Vmyths.com

Truth About Computer Security Hysteria

Statistical dowsing rods

Rob Rosenberger, Vmyths co-founder
Friday, 8 October 1999

A STORY ABOUT this year's Virus Bulletin conference identified some key issues vendors now face. "Antivirus software is quickly going the way of the browser," ZDNN reporter Rob Lemos declared in his opening sentence. He spoke to industry gurus who believe protection will soon "be free and ubiquitous." Well, perhaps not free: antivirus vendors may switch to "selling updates via the Internet at a monthly fee."

Various debates sprang up in a "Talkback" area where ZDNN readers can add their $0.02. However, those readers didn't seem to care about an issue mentioned near the end of the story — namely, the utter lack of virus metrics and related utilities.

"While finding and fixing viruses faster has captured[1] the interest of corporate network administrators," Lemos wrote, "an automated system's ability to collect data on the number of virus incidents is equally valuable, said one administrator at the conference, who asked to remain anonymous." I'll bet a soda he/she read my tirade on this very subject. "Currently, the best source of such data is the Wildlist, and even that volunteer site would like to see better and more accurate statistics, said Sarah Gordon, one of the directors of the independently maintained Wildlist."

We need something "more accurate" than the WildList? Hey, we need something accurate to begin with. The WildList doesn't accurately identify threats. It qualifies at best as a statistical dowsing rod. Nowhere do we see its limitations better than in the reports distributed before and after Melissa struck.

Virus metrics stopped evolving years ago when the Dirty Dozen list died out STOP You can see stagnation in the format of the WildList STOP It reads like a telegram by today's standards STOP

Not convinced? Try to find Asia's (supposed) demise in the reports distributed before and after Chernobyl struck. Try to find a looming media fiasco in the WildList report distributed before Hare flopped. Try to find a looming media fiasco in the report distributed before Remote Explorer flopped.

I don't mean to slam the WildList itself — it serves a specific purpose and each report identifies its limitations right up front. Problems occur because people read way too deeply into its way-too-little data. "It's the best dowsing rod we've got," they say. Yeah, and the best we've got sucks. Billion-dollar antivirus firms couldn't come up with anything to augment or replace it in the last six years?

Personally, I'd never bother to show the WildList reports to upper management. A vendor survey doesn't tell them squat about their virus problems. Gordon (IBM)[2] understands this: "it would be extremely useful to get reports" directly from antivirus software, she told Lemos. She said Big Blue[3] plans to look into it, too. (Note to Gordon: Trend Micro beat you to the punch.)

Virus metrics need to climb out of the evolutionary tar pit. For starters, Gordon's team could integrate the WildList concept directly into antivirus software. Why collect data by hand only from vendors when you can collect it automatically from every computer on Earth? Think of it: our PCs could generate reports at the local level and forward them to the WildList, which in turn could evolve into a near-realtime "weather map" of virus detections around the globe.

I tell you, TV reporters will orgasm the day they can "put the maps into motion" for viewers. {sigh} Why didn't antivirus vendors think of it before I did? I mean, come on — I swiped this idea from the Internet worm of 1988...