Hoaxes, myths,
urban legends




About us


Truth about computer security hysteria
Truth About Computer Security Hysteria

Rob Rosenberger

Another urban legend in the making

Rob Rosenberger, Vmyths co-founder
Thursday, 29 April 1999

I BELIEVE USERS will write off an excessive number of computers as "physically destroyed" by CIH. We'll never learn the true number, either. The media will quickly raise Monday's event to urban-legend status, antivirus vendors will use it to sell more software, and I'll remain frustrated with all the shallow assumptions.

What do I mean by "the true number of physically destroyed PCs"? Put yourself in the shoes of a user sitting in front of a dinosaur just barely capable of running Windows 95. I know this may sound bizarre to people who get a new computer every other year, but you'll find 386 & 486 machines in many Fortune firms. Antivirus vendors still update their Windows 3.1 packages because a viable market still exists for them.

Did CIH trash your com­pu­ter? Con­grats! Your boss will give you a new PC as a re­ward for your care­less­ness. Every­one who prac­ticed "safe hex" will be punished with their same old dino­saur equipment.

So! There you sit, wondering why your Flintstone computer won't start up. Another old PC in your office exhibits the same problem, so you call the local repair guy. "Uh-oh, it sounds like you got attacked by the CIH virus," he says. "It physically destroys computers, you know..." As the morning drags on, you learn this deadly "mother of all viruses" can literally turn your PC into a doorstop.

You and the assistant manager march into the manager's office to pronounce your machines dead. "We need new PCs," you tell the boss. "The repair guy says they're doorstops now. There's nothing we can do to save them." Your computer doesn't even have a FlashBIOS — but you and your boss don't know this. He quickly reads the horror stories, lingers for a moment on the part about how CIH destroys motherboards in certain cases, then says "okay, we'll order new equipment."

Hurray! "While you're at it, we need new monitors and keyboards and mice and printers. I've told you for over a year I need a CD-ROM drive, so please make sure mine comes with one." Before the manager can complain, you say "and your assistant here needs a CD-ROM drive too." You hear a sigh, then "all right, find a typewriter and do up the paperwork for my signature."

You make no attempt to learn if you can put the dinosaur PCs back into production. Who can blame you? Even if someone reformatted the hard disk, you'd still find a way to rationalize all the new equipment. "Oh, this printer probably isn't why-too-kay compliant anyway..." In the end, your manager will blame a malicious virus for destroying perfectly good computers, monitors, printers, keyboards, and mice. The total cost of CIH will include the price of Office 97, laptops, 21" monitors, color printers, KVM switches, etc.

CIH's rampage will also "force" everyone to buy antivirus software they never before needed. Tack it onto the total bill.

IT DOESN'T SERVE the world's best interests to uncover the truth:

  • The truth doesn't serve antivirus vendors' best interests. Why would they want to deflate wild figures coming from the mouths of government officials? Remember, fear sells software in the computer security industry. Those figures make for great advertising.
  • The truth doesn't serve government officials' best interests. Why would they want to call a press conference in the name of accuracy? These numbers really don't make a difference.
  • The truth doesn't serve computer makers' best interests. They make a sale whenever someone throws away a perfectly good computer.
  • The truth doesn't serve victims' best interests. They get rewarded with a new PC for letting a virus infect their computers.
  • The truth doesn't serve computer repairmen's best interests. They can quietly reuse or cannibalize those perfectly good PCs.
  • The truth doesn't serve black market best interests. You can usually sell a perfectly good PC to someone.
  • The truth doesn't serve computer security managers' best interests. They can use inflated CIH statistics to further their cause.

The world won't care how many wrist rests and flatbed scanners get tacked onto CIH's bar tab. Everyone would have tacked those costs onto Y2K's bar tab anyway...