Truth About Computer Security Hysteria
With managers like these, who needs hackers? (v3.0)Rob Rosenberger, Vmyths co-founder
Thursday, 30 December 1999
WHAT DO PORSCHE, West Group, Glaxo Wellcome, Volkswagon, PacifiCare Health Systems, the U.K. Employment Service, the U.S. Defense Finance & Accounting Service, and the Washington State Dept. of Health have in common?
You guessed it: they all fear unknown Y2K viruses.
Porsche acknowledged it on their website in multiple languages. "For technical and security reasons, the Porsche web server will shut down from noon 12.31.1999, to 3:00 pm 1.1.2000." You'll appreciate the irony of the "more performance" banner in this website snapshot.
The Defense Finance & Accounting Service will likewise shut down their website as a precaution. Reuters quoted a spokesman who remarked "you really don't know who's out there and what they're trying to do." (A result of "bad intel," sir.) Another spokeswoman confirmed the Pentagon now approves of precautionary retreats. "If commanders or individual (military) installations feel this is warranted, they have that option."
Can you imagine this philosophy in a real-world military clash? "Did I withdraw my men from the battle zone because of guerrilla attacks? No, sir: we pulled out because the environment just didn't feel safe. Cpl Wingnut thought he heard a noise..."
The Financial Times of London reported "some of UK's largest companies are blocking electronic mail over the New Year in a bid to thwart the arrival of a threatened wave of up to 200,000 computer viruses... Glaxo Wellcome, the pharmaceuticals giant, and the car manufacturers Vauxhall and Volkswagen are among the big companies planning to block e-mails."
The story mentioned a spokesman who refused to discuss whether Ford would invoke a precautionary disconnect. Personally, I assume they won't. My source inside Ford hasn't complained of irrational security decisions.
Financial Times reporters should talk to West Group instead. They sell access to a popular case law database known as Westlaw. Security Coordinator Dave Hedblom told employees in an email:
To minimize Y2K-related problems, all incoming and outgoing external Internet e-mail will be held beginning Friday, December 31, at 10:00 a.m. On Saturday, January 1, at 6:00 a.m., West Technical Services will assess whether it is safe to enable e-mail messages that were sent over the Internet. The amount of time Internet messages are held will depend on our anti-virus vendor's ability to provide software that can detect and clean Y2K viruses.
St. Louis University law student Sarah Holdener smirked at Hedblom's decision to imprison email. "It limits your ability to use Westlaw," she asserted. This screen snapshot validates her claim.
Hedblom may suspend e-habeas corpus beyond New Year's Day if he considers it prudent. This guy must wield incredible authority at his company! I can already hear the courtroom banter: "Your Honor, Prosecution needs a continuance until Westlaw returns to full operational capability..."
The U.K. Employment Service took it one better. This automated reply arrived after I sent a test email:
Your e-mail entitled
Talk about paranoid overreaction! They quarantined a text message with no attachments. Wouldn't you like to ignore everybody's email for a week? (And can't anyone in this industry spell "millennium"?)
You wonder why Americans look down on the healthcare provider industry? A PacifiCare Health Systems customer received this automated response:
Due to the anticipated increase of email transmitted computer viruses forecast by Anti-Viral experts, PacifiCare Health Systems is taking the following measures. During the critical Y2K email Virus period of December 17th, 1999 through January 7th, 2000 all Email sent to PacifiCare Health Systems Inc. will be held for seven days, scanned with the latest anti-viral signatures, and then delivered. Please do not re-send your email message as it will be held as well. If you need to get your information to your contact, please contact them by phone to arrange other methods. Thank you for your patience.
PacifiCare, too, quarantines text messages with no attachments.
The Washington State Dept. of Health also overreacted, though not as bad. A spokeswoman confirmed they are "not allowing attachments to come into the agency [over the new year] because of the concern about viruses." Email will flow unhindered if it carries no attachments.
On a positive note, the Financial Times said British Aerospace "was running e-mail as normal but watching out for specific viruses — [a spokesman proclaimed] 'we have a very good idea where a lot of these are coming from or could come from." Nokia's computer security team has a firm grip on sanity, too, according to a rumor I heard. Good for them!
Network Associates back-pedaled a little in a New York Times story about the Y2K virus threat. " 'Nothing happened over Christmas, which may be a pretty good indication that nothing major will happen on Jan. 1,' said Vincent Gullotto."
Computer security personnel spend years making headway in their companies. They slowly build up a position of authority in their organization. When they finally get a chance to exercise real power, what happens? They let media hysteria cloud their judgment.
You probably paid through the nose this year to improve your Internet connectivity — and now a Chicken Little turns it off & on like a light bulb. Frustrating, eh?
Rational and irrational security personnel will feel the sting of this fiasco. Even if they preached sanity, they'll still suffer guilt by association. Irate users will paint them with a wide brush as "the boys who cried 'there might be a wolf!"
Years of build-up effort, flushed down the toilet ... by people who read Weekly World News instead of Information Security magazine. What a waste. I hope the computer security world learned something from it all.
Now if you'll excuse me, I need to take a shower. Or at least wash my hands. Know what I mean?