his experience raises important questions. How many repairmen incorrectly told customers to fork over money because they claimed “a virus physically destroyed the computer”? How many computer users believed it?
Magazines, newspapers, TV
Paul Mayer, an expert on marketing for small software companies, wrote a regular column for a computer magazine. His editors once paid him to write an article on viruses. Mayer’s virus credentials appeared in the fourth paragraph:
I have personally had two contacts with viruses in 15 years of working with computers. The first encounter caught me completely off-guard. I was prepared for the second.
Mayer wrote the story from the perspective of a regular user. He believes the magazine picked him to write it because of his first-hand user experience with viruses. And to his credit, Mayer consulted with a genuine virus expert while writing the article.
Unfortunately, reporters in the mainstream media will quote almost anyone when it comes to viruses — and they habitually quote local people. A typical story illustrates this point. Published in the St. Louis Post-Dispatch during 1992’s worldwide Michelangelo virus scare, it quoted various local businessmen, among them:
- Craig Johnson, manager of a local Software Plus store;
- Ernest White, manager of a local Babbage’s store;
- Todd Jones, salesman at a local Software Centre store.
This problem afflicts TV reporters as well. An NBC Nightly News story at the height of 1992’s Michelangelo scare included an interview with a computer salesman. He mentioned his customers’ panic and the reporter asked if “the panic is justified.” The salesman responded: “yes.”
And there you have it: panic is justified if you think your computer might have a virus. So says a nationally recognized computer salesman.
Even “computer-literate” mainstream reporters commit serious blunders when they write stories about viruses. Numerous reporters logged onto CompuServe, GEnie, Prodigy, and America Online during the Michelangelo scare and posted messages to “all.” Each message asked the same question: “Want to be interviewed for a story on the Michelangelo virus?”
These reporters didn’t search for experts — they went on a “cattle call” for frightened computer users. One USA Today reporter, expecting an avalanche of calls, asked people not to tie up his phone unless he or she actually got hurt by the Michelangelo virus on its upcoming March 6 trigger date.
Consider the tragic accident where actor Christopher Reeve broke his neck. The mainstream media quickly turned to spinal-injury specialists for comment. Why didn’t they ask a podiatrist if Reeve will ever walk again?
Podiatrists can diagnose walking disorders and they easily outnumber spinal-injury specialists. But a podiatrist offers the wrong expertise in Christopher Reeve’s case. The press recognizes this difference. Change the topic to computer viruses — now they’ll quote almost anybody with a job in the computer industry.
Never underestimate the mainstream media’s role in the spread of False Authority Syndrome. Empirical Research Systems (a computer industry polling firm) conducted a survey in 1991 of corporate employees tasked in some way with computer security. 43% of respondents — almost half — formed their opinions about viruses just by reading newspapers!
Newspaper reporters talk to these people to get details (and quotes) for a story. This means the press feeds information to virus pseudo-experts, who gladly regurgitate it for other reporters, who write more stories about viruses, which other pseudo-experts read… thus creating an endless circle of misinformation and a never-ending supply of “instant experts.”
This same survey concluded with a sad statistic: it estimates two-thirds of employees tasked with computer security duties have inadequate knowledge about computer viruses.
The “Green Paint Factor”
Interestingly, mainstream reporters sometimes quote computer-industry reporters in stories about viruses. For example, the St. Louis Post-Dispatch story mentioned earlier also included a quote from InfoWorld editor Ed Foster.
A rule of thumb: the first employee attacked by a computer virus will quickly rise to the position of office virus expert. “Trust me, I know what I’m talking about. I’ve been there.”
Jeff Duntemann, editor of Visual Developer magazine, likens this trend to what he calls the Green Paint Factor. “If you want to extol the virtues of a can of green paint, and the best you can say is that it’s green — well, it’s probably not good paint.” If you want to quote Ed Foster about computer viruses, and the best you can say is that he edits a weekly computer publication…
Duntemann continues: “The job of a computer magazine editor [or reporter] is to know a little about a lot in the computer field. He has a considerable breadth of knowledge but not a serious depth of knowledge, except perhaps in a couple of very narrow specialties.”
