My doom passed, and fortunately, I’m still standing.
Sorry, make that Mydoom. The latest Worst Virus Ever — bigger than SoBig.F, messier than Melissa, a deeper hue than Code Red — made a spectacular splash at the end of January, its impact still rippling out well into last month. At one point,
security company F-Secure estimates, almost a third of e-mail traffic was being generated by the worm.
Conspiracy theories circulated. The original variant was designed to launch a distributed denial-of-service attack on the Web site of the SCO Group, which has been embroiled in legal tangles with distributors and users of the open source Linux operating system. SCO fingered the open source community. Open sourcers pointed right back, noting the sympathy it engendered for embattled SCO. Whatever — the Web site eventually succumbed.
Security firms scrambled. Microsoft offered a $250,000 reward for information leading to the identification of the culprit (a later variant targeted Redmond). The technology press devoted the news and analysis space that a threat of this magnitude warrants.
Yet somehow, it seems, the reaction on the ground was a little jaded. Maybe it’s because we’ve long since stopped opening executables we aren’t expecting (but a large number of people did). Maybe it’s because we’re becoming inured to the social engineering that’s part and parcel of effective virus propagation (but a lot of people aren’t).
It may be we feel like we’ve seen this movie already. To use the well-worn highway metaphor, you curse the first few potholes; you mumble a little under your breath at the next few; then you don’t react at all, and before you know it there’s more pothole than road.
This is virus fatigue, and it’s very dangerous. Consider a recent U.K. study, as reported in The Register, that found two-thirds of office workers don’t know basic prevention measures, a third say they’re too busy to apply them, and more than half say they wouldn’t be particularly bothered if they encountered an attack.
It should prompt debate about whether the Internet is a safe place for companies to conduct business.
Risks from the Internet aren’t limited to viruses. There’s spam, of course. The newest filtering techniques spawn the newest workarounds, until business-critical messages aren’t getting through and offers for fuller, plumper lips are. Free-floating pornography is a legal liability, as is use of corporate e-mail that doesn’t accord with company messaging policy.
If the only truly secure computer is one that’s turned off, does it follow that the best protection for corporate systems is absolute isolation from the Internet?
I’ve often pondered a business-traffic-only lane on the information highway, one where users are restricted, registered, specifically identified and easily held accountable for misuse and abuse, a lane separate from the free-for-all.
Some miscreant, I’m sure, would find an on-ramp.