Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

The federal government, independent virus researchers and the First Amendment

James Lipshultz
CryptNews [20]
November 1993

1
[Back to index] [Comments]

On June 28th (Vol.7, Issue 16, P.26) of this year, Federal Computer Week published an article by John Stein Monroe entitled "McAfee Champions Virus Protection". I must take exception to many of the statements ascribed to Mr. McAfee.

In the interview, Mr. McAfee asserts that:

"...the government is less willing than any other user group in the country to openly address its computer virus problem."

I cannot help but ask the following: How does it serve Anti-Virus Product Developers (AVPDs) to know the approximate number of microcomputer virus incidents affecting the federal government over the past year? Would the information be used to scare the public into thinking that they are doomed to some kind of virus-related catastrophe if they do not buy anti-virus software? I have to wonder if AVPD figureheads like Mr. McAfee are really crying out, like Henny-Penny, "THE SKY IS FALLING!" in hope of boosting sales.

Next, Mr. McAfee states that:

"By keeping mum, the government is making it difficult to contain the problem . . . Vendors and researchers who could help address the problems can't fight what they can't see. If the government doesn't open up and cooperate with the anti-virus community, knowledge of the viruses never reaches the research community. Before we can get our hands around the problem, [government agencies] must be open about the scale of the problem."

This argument is incredibly weak! Surely we are not so ignorant as to believe the last sentence in the quote? As I see it, Mr. McAfee is trying to say that if the federal government collectively gave accurate information on all virus infections, he and other vendors could then stop virus infections by using the statistical data collected (excuse me while I break away from the keyboard for a good long laugh!). What he really means is that this information would be used to promote his product so sales and stock prices would increase (simple Econ 101). Isn't that what good marketing and being in business is all about?

Other statements made in the interview illustrate an opinion I've held for quite a while: That there really is no big virus epidemic, contrary to what the public has been led to believe.

"Part of the struggle in the industry is convincing computer users that the problems exist," said McAfee. "Virus awareness has grown in stages . . . we have turned the corner a number of times."

The first turn, said McAfee, was in 1989, when the national press picked up the story of a virus expected to hit users nationwide.

But the virus, Datacrime, "did not amount to much of anything, which put off the press for some time."

The next turn came in February 1992, when several computer vendors shipped products infected with the so-called Michelangelo virus . . ."

At this point, Federal Communications Week failed to report that nothing significant happened then either! It must be hard to convince computer users they have a virus problem when major infections are rare. Of course, it doesn't help that the AVPDs themselves have been guilty of crying "Wolf!" a few times too many.

Two years ago analysts in the antivirus field were predicting a geometric explosion of viruses, with over 30,000 new variants forcast by the mid-1990s. Actual numbers have shown this to be erroneous. As for the Michelangelo virus, it's my understanding that Mr. McAfee himself was the source of the statement that 5 million machines would be infected by that virus in the USA alone . . .

It cannot be denied, however, that some companies have been seriously affected by computer viruses. On National Computer Virus Awareness Day, Federal Communications Week stated that Rockwell International and Nydex Corporation came forward to tell of their woes of infections in the hundreds. My questions to these companies would be:

What I am saying is that sloppy computer practices will sometimes net you a virus. A computer virus poses a negligible threat if the user possesses the fundamentals of common sense, ethics, and basic knowledge of computer operations.

I found the next comments by John McAfee in Monroe's piece to be self-serving and misleading; as inflammatory as if they had been made by some two-bit demagogue:

"But the greatest concern is the virus writer community itself, where the social incentive to write viruses far outweighs any legal disincentive . . . Individuals have collected into virus writing groups, with names such as Nuke, Schism [sic] and Terminator, and have set up electronic bulletin boards for disseminating their programs. These people can get access to such boards only when they have earned the right by successfully infecting a network."

How absurd! I sign-on to about two dozen virus BBS's across the USA, some of which are maintained by virus-writing groups while others belong to independent virus researchers. Not once have I been asked to do anything illegal to get full access on these boards! I have also noticed that if anyone posts a message advocating illegal activities, the board sysop first warns the individual to "cease and desist," then terminates that person's access if he/she persists in posting such messages. Individuals who post messages boasting of infecting PCs and networks, as Mr. McAfee avers, are considered "lame" and undesirable vandals.

When it comes to disseminating viruses, anti-virus product developers are no slouches themselves. If writing a program that replicates is made illegal, then most, if not all, of the anti-virus industry should be arrested for distributing viruses among themselves and to the public. They could start by arresting John McAfee for sending me over a hundred viruses in January of 1991 (I have all correspondence and original floppy disks sent by McAfee Associates, if they wish me to produce proof.) And how about the international trafficking of viruses? At the National Computer Security Association's Anti-virus Product Developer's conference in 1990, I witnessed Alan Solomon of S&S International, a British anti-virus company, hand out floppies which allegedly contained the latest European viruses to the "Good Old Boys Anti-Virus Group," as he and his colleagues joked and laughed like children in a candy store.

Moving on, Mr. McAfee's next comments are only statements of the obvious:

"But under current legislation, such operations are perfectly legal."

Like it or not, writing viruses is protected under our first amendment! I hope the ACLU will test it in court if the vendors do succeed in getting some computer illiterate Congressman to pass a law.

"The only crime is to introduce a virus on a system by subterfuge."

Of course, it is and _should_ be a crime. And yes, how true, when someone commits a crime it is illegal.

"Imagine if it were legal to steal an automobile."

What does stealing a car have to do with viruses? We are agreed that car theft and purposely infiltrating a virus into a system are both illegal. As much as I loath analogy in debate, since John McAfee has introduced this example I shall extend it. As a car owner, you protect your vehicle by installing safeguards to deter the thief. Similarly, you protect your PC from viruses by following a few simple, common sense tactics, including the use of an anti-virus product. In fact, those who own or use a microcomputer should be following these procedures as a matter of course, simply because there are so many other hazards which can harm the data stored on a PC. It seems that instead of an intelligent, articulate discussion of the issues, McAfee prefers to resort to cheap emotional pleas in order to elicit a Pavlovian response from the reader. I have not seen these tactics rivaled since the movie "The Trial of Billy Jack"!

"According to McAfee, society needs to tackle the problem with appropriate legislation. 'Until we address it nothing we do from a technical stand point is going to have a great long-term effect.'"

So far, virus protection vendors have done a reasonably good job of keeping up with the proliferation of viruses, McAfee said, but unless legal action is taken, "the anti-virus community will be overwhelmed."

I would like to direct John McAfee's attention to an article called "VIRUS MYTHS," written by Mr. Viktor Meyer-Schornberger of Ikarus Software, which appeared in the International Computer Security Association's March 1992 Virus News and Reviews journal.

The article references European analysts who extrapolated over 30,000 new viruses by the mid-1990s. It then goes on to state that the facts do not support such a conclusion. If "minuscule and insignificant variations among viruses are disregarded", the number drops to about 750.

This number included viruses which have never been found in the "real" world, are used for research purposes, or are extinct. Mr. Meyer-Schornberger estimates that of these 750 viruses, 10 percent pose a significant risk, 50 percent a very slight risk, and the remaining 40 percent, no risk at all "to the average computer user".

The article also refutes the myths of a worldwide virus pandemic, virus invisibility (stealth viruses), and an impending virus "Armageddon," which seems to be the thrust of Mr. McAfee's remarks.

John McAfee does his best to sound the alarm about the virus threat, yet he fails to do his homework. A study performed by the Jinbu Corporation in 1993, on threats to computer systems, illustrates my point. In the Jinbu study, losses attributable to computer viruses added roughly to 2 percent of the whole. The most notable part of the study showed that 50 percent of all losses were, and still are, attributed to user error. Based on John McAfee's reasoning, should we not then enact laws against human stupidity?

The last statement in Monroe's article is priceless:

"McAfee said he believes that laws will get through only when the problem is so severe that someone in a sensitive government agency, such as the Justice Department, has a virus problem of near-catastrophic proportions . . . 'At that point, I think we will see some legislation,' he said."

After such irresponsible statements by John McAfee, the Justice Department should discontinue its site license for his anti-virus software, which Justice has had for the past several years! Is McAfee hoping and praying for a catastrophe to happen to the Justice Department? Has he no faith in his own product's ability to stop viruses? The scope of any law passed as a knee-jerk reaction to the viral destruction of data at any major institution would be suspect, and comparable to the edict which unjustly interned Japanese-Americans at the outset of World War II.

Whether or not the federal government advertises virus infections will not materially affect the number of virus incidents one way or another. In fact, the federal government is heading towards as compliance with whjat is known as a C2 level of security. C2 in and of itself resolves the virus problem! All viruses are harmless in a fully implemented C2 environment! A C2 operating system will not release security controls to any software program. System resources such as memory are released back to the operating system upon logging off of any user on the system or network. A user introducing unauthorized software - or viruses - into the system should not even be able to execute the software, let alone write to the file server, without going through the system administrator. The bottom line is: The demand for anti-virus products will wane as systems become C2 compliant!

I find it repugnant that vendors want to control the public's behavior and freedoms when they cannot agree to a code of ethics among themselves.

Education and moral behavior, not legislation, are the answer to eradicating viruses. The anti-virus vendors should stick to research and development, programming and product enhancement - that's their field of expertise.

They should stay out of the legislative arena and leave our Constitution alone.

I value my freedoms highly; I hope others value theirs equally.

- James F. Lipshultz, Esquire

Special thanks to Frank Tirado for assistance in preparation of this article.

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua