---------------------------------------------- | Interview with Becky Worley, TechTV reporter | | by Gigabyte [Metaphase VX Team] | | | | May 2003 | ---------------------------------------------- I think sometimes it's nice to look at things in another way. Not through the eyes of a virus writer, virus collector, hacker or something alike, but of someone who gets to deal with viruses in a totally different way. As you may remember, in the previous issue of this zine, I interviewed Sarah Gordon, and this time, I talked to Becky Worley. She works for TechTV, in TechLive, a nightly 1/2 hour magazine show about technology. Becky also told me you're welcome to e-mail firstname.lastname@example.org with any feedback or thoughts on anything mentioned in the interview. And here we go.. - First of all, when did you start reporting about security, hacking and such and what was your motivation to do so? In 2001, I was hosting a computer help and how-to show, "Call For Help" on TechTV . Our news show, TechLive wanted to do some of our content for their show. Since viruses are the most consistently evolving element of computer how-to, they seemed like a fitting subject. I began doing a daily segment called Security Alert to keep people abreast of new viruses, scams, and ways to stay safe: patches, techniques, and software. - Which topics do you find the most interesting? The social engineering used in viruses: what psychological methods are being used to hook victims. (actually this brings up an interesting question- what do you guys call the people who double-click executable virus files? - victim, dumb- ass, subject???? I digress... ) I think virus social engineering is an incredible indicator of global consciousness, e.g. Shakira worm, World Cup soccer virus, 9/11 World Trade Center photos, SARS info, Avril Lavigne. - Did your PC ever get infected with a virus? If so, which one(s), how did you react, were you angry, and how did you solve the problem? I haven't gotten any viruses in the last 5 years. I keep thinking how embarrassing it would be to get infected. But then again so many techniques employed by skilled virus writers take the user out of the equation; circumventing the need for double-clicking an attachment through software holes and network vulnerabilities. I am a nut about patching my software, I use an AV scanner, have firewalls installed, and I try to scan everything I download off P2P networks. But I am lazy or forgetful just like everyone else, so I'm sure I could get a virus even though I'm supposed to know better. - Ever got hacked? Part of why I like writing for the masses about technology is that I'm not pretending to be an uber-geek. I am a knowledgeable computer user, but my network at home is not elaborate, I don't have any websites up except for the one I use for school (I'm getting a Master's degree at Stanford in a program called Learning Design and Technology. It's through the Computer Science and Education departments, and it aims to "better use tech to teach" and "teach tech better." I also try to keep a low profile, (is doing an interview with a virus writer's zine a good idea if you're trying to keep a low profile?). I write about viruses, I try to help people avoid infection, but I'm not pointing fingers at specific people. I think releasing viruses into the wild is destructive, but innovating code is a form of invention. If you use a worm to install a key-logging, data-stealing trojan then I consider you a bad guy. If you figure out how to breach security measures in Internet Explorer with a proof-of-concept virus, then I think you're doing a service for the greater good. Nothing's exactly black and white, though. I just know I'm trying to help people like my mom save time and energy staying free of viral infection. So the answer is no I haven't been hacked, although TechTV, my employer has had its fair share of attacks. - How many hackers, vxers (virus writers and collectors) and alike have you spoken to? Well I guess it depends on how you define hackers. Let me start by answering the question honestly. Not enough. But some would say these count:: Adrian Lamo, Kevin Poulsen, Kevin Mitnick, Steve Wozniak, Linus Torvalds, Gigabyte, the Deceptive Duo. This is a really good question: unlike traditional TV reporting, viruses and security issues make it tough to offer people on both (all) sides a chance to speak about the issue. For example. A prominent businessman is accused of embezzling money from a large corporation. As the TV reporter assigned, I have 2 hours before my deadline to get soundbites from the businessman (or his lawyer), the Prosecuting attorney, and the wronged party (the company from whom the money was embezzled). I can look up all their phone numbers and set up shoots to get comment if they all want to talk. That would be a lead story in a newscast- you get 4-5 hours total to make it happen including contacting and setting up interview subjects, doing the shoot, writing the piece, voicing the track, and editing the final product. That story would get 1 minute and 30 seconds of air time. For the security reports I do, I have 45 minutes- tops to put together a report about a new trend or virus. This includes writing a web article. In the end, this item will only get 25 seconds of air time in the show. This is just a very small part of my job. The constraints of maxed out reporters and hard to find virus writers makes getting clear, well-rounded perspectives difficult. As a cop out, I feel the code sometimes speaks for itself. That's the comment I try to infer from either the writer or the person who seeded the virus. - How many have you met in real life and who? Kevin Poulsen, Kevin Mitnick, Steve Wozniak, Linus Torvalds, Adrian Lamo (like I said earlier, not enough) - When you first went to interview such a person, did you go there with the idea you were going to talk to some kind of 'criminal'? Explain. Not at all, except for the deceptive duo- they knew they were pushing the bounds of criminality. Others in my list are fairly mainstream. - Has your opinion changed? I would make a horrible prosecuting attorney because I'm sure people have reasons for everything they do. But I will repeat my belief that releasing a virus in the wild is destructive. Putting viruses in the hands of other people who will release it into the wild seems equally irresponsible. I just see this from the perspective of an average computer user: if a victim loses a term paper and flunks a class as a result of a virus, or has their identity stolen, or fears viruses so much they don't maximize the incredible potential of their computer and the Internet, I think that's lame. - Do you think the general public sees us as criminals? What about people who have more technical knowledge, do they share the same ideas? Yes, the general public thinks you are criminals. The more technical community probably believes in your criminality even more acutely. The saying Noblesse Oblige comes to mind: those who have great skills and talents should use them for the benefit of others. Good VXers have an opportunity to do something amazing with their skills. (I'm starting to sound like an old-fart. I should shut up and just tell you about my job- enough with the message-right?) - Do you think virus writers are a lot like the stereotype some AVers (like Graham Cluley) and media describes? Stereotypes are for the narrow-minded. And no, I don't think you are all pimple-faced teens, horny and hopped up on Red-Bull. That being said, Graham has an opinion and as a member of the media I often quote him. If VXers had a PR machine like Sophos does, I'd probably be writing about the fact that AVers are all over-fed corporate nerds using fear to make a buck in this crappy tech economy. - Do virus writers and hackers give a paranoid impression, when talking to media people? Adrian Lamo is an interesting case here because he chooses his words carefully, refusing to be shoe-horned into a 10 second, simplistic sound-bite. So his paranoia is more about being misrepresented by us shallow TV people. - Do you think there's a way vxers can help change the way people think about them? If so, how? Not to kiss up to the interviewer, I actually thought Sahay was an unique experiment. A disinfecting virus. Not that the average Joe will be able to process what was unique, but I thought it was interesting. Your average computer user fears viruses and thus, fears virus writers. They don't have the time to process the intricacies of who wrote the code, for what reasons, and how it eventually landed on their PC. They just fear the code and the coder. - Have you met any AVers? If so, are they really the way they behave on the Internet, and do you think they have very negative views on virus writers? I don't know the VX- antichrist Graham Cluely personally. But Steve Trilling from Symantec is a great guy. He used to be a stand-up comedian, and he's very thorough, professional and helpful. - Did you actually learn things from all the TechTV reportages you did? Did hackers and virus writers teach you anything? (technically and/or socially) The whole reason why I am a reporter is because I love to learn about new things. I get paid to be a student. I have to admit that it's intimidating to offer my opinions here because I am not trying to be a virus expert, not even amongst reporters (there is a whole cadre of guys that just write about viruses, I can't go as deep so I am much more on the surface of VX issues). There are so many people who know more about the subject than I do; I just have the task of translating what I do learn into digestible, entertaining, informative blurbs that help people wrap their heads around the virus (and security) issues at hand. So I learn all the time, and sometimes the hard way, making mistakes that are pointed out by our incredibly knowledgeable viewers. Each new virus teaches me something about viruses- Code Red & Nimda about Network shares and DDOS attacks, Klez about spoofing, Sircam about social engineering, Duload about the use of P2P networks. - If you had a son/daughter and he/she would become a good and well known virus writer, what would you do? hmm, I guess it would depend on what she or he did with the viruses and how they innovated the craft. There is no doubt in my mind that VXers are incredibly creative, but I guess you'd have to ask each person why they release their viruses and what it does for them. I'd like to know more about that motivation. Writing viruses must fulfill you on some level- why? Oversimplifying very complex issues fulfills me on some level- why? I'd have to ask that of my kid to determine whether they were doing something worthwhile or destructive. If they were writing a virus that tried to identify kiddie porn and then erased it off hard drives, I could get behind that. - Do you think Microsoft is (partly) responsible for all these virus outbreaks? Yes and no. Microsoft has to do more to release software free of vulnerabilities. They also have to make the windows update process less invasive, more automated. They need to release software that defaults to the safest settings and do a better job educating their customers about the responsibilities of keeping software up to date. But I will say that Microsoft has come a long way quickly. I actually think they are doing a good job handling disclosure issues. When a vulnerability is reported to them, they are very quick to respond and acknowledge the person or organization who discovered the hole. I have come across other companies that could learn a thing or two from Microsoft's struggles. http://www.techtv.com/news/security/story/0,24195,3417248,00.html - Which antivirus software do you prefer? Is it working well for you? I use Norton on one computer, TrendMicro's office scan on another. I will say the corporate version of Office scan is much less invasive and seems to eat system resources less than N.A.V. - Do you ever read virus related articles or e-zines? If so, are they pro or anti virus? - Do you think publishing viruses in e-zine helps keep virus writers from releasing them into the wild? - Do you think the wildlist is (partly) responsible for the spreading of viruses? (for example because virus writers may try to make it into the list) - Anything else you'd really like to mention? I'm not going to answer the above questions for one reason, I'm not the right person to make that kind of a judgement. I can tell you how hard it is to educate people about viruses through the media. I can explain the difficulties of condensing the technicalities of a new virus into 25 seconds of copy. I can give you examples of viruses I have covered because their social engineering involved a visual I could make into interesting TV. Or point out that innovative viruses without a visual hook often don't make air. I could tell you that I don't understand why bright, talented people would dedicate their energy to the creation of viruses that ultimately scare newbies away from computing. But really all I can say is that I'm on a journey to understand the phenomenon of viruses. Unfortunately in the main-stream community of television journalists, very few have the inclination or the time to really understand the viruses that they report.
Back to index