"What's New" Newsletter (SecurityCritics.org and Vmyths.com)
Truth About Computer Security Hysteria
{25 February 2008}

IN THIS ISSUE:
"Whisper" data collection
Scandalabra
Other items of note
The editor's notepad
Humor control

-----------------------------------------------
Want to join or leave this mailing list? Visit
http://newsletter.SecurityCritics.org for instructions...
-----------------------------------------------

"WHISPER" DATA COLLECTION
The U.S. government is protecting the identity of a confessed cyber-
terrorist. WHISPER will pay $100 for court documents that reveal the
full name of the person who pled guilty in the U.S. District Court in
Los Angeles on 11 February for destroying the U.S. military's ability
to wage war. According to a story in The Register, court
documents "identified [him] only by the initials B.D.H. because he
was a juvenile when the crimes were committed. He is better known by
the handle 'SoBe' in internet relay channels frequented by hackers."
WHISPER will pay $100 for court documents that reveal this
terrorist's identity -- and your own identity will be protected at
ALL costs.

Are you a whistleblower or industry insider? Got a scoop or some
dirt on the computer security industrial complex? Email it to
Whisper@..., or mail documents to 1089A Alice Dr.
#311, Sumter, SC 29150. ALL sources will remain confidential.


SCANDALABRA
A story in The Register notes the Indian antivirus vendor "AVsoft
Technologies was attacked by unidentified miscreants in order to
distribute a variant of the Virut virus" on their website. Follow
http://Vmyths.com/mm/url/8/11.htm for the story...

Got something for the "Scandalabra" section? Send it to
Tips@.... All submissions will remain anonymous.


OTHER ITEMS OF NOTE
Which is worse -- the recent tornados that killed 50+ people, or a
computer virus? If you said "computer virus," you're right! Read
http://Vmyths.com/column/1/2003/5/8 if you answered wrong.


THE EDITOR'S NOTEPAD
We've all heard the mythical story of how Russia or the United States
nearly launched nuclear missiles when radar technicians mistook a
flock of geese for an ICBM attack. We've all heard the mythical
stories of how NATO or the Eastern Bloc nearly started a war when
photo analysts mistook a satellite dish for a missile silo.

Per NATO's charter, if you attack any of its members, NATO will
respond with its full might. Last year, the country of Estonia
LITERALLY pushed NATO to the brink of war with Russia -- all because
a hysterical political leader blamed the Russian government for
launching some computer attacks.

NATO bureaucrats hemmed & hawed until the attacks subsided. Then, of
course, those bureaucrats must have written a bunch of classified
documents on why NATO should lob nukes the *next* time Russian
computers invade a NATO member's IP space.

Okay, now let's flash forward. It's not been reported very widely,
but Estonia finally arrested a 20yr-old native and convicted him of
war crimes for attacking his government's website. No devious
Russian cyber-invasion -- just a local boy with a computer who
decided to teach his elected officials a lesson. This heinous war
criminal received a small fine that amounts to $1,640.

I say "it's not been reported very widely" even though Bruce Schneier
mentioned it in his monthly PR newsletter. I've battled computer
hysteria long enough