I interrupted the employee. "Sir, you have it completely wrong. That virus doesn't exist. It's the latest hoax."
"Oh, no," the employee replied. "We've got e-mail reports from our sales headquarters telling us to keep our eyes open for it."
To which I countered, "Some upper-tier sales manager has been duped and is telling you BS. McAfee Associates and others have issued public statements dismissing that virus as a hoax. What you've described simply cannot be done by any virus. Period."
I then turned my attention to the customer. "Stop listening to this guy. You don't have this magical virus he's describing because it simply doesn't exist. You have some other problem with your video monitor."
What credentials did this salesman hold in the field of computer viruses? He may have flipped hamburgers at a McDonald's restaurant two weeks earlier for all we know. Right now he sells merchandise at a computer store -- does this qualify him to give advice about computer viruses?
Most people who claim to speak with authority about computer viruses have little or no genuine expertise. Some virus experts describe it as "False Authority Syndrome" -- the person feels competent to discuss viruses because of his job title, or because of his expertise in another computer field, or simply because he knows how to use a computer.
I want you to question the credentials of anybody who talks about computer viruses. Indeed, I want you to question my credentials in this field!
The U.S. Air Force highlights the concept of False Authority Syndrome in Tongue & Quill, their official publication on effective writing:
"Nonexpert opinion or assumed authority -- Don't be swayed (or try to sway someone else) based on the opinion of an unqualified authority. The Air Force is chock-full of people who, because of their position or authority in one field, are quoted on subjects in other fields for which they have limited or no experience."
In a word... ultracrepidarian: (n., adj.) a person who gives opinions beyond his scope of knowledge.
Computer salesmen, consultants, repairmen, and college computer teachers often succumb to False Authority Syndrome. In many cases a person's job title sounds impressive, but his or her job description at most may only include references to vague "computer security" duties.
Network administrators typically fall into this category. Most hold the title of "company virus expert" simply because their job description includes network security. They may have no real education in computer security, but their experience in the field of computer networking gives them confidence when talking about the unrelated field of computer viruses.
People who suffer from False Authority Syndrome too often assert conclusions from insufficient data and they habitually label their assumptions as fact. Quoting again from Tongue & Quill:
"We jump to conclusions from too little evidence; we rely too much on 'samples of one' (our own experience); something happens twice the same way and we assume the ability to forecast... Unfortunately, our natural desire is to make positive, solid statements, and this desire encourages the asserted conclusion."
Consider the case of Gary L. Allen. Writing in a letter to Computerworld, he offered his analysis of 1992's worldwide Michelangelo virus scare. Allen listed his virus-fighting credentials: "I am an MIS manager, and we found Michelangelo on disks distributed by one of our software vendors, and it never made it into our local-area network."
Allen went on to say: "If we had not been prompted [by the media] to scan [for the Michelangelo virus]... it surely would have made it onto the network hard drives and from there who knows where."
This network administrator checked for a virus because the press told him to do so!
Shocked by his statement (and trying to regain control of the lecture), I asked what would happen if fire swept through the firm's building. No sweat: they kept backups off-site and had purchased contingency contracts for just such emergencies. I responded, "Well, there you go. If a virus ever gets on your computers, burn your building to the ground and your problem is solved!"
The audience laughed -- but I fumed. I would fire this man on the spot if he worked for my company! I don't want anyone on my payroll who would instantly put everyone out of work due to his own pompous ignorance.
Computer security personnel at Scott Air Force Base, Illinois attended a job-related course in early 1995. The course included a special handout: Russell & Gangemi's Computer Security Basics, a book last updated in 1992. Computer books typically have short lifespans: many will disappear from store shelves within a year. But Computer Security Basics serves as an industry reference and you could still find it at Waldenbooks stores in mid-1996.
This contradiction sounds minor on the surface; in reality it perpetuates a common virus myth. Specifically, it helps fuel a myth among computer security personnel. Russell & Gangemi also refer readers to the "Computer Virus Industry Association," an organization widely dismissed before the book's first publication as a publicity front for antivirus mogul John McAfee.
Wolfgang Stiller, an internationally recognized virus expert and author of the "Integrity Master" antivirus program, says "computer security experts today -- people who deserve that title -- tend to have a good background on how viruses operate. They can dispense some good advice." But he chooses his words carefully when asked to comment on virus expertise among computer security personnel.
"They're a little more likely than the average person to understand viruses," Stiller notes. "Some would say they're a lot more likely to understand them, but I've met a fair number who don't know a thing about viruses, or, even worse, they've got misconceptions. In light of the fact they are computer security experts, their misconceptions carry a lot more weight than the average person. Errors are much more damaging when they come out of the mouths of these people."
Stiller sums up False Authority Syndrome among computer security experts: "Put me on a panel with a computer security person, and I won't claim to have his level of security expertise. But the computer security guy will invariably claim to have my level of virus expertise. How can you convince the audience in a diplomatic way that he doesn't?"
(Stiller offers an interesting analogy: he wonders about the policemen who vouch on TV for The Club®. Do the officers specialize in car-theft investigations -- or do they write traffic tickets?)
