Truth About Computer Security Hysteria
Netscape letter bomb email threatCATEGORY: Overblown computer security threats
PC Magazine Internet Technical Director Larry Seltzer filed a sensationalist story on 10/2/96 titled "Open Any E-Mail Letter Bombs Lately?" It also appeared on PC Week's website under the less sensational headline "Browser-based E-mail clients can be dangerous." The story began with a dire warning:
"One of the most infamous virus scares in the past couple of years was the Good Times virus, which was supposed to infect PCs through e-mail. It was rightly dismissed as a hoax at the time, because simply reading an e-mail message couldn't damage a PC. Now, for the first time, the idea of a Good Times-like virus is a real threat. HTML code was recently posted on CompuServe that crashes Netscape Navigator...."All of the hype appeared to come from a single source: Richard M. Smith, then-president of Phar Lap Software, who discovered an obscure bug in Netscape Navigator 3.0. Smith admitted he held no credentials in the subfields of computer security at the time. (He is now an Internet privacy expert. See below.) But a lack of credentials didn't stop him from chastizing legit experts who wanted to dispel the Good Times hoax virus alert (see related link). In a public CompuServe message addressed to NCSA expert Mich Kabay, Smith proclaimed:
"Talk about bad timing for these so-called "experts"! Last weekend I discovered an HTML attachment that will crash the Email reader in the Windows 95 version of Netscape Navigator. Its the good time virus for real...."Genuine virus experts admonished Smith for breathing new life into the Good Times hoax. They also critiqued his claims about the bug's threat potential — and they admonished Smith for using the term "virus" to describe either the bug or the security threat it posed.
Netscape, too, downplayed the threat potential when reporters called for information & quotes. The company quietly released a Navigator patch on 10/9/96 to fix the obscure bug. They didn't even bother to mention it on their default home page.
Vmyths.com columnist George C. Smith (no relation to Richard) back then noted "this is a great example of the worst qualities one can find in computer security and virus misinformation. I'm convinced Richard's goal was to create a news story with himself somewhere in it." Others point out the fact he contacted the media before warning Netscape about the bug. The experts dismissed Smith as one more company bigwig who used hysteria to generate some free publicity.
In Smith's defense, many of the messages he posted on CompuServe simply didn't fit the model of a publicity stunt. It looked more like a severe case of False Authority Syndrome — Smith stumbled onto an obscure bug, thought of a way to exploit it, and then went completely overboard.
Years later, Information Security magazine asked Smith about the incident during an interview. He candidly acknowledged his stupidity and blamed no one but himself. Vmyths.com recently enlisted Smith's help in order to debunk the Aureate DLLs Trojan myth.
Last updated: 2000/10/2