Truth About Computer Security Hysteria

Why does an Internet security firm hold press conferences by phone?

You abso­lutely must watch this TV report descri­bing the immi­nent com­pu­ter arma­geddon.  Reporter Jim Gold­man states Remote Ex­plorer "could have literally de­stroyed the Internet."

FIRST THE BAD news: Network Associates drummed up negative publicity for a major client just before Christmas.  Now the good news: Network Associates' stock price soared 22% just before Christmas, adding $1.1 billion to the value of outstanding shares.

Antivirus companies typically issue a press release when they discover a virus the media might find interesting.  Symantec sometimes goes farther, sending out a "Virus Advisory" press release so naďve reporters will take the bait.  Panda has experimented with a "Bug of the Month Club" PR newsletter, and various firms operate a ListServ just for press releases.

Network Associates (NAI) paved new ground just before Christmas when they called a press conference for a virus dubbed Remote Explorer.  VP Peter Watkins and researcher Vincent Gulatto^[1] spoke ominously of the world's first "network smart" virus.  At least one employee described it to reporters as "cyberterrorism" and general manager Gene Hodges went on the record to say "I don't think it's hyperbole to call it an information time bomb."  However, NAI stopped using IW terminology when other experts asked reporters to define "cyberterrorism."

Why did NAI resort to high-pressure tactics to "sell" their press con­ference to reporters?

NAI's press conference seemed weird for a couple of reasons.  First, it set a precedent for announcing a computer threat.  Second, it didn't coincide with the all-important release of a CERT or CIAC alert.  (CERT later downplayed the threat and CIAC still hasn't posted an alert on their website!)  Third, reporters didn't get to ask questions.  Fourth, NAI resorted to high-pressure tactics to "sell" the press conference to certain reporters.

Let's discuss the "cyberterrorism" issue first.  Frankly, Remote Explorer doesn't strike me as a spectacular weapon.  Myriad viruses do a better job of hiding their existence and/or screwing up data.  This virus doesn't even advance the state of the art — if anything, it finally caught up with technology.  (Perhaps I just expect too much from the world's first cyberterrorism virus.)

"What do you mean it doesn't advance the state of the art?  The stealthy Remote Explorer virus runs as an NT service!"  Yeah, big whoop.  NAI's antivirus products run as an NT service, too, just like hundreds of NT utilities on the market today.  Competing firms offer "network smart" utilities which can completely uninstall NAI products scattered across the network.  (Ask your antivirus vendor if you don't believe me.)  Why should we shudder in fear when a virus writer finally exploits the same techniques found in utilities Microsoft included with Windows NT?

A virus finally ex­ploits tech­niques found in hun­dreds of Win­dows NT utilities.  So?  Virus writers didn't ad­vance the state of the art this time — they caught up to it.

(Does anyone remember what "TSR" stood for in DOS?  "Terminate and Stay Resident" or, in layman's terms, "make your software part of the operating system."  This concept appeared in DOS viruses in the mid-1980s, yet it took virus writers this long to exploit it in Windows NT.)

Remote Explorer can spread itself over a network given the right privileges, but it doesn't seem to jump over boundaries with the kind of ease some reporters implied.  The Morris Internet Worm of 1988 did a better job, folks.  Given what we know at this point, even Sharefun.A (a Word macro virus) would do a better job at crossing network boundaries.

NAI WAITED FIVE days before offering a sample of Remote Explorer to competitors.  What took them so long?  As a core member of CARO, they must "immediately" send virus samples to all other core members of CARO.  A spokesman claims they just couldn't find enough time to send it out before then — yet they oddly advertised Remote Explorer disinfection services to potential clients on two of those days.

Competitors chide NAI for "[somehow] finding enough time to call a press conference" before they distributed copies of the virus, but I'll come to their defense on this issue.  PR wonks can't help antivirus researchers do their work faster, so they might as well do what they get paid to do.  However, I will chide NAI for increasing their tech support workload right before a major holiday.  Telephone announcements warned of longer support waits thanks to a flood of calls about Remote Explorer.

Can you name the in­for­ma­tion war­fare ex­pert who called Remote Ex­plorer "an in­for­ma­tion time bomb"?  (Hint: this is a trick question.)

NAI's excuse deflated when competitors finally received the virus on 22 December.  Symantec expanded their LiveUpdate service in just eight hours, sliding in under the west coast's midnight wire.  Other vendors proudly released an upgrade the next morning ("proudly" means they issued a press release).  Still, let the record show: NAI did much of the "up front" work to isolate/analyze Remote Explorer's code and they gave competitors precious time to prepare for its arrival.

And oh, the media circus!  CBS This Morning crowned Remote Explorer as the newest "mother of all viruses."  (Poor Win95.CIH, we hardly knew ya.)  Newswires & online services picked up on it too, yet the best hysteria probably came from San Francisco TV station KRON, which made Remote Explorer their top news story.  You must watch this TV report about NAI's valiant effort to postpone the Internet armageddon.  Actors Dustin Hoffman and Donald Sutherland actually have a cameo.  (I'm not making this up, folks.)  —High-tech business reporter— Jim Goldman states Remote Explorer —could have literally destroyed the Internet.—  Goldman later makes an observation in passing: —Incidentally, Network Associates' stock was way up on this news today.—

Not everyone fell for NAI's publicity stunt, however.  Kudos go to Charles Cooper (ZDNet), Tim Clark (c|net), and David Spalding (Hoax du Jour) for insightful analysis pieces.  The New York Times will probably run a report on the controversy next Monday, too.

Business Wire — a press re­lease dis­tri­butor — issued a press re­lease of its own con­cerning the Remote Ex­plorer virus.

So!  How did hungry reporters identify MCI Worldcom as the virus victim?  I haven't found a smoking gun ... but two distinct trails lead to NAI general manager Gene Hodges.  Evidence suggests he accidentally blabbed it to PC Week reporter Jim Kerstetter.  Even if Hodges didn't do it himself, someone at NAI almost certainly violated one of marketing's Ten Commandments: —Thou Shalt Not Smite Customers By Name.—

ALL IN ALL, it looks like NAI screwed up pretty bad in the PR arena.  (Again.)  In the short run, they alienated a large client and some valuable media folks.  (Again.)  In the long run, they added more to the —boy who cried wolf— problem which plagues computer security.  (Again.)  But there's always a bright side: NAI's outstanding shares increased in value by $1.1 billion during the media circus.

If I were the CIO at MCI Worldcom, I would demand a personal explanation from Network Associates CEO Bill Larson.  In my office.  —Wow, Bill, your stock options soared 22% in four days.  I wish we could rejoice with you, but we're still swamped with all the bad publicity you heaped on us...—

I leave you now with a relatively safe prediction.  —A Windows NT virus will someday carry enough code to uninstall NAI's antivirus products from remote locations.  The virus writer will base it on utilities long ago written by NAI's competitors.—  You read it here first, folks.  Remember to yawn when you finally learn of its existence.