A Year-end Mailbag
George Smith, 2002-12-16

"Why are you rambling?," and other feedback received by your anti-virus columnist.

As the end of the year approaches, it's time to turn the column over to some outside grumbling, and expose scabs that regular readers of these essays say need repeated picking.

Nick B., a sysadmin of a network of some national repute, writes to say he'd like to see some different -- more real -- figures attributed to losses due to computer virus-related troubles. So I called upon him to don his thinking cap for a minute and indulge me as chairman for a day of Economics-Schmeckonomics, a high-tech risk assessment firm I concocted to lend realism to the exercise.

Nick reckoned he could be as accurate as anyone from anti-virus PR firms in supplying numbers and I agreed. It turns out losses at Nick's enterprise are spread over a wide range of things: "imperfectly preventing viruses from coming in," hard disk failure (about "seven percent on our network" per annum) and other garden-variety pests. One of these was the brain sinkhole known as the JDBMGR.EXE hoax, a fake virus warning that mercilessly spawns phone calls from users who have balled up something by following its bogus instructions for removal.

For a network of 1,500 PCs, Nick tallies up real-life losses estimated using a capacity for honest horse sense you won't see duplicated in the National Strategy to Secure Cyberspace.

  • Fifty dollars per PC on software, "plus one hundred per user for training plus another hundred on downtime caused by the anti-virus itself for a total of $225,000 USD."

  • One hundred hard disk failures, at $300 per case for downtime, technician time and lost data. $30,000 -- -cha-ching-!

  • Four hundred virus hoaxes dealt with: $30 per for sysadmin time, $30 for the user's -- $24,000.

  • Three hundred copies of Bonzi and Gator deleted, fifty dollars per PC -- $15,000.

  • One hundred phone calls from users panicked about hackers because they read pop-up ads and demand the information technology department do something to "Stop Our Computers Broadcasting An IP Address" because "Hackers Can Use This To Start Attacking Our Computers." Thirty dollars per case for sysadmin time, thirty for users' time -- $6,000.


Friction and Noise
The total comes to $300,000 per year or $200 lost per PC on the network. But the value of 100-page Word documents lost due to stupid bugs is incalculable, he adds finally.

These losses were and are serious business, stealthily pilfered from everyone's pockets when extrapolated to cover the whole nation. Absent them, there would potentially be enough monetary gain for everyone on our U.S.-centric network to buy themselves the initial makings of a new home entertainment system. It's obvious bad news for the holiday shopping season and if you multiply the gross amount by 1,000 for sport it becomes millions. A hundred million here, a hundred million there, soon you're talking real money -- the friction and noise, however amusingly delivered, of year-long error in our society.

To peel away the bulk of this, Nick recommended spending zero on a global site license for anti-virus software, a seemingly radical suggestion which, he adds, often causes people to spill their drinks. Instead, some astute blocking of attachments and two virus scanners -- one on a mail server and another on a proxy that handles the internal address book -- work pretty well.

"They don't break anything so our users don't think we have any security," Nick B. writes dryly. A few salaried people who know what they're doing is a requirement, though.

Snake Oil
I found another chestnut in the work of fellow columnist (back-scratching: American as apple pies and Omaha steaks) Richard Forno, who has become a jihadi in the cause of putting down cyber-terror-spouting infidels.

"Those that blindly accept continual reports of impending gloom and doom" for the prevention of dubious monetary loss are suckers, Forno indicates in a recent homepage rant. Such Paphlagonians -- Paphlagonia being a county where the very gullible reside -- will never be able to mount effective information security programs because they're always swayed by hogwash from "experts" aiming only to separate them from their money.

Said another way, one of the points made again and again is that "cyberterror threat and warning" is a synonym for snake oil. Forno sternly describes the terrain just as he sees it and delivers much more on the subject worth reading.

Finally, as the last thought for the year, let it not be said I do not take seriously even the harshest commentary:

"I just read your article and it is long and not very insightful," observed one fellow acerbically. "Why are you rambling? I haven't been this bewildered in a while. I think you have something important to say and would like to know what it is."

Happy holidays!


George Smith is a Senior Fellow at GlobalSecurity.org, a defense affairs think tank and public information group. He also edits the Crypt Newsletter and has written extensively on viruses, the genesis of techno-legends and the impact of both on society.
Copyright 2008, SecurityFocus