Virus Cost Estimate For 2001 Tops $10 Billion
Snootch writes: "CNN has a story on the costs of virii - they're absolutely colossal, and remember that the $10 billion figure is just *so far this year*...scary. The article gives a pretty good breakdown by virus, and while it says little else that the average /. reader won't know by now, it's an interesting read all the same. To quote Red Dwarf's Kryten, 'Smug Mode,' but I note that every single one mentioned in the article, bar one (Code Red), was a client-side Outlook virus ..."
"My other thought was this: Considering that according to the article, nearly half the money was spent cleaning infected systems out, then the virus-checker industry, and therefore the implications of Symantec's recent patent, are even bigger than I realised ... *gulp*" Of course, estimates like these are often made by people with vested interests in the effect such numbers have, and there are a lot of costs that are very tough to estimate accurately -- like sysadmin time.
Considering Code Red's favorite food, that's pretty much a clean sweep for Microsoft, isn't it?
I guess they do bring something to the total user experience that you can't get from anyone else.
Gotta run. A whole bunch of people have sent me files they need my advice on.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
What looks better to Joe Consumer:
1. "New and Improved Security makes sure that port scanners are unlikely to determine services running on your system, thereby helping the internet work faster for most people"
or
2. "Fancy new Paperclip tells you funny jokes!"
The second will get them more sales a lot faster than the first.
I demand a million helicopters and a DOLLAR!
...have one reason and one reason only. Those in the appropriate industries like to have a lot of attention to these overblown cost estimates, so that the next time they're lobbying Congress for some law that will hand over more and more power over individual computer users to "responsible" corporations, Congress will see the huge cost of not passing the legislation, and bang, we've got the next DMCA, or individual-restricting "internet security" law, or whatever.
I agree that viruses cost money. Time, productivity, equipment, and work are all lost when a virus hits your system. There are real losses. But these gigantic estimates that keep coming up -- Bullshit. They're estimates made by pegging every conceivable factor to one end of the scale. Have a security person on staff? Estimate that 100% of the cost of keeping that person on staff is due to "viruses," and add it into your cost estimate. Hell, I'm sure that they add in 100% of the time employees spend by the water cooler during a virus infection. "They can't work because there's a virus on their computer!" Of course, this assumes that when there is no virus, employees spend 0 time by the water cooler.
These estimates are probably less bullshit than the estimates that the RIAA, MPAA, BSA, and AAP come up with due to losses from piracy. I saw one in the paper, where you would have to assume that every illegal MP3 downloaded from the internet would have to then be passed on to 10 other people who would have definitely bought the CD, but did not because they received the free MP3. Obviously, a completely bullshit estimate, but there it is, Congress sees it, and no responsible person can then argue that we don't need laws to stop this economic hemorrhaging.
Note: I have no actual evidence to back up my conspiracy theory. But I do believe beyond a doubt that the cost estimates we read for these things are hugely overblown, and you do have to admit that overestimating such cost estimates could potentially benefit those trying to provide positive spin for DMCA-like corporate-graft legislation.
-Rob
I think perhaps this is an argument for diversity more than it is an argument against Microsoft.
From my point of view, an argument for diversity is an argument against Microsoft. My beef with Microsoft is not that I don't like their stuff -- it's that I can't choose to use something else and have the pleasure of completely ignoring them. People still send me attachments in Word format, or require that presentations be in PowerPoint format. Web extensions still work on Windows only. I can freely ignore the Mac in everything I do. Windows users can freely ignore Linux in everything they do. But nobody can completely ignore Microsoft, simply because it's so prevalent.
And, to the topic at hand, that includes viruses. I know of servers running sendmail on a Unix box that had to go out of their way to delete SirCam messages from users' mailboxes, because they were huge and filling up the space available. This happens because most of the E-mail sending world is using Microsoft products.
Although the vindictive part of me would love to see Microsoft wither and die, in reality that's not what I want. What I want is for them to no longer be a monopoly or a near-monopoly. I want file formats and communications protocols to be open standards, so that anybody can develop software (proprietary or not) that will let users communicate with other users, each using whatever the hell he wants. And, then, yes, I want it so that no single virus or security hole can so easily affect 90% of the internet all at once.
All of this diversity is at the moment squelched by Microsoft. An argument for diversity is the strongest, and most important, argument against Microsoft as it exists today. The cost of viruses is only the most obvious and urgent manifestation of this. There are more severe long-term costs of a monopoly on something so basic as computer infrastructure.
-Rob
It's rather interesting watching slashbots make smug comments about "Microsoft worms" and "Outlook viruses" when the two most damaging worms that have occurred this year could have appeared on any platform.
Code Red
The Code Red worm is a typical worm that exploits a buffer overflow just like the Morris Internet Worm and the Ramen worm before it. Either of the aforementioned worms could have done what Code Red did once they had 0wn3d the boxen, they just happened not to.
Heck, I've toyed with writing a proof of concept *nix version of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities. Of course, I haven't gone much further than deciding what exploits to use and glancing at some source since I'm busy with school at the moment and more importantly I don't want to go to jail.
Sircam
The Sircam worm spread either through social engineering or across unprotected network shares. Neither of these requires Outlook. It didn't grab addresses out of the address book and instead grabbed them from the user's web cache. Sircam also didn't use the client mailer to mail itself out but instead included its own mail program.
Thus all Sircam needed to spread was clueless users. The only thing Microsoft-y about this worm is that it ran on Windows.
All the above said, it is truly sad that on almost all popular platforms we are still dealing with a 30 year old security problem whose causes and solutions have been known from probably before a sizable number of the slashdot population was born.
Even more ridiculously I am forced to do engineering work on a 64 MB Win 98 machine. When I tried to at least get more memory for the machine I was told that I didn't qualify: Engineers were considered in the same category as secretaries as far as their computer usage.
If it weren't for the (personally owned) Linux box I keep on my desk I couldn't get much useful work done.
The people who do the actual work at NASA are the sharpest group of people I've ever had the pleasure of working around - but like most places the upper management has more than its fair share of 'clueless techno ignorants' making decisions.
At least our computers are behind a firewall - so they don't get hacked all the time - but there are enough technically unsophisticated people (managers, secretaries etc.) on computers that viruses remain a problem.
Is the patch you mention really a "security patch" or is it a "service pack" or is it "an upgrade"???
Perhaps the "morons" are a little ticked off at "security patches" that also include a bunch of other stuff that has no business being in a "security patch"
"security patch = security patch"
"security patch != service pack"
"security patch != update"
Maybe we have discovered a significant (albeit minor) explanation why Joe User has not bothered to keep up with all the latest "security patches" because they are not security patches. Instead the security patch is bundled with other stuff creating a "non-security patch"
I believe Juanita
Exactly. The latest Microsoft Internet Explorer "service pack" DISABLED another company's software (QuickTime). This kind of sneakiness makes upgrading impossible for the average user. You must be technically knowledgeable and well-informed to defend yourself against this kind of behavior.
Bush's education improvements were