"Thinking the problem was a virus, the tech[nician] tried a number of virus scanners, all negative. He then tried to reformat the hard disk... He claimed that the [hard disk] was ruined, and that a virus had done it."
In a nutshell, the repairman used two or more programs to detect viruses on the laptop. None of these programs found a virus. The repairman then tried to reformat the laptop hard disk -- but the attempt failed. So he claimed a virus physically destroyed Parker's hard disk.
Genuine experts on CompuServe dismissed the repairman's conclusion. Parker now wonders if the repairman made up the story. Did he feel compelled to give his customer an important-sounding excuse for why the drive failed?
Parker got off easy: his hard disk failed during the laptop's warranty period. But his experience raises important questions. How many repairmen incorrectly told customers to fork over money because they claimed "a virus physically destroyed the computer"? How many computer users believed it?
"I have personally had two contacts with viruses in 15 years of working with computers. The first encounter caught me completely off-guard. I was prepared for the second."
Mayer wrote the story from the perspective of a regular user. He believes the magazine picked him to write it because of his first-hand user experience with viruses. And to his credit, Mayer consulted with a genuine virus expert while writing the article.
Syndrome vs. the
And there you have it: panic is justified if you think your computer might have a virus. So says a nationally recognized computer salesman.
Even "computer-literate" mainstream reporters commit serious blunders when they write stories about viruses. Numerous reporters logged onto CompuServe, GEnie, Prodigy, and America Online during the Michelangelo scare and posted messages to "all." Each message asked the same question: "Want to be interviewed for a story on the Michelangelo virus?"
These reporters didn't search for experts -- they went on a "cattle call" for frightened computer users. One USA Today reporter, expecting an avalanche of calls, asked people not to tie up his phone unless they actually got hurt by the Michelangelo virus on its upcoming March 6 trigger date.
Consider the tragic accident where actor Christopher Reeve broke his neck. The mainstream media quickly turned to spinal-injury specialists for comment. Why didn't they ask a podiatrist if Reeve will ever walk again?
Podiatrists can diagnose walking disorders and they easily outnumber spinal-injury specialists. But a podiatrist offers the wrong expertise in Christopher Reeve's case. The press recognizes this difference. Change the topic to computer viruses -- now they'll quote almost anybody with a job in the computer industry.
Newspaper reporters talk to these people to get details (and quotes) for a story. This means the press feeds information to virus pseudo-experts, who gladly regurgitate it for other reporters, who write more stories about viruses, which other pseudo-experts read... thus creating an endless circle of misinformation and a never-ending supply of "instant experts."
This same survey concluded with a sad statistic: it estimates two-thirds of employees tasked with computer security duties have inadequate knowledge about computer viruses.
Jeff Duntemann, editor of Visual Developer magazine, likens this trend to what he calls the Green Paint Factor. "If you want to extol the virtues of a can of green paint, and the best you can say is that it's green -- well, it's probably not good paint." If you want to quote Ed Foster about computer viruses, and the best you can say is that he edits a weekly computer publication...
Duntemann continues: "The job of a computer magazine editor [or reporter] is to know a little about a lot in the computer field. He has a considerable breadth of knowledge but not a serious depth of knowledge, except perhaps in a couple of very narrow specialties."
Why, then, does the mainstream media quote people in the computer press? Duntemann believes computer-industry reporters (and editors in particular) can speak and write well. "If you can turn a good phrase about a subject, whether or not you know anything at all about it, then you have a good chance of being labeled an expert," he notes. "Especially by people who know nothing at all about that subject."
"Marcello," a typical user who took a hoax for real, posted a message on CompuServe warning users not to read any messages with "Good Times" in the subject line (lest they contract the so-called Good Times virus). Ironically, Marcello used the words "Good Times" in the subject line of his own warning message!
False Authority Syndrome contributes significantly to the spread of fear & myths about computer viruses. Many pseudo-experts tell users to erect defensive barriers where viruses seldom attack, often leaving typical lines of attack exposed.
Widespread myths & misinformation also convince people to fear safe methods of computing and to put their trust in less-safe methods. In her 1993 book Rx PC: The Anti-Virus Handbook, Janet Endrijonas claims "approximately 70 percent of all viruses are boot sector viruses." Wolfgang Stiller and other experts ventured estimates above 90% as late as 1996.
In his book Inside the Norton Antivirus, Peter Norton dismisses the myth about the dangers of downloaded software. "Bulletin boards do more to spread the awareness of viruses [emphasis added]... The primary method of communication concerning viruses is through BBSes [sic]." Robert Slade, writing in his book Guide to Computer Viruses, goes even further:
"If I had to choose one viral myth that contributed most to the unchecked spread of [viruses] that exists today, it would be that of the 'safety' of commercial software... The feeling of false security relies on three assumptions: (1) that [software downloaded from BBSs] is a major viral vector, (2) that commercial software is never infected... (3) that there are no viral vectors other than software."
Ross Greenberg earned international fame as one of the pioneers in IBM PC antivirus software. He went into semi-retirement in his mid-30s. Greenberg continues to lecture about viruses, wrapping up with a simple analysis of how he made his fortune: "I'd still be slaving away at a desk for another 25 years if people backed up [their computer data] and kept a cool head."