Vmyths.com



Truth About Computer Security Hysteria

Rob Rosenberger

Amazingly, we even survived the real millennium!

Rob Rosenberger, Vmyths co-founder
Thursday, 4 January 2001

HAPPY NEW MILLENNIUM, century, decade, year, month, whatever! {hic} I wanted to wish you good tidings on Monday, but ... well, you know.
Free publicity when you predict a virus catastrophe. More free publicity when you proclaim nothing happened. I love this industry!
FBI NIPC once again drank coffee on the New Year's virus night watch, whereas I once again got rip-roaring drunk on champagne. (Mmmm, coffee sounds good right about now.) I kissed a bunch of women under the mistletoe when Richard "digital Pearl Harbor" Clarke told you to kiss the Internet good-bye. And, once again, a predicted armageddon failed to materialize. IDG reporter Joris Evers summed it up in the first 14 words of a story filed on Tuesday. "You were warned about holiday viruses, but the warning may not have been necessary."

Waitaminit, did I speak too soon? A credulous story published the day after New Year's warns "computer hackers thwarted by the extra vigilance and security of last year's millennium bug scare are believed to have resumed their attempts to sabotage companies and organisations this year." Independent Online reporter Charles Arthur quoted "Kent Anderson, the director of IT security for Control Risks, [who] said: 'We have monitored some discussions on a website where Russian hackers have been talking about taking advantage of the fact that staffing will be low during the holiday. We do see this as a security threat.' "

This guy wants us to go to INFOCON Delta because some hackers reflexively bragged in a chat room? Ha! I wrote a column about gullible wolf-criers. Now where did I put that URL? Ah yes, here it is. (Picture Anderson as the guy on the left.)

McAfee tried to distance themselves from their own New Year's fearmongering. Evers quoted spokesmodel Marius van Oers, who proclaimed "there was absolutely no outbreak of viruses this morning. We did not get any problem reports at all from Europe or Asia. I expect it to stay quiet." Thankfully, Evers noted McAfee's role in the fearmongering. "The company issued a news release in late December saying over 1000 users had been affected by 'holiday-oriented viruses.' McAfee 'cautioned' that several of the viruses were designed to hide and then affect computers on or around Christmas day."

van Oers dismissed his firm's fearmongering: "you can see this as a proactive warning; the chance of anything actually happening is pretty slim. If we don't put out warnings and a virus does hit, our customers will be indignant." Ah, of course. So why didn't McAfee give us a two-week advance notice about Melissa or ILoveYou?

Man, I love this industry. The same people who predict a virus catastrophe get even more free publicity when they proclaim "nothing happened." An editor's note in the latest SANS bulletin (the System Administration, Networking, and Security Institute) confirms they saw no attacks. Their reasoning? "Sometimes heightened monitoring and visibility can be a deterrent." Yes, and fearmongers rationalized it the same way last year when their predictions tanked.
Why not make a few predictions? The media won't hold my feet to the fire if I prove wrong...

I SEE SOME patterns emerging here. Indeed, I'll go so far as to make predictions for future holiday seasons:
  1. Antivirus firms will issue "media advisories" (i.e. thinly disguised press releases) to warn about the horrors of holiday-oriented über-viruses; and
  2. Anti-hacking firms and FBI NIPC will issue "media advisories" (i.e. thinly disguised press releases) to warn about the horrors of holiday-oriented über-hackers; and
  3. When their predictions collapse after the holidays, they'll take the bananas out of their ears and proclaim victory against all the paper tigers out there.
The first prediction seems pretty obvious. After all, antivirus firms "warned" us about Michelangelo's trigger date for six consecutive anniversaries. Last year's Kriz virus triggers its payload every Christmas Day, and no one wants to wake up toyless like all the other Whos in Whoville. We'll probably hear about Kriz and its ilk for years to come.

The second prediction seems pretty obvious, too — but I don't know how long FBI NIPC can keep it up. They positively blew it with Y2K virus/hacking hysteria, and they positively blew it with Y2K+1 virus/hacking hysteria. But hey, we're talking about FBI NIPC here. They might attempt a Strike Three in Y2K+2, so I'll go ahead and predict it. I mean, why not predict it? The media won't hold my feet to the fire if I prove wrong...