Vmyths.com


Hoaxes, myths,
urban legends

Columnists

Newsletter
signup

Addictive
Update
Model

False
Authority
Syndrome

About us

Computer
security
humor

Truth about computer security hysteria
Truth About Computer Security Hysteria

Dismal Fortune 500 presence at VB2000 conference

Rob Rosenberger, Vmyths co-founder
Thursday, 5 October 2000 VIRUS BULLETIN 2000 proved a highly worthwhile conference. This year's theme: "sock puppets." I kid you not. The organizers asked IBM & Symantec to stop hawking their 6yr-old vaporware technology — so an argyle-clad forearm named "Bob" plugged it for them.
If somebody insists "our firm almost went under because of ILoveYou," ask why they didn't attend the industry's premier virus conference.
(I re-confirmed it yesterday. You still can't buy a product with Digital Immune System technology. Absolutely amazing.) I'd like to thank everyone who sought me out at the conference just to shake my hand. I honestly didn't know I had such a large fan club among the virus fighters! I really appreciated the kudos. On a sour note, Graham Cluley (Sophos) played Hide & Seek whenever I tried to introduce myself. Hmph. Perhaps next year his majesty will grant me an audience. And speaking of people I didn't get to see... I noticed a disturbing lack of attendance among the Fortune 500. What gives? ILoveYou inflicted some serious juju on the Internet (remember Tom Brokaw's touching eulogy?) yet many of the largest corporations didn't care enough to send their very best. Don't get me wrong: some powerful Fortune firms showed up at VB2000. Delta thankfully sent a warm body; Microsoft sent a whole team. Name badges existed for A.G. Edwards, BASF, CIGNA, Dun & Bradstreet, Exxon Mobil, Ford, Glaxo Wellcome, Liberty Mutual, Lockheed Martin, Lucent, Nokia, Nortel, Pfizer, State Farm, and Wells Fargo. Boeing and Prudential gave lectures about the antivirus lessons they learned in a large enterprise. Yet where were so many other Fortune firms? Notably missing on the attendee list: General Motors, Wal-Mart, General Electric, Hewlett-Packard, Sears, Merrill Lynch, Allstate, Aetna, USX, BellSouth, Raytheon, Dow Chemical, UAL, Goldman Sachs, TRW, FedEx, ADM, Anheuser-Busch, Monsanto, AFLAC, Paine Webber, America Online, Schwab, Nextel, .... "York County School Division" signed up two employees. Why can't a Fortune firm send one virus fighter to the industry's premier virus conference? You could see Disney World from this year's hotel — yet Walt Disney Corp. failed to make the attendee list. What gives? Did Uncle Scrooge balk at the registration fee? Government no-shows positively amazed me. The attendee list doesn't mention NavCIRT, DoD CERT, JTF-CND, nor even the original CERT®. What gives? I suppose those agencies haven't yet clawed their way out of May's big virus catastrophe. Better they should stay at home where they can do the most good. And why did the U.S. Marines go AWOL? They should attend more virus conferences, not less. A little-known fact: HQ USMC panicked during ILoveYou and shut down email worldwide "until further notice." As a precaution, I might add. Only later did HQ realize the catch-22 — they couldn't tell jarheads via email to re-establish email! The U.S. Marines forfeited part of their command & control structure for almost a day thanks to their own stupidity. Their absence at VB2000 greatly disturbed me.
Government no-shows positively amazed me. The attendee list doesn't mention NavCIRT, DoD CERT, JTF-CND, nor even the original CERT®. What gives?
(A tip of the hat goes to Britain's Ministry of Defence. James Bond's alma mater flew someone across the ocean for the two-day event. Good for them.)
I SEND EMAIL to virus experts when I need a reality check. This time I wrote to ask "why didn't more Fortune 500 firms attend VB2000?" Let's just say their answers didn't please me. Wolfgang Stiller (Stiller Research) summed up the most common response. "VB hasn't been properly marketed," he shrugged. Robert Vibert (Segura Solutions) agreed and noted the conference tailors its technical tracks toward virus experts. "Only recently have we seen presentations"annuls[1] of real value to those who fight viruses on the front line. I'll admit Virus Bulletin magazine needs to market its conferences better — but I won't accept ignorance as an excuse for a large firm. Fortune 500 security managers should know about this one. Period. One expert (name withheld by request) pointed out the need to keep up appearances. Going to VB2000 so soon after ILoveYou might give the wrong impression about a firm. I myself believe this kind of thinking drives the absurd "need" for secrecy in the virus world. But let's save this topic for a future rant. Demigod virus expert David Chess (IBM) stepped forward to defend the no-shows:
