Slashdot Mirror


Virus Cost Estimate For 2001 Tops $10 Billion

Snootch writes: "CNN has a story on the costs of virii - they're absolutely colossal, and remember that the $10 billion figure is just *so far this year*...scary. The article gives a pretty good breakdown by virus, and while it says little else that the average /. reader won't know by now, it's an interesting read all the same. To quote Red Dwarf's Kryten, 'Smug Mode,' but I note that every single one mentioned in the article, bar one (Code Red), was a client-side Outlook virus ..."

"My other thought was this: Considering that according to the article, nearly half the money was spent cleaning infected systems out, then the virus-checker industry, and therefore the implications of Symantec's recent patent, are even bigger than I realised ... *gulp*" Of course, estimates like these are often made by people with vested interests in the effect such numbers have, and there are a lot of costs that are very tough to estimate accurately -- like sysadmin time.

15 of 239 comments

  1. So we're talking either Microsoft or Microsoft? by unitron · · Score: 5, Insightful
    "...every single one mentioned in the article, bar one (Code Red), was a client-side Outlook virus..."

    Considering Code Red's favorite food, that's pretty much a clean sweep for Microsoft, isn't it?

    I guess they do bring something to the total user experience that you can't get from anyone else.

    Gotta run. A whole bunch of people have sent me files they need my advice on.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  2. 10 bill? yeah *right* by seizer · · Score: 2, Insightful

    Lost productivity includes time spent by system users and support and helpdesk staff on virus issues that takes them away from their regular responsibilities

    This sentence should read "arbitrary figure made up to inflate costs of viruses". What the hell are "regular responsibilities" if they don't include helping users get rid of viruses? We all know that viruses are annoying, cost a little bit of money, etc etc - but even if each and every computer ever affected by a virus this year was attended by a tech charging 50 bucks an hour (and who needs an hour to get rid of sircam?!), we're looking at a 3 billion dollar bill. Not 10 billion.

    It's yet another hype article. Bring in a story queue which we can moderate, like Kuro5hin, because the newsworthy to nonsense ratio is worsening all the time.

    btw, the plural of viruses is... well, I just wrote it. Look at the Latin root of "virus" and you'll understand. Or just google for "virii" (34k hits) vs "viruses" (1.4m hits). Nuff said.

  3. Re:Let me be the first to tell the truth, here... by taliver · · Score: 3, Insightful
    However, there is a reason for this: there is no money in selling security to the average buyer.


    What looks better to Joe Consumer:


    1. "New and Improved Security makes sure that port scanners are unlikely to determine services running on your system, thereby helping the internet work faster for most people"


    or


    2. "Fancy new Paperclip tells you funny jokes!"



    The second will get them more sales a lot faster than the first.

    --

    I demand a million helicopters and a DOLLAR!

  4. Overblown cost estimates... by rknop · · Score: 4, Insightful

    ...have one reason and one reason only. Those in the appropriate industries like to have a lot of attention to these overblown cost estimates, so that the next time they're lobbying Congress for some law that will hand over more and more power over individual computer users to "responsible" corporations, Congress will see the huge cost of not passing the legislation, and bang, we've got the next DMCA, or individual-restricting "internet security" law, or whatever.

    I agree that viruses cost money. Time, productivity, equipment, and work are all lost when a virus hits your system. There are real losses. But these gigantic estimates that keep coming up -- Bullshit. They're estimates made by pegging every conceivable factor to one end of the scale. Have a security person on staff? Estimate that 100% of the cost of keeping that person on staff is due to "viruses," and add it into your cost estimate. Hell, I'm sure that they add in 100% of the time employees spend by the water cooler during a virus infection. "They can't work because there's a virus on their computer!" Of course, this assumes that when there is no virus, employees spend 0 time by the water cooler.

    These estimates are probably less bullshit than the estimates that the RIAA, MPAA, BSA, and AAP come up with due to losses from piracy. I saw one in the paper, where you would have to assume that every illegal MP3 downloaded from the internet would have to then be passed on to 10 other people who would have definitely bought the CD, but did not because they received the free MP3. Obviously, a completely bullshit estimate, but there it is, Congress sees it, and no responsible person can then argue that we don't need laws to stop this economic hemorrhaging.

    Note: I have no actual evidence to back up my conspiracy theory. But I do believe beyond a doubt that the cost estimates we read for these things are hugely overblown, and you do have to admit that overestimating such cost estimates could potentially benefit those trying to provide positive spin for DMCA-like corporate-graft legislation.

    -Rob

  5. Re:Smug Mode by rknop · · Score: 5, Insightful

    I think perhaps this is an argument for diversity more than it is an argument against Microsoft.

    From my point of view, an argument for diversity is an argument against Microsoft. My beef with Microsoft is not that I don't like their stuff -- it's that I can't choose to use something else and have the pleasure of completely ignoring them. People still send me attachments in Word format, or require that presentations be in PowerPoint format. Web extensions still work on Windows only. I can freely ignore the Mac in everything I do. Windows users can freely ignore Linux in everything they do. But nobody can completely ignore Microsoft, simply because it's so prevalent.

    And, to the topic at hand, that includes viruses. I know of servers running sendmail on a Unix box that had to go out of their way to delete SirCam messages from users' mailboxes, because they were huge and filling up the space available. This happens because most of the E-mail sending world is using Microsoft products.

    Although the vindictive part of me would love to see Microsoft wither and die, in reality that's not what I want. What I want is for them to no longer be a monopoly or a near-monopoly. I want file formats and communications protocols to be open standards, so that anybody can develop software (proprietary or not) that will let users communicate with other users, each using whatever the hell he wants. And, then, yes, I want it so that no single virus or security hole can so easily affect 90% of the internet all at once.

    All of this diversity is at the moment squelched by Microsoft. An argument for diversity is the strongest, and most important, argument against Microsoft as it exists today. The cost of viruses is only the most obvious and urgent manifestation of this. There are more severe long-term costs of a monopoly on something so basic as computer infrastructure.

    -Rob

  6. Forgetting History... by Carnage4Life · · Score: 5, Insightful

    It's rather interesting watching slashbots make smug comments about "Microsoft worms" and "Outlook viruses" when the two most damaging worms that have occurred this year could have appeared on any platform.

    Code Red
    The Code Red worm is a typical worm that exploits a buffer overflow just like the Morris Internet Worm and the Ramen worm before it. Either of the aforementioned worms could have done what Code Red did once they had 0wn3d the boxen, they just happened not to.

    Heck, I've toyed with writing a proof of concept *nix version of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities. Of course, I haven't gone much further than deciding what exploits to use and glancing at some source since I'm busy with school at the moment and more importantly I don't want to go to jail.

    Sircam
    The Sircam worm spread either through social engineering or across unprotected network shares. Neither of these requires Outlook. It didn't grab addresses out of the address book and instead grabbed them from the user's web cache. Sircam also didn't use the client mailer to mail itself out but instead included its own mail program.
    Thus all Sircam needed to spread was clueless users. The only thing Microsoft-y about this worm is that it ran on Windows.

    All the above said, it is truly sad that on almost all popular platforms we are still dealing with a 30 year old security problem whose causes and solutions have been known from probably before a sizable number of the slashdot population was born.

  7. Re:Sircam was not an outlook specific virus by thrig · · Score: 2, Insightful

    The problem here is that in Microsoft Office "opening a document" actually means "running an application," which is evil, twisted, and just plain wrong.

    UNIX would be rife with similar holes to Microsoft products if it used a wacky binary file format that random shell commands would be run from if you attempted to cat(1) the file...

  8. ambiguity by nilstar · · Score: 2, Insightful

    I hate these so called 'reports' that don't even care to share their methodology for determining costs. I mean, it said that clean up costs include "x, y, z" and lost productivity includes "a, b, c".... but what exactly was included, who did they interview and how did they come up with number of companies affected?? Also, does this include the cost of protecting computer systems (eg, with antivirus software) that don't get infected?

    --
    ===> An eye for an eye makes everyone blind - MG
  9. Disturbing article by bsdbigot · · Score: 2, Insightful

    First of all, I would like to know how these news stories keep coming up with monetary figures to represent mostly intangible concepts. Sure, there's a scientific way to go about it, but I know that I wasn't surveyed, so the results of such a process are at least flawed.

    Secondly, I have three distinct and conflicting views about virii. Mostly, I find them a nuisance and a pain in the ass to deal with. I also find them entertaining. It's like a great big joke, we get to watch M$ hang its ass in the wind - and we get to see M$'s fervent supporters run around like headless chickens for a while. I also find virii to be a necessary part of our daily electronic lives.

    That being said, the reason I find this article (and others like it) so disturbing is because we are seemingly paving the way for a whole new onslaught of legislation against computer virii. Let's be realistic: virii do -for free- what an entire industry fails to do with regularity - identify security holes. Almost 100% of the time, these holes are found in M$ products, which we all know are used by virtually every person in the online world. If virus writers didn't exploit these holes for their own entertainment, it would be much, much easier for malicious people to exploit these holes for their own gain and/or to the serious detriment of the victim.

    Based on that, the only news in this article is found between the lines.

    • Lots of people use highly-vulnerable Microsoft products
    • Lots of companies have underqualified people supporting Microsoft products
    • Procmail (on a *NIX, with any MTA) is a sysadmin's best friend
    --
    main(){char I,l,O[]={'-',1-1,0,(1<<5)-1,0+'-',-10-1,-10,11-0,- 1,-100};for(I=l=0;l<10+0;put
  10. Re:Mission critical by Veteran · · Score: 3, Insightful
    I do work at NASA, and sadly, they do use Outlook - run unpatched systems etc.

    Even more ridiculously I am forced to do engineering work on a 64 MB Win 98 machine. When I tried to at least get more memory for the machine I was told that I didn't qualify: Engineers were considered in the same category as secretaries as far as their computer usage.

    If it weren't for the (personally owned) Linux box I keep on my desk I couldn't get much useful work done.

    The people who do the actual work at NASA are the sharpest group of people I've ever had the pleasure of working around - but like most places the upper management has more than its fair share of 'clueless techno ignorants' making decisions.

    At least our computers are behind a firewall - so they don't get hacked all the time - but there are enough technically unsophisticated people (managers, secretaries etc.) on computers that viruses remain a problem.

  11. Re:Code Red - Use the Present Tense please... by rm3friskerFTN · · Score: 3, Insightful
    "... morons who are too stupid to download and install a patch ..."

    Is the patch you mention really a "security patch" or is it a "service pack" or is it "an upgrade"???

    Perhaps the "morons" are a little ticked off at "security patches" that also include a bunch of other stuff that has no business being in a "security patch"

    "security patch = security patch"
    "security patch != service pack"
    "security patch != update"

    Maybe we have discovered a significant (albeit minor) explanation why Joe User has not bothered to keep up with all the latest "security patches" because they are not security patches. Instead the security patch is bundled with other stuff creating a "non-security patch"

    --

    I believe Juanita

  12. Re:10 billion fooey. by Grishnakh · · Score: 2, Insightful

    However, if your company didn't have to worry about viruses at all, they wouldn't have to waste money employing you to disinfect their computers. That's probably a good $100k saved. Viruses add overhead to IT budgets in the form of technicians needed to disinfect computers and clean up the mess.

  13. How much has Microsoft cost you today? by Anonymous Coward · · Score: 1, Insightful

    I wanna see new TCO figures with virus costs calculated in and then let's see if they even bother telling us about TCO anymore (wrt Linux, etc of course). Was one of their big arguments a few months ago, that TCO of MS products was actually lower than TCO of free software solutions. Haha.

  14. Microsoft service pack DISABLED competitor's... by Futurepower(tm) · · Score: 3, Insightful


    Exactly. The latest Microsoft Internet Explorer "service pack" DISABLED another company's software (QuickTime). This kind of sneakiness makes upgrading impossible for the average user. You must be technically knowledgeable and well-informed to defend yourself against this kind of behavior.

    --
    Bush's education improvements were
  15. Outlook worms don't use vulnerabilities at all by MillionthMonkey · · Score: 2, Insightful
    This is how an Outlook worm spreads:
    1. The worm arrives in an email, containing a vague subject and body written in questionable English, urging the recipient to open the attachment which contains an executable copy of the worm itself.
    2. Outlook, with Windows in its default setting, hides the executable nature of the attachment, by removing the real extension of the filename (in a typical MS attempt to make its OS "friendlier" by withholding as much critically vital information as possible from users). So "clickonme.gif.vbs" is shown to the user as "clickonme.gif".
    3. Once the user opens the attachment, Outlook executes the attachment in a method appropriate for the (hidden) extension.
    4. The worm code opens the address book and harvests a list of email addresses from it.
    5. The worm constructs a new email message, containing a vague subject and body written in questionable English, urging the recipient to open the attachment which contains an executable copy of the worm itself.
    6. The worm emails this message to all the target recipients.
    7. At this point the worm is free to execute whatever payload it contains, which might do nothing, delete files, install a back door, etc.


    At no point in this process does it rely on anything in Outlook that can be really called an "exploit", like a buffer overflow bug. Outlook itself is the exploit. The worm doesn't need to do anything that Microsoft hadn't planned for people to be able to do. There is only one step in this process that relies on human frailty. The rest of it is simple API calls to functionality that Bill and Co. decided to make available to executable email attachments. Outlook (anything that uses Microsoft's "Windows Scripting Host") is excellently designed to host worms and provide services to them as they infect a network.

    Windows does give you a warning when you are about to open something that has executable content in it (HTML with JavaScript, Excel documents with VBA scripts, etc.). Microsoft has seen fit to cram executable content into so many different file types that every single attachment you ever open from anybody gives you this warning. It's like the boy who cried wolf. But this is the extent of Microsoft's approach to security. It doesn't stretch much further than the "hey, do you want me to run this?" dialog box (if they even give you that). They just don't take security seriously at all.

    Now Microsoft is not full of stupid people. The decision to include executable content in emails must have raised alarm bells concerning security. They must have realized the vulnerable state they were putting everyone in. And how did they handle it? By reprogramming their OS and application suites to properly implement security and handle code from unknown sources with the appropriate level of caution? No, that would be too much work, and then people might complain that the security was getting in their way. So this is how they handle it: they put in a dozen lines of code that show you that little ubiquitous dialog box (unless you've checked "never show this dialog box again" on it before), and they extract a boolean from your confused and sorry ass. Then they branch there. If anything bad happens now, it's your fault.
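
The hidden-extension step in comment 15 (a file named "clickonme.gif.vbs" displayed as "clickonme.gif") is something a mail gateway can check before delivery. The following is an added example, not part of the original thread: Python that parses a message and flags attachments whose real final extension is a script or executable type, noting when it sits behind a harmless-looking one. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists for illustration; a real gateway would maintain its own.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "exe", "com",
                   "scr", "pif", "bat", "cmd", "lnk", "hta"}
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "txt", "doc", "xls", "pdf", "mp3"}


def classify_filename(name):
    """Return 'double-extension', 'executable' or 'ok' for one filename."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # With extensions hidden, clickonme.gif.vbs is shown as clickonme.gif.
    # Whitespace around the middle extension is tolerated.
    if len(parts) >= 3 and parts[-2].strip() in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every flagged attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Content-Disposition filename, falling back to Content-Type name.
        name = part.get_filename()
        if name:
            verdict = classify_filename(name)
            if verdict != "ok":
                findings.append((name, verdict))
    return findings


def build_sample():
    """Constructed test message with three harmless placeholder attachments."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for fn in ("clickonme.gif.vbs", "holiday.gif", "setup.exe"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()


if __name__ == "__main__":
    for filename, verdict in scan_message(build_sample()):
        print(f"{verdict}: {filename}")
```

The check looks only at the declared filename, so it addresses the display trick described in step 2 and nothing else about the message.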