Your CIO can reduce virus hoaxes in your firm. Here's how
Late one June night, the last day of EXPO, John McAfee, president of InterPath corporation, was burning up telephone lines across the country with his latest and greatest idea: the formation of a computer virus industry association. McAfee had laid his plans well. The association had a name, The Computer Virus Industry Association (CVIA), and a president, Mr. McAfee himself. A press release was already written and ready to go, announcing the members and their remarkable 90 percent industry market share.
As often happens, plans gang aflay and McAfee tripped over his own shoelaces. In his calls to prospective members, he recited a list of those developers "already in" the CVIA. Several of the people he called had been enjoying a beer together only hours before. McAfee's story did not ring true. At least five major developers, FoundationWare (Corporate Vaccine), Software Concepts Design (Flu Shot), WorldWide Data (Vaccine), RG Software (DiskWatcher), and Panda Systems declined to participate, based in part on what appeared to be McAfee's deliberate misrepresentation. Ross Greenberg, developer of the Flu Shot line of software, stated for the record, "I wouldn't call it a scam, but it sure as hell is one of the more unethical things I've witnessed."
The CVIA folks went ahead with their press release missing most of the major developers east of the Mississippi. They were also missing a few facts as well. CVIA promotional material stated that the group began with seven of the original eleven developers. Eleven minus the five companies listed above seems to yield six. The association also continued with its claim of 90 percent market share of anti-virus products, an impossibility in light of the product distribution of the nonparticipants, particularly Greenberg's FLU SHOT and the early PANDA products, CHK4BOMB and BOMBSQAD.
The CVIA's headquarters were located in the offices of McAfee's InterPath Corporation, as is the "National Bulletin Board Society," an entity owned by McAfee. Some suspicions were aroused by this coincidence, and it was discovered that the CVIA had not filed any of the appropriate documents to be classified as a not-for-profit organization.
Perhaps this lack of formal organization is understandable. The CVIA and McAfee himself were quite busy in that time period. Press releases from the CVIA flooded editors' and reporters' desks and scarcely a day went by that a John McAfee/CVIA quote did not appear somewhere in the media. McAfee also seemed to welcome the publicity, whether positive or negative.
In USA Today's "TECHTALK" column, a subhead read, "Computer world's virulent war of words." The reporter, Mark Leweyn, stated,
"Over the last few weeks, computer viruses -- rogue programs that destroy or alter information in a computer -- have been a hot topic in the media. Now two groups are embroiled in an acrimonious debate over who is the official spokesman on the subject. Over the last several months, a software maker, John McAfee, has taken on that role as head of a new group called The Computer Virus Industry Association. That didn't sit well with the software world's primary trade group, The Software Publishers Association, and its executive director, Ken Wasch.In a remarkable 2000-word "flame piece" (bulletin board users' talk for a highly emotional statement) on his NBBS board, McAfee exhorted any and all readers of his flame to copy it and load it on other boards. The flame was apparently in response to two things: the announcement by the prestigious Software Publishers Association (SPA) of the formation of a security group, and an extremely derogatory article in MIS Week entitled "Virus Industry Leader Assailed.""Wasch claims McAfee -- president of a firm that sells software to stop viruses -- is a huckster trying to scare people into buying his programs. In response, McAfee says the SPA is just scared all the talk about viruses will kill the sales of its 400-member companies. He says the SPA even asked him to join to shut him up. Last month the SPA formed its own virus group to spread information on the subject, but the war of words is not expected to end soon."
Leading with his chin -- and perhaps his philosophy -- McAfee stated, "Mark Twain's comments that noteriety [sic] is worth a million dollars in advertising and that no publicity is bad publicity if they spell your name right is [sic] absolutely true." McAfee's name was spelled right over and over again for several months that summer of 1988.
All of a sudden, however, both McAfee and the CVIA were conspicuous by their absence in the press. One reporter, bitten by using a McAfee quote that later turned out to be grossly inaccurate, stated flatly, "I wouldn't quote him again if he were reading straight from the Bible."
InfoWorld's "State of the Industry" columnist, Rachel Parker, took aim at the CVIA and fired under the headline, "Beware of Companies That Fan Flames of Computer Virus Fear" in the January 23, 1989, issue. Her parting shot: "The computer virus problem is real, and it represents some pretty mind-boggling problems. But addressing problems and trading on fear are clearly two separate items. If the Computer Virus Industry Association or any other trade group truly wants to help companies prevent virus attacks, they should find solutions, not exploit fear. Exploiting the fear that surrounds the unknown detracts from credible efforts, and casts a cloud of the entire industry."
Within a matter of weeks after the Lehigh incident, a small cadre of "experts" blossomed forth. Some, with their feet solidly planted on the ground of experience in computer and security issues patiently gave interviews to reporter after reporter but, as one highly regarded security maven put it, "I never get quoted because what I have to say is not sexy enough."
The "hot" quotes frequently came from self-serving sources and the media jumped on the sensationalism. One of the most egregious errors in fact came from an anti-virus software vendor whom the Associated Press quoted as saying that his company had documented over 300,000 cases of virus attacks. The reporter was confronted with the mathematical impossibility of such a statement: 300,000 cases multiplied by the unlikely minimum time of 10 minutes per case for documentation yields 50,000 person hours. One person working a 40-hour week would require 1250 weeks to complete the documentation project. Since "viruses" as they are now known were less than a year old at the time the statement was published, 25 people would have had to devote their 40-hour weeks to the project. At minimum wage, the cost of the project would have exceeded $150,000. Red-faced, the reporter and editor of the story recognized that they had jumped on a statement without using even five minutes and their own common sense to consider its accuracy.
Not surprisingly, the same quasi-expert put forth an amazing cost estimate for recovery from the ARPAnet attack in November of 1988, somewhere in the neighborhood of $100,000,000. While one hundred million dollars do not make much of a dent in the national budget deficit, such a widely quoted figure makes quite an impression on the impressionable, especially if he or she pays taxes.
Again, a little math applied against these specious figures casts severe doubt on their accuracy. According to the numbers supplied to the author by the "expert" in a telephone interview, 142 person and machine-time years were lost or expended in the 36-40 hours required for complete recovery of the systems involved. Get out your pencils.
|
