Conficker, Y2K, and Apocalypse Now

Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written including shopping lists and notes to the milkman. (Unlike novelist Jack Trevor Story, or so he claimed in one of his more overtly autobiographical books.)

A man goes to collect his motor-car from a hypermarket parking lot in Helsinki. (Just trying for an international flavour here.) As he walks in, he notices one of the market’s employees scattering large clumps of catnip round the car-park perimeter.

"Why are you doing that?" he asks.

"To keep the lions away," the employee answers.

"But there aren’t any lions in Helsinki!*"

"See how effective it is?"

I was talking about Y2K, of course. Common sense suggested that most of the dire prognostications of hundreds of thousands of Y2K viruses and other malicious activity were either taken out of context, misguided or intentional fearmongering, and that as long as you took every possible countermeasure against problems you could predict and anything you could think of that would mitigate what you couldn’t predict, the chances were that it would be OK. As, indeed, it mostly was. And I guess we’ll never know whether all those updates and expensive consultancies were worth the money many of us paid out, because we can’t rewind and try it again without all the outlay.

So here we are again. Another year, another round of prophecies of disaster, a few from the fringes of the AV industry, but most from outside it. Expressions of sympathy here to Graham Cluley of Sophos and Mikko Hypponen of F-Secure, who were "quoted" in a Doom and Gloom story by an English tabloid claiming that "Millions of computers around the world could go into meltdown on April 1 because of a deadly virus." Apparently the journalist concerned didn’t actually bother to contact Graham or Mikko, presumably because he knew they’d be too busy getting ready to rescue all those melting PCs.

The sad thing is that "old guard" researchers like Graham and Mikko, mindful of the over-hyped "media viruses" of the past (Friday 13th, Columbus Day), have actually gone out of their way to present a balanced view of the issue, which I’d probably define as "Take all reasonable precautions, but don’t panic." Whatever happens, it’s unlikely to be as dramatic as expected, like the comparatively few systems affected by the triggering of Michelangelo or CIH/Chernobyl. (By comparatively few, I mean hundreds or thousands rather than millions.) In this case, there may be no immediately noticeable impact at all.

What’s the betting that if there’s no drama, it will be taken as another example of hype from the very industry whose public representatives have been trying to "un-hype" the issue?

By the way, here’s a nice bit of unhyping from Joe Stewart. And it’s nice to see the industry get some credit for "calm-mongering" from Thomas Claburn and George Hulme of Information Week. To pick up on something George referred to, the reason that we don’t know exactly what, if anything, will happen on April 1st, despite having the code to analyse, is that the code doesn’t tell us. I guess that’s exactly what is piquing our curiosity.

* I’ve never been to Helsinki, but yes, it does have a zoo. However, I don’t think it has any large African mammals, as they don’t do well in that climate.

** Why did I get my knuckles rapped? Because the chief librarian*** objected to any hint that her team might not be in absolute control of the situation. A friend of mine was actually fired for talking about how the issue was being addressed in the same organization on a public mailing list, so I guess what saved me was the fact that the article didn’t make it to print. 

*** No, I don’t know why the library were running the project rather than the IT team who looked after the computer systems, or the estates team who looked after the laboratory equipment. Feel free to make suggestions below, but there are no prizes on offer.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence.

Author David Harley, ESET

29 Mar 2009