Why, then, does the mainstream media quote people in the computer press? Duntemann believes computer-industry reporters (and editors in particular) can speak and write well. “If you can turn a good phrase about a subject, whether or not you know anything at all about it, then you have a good chance of being labeled an expert,” he notes. “Especially by people who know nothing at all about that subject.”
John Q. Public
People without impressive job titles suffer from False Authority Syndrome, too. A user who contracts a virus, for example, will often turn around and confidently tell other people how to avoid them. He or she may even rise to the position of “office virus expert.”
False Authority Syndrome plays on two important desires. First, people genuinely like to help others; second, they like to feel in control of their computers. Users easily succumb to the effects of False Authority Syndrome when driven by these natural desires.
“Marcello,” a typical user who took a hoax for real, posted a message on CompuServe warning users not to read any messages with “Good Times” in the subject line (lest they contract the so-called Good Times virus). Ironically, Marcello used the words “Good Times” in the subject line of his own warning message!
At least one virus expert sent Marcello a playful reply telling him to “stop infecting people” with the Good Times virus. Confronted with details about the hoax, Marcello replied, “Thank you for your help, and I’m sorry, because I was duped, but anyway I was worry [sic] about my computer and a lot more from [sic] my job.”
Implications of False Authority Syndrome
Computer neophytes easily succumb to False Authority Syndrome. They feel more important by spreading the word about dangerous viruses. If someone else points out their errors, these people will often justify their actions in terms of fear. As Marcello noted in his apology, he feared both for his computer and for his job.
He probably didn’t mean to imply it, but Marcello may believe fear absolves his ignorance. After all, if he worried only about his own computer and his own job, then he already knew how to avoid the mythical virus: he could feel safe in his own office. But Marcello went a step further by telling others how to avoid the mythical virus.
False Authority Syndrome contributes significantly to the spread of fear & myths about computer viruses. Many pseudo-experts tell users to erect defensive barriers where viruses seldom attack, often leaving typical lines of attack exposed.
Widespread myths & misinformation also convince people to fear safe methods of computing and to put their trust in less-safe methods. In her 1993 book Rx PC: The Anti-Virus Handbook for example, Janet Endrijonas claims “approximately 70 percent of all viruses are boot sector viruses.” Wolfgang Stiller and other experts ventured estimates above 90% as late as 1996.
Boot sector viruses, by their nature, don’t travel in software downloaded from BBSs — yet pseudo-experts constantly point to downloaded software as the biggest avenue for the spread of boot sector viruses.
In his book Inside the Norton Antivirus™, Peter Norton dismisses the myth about the dangers of downloaded software. “Bulletin boards do more to spread the awareness of viruses… The primary method of communication concerning viruses is through BBSes [sic].” Robert Slade, writing in his book Guide to Computer Viruses, goes even further:
If I had to choose one viral myth that contributed most to the unchecked spread of [viruses] that exists today, it would be that of the ‘safety’ of commercial software… The feeling of false security relies on three assumptions: (1) that [software downloaded from BBSs] is a major viral vector, (2) that commercial software is never infected… (3) that there are no viral vectors other than software.
Thanks largely to False Authority Syndrome, users now often panic at the first sign of any odd computer behavior, sometimes inflicting more damage on themselves than a virus could do on its own (assuming they even had a computer virus in the first place).
Ross Greenberg earned international fame as one of the pioneers in IBM PC antivirus software. He went into semi-retirement in his mid-30s. Greenberg continues to lecture about viruses, wrapping up with a simple analysis of how he made his fortune: “I’d still be slaving away at a desk for another 25 years if people backed up [their computer data] and kept a cool head.”
I don’t want to dispel any particular computer virus myths someone may have told you — that’s not my goal here. Rather, I want you to question a person’s expertise if he or she claims to speak with authority on computer viruses. This way we can prevent all the “blind leading the blind” techno-babble. And we can reduce the number of people who believe all the myths out there.
- Most people have little or no expertise in the field of computer viruses.
- People with little or no expertise often fall prey to False Authority Syndrome.
- False Authority Syndrome contributes significantly to the spread of fear and myths about computer viruses.
Visual Developer editor Jeff Duntemann sums it up best: “If people exercised greater discretion in who and how and to what degree they place their trust, we would know more as a community — and we would know it better. There would be fewer paths for bad or phony knowledge.”