Vmyths.com

Hoaxes, myths,
urban legends

Columnists


Addictive
Update
Model

False
Authority
Syndrome


About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Rob Rosenberger

Asia thrown back to transistor age

Rob Rosenberger, Vmyths co-founder
Tuesday, 27 April 1999

ASIAN GOVERNMENTS SAY CIH "destroyed" or at least erased data on 200,000 to 300,000 PCs yesterday. Media reports put the American toll somewhere in the neighborhood of 70-100, yet circumstantial evidence indicates the U.S. number may actually wind up in the low four figures. Yes, yes, I honestly expected CIH to flop — but not for the reasons you might expect.

Anti­virus ven­dors have cried wolf for eleven years. Hey, it appears a wolf struck. Should we act surprised?

Virus experts emailed me last year about a major destructive event they predicted for 26 April. Each expert presented a reasoned argument; each expert based his hypothesis on empirical evidence. For the record:

  • Nick FitzGerald (Virus Bulletin), Jimmy Kuo (NAI), Snorre Fagerland (Norman), and Dan Schrader (Trend) warned of a big CIH event on 26 April. Schrader specifically focused on the Asian vulnerability.
  • Eugene Kaspersky (AVP), Robert Casas (ComSec), Graham Cluely[1] (Solomon's), and Alex Haddox (Symantec) didn't make an outright prediction but they did imply concerns about CIH on 26 April.

These guys worried seven months ago about what would happen yesterday. Why didn't anyone listen to them? Regrettably, antivirus vendors started crying about wolves eleven years ago — and their PR folks decide what to bring to the media's attention. Count the number of CIH press-release warnings issued last year, then check the number of CIH press-release warnings issued this month. Then count the press releases issued right after Melissa surfaced. You'll notice a trend.

I wanted to write an opinion piece in mid-April about those dire predictions. Then Melissa came along.

When the hysteria erupted, panicky users reached for the latest antivirus software. A primary condition for the experts' hypothesis disappeared as users cleansed viruses from their systems (CIH included). However, the media declared Asia an odd exception to the Melissa hysteria ... which means Schrader's prediction didn't lose its primary condition. I imagine he feels pretty frustrated with his accuracy.

To the best of my knowledge, Michelangelo held the record for the most number of computers wiped out in one day by one virus. CIH easily beats the record tenfold if the numbers coming out of Asia ring true. Hang on while I call Guinness...

Soft­ware com­panies accuse Asia of ram­pant piracy. I guess they didn't bother with anti­virus pro­grams before now, eh?

Pseudo-experts may cite Schrader's accuracy as "proof" of other experts' accuracy. Beware this fallacy. Demand to see empirical evidence of rampant worldwide CIH infections cleaned up as a specific result of the Melissa hysteria. Likewise, pseudo-experts may cite Melissa as an example of "beneficial" hysteria. Beware this rationalization. Panicky users represent a direct threat to their computers under any conditions — and they might heed the advice of pseudo-experts instead of genuine experts.


CIH PROBABLY BLEW away some critical U.S. government & military computers or data. We can therefore assume FBI NIPC Director Michael Vatis will issue an APB for the author. After all, he ordered a nationwide manhunt for the author of Melissa, a mediocre virus which basically just disrupted the flow of email over a weekend...

Please keep these things in mind if CIH directly affected you yesterday:

  1. if CIH overwrote your hard disk or your FlashBIOS chip, then shame on you for failing to practice "safe hex";
  2. if CIH attacked computers at your college or university, then shame on you for failing to protect them from uncaring students;
  3. if CIH deleted irreplaceable company data, then punish the employee(s) for failing to back up valuable corporate data;
  4. if CIH forced your company to buy new hardware for some reason, then charge it against the Computer Security Manager's account for failing to protect valuable corporate assets from malicious code;
  5. if CIH nailed you because the media didn't do enough to warn you, then shame on you for relying on the media to tell you when to check for viruses.

You know what I find curious? Reporters last month said a worldwide virus threat barely afflicted Asia's computer users; now the media says a nearly year-old virus devastated Asia's computer users. We need to find a way to combine Western resistance to CIH with Eastern resistance to Melissa.