I think the biggest and wisest corporations are now well-enough set up that they consider virus protection to be just another routine thing that they do. Do we expect all big corporations to send their best IT people to an annual conference about backup software, or hard disk reliability, or fire-extinguisher design? Certainly there will always be some companies, and some particular individuals at companies, who have a particular interest in the subject and will come to VB for whatever reason, and benefit from doing so. But I don't think it's surprising that any particular company wasn't represented. Disney for instance probably has an a-v solution in place that's working well for them, and has no one on its IT staff who thinks viruses are a big enough deal that they have to attend VB to find out more. On the other hand, of course, in absolute terms this was I think the heaviest-attended VB ever, and I doubt many people were there as individuals! So the number of companies (Fortune 500 or not) that send people is probably not any lower than it's been in the past...
Chess makes a very strong point. His final paragraph also backs up comments about VB2000's marketing problem. And yet... Corporate virus fighters brag how Melissa and Chernobyl and ILoveYou almost destroyed the Internet. (Did I mention Tom Brokaw's touching eulogy?) They predict a future über-virus will make Mafiaboy look like a choir boy. If the Fortune 500 couldn't get a handle on viruses for the first 14 years, how on Earth did they turn it into "just another routine thing" in the last four months? No offense to Chess! His reply doesn't touch on the bipolar nature of virus hysteria. I just think Fortune firms should "walk the walk" if they "talk the talk." You know, we should compare DEF CON's attendee list to VB2000's. Let's see who didn't put his money where his mouth is.
NO-SHOW FORTUNE FIRMS might berate me for failing to attend the nine previous shindigs. "You recommend Virus Bulletin magazine," they'll protest, "yet you didn't go to their conferences before now. What gives you the right to chastise us?" What gives me the right? Hey, I refused to make money from my crusade for eleven years. Fortune firms treat conferences as a business expense; I couldn't do the same before now. I did everything as a labor of loveanger and I just couldn't afford to fly to places like Japan & Germany. ...Which brings me to the issue of "exotic conference locations." A business trip to Disney World might raise eyebrows at a small firm but it shouldn't deter the Fortune 500. They know "conference friendly" cities are popular for a reason. The IRS knows full well, too. Does your travel budget need a dose of Viagra? Experts claim many Fortune firms lost millions of dollars as a result of Melissa and ILoveYou. I spent roughly $2,500 to attend this year's premier virus conference. Borrow a calculator if you can't do the math in your head.
VB2001 will probably take place in Europe, so prepare your business case and renew your passport. Don't give me some lame excuse about an "overseas travel moratorium."
If Fortune firms can justify a trip to DEF CON, they can justify a trip to VB2001. It'll probably take place in Europe; prepare your business case and renew your passport. Refer to the previous paragraph if management whines about an "overseas travel moratorium." And I don't want to hear any BS from virus fighters who retired from the military. "I can't attend a conference infiltrated by Russian & Czech nationals." Or better yet: "I can't cross a U.S. border without the CIA director's written permission." Yeah, sure. My operatives in the State Department will authorize a waiver for you.
THIS NO-SHOW STUFF gives me some serious ammo. The next time somebody insists "our firm almost went under because of ILoveYou," I'll ask why I didn't see them at VB2000. What gives? God help anyone who admits "we blew our travel budget on DEF CON in Las Vegas."