p1@arkham.wimsey.bc.ca (Rob Slade) (03/12/91)
Recently, Stratford Software has started a new online information service called SUZY. (The service is active in Canada, and is in beta testing for users in the United States.) SUZY operates along lines similar to those of the Prodigy service and the PLC BBS network in that "vendor" supplied software must be used on both host and terminal; you cannot just dial up SUZY with your favourite communications package. This has allowed Stratford to market SUZY as the ultimate in "user friendly" services; the user does not need to know anything about protocols for connection, the "terminal" software deals with all network connections and everything from installation to email is done with a menu driven interface. (It is now even "rodent compatible.") (Lest I be seen as too enthusiastic here, I suspect everyone on this group would find the lack of functionality somewhat restrictive. Long time net users will demand features it can't yet provide, but it certainly is the kind of system that any "naive" user could access without difficulty.) I manage the data security/anti-viral topic area (referred to as an "Information Network", or "IN") called INtegrity. Any SUZY user can look at the information in the INs, but, as they "leave" the area, they are asked if they want to "join". This simply puts them on a mailing list that can be used to send announcements to the "members" of an IN. If they want to "join", they hit <ENTER>, if not, they hit <ESC>. Using figures from a month ago, the number of SUZY users who have joined INtegrity stood at 170. Some others will have dropped in and looked around, but deliberately left themselves off the list when they left the IN. (We "INkeepers" have no access to that information.) The number of accounts on SUZY a month ago at about 6000. However, research I have done indicates that less than 15% actually use the system more than once a month. Interestingly, this figure has remained unchanged since SUZY was released. That means that less than 900 accounts were "active" at the time. What does this mean to you, and to data security? It means that less than 3% of all, and 20% of *active* SUZY users care enough about data security to join the anti-virus IN. This is the *real* reason that computer viri are so widespread today: people do not realize the danger. Those of you who have studied viral characteristics, and virus protection and functions, will realize how easy it is to protect yourselves against most viri. But if the majority of users think they are safe, and do not take *any* precautions, then viri have a fertile breeding ground to grow and spread in. As my wife says, it shows not only how few people understand technology, but how few even understand the concepts of public health. I have been careful about identifying my affiliation, and describing the situation for a reason. When I first posted this on VIRUS-L, I got flamed by someone who someone who said my observation was invalid because a) SUZY is a pay system, b) he knew of at least three BBSes where people were interested in viri and c) my IN wasn't any good anyway. SUZY is a commercial system, and this is the reason I chose it for my figures. It is marketed to both home and business users, and therefore gives a better "cross section" of the "whole" user community, not just the "home users and hackers". It is also promoted as "the system for the rest of us" as Apple would say, and again provides access to novice as well as expert users. (Weighted a bit heavily to the novice side, but then so is the general user community, wouldn't you say?) I know of a number of local BBSes that cater to interest in viral programs as well. I support three of them myself. But I selected those boards on the basis of their interest, and it would be very strange if the user population there represented the general population. By the sales figures, those who use a modem at all almost automatically put themselves in the upper 10% of computer users. (Am I going to take John's advice about improving my IN? I'd be delighted. Unfortunately, it seems he doesn't use the system. Odd ...) I am coming to find, though, that it is often the "experts" who give those of us who are working in this field the most trouble, vis this recent exchange: Message #1678 - Anti-virus forum Date : 07-Mar-91 19:24 From : Stephen Fryer SF> I mostly have problems with the computers the instructors SF> use; instructors are at least as good at spreading viruses SF> like Stoned since many of them seem to think their more SF> exalted status (socially and educationally) makes them SF> immune to such things. My response? Oh, yes. I've seen this all too often. Actually, I'm not so sure that it's as much conceit, as a kind of frightened fatalism. They probably are aware that they don't know much about virus protection, but in this business everybody has to be an expert on everything, so they just ignore it and hope it will go away. Strange reaction in my view, but then again, how do they get the facts? Courses are few and far between, and most of the books are not very strong on how to protect yourself (besides being "technically" out of date the instant they go to press.) Forget the media. (InformationWeek printed only four articles on viri during 1990. Computing Canada published a "Computer Security" issue in November of 1990, and printed only two articles on viri, both so general as to be almost useless. I had submitted five articles to CC for that issue, and the one they picked was on how to "define" a computer viral program.) But again, I agree with Stephen's assessment; it's the "experts" who are often the greatest problem. (Last government office I worked in, the first disinfection I had to do was on the system support operator's machine. He had infected himself while trying to do a disinfection for someone else! Recently, in teaching in a microcomputer lab at a local school board I found that two computers were infected. I informed the lab manager, with some difficulty, and returned the next week to find that not only were they not disinfected, but a third had joined them.) I mean, with respect to information on computer viral programs you can't *give* it away. Quite literally. Cheap courses I give through local school boards get cancelled due to lack of registration. Mid-priced courses I run through the Federal Business Development Bank just squeak through. It's the expensive ones that the Center for Advanced Professional Development has me do that reach the "break even" point for registrations two months before the course dates. (So if you *have* to swap disks with someone, make sure he's wearing an expensive suit. :-) This is the first time since I started working with computers that the attitude of the general public has really had me baffled. People must surely realize by now that viri are real, not just the "scare tactics" of the security industry. The two biggest problems the world faces today are ignorance and apathy. But people don't know that, and they just don't care ... Robert Slade
mrs@netcom.COM (Morgan Schweers) (03/15/91)
Greetings,
I'll put forth my own opinions about the computer virus apathy problem
here.
The major problem that I have seen is how to disseminate information to
the public without being seen as trying to promote scare-tactics. The truth
is that the only people I've known who are aware of the viral threat fall
into two basic categories...
1) People working in the anti-viral field. This includes people such as
the original author, as well as people like myself (a programmer).
2) People who have been infected by a virus. (It rarely actually means
anything the first time. When they reinfect themselves the third and fourth
time, THEN it finally filters through to them that these things are a PROBLEM!)
There are people who REFUSE to believe that their system could have a
problem like viruses. It's these people who *smear* people in the first
category. (The classic "It's unknown? FEAR AND LOATHING!" reaction.) The
major problem, in the past, has been that these people have had *MAJOR* voice
in the media.
In all honesty, your odds of getting a virus are *FAR* less than the odds
of your hardware going bad or conflicts in your software. A bit of common
sense SHOULD prevail in worrying about viruses. Those of us in the anti-viral
field understand this, and try to make it clear. The only words that the media
hears, however, is the ones that have emotional impact. "VIRUSES CAN DESTROY
YOUR HARD DRIVE!" "COMPUTER VIRUSES VIOLATE YOUR PERSONAL SECURITY!"
"COMPUTER VIRUSES ARE THE CAUSE OF THE PARKING PROBLEM IN DOWNTOWN DETROIT!"
I think everyone will agree that what the media wants is 'sound bites' or
'catch-phrases' that they can bludgeon the people with. None of the AV people
I know are doomsayers, but I've seen reporters take clear and simple things
they have said and turn it into 'your life is in danger!' type stories.
I'd like to hear people's suggestions to the solving of this problem. I,
being actively involved in the fight against computer viruses, have thought
this topic out. Some fresh ideas would be nice.
To recap: Viruses *ARE* real, *SHOULD* be looked out for, but *SHOULD NOT*
be feared. It doesn't take much to tell a user what to look for. It takes
even less to tell them to do backups often. The problem is that they *DON'T
BELIEVE* because of past hype. (Also because of the "I'm invulnerable!"
attitude.)
Morgan Schweers