Can you hear it? Amid the deafening silence that was the Conficker nonevent of April Fools' Day, you should be able to detect an echo from the past. It started as a quiet murmur, but over time, it will build to a crescendo that could make Conficker the most dangerous malware IT has ever seen.
It's the sound of Y2k all over again.
You remember Y2k. The early warnings. The dire predictions. The concerned harrumphings by pundits. The apocalyptic pronouncements by fearmongers. And at last, the nonevent.
And then the choruses of "I told you so", "I knew it was just hype", and "It was all a hoax."
Nothing happened, so there must have been nothing all along. It was never anything more than a scheme by consultants to pocket hundreds of billions of dollars. We wuz robbed!
Those post-Y2k know-it-alls didn't let reality disturb their confidence. Nothing happened? Well, actually, things had been happening for years. Systems had been tested for what would happen on January 1, 2000 – and they failed. But because they'd failed during tests in 1999 or 1997 or 1995, they were fixed long before zero hour arrived.
As the millennium approached, there were more failures – scattered bits of faulty interaction between code that had been fixed in incompatible ways. Those, too, were caught and corrected.
And a lot of IT professionals spent New Year's Eve, the big night, in datacentres, ready to leap into action if something catastrophic happened.
It didn't. There were scattered problems – including system failures at two nuclear power plants in Japan – but everyone was ready for such things. And because the predictions of catastrophe were predicated on lots of critical systems failing at once in exactly the same way with no preparation or safety net, no one seemed to notice the minor glitches.
No wonder people got cynical. They were promised apocalypse. They got a pot of nothing.
Which brings us back to Conficker. It was all over the mass media a week ago – most notably on 60 Minutes, which played up the direst predictions. On the big day, cable news channels breathlessly waited for signs of a digital Pearl Harbor. They never appeared. April Fools!
The "I told you it was a hoax" dismissals have started again. And that should worry us in IT.
Y2k was a non-event because we fixed the problem. But with Conficker – well, we haven't fixed anything.
We thought April Fools' Day was some kind of deadline, because that date was hard-coded into the new version of Conficker. But just because that date has passed, that doesn't mean Conficker is any less dangerous.
Conservative estimates put the size of the Conficker botnet at more than two million PCs. That's one heck of a botnet. And it's still out there: a controlled, coordinated threat in the hands of people who, we hope, just plan to use it to make money with spam.
And there's no Y2k-like deadline, no event horizon. So hearing reporters, bloggers and professional harrumphers compare Conficker to Y2k should make us a little nervous.
And hearing security researchers brag that we made it through, that Conficker's creators have failed and all their work has gone for naught, should make us more than a little queasy.
That's the sound of Y2k. The sound of complacency — of people who believe that we've won and think that because nothing happened, there never really was any threat.
There was. And there still is.