Slashdot Mirror
Virus Cost Estimate For 2001 Tops $10 Billion
Snootch writes: "CNN has a story on the costs of virii - they're absolutely collossal, and remember that the $10 billion figure is just *so far this year*...scary. The article gives a pretty good breakdown by virus, and while it says little else that the average /. reader won't know by now, it's an interesting read all the same. To quote Red Dwarf's Kryten, 'Smug Mode,' but I note that every single one mentioned in the article, bar one (Code Red), was a client-side Outlook virus ..."
"My other thought was this: Considering that according to the article, nearly half the money was spent cleaning infected systems out, then the virus-checker industry, and therefore the implications of Symantec's recent patent, are even bigger than I realised ... *gulp*" Of course, estimates like these are often made by people with vested interests in the effect such numbers have, and there are a lot of costs that are very tough to estimate accurately -- like sysadmin time.
I work in the Network Operations Center at one type of mission critical facility and most of our servers are Linux and Unix variants while these were fine we were still hit w/ code red (all the win2k desktops) bogged down everything our DNS servers were getting around 10,000 hits/hr (a lot for our internal servers) and all the extra traffic (probing for other IIS boxes) brought stuff down cause nothing could communicate over the network for about 12 min we pulled the plug on router that connects everything to the servers so that the servers could still communicate that started patching machines we lost about 12 min of productivity and another day of patching desktops. Luckily it happened around 8:00PM right as I was getting ready to leave so I was right they to pull the plug to separate the networks and than we called people in and started patching the win2k boxes
This must be Thursday, I never could get the hang of Thursdays.
Considering Code Red's favorite food, that's pretty much a clean sweep for Microsoft, isn't it?
I guess they do bring something to the total user experience that you can't get from anyone else.
Gotta run. A whole bunch of people hae sent me files they need my advice on.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
My feeling is that most of these are Microsoft-based worms because that is the most popular platform. (And perhaps the users are less concerned about computers than we are.) There have been plenty of exploitable holes in pine, for instance; it's just that not enough people use the same version of pine for a successful worm to be built around it.
I think perhaps this is an argument for diversity more than it is an argument against Microsoft.
I'm inclined to believe that the figure of $10 billion is little more than a wild guess. But since we're spending time trying to put a price on lost time and data, I have a different question along the same general lines:
Disregarding viral infections, how much money does American business lose annually to Windows crashing?
Schwab
Editor, A1-AAA AmeriCaptions
I'm not going to say viruses don't cost money....
But I have little faith on the 'loss valuations' put forth like this.
If I have to disinfect all 50 computers in here over the course of a year, I'm not going to claim my company 'lost' any money, even though my time IS worth money. I would have been here, and been paid, regardless of the virus being here or not.
The same goes for cost valuations done because of website defacements 'cracking' etc.... they are rarely rooted in reality, but instead rooted in a numbers game to make it seem worse than it is.
Geez, you would think that on /. people would know that Sircam was not Outlook specific. I had a friend (who is rather computer illiterate) who doesn't even use outlook and stilll managed to spread the virus. Sircam doesnt just use the outlook address book for viruses, it looks through your temporary internet files for anything it seems like an email address (this is the reason why Tacoboy would whine like a sissyboy about the gigs of email he was gettign from sircam). Sircam require outlook to propogate, it had its own internal SMTp engine. Sircam was not outlook specific, merely windows specific. And i am sure that it would be really easy to make a port to linux (but i could be mistaken since i know jackshit about programming or unix). The true innovation of the sircam virus was its social engineering aspect. People are always curious to open documents, even if they know that it wasnt meant to be sent to them.
Hello? SirCam? It's an executable. It's mentioned in the article. It's a Windows executable, but it will happily infect people running Eudora on Windows, supposing of course that they are dumb.
It is another victory for the guys at Redmond, of course.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
What looks better to Joe Consumer:
1. "New and Improved Security makes sure that port scanners are unlikely to determine services running on your system, thereby helping the internet work faster for most people"
or
2. "Fancy new Paperclip tells you funny jokes!"
The second will get them more sales a lot faster than the first.
I demand a million helicopters and a DOLLAR!
...have one reason and one reason only. Those in the appropriate industries like to have a lot of attention to these overblown cost estimates, so that the next time they're lobbying Congress for some law that will hand over more and more power over individual conputer users to "responsible" corporations, Congress will see the huge cost of not passing the legislation, and bang, we've got the next DMCA, or individual-restricting "internet security" law, or whatever.
