First, we'd like to apologize for sending out an old V&S Watch last week. There actually was an issue for 11 January and it did not repeat material from April last year. (You'll find it online here)
This week's articles deal with virus warning hype, virus impact cost hype, possible hype surrounding security in Microsoft and Oracle products and another reprieve for the suspected writer of the LoveLetter e-mail worm.
Giga-hype over Gigger virus
A completely uninteresting and un-newsworthy e-mail worm had undue media attention heaped on it during the week. JS/Gigger.A@mm, to give it its full technical name, is basically an amalgam of several other previously common and/or problematic mass-mailing script viruses. As such, several antivirus products could detect it the moment it was written because of its incorporation of common virus code routines -- despite the angst-ridden, 'misunderstood genius' stereotype, few virus writers are technically advanced programmers and mostly rely on copying existing code and modifying it to produce their 'masterpieces'.
Generic and heuristic detection techniques capable of detecting 'new' viruses, made from previously common viruses in this way, are generally found in major antivirus products. Thus, JS/Gigger was detectable by several virus scanners before it had been written. This alone would account for it failing to 'take off' when it was released, and such was the case.
However, spurred by tales of massive file system damage and the threat that a victim's hard drive may be reformatted at the following system startup, several media outlets jumped on Gigger as the uber-virus of the week. Hype has a place in the modern world -- advertising and sporting events come to mind -- but it certainly is not helpful to hype moribund, going-nowhere viruses such as Gigger. For one thing, to pick a virus or Trojan for special media treatment just because it has the potential to cause greater than usual system damage by deleting files or disk formatting focuses on the wrong issues. Users should not run any untrusted programs to start with. If computer users do not know what a program does and are not reasonably assured that it was obtained via legitimate means from a trustworthy developer, they should not run it.
Further, users who depend on virus scanners to 'protect' them from viruses should update their products very regularly and not just when there is a media scare about some devastating new virus. There are thousands of all but forgotten programs in the world, many of them viruses equally banal as Gigger, that do more or less what Gigger threatens -- let us hope the media responsible for the giga-hype over Gigger do not decide to trot one of these out each week in the belief that scaring their readers or viewers in some way helps them...
In case you think this piece is unnecessarily cynical, please check the 'threat list' at MessageLabs (a large e-mail ASP that provides virus scanning of all e-mail that passes through its service) and the Trend Micro 'World Virus Tracking Center' summary report (links below). As this issue of the newsletter was finalized for mailing, these sites show that their respective virus scanning services have not seen a single Gigger e-mail this month or in the last seven days.
Guess what a virus attack costs...
Computer Economics is a widely quoted source of estimates for damages caused by computer viruses. In fact, it is pretty much the only source of such estimates. Within the antivirus industry, and among critics of the industry, Computer Economics' estimates have been the source of much incredulity, with most commentators suggesting they grossly exaggerate the real costs. It is true that many antivirus vendor presentations about the dangers posed by viruses and other malware often use Computer Economics' damage estimates, but hopefully most corporate product evaluators are savvy to the differences between reality and marketing or PR material...
A recent article from The Register (the tongue-in-cheek, irreverent IT news site) highlights some of these feelings. The comments it quotes from Computer Economics vice president Michael Erbschloe suggest some animosity between his company and the antivirus developers. Aside from linking to the article at The Register site, we've included a link to another article critical of the 'absurdly accurate' estimates of Computer Economics.
Lies, damned lies and anti-virus statistics - The Register
Alleged LoveLetter writer cleared again
The Philippines Department of Justice (DOJ) has effectively cleared Onel de Guzman, alleged writer of the LoveLetter virus and its associated password stealer, for a second time. A DOJ prosecutor has dismissed a motion for reconsideration of the case, filed by the National Bureau of Investigation.
'Love Bug' suspect gets off the hook -- again - ITNetCentral.com
Gates: 'Our products should emphasize security right out of the box'
Bill Gates has sent a memo to all Microsoft employees emphasizing that security has to be made a higher priority than new functionality and neat features. The company memo was also officially released to the media to publicly emphasise the strength of Gates' newfound conviction that security issues are paramount. From a PR perspective, the memo has obvious precursors and implications. Various senior Microsoft staffers have been using the phrase 'trustworthy computing' of late. That phrase was also used in this Gates memo and a recent speech Gates made at the 2002 International Consumer Electronics Show (also linked below). Expect to read and hear it more in future Microsoft publicity material -- if nothing else, it may be hoped to act as an antidote to the bad publicity Microsoft received over Code Red and Nimda in late 2001, and recently over the UPnP vulnerability in XP.
Whether this is just PR or the genuine launch of a security initiative has, of course, fuelled much debate among observers and commentators. It is certainly not the first time in the last year or so that we have heard that security is now to be emphasised more than ever in MS products and that security and software quality are to be improved. On the other hand, Microsoft is stopping 7,000 of its developers from doing any coding in February to put them through code security training and to provide security awareness training. Of the multitude of questioning responses Gates' memo has drawn, we have chosen to link to Richard Forno's commentary, which also carries a copy of Gates' memo.
Gates calls for 'trustworthy computing' - InfoWorld.com
Speech: 2002 International Consumer Electronics Show - Microsoft.com/billgates/
Commentary (includes memo text) - InfoWarrior
Oracle's 'unbreakable' hyperbole questioned
Oracle has made quite an advertising campaign based on its 'Unbreakable' claim and the phrase 'Can't break it. Can't break in.' CEO Larry Ellison placed heavy emphasis on the product's reputed security advantage over its competitors late last year, at the time raising questions about whether such a public campaign might not prompt the 'bad guys' to turn their attention to the database server product. In fact, last week's issue of this newsletter reported two security patches for Oracle 9iAS that were discovered before Ellison's speech.
Worse, it turns out that these are just the first two of many such bugs discovered by UK security researcher David Litchfield. A rash of patches for those bugs is currently under development at Oracle, but the admission raises further questions about the suitability of the 'unbreakable' marketing slogan. The linked article, by Kevin Poulsen of Security Focus, delves further into these issues.
Breakable - SecurityFocus.com