First, I thought of something like “Paranoia Run Amok”. Why? The purpose of this post originally was to serve to clarify what my opinions are (at the moment, anyhow) regarding the origin of spam and computer viruses. In a previous post I raised the issue that possible blog comment spam might have originated from the “Word Cloud” phenomenon that propagated (memed?) through the blogosphere a few months ago. In the comments that ensued from this post, I expressed a pretty strong opinion about the relationship between spam/viruses and the companies that profit from defeating the same. Here is what I wrote:
In my more paranoid moments, I can’t help but think that there is a connection between the growth of spamming, and the companies that profit from “defeating” it. If my paranoiac reasoning is correct, then there never has to be any sales closures for the product being hawked, as this is not the motive for the spam in the first place, but merely a pretext for the sale of anti-spam products.
Similarly, I sometimes feel the same paranoid suspicions regarding the source and motivations behind virus outbreaks. It seems that if one wanted to “follow the money trail” of these activities, one should not overlook the fact that many companies have built their entire business model on selling annual subscriptions to products and services designed to “defeat” these ever-growing threats.
Microsoft has built an empire on a simple premise: Provide a product that every computer owner perceives that they need (Windows), and then create a managed version update program to get these same owners to upgrade to the latest, greatest OS (witness Windows, Win95, Win98, WinMe, WinXP, and Vista, not to mention all the flavors of WinNT that have come down the pike). If companies such as Symantec, McAfee and others can persuade everyone that they must not only buy their products, but also constantly renew their subscriptions, then they will have effectively “one-upped” the Microsoft business model. I guess only time will tell if I am being paranoid, or if I am simply being prescient.
As I thought about this comment, I began to feel as if I might have been overreacting, even though I had so clearly peppered my remarks with words like paranoid, suspicious, and paranoiac. And so my original intent was to somehow soften the tone of my opinion on this issue a little bit with this post. And then something happened.
I read a computer magazine which referenced an article titled “The Antispyware Conspiracy”, which addressed a portion of this issue in a direct manner. After reading this article, I began to feel that maybe I wasn’t being so paranoid after all. But the author of the article began with the following statement:
“Since the release of the first antivirus products many people have believed in a conspiracy theory where antivirus companies generate their own market by paying virus writers to develop and release viruses. I don’t subscribe to that theory and trust the major security vendors, but recent trends show that there’s a fuzzy line between second-tier antispyware vendors and the malware they clean.”
This article seems to point a finger at some second-tier antispyware vendors, but is quick to absolve the major security vendors of any complicity. And as I thought about this more, one thing kept popping to mind – maybe the major players ARE paying virus writers to develop and release viruses! Not directly, of course. I am not suggesting that executives within Symantec or McAfee direct any campaign to unleash viruses on the computing world. In fact, I would be the first to suggest that the executives within these companies realize that any involvement in such schemes would be fatal to their own best interests, and I further believe that the intentions and motivations of these executives are pure.
This apparent contradiction on my part can be explained by considering the following simple observation. Name any other industry that contains this unique dynamic – any individual employee within the “malware prevention industry” can guarantee his very own job security by propagating the malware they are hired to defeat. Imagine this employee spending just 1 hour per week developing his malware, and you can imagine the havoc he/she could inflict. Now multiply this dynamic by the number of employees in this industry (hundreds? thousands? tens-of-thousands?).
If you think I am too suspicious, let me tell you a true story. Some years ago, I was called upon to render a professional opinion regarding a computer system and associated software programming for a client who owned a chain of glass companies. The logo of this company was a little boy at play. If you looked closely at the logo, you would see that the little boy had a slingshot hanging from his back pocket. I asked my client about this, and he replied with the following tale. He (I’ll call him Mr. X) began his career as an employee of a glass company. In 1971 Southern California experienced a large earthquake, and there was more glass replacement business to go around than anyone could handle. Mr. X decided to go into business for himself, and for a while, all was good. Eventually, the earthquake damage in the area was repaired, and Mr. X found himself wanting for business. Arming his son with a slingshot, ammunition, and instructions to shoot up windows in a neighborhood, Mr. X would then saturate the same neighborhood with fliers advertising his glass repair company. No wonder I am now suspicious of business by nature!
So I now face three questions –
A) Are there any other industries that contain the same dynamics that are at play with the malware industry?
B) Am I being overly paranoid with respect to the malware industry?
C) What should I have entitled this post?