Homeland Virus Alerts – What Happened?

By | February 4, 2004

The big anti-virus vendors often stand accused (rightly) of exaggerating the danger and impact of viruses; Not surprising they do that, they make money out of protecting people from viruses. But why would the U.S. government do it?

Here’s a great piece by Mary Landesman of about.com complaining about US CERT, a newly formed partnership between the U.S. Department of Homeland Security’s National Cyber Security Division and the CERT Coordination Center (CERT/CC) run by Carnegie Mellon University. After quoting their blurb — “We have taken great care to be accurate, fair, and honest about the security risks you face, and we feel a tremendous professional obligation to bring you the best, most trustworthy advice we can to help you protect your systems” — she then quotes their first alert (TA04-028A), which was sent out twice: “MyDoom.B Rapidly Spreading”.

Er, no. MyDoom.A — the original version — was big, . MyDoom.B, in her words, is “barely a blip on the radar”. Here’s the data so far:

  • Sophos: er, one copy.
  • Messagelabs: er, 7 copies.
  • Trend Micro: er, 1 copy.

You get the idea. MyDoom.A was big. MyDoom.B is not. So what went wrong? Well it’s early days, so perhaps we can put it down to teething troubles. But it’s not that simple. What I find a bit disturbing is that US-CERT, it appears, have not so much corrected their error as pretended it never happened. The original, incorrect, alerts can only be found on other sites (Google search) but only an ‘updated’ version (without the ‘rapidly spreading’ bit) can be found on US-CERT. Good that they’ve realised their error, but they don’t seem to be acknowledging it: The revision history for this report refers only to a version on Feb 2 that “Updated hosts file and www.microsoft.com information, changed heading formats”.  Nothing about “removing misleading and horribly incorrect information about spread of virus”. From where I’m sitting (and I may be wrong here), this looks like someone has tried to forget the original reports ever existed.

There are, quite obviously, a few problems with this. What happens to all those folk who have acted on the original reports? I can see it posted at more than 300 sites, where presumably people are cowering under their desks, switching off computers, and wearing gas-masks. How are these people going to know the original report was wrong if you pretend it never existed?

It’s all about credibility. Commercial anti-virus firms do a good job of analysing viruses and a slightly less good job of quickly updating your software so you don’t get infected. They also try to give an accurate idea of how far and how fast the virus is spreading. But do we believe them when they put out press releases saying how much damage viruses cost? Not usually, because we know these folk make money based on how big the problem is. The whole point of something like US-CERT is to bring some impartialitiy to the scene. But that’s not going to work if a) the original reports are horribly wrong and b) if the error is compounded by not ‘fessing up to the error and letting people know what you’ve corrected.

I’ve sought clarification from US-CERT.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.