Wednesday, April 8, 2009

Organized Crime or Organized Alarmism?

Darren Waters, Technology Editor for the BBC News Web site, released a story this morning on spam and other malware, drawing upon a recent report released by Microsoft and follow-up interviews. The bottom line of the report is that for every thousand "clean" computers in the world, there are 8.6 that are in some way "infected." The report also claims that over 97% of all electronic mail messages may be classified as spam. This provides a sharp contrast with the analysis by Message Labs, which, according to senior analyst Paul Woods, concluded that 81% of electronic mail was spam. Either number is unpleasantly high, providing an excellent object lesson in the sorts of consequences that technology evangelists never seem to have time to consider.

Having often pursued Udi Manber's metaphor that spam detection and spam generation are locked in an "arms race," I have concluded that the best a user can do is keep the computer's software up to date, armed with the latest malware detection and prevention code. In this light one may wonder whether or not the publicizing of the Microsoft report was undertaken in an effort to encourage users to be more conscientious about such matters. Thus, Waters included the following quote from Ed Gibson, chief cyber security advisor at Microsoft:

If you don't update your software you are not just a hazard to yourself, you are a hazard to others because you can be part of a botnet [if your computer is hijacked].

This reminded me of a favorite motto from the Sixties:

If you are not part of the solution, you are part of the problem.

Unfortunately, that message did not survive the Sixties very well. These days people seem to prefer a more warped version:

If you are not part of the solution, you can make the problem so bad that someone else will finally get around to fixing it.

This almost casts malware producers as latter-day Robin Hoods, more interested in exposing vulnerabilities (particularly in Microsoft software) than in highway robbery.

Wearing his Microsoft hat, Gibson does not see it that way. According to Waters, Gibson attributes the high level of spam to "traditional organised crime figures moving away from exploiting software vulnerabilities and 'targeting the weak link that is you and me'." This was the first time I had come across an association of organized crime with malware (although, in the pre-Internet days, I remember an Esquire article suggesting that some of the more notorious phone hackers were finding support for their activities among the criminal element in Las Vegas). It set me to wondering whether or not Microsoft was invoking the Bush Administration's "Global War on Terror" strategy to raise public consciousness (through fear) about malware. At the very least, Gibson should be examining the question of how much money is actually being made through malware and then asking whether, by the standards of organized crime, it counts for more than "chump change." Put another way, if you are a sociopath, you do not need the support of an organized group to exercise your sociopathy on the Internet. The evangelists wax over how the Internet empowers everyone; and, like it or not, "everyone" includes the sociopaths among us!

I agree with Gibson that all computer users should be conscientious about keeping their equipment protected against malware. However, I do not think that Gibson will achieve this by playing the fear card, primarily because the Bush Administration did such a good job of devaluing the public perception of that card. Unfortunately, the only other way to check if users are taking care of their equipment is to monitor that equipment; and I can imagine that most users (probably myself included) would find that dangerously intrusive.

