Debunking IT myths

would have had no chance.

Shaun Nichols: “Beating the Reds” was a bit like a magic phrase when it came to securing research funding in the 60s and 70s. This is likely how the idea got started.

Given that most of the early infrastructure for the Internet would have had trouble making it through a big earthquake, thinking that the Internet could emerge unscathed through nuclear Armageddon is rather laughable.

Add to this that by the 60s most of the country’s technological hotbeds, places like Minneapolis, San Jose and Boston, were among the highest-priority nuclear targets for the USSR, and you’d have to get a pretty bleak outlook for ARPANET should WWIII have ever broken out.

On the plus side, you can rest easy knowing that should the Internet ever gain self-awareness and set itself on eliminating humanity à la SkyNet from the Terminator movies, it most likely wouldn’t survive either.

Myth: Virus companies write most malware

Iain Thomson: If you want to make a security software specialist spitting mad, trot this one out at him or her. I’ve heard it everywhere, even from rational people who understand a little about computers. It’s not true and never has been.

There are actually very few proper malware writers. Until recently the vast majority of attacks came from script kiddies, who took someone else’s malware code, tweaked it slightly and then released it into the wild. This has changed slightly as malware has become more about profit but it is still the case.

Antivirus specialists are adept at spotting the hallmarks of the true virus writers, and if one of them started writing the stuff themselves it is highly likely that they would be spotted fairly quickly. But this ignores the key point about this myth.

The teams of antivirus researchers in the industry are driven people, in a way that makes the average coding geek look like a stoned slacker. They see themselves as the thin blue line between computers succeeding and failing and take unusual steps to do so. It’s one of the few industries where competitors share secrets.

Once a signature file for a specific piece of malware has been developed, it gets emailed to all competitors who also share information (which is almost all of them — even Microsoft). That means that whichever security software you use, you get roughly similar protection.

So what, I hear you say, there are cases of firefighters who set fires just so they can be a hero and put them out. Well yes, but if one researcher suddenly started solving all these signature files without a good explanation then questions would be asked.

Shaun Nichols: This myth is insulting to both the good and the bad guys. I think a large part of it comes from a misunderstanding as to the nature of vulnerability disclosures and proof of concept code.

What usually happens is that a researcher discovers a vulnerability in a product. Said researcher then either directly contacts the company or contacts a third party, such as a TippingPoint, who then passes it on to the company who patches it. The researcher then usually releases a sample “proof of concept” script to show that he or she actually did find the flaw. 99 per cent of the time, this is done before the public even knows about the flaw.

This, to some people, seems unethical. Why would one try and create ways to attack a system? The answer is because the bad guys are really smart people too. The “white hat” researchers who find and report vulnerabilities for a living are plugging holes that those who create malware and attack kits would otherwise find in time and exploit as “zero day” attacks for which there are no fixes.

The bottom line is that the bad guys really don’t need any help in finding flaws, and getting a vulnerability out in the open is almost always better than sticking your head in the sand and hoping nobody writes an exploit.