I agree that viruses cost money. Time, productivity, equipment, and work is all lost when a virus hits your system. There are real losses. But these gigantic estimates that keep coming up -- Bullshit. They're estimates made by pegging every conceivable factor to one end of the scale. Have a security person on staff? Estimate that 100% of the cost of keeping that person on staff is due to "viruses," and add it into your cost estimate. Hell, I'm sure that they add in 100% of the time employees spend by the water cooler during a virus infection. "They can't work because there's a virus on their computer!" Of course, this assumes that when there is no virus, employees spend 0 time by the water cooler.
These estimates are probably less bullshit than the estimates that the RIAA, MPAA, BSA, and AAP come up with due to losses from piracy. I saw one in the paper, where you would have to assume that every illegal MP3 downloaded from the internet would have to then be passed on to 10 other people who would have definitely bought the CD, but did not because they received the free MP3. Obviously, a completely bullshit estimate, but there it is, Congress sees it, and no responsible person can then argue that we don't need laws to stop this economic hemorrhaging.
Note: I have no actual evidence to back up my conspiracy theory. But I do believe beyond a doubt that the cost estimates we read for these things are hugely overblown, and you do have to admit that such overestimating such cost estimates could potentially benefit those trying to provide positive spin for DMCA-like corporate-graft legislation.
-Rob
vymths.com typically has debunkings of numbers like this.
It's definitely recommended reading for any geek. The introductory section is here.
I don't buy these numbers. These exorbitant figures are created from generous estimates of downtime, repair costs, and so forth. In addition, they take into consideration elements only tangentially related; I think that anybody with their Michael Shermer hat on can tell that a more serious inquiry than this is required.
(But, then again, this would be good fodder for anti-Microsoft arguments. Now how ethically responsible would that be?)
These damage numbers are like the damages claimed in the "Hacker Crackdown" - somebody cracks into the phone company, copies one document, and gets nabbed for 'damages' to the tune of $80,000 - it later turns out that that figure included:
1. A technical writer had been hired to research and write the E911 Document. 200 hours of work, at $35 an hour, cost : $7,000. A Project Manager had overseen the technical writer. 200 hours, at $31 an hour, made: $6,200.
2. A week of typing had cost $721 dollars. A week of formatting had cost $721. A week of graphics formatting had cost $742.
3. Two days of editing cost $367. `
4. A box of order labels cost five dollars.
5. Preparing a purchase order for the Document, including typing and the obtaining of an authorizing signature from within the BellSouth bureaucracy, cost $129.
6. Printing cost $313. Mailing the Document to fifty people took fifty hours by a clerk, and cost $858.
7. Placing the Document in an index took two clerks an hour each, totalling $43.
Bureaucratic overhead alone, therefore, was alleged to have cost a whopping $17,099. According to Mr. Megahee, the typing of a twelve- page document had taken a full week. Writing it had taken five weeks, including an overseer who apparently did nothing else but watch the author for five weeks. Editing twelve pages had taken two days. Printing and mailing an electronic document (which was already available on the Southern Bell Data Network to any telco employee who needed it), had cost over a thousand dollars.
But this was just the beginning. There were also the hardware expenses. Eight hundred fifty dollars for a VT220 computer monitor. Thirty-one thousand dollars for a sophisticated VAXstation II computer. Six thousand dollars for a computer printer. Twenty-two thousand dollars for a copy of "Interleaf" software. Two thousand five hundred dollars for VMS software. All this to create the twelve-page Document.
So using the same rule, you can see these adjusters running around asking, "Was this PC infected by a virus last year?", "yes", "Ok, that's one $2000 PC and one $100 Outlook License, plus one hour labor, lets see, that comes to $2220 lost productivity, NEXT!".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
It's rather interesting watching slashbots make smug comments about "Microsoft worms" and "Outlook viruses" when the two most damaging worms that have occured this year could have appeared on any platform.
Code Red
The Code Red worm is a typical worm that exploits a buffer overflow just like the Morris Internet Worm and the Ramen worm before it. Either of the aformentioned worms could have done what code red did once they had 0wn3d the boxen, they just happened not to.
Heck, I've toyed with writing a proof of concept *nix verison of Code Red using wu-ftp vulnerabilities, rpc.statd vulnerabilities, telnetd vulnerabilities, sendmail vulnerabilities and even BIND vulnerabilities. Of course, I haven't gone much further than deciding what exploits to use and glancing at some source since I'm busy with school at the moment and more importantly I don't want to go to jail.
Sircam
The Sircam worm spread either through social engineering or across unprotected network shares. Neither of these requires Outlook. It didn't grab addresses out of the address book and instead grabbed them from the user's web cache. Sircam also didn't use the client mailer to mail itself out but instead included it's own mail program.
Thus all Sircam needed to spread was clueless users. This only thing Microsoft-y about this worm is that it ran on Windows.
All the above said, it is truly sad that on almost all popular platforms we are stil dealing with a 30 year old security problem whose causes and solutions have been known from probably before a sizable number of the slashdot population was born.
Even more ridiculously I am forced to do engineering work on a 64 MB Win 98 machine. When I tried to at least get more memory for the machine I was told that I didn't qualify: Engineers were considered in the same category as secretaries as far as their computer usage.
If it weren't for the (personally owned) Linux box I keep on my desk I couldn't get much useful work done.
The people who do the actual work at NASA are the sharpest group of people I've ever had the pleasure of working around - but like most places the upper management has more than its fair share of 'clueless techno ignorants' making decisions.
At least our computers are behind a firewall - so they don't get hacked all the time - but there are enough technically unsophisticated people (managers, secretaries etc.) on computers that viruses remain a problem.
All of these articles that I have been reading lately discuss Code Red and Code Red II in the past tense. Its still out there folks and its still attacking systems. I just ran a scan of my log file for one of my systems and the following IPs attempted to attack the webserver (which is running Linux/Apache and doing just fine):
216.175.70.25 which attacked at 31/Aug/2001:04:16:29 PST
61.129.37.165 which attacked at 31/Aug/2001:10:47:55 PST
216.254.153.209 which attacked at 31/Aug/2001:13:58:40 PST
62.110.109.5 which attacked at 31/Aug/2001:14:01:40 PST
216.75.67.200 which attacked at 31/Aug/2001:14:25:52 PST
216.210.235.68 which attacked at 31/Aug/2001:14:32:04 PST
216.254.2.43 which attacked at 31/Aug/2001:19:13:21 PST
195.128.198.2 which attacked at 31/Aug/2001:20:40:38 PST
200.204.61.28 which attacked at 31/Aug/2001:21:09:45 PST
ip244.54.136.216.in-addr.arpa which attacked at 31/Aug/2001:22:30:24 PST
209.88.144.24 which attacked at 31/Aug/2001:22:52:19 PST
209.88.144.24 which attacked at 31/Aug/2001:22:53:36 PST
216.72.50.157 which attacked at 31/Aug/2001:22:54:32 PST
61.175.90.219 which attacked at 01/Sep/2001:01:18:38 PST
24.176.223.88 which attacked at 01/Sep/2001:01:25:49 PST
216.224.75.34 which attacked at 01/Sep/2001:01:49:07 PST
212.38.187.178 which attacked at 01/Sep/2001:02:45:22 PST
Now the number of attacks goes down on the weekenend and up during the week, which suggests that most of these addresses (if not all of them) are simply DHCP desktop boxes run by morons who are too stupid to download and install a patch that has been widely mentioned in the news. But the fact remains that this worm is out there and active on a ton of systems and should *not* be spoken of in the past tense.
Just my 0.45 Cents Canadian...
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
I won't be a judge of whether the $10 Billion is an accurate figure. Consider what wold happen if damages was awarded to MS victims? (excluding punitive damages):
Some Microsoft figures:
Annual Sales: $25 billion
Annual earnings before taxes: $11 billion
Profit: 7.7 Billion
This shows us that MS contributed approximately 0 dollars to the economy. That's what I call a well put together scam. If punitive damages were awarded, MS would soon be history, and Billy Boy would move from his mansion to some shelter.
While the lottery is a tax on the mathematically challenged, MS is a tax on the computer illiterati.
-- Another senseless waste of fine bytes.
Exactly. The latest Microsoft Internet Explorer "service pack" DISABLED another company's software (QuickTime). This kind of sneakiness makes upgrading impossible for the average user. You must be technically knowledgeable and well-informed to defend yourself against this kind of behavior.
Bush's education improvements were