Don't Get Security Sucker-Punched
Is the devil you knowand expectbetter than the one you don't?
Consider this: You run into person No. 1let's call her Melissaon the street. Without warning, Melissa hits you in the face and then proceeds to beat you up as you lie on the ground.
Then, person No. 2, Michelangelo, walks up to you and calmly states that in two weeks time, at exactly 2 p.m., he will beat you up. Then he walks away.
Now, while neither is a pleasant scenario, I have a feeling that the majority of people would rather run into Michelangelo than Melissa.
While there is definitely fear and trepidation about the impending date Michelangelo gives you, at least you can do something about it. You could make sure that a couple of big friends are with you at the appointed time, or take martial arts training, or notify the authorities, or just get out of town. At least you can prepare in some way. With Melissa, you are down on the pavement getting beaten up before you even know what hit you (literally).
Likewise, it's easier to deal with a computer virus or worm that purports to hit on a certain day rather than one that just hits. The latter is the one you really need to worry about.
But, strangely enough, people take the opposite attitude with these viruses. Try to tell someone about a dangerous new virus, and you're likely to get little interest. You'll get responses like, "Yep, I hear those viruses are nasty. That reminds me, I need to patch my system and update my anti-virusmaybe I can get around to that next week."
However, if you say that the same virus will hit on a specific datesay, April 1people get a lot more interested. "Wow, it's like a time bomb! What do I have to do to protect my system right away?!"
To a large degree, this phenomenon is driven by those of us in the media. Tell a reporter, especially a general media reporter, about a dangerous new virus, and he or she will see it as just another in a long line of viruses. But tell the reporter that the virus will do something dastardly on a specific date, and suddenly the reporter is much more interested in telling the story.
Personally, I tend to be of two opinions on this.
As someone who has been writing about security for a long time and who is often frustrated that people and businesses don't take computer security seriously, I welcome anything that gets people to sit up and pay attention to security.
But I also get frustrated that the people who pay attention to these time bomb viruses spend most of their time being blase about security or actively ignore basic security practices that would protect them from just about anything.
Oh well, if you can't beat them, join them. Maybe we in the security community should embrace this time bomb obsession and regularly report that there are viruses and worms that will take effect on a specific date.
I can see it now. People, I must warn youthere's a dangerous virus out there. [Snore.] It will steal data from your computer and compromise your identity. [Whatever.] Ummm, it will also find every embarrassing picture and e-mail on your system and send them to your parents. [Uh oh!] And it will look at your iTunes list and tell all your cool friends that your favorite artist is Engelbert Humperdinck. [Oh no!] And it will take effect on Mother's Day! [Ahhhh! Call ITwe need to protect my system!]
OK, if I did this I would be fudging the truth a bit. But it might get people to pay attention to security. And that's definitely better than an unexpected punch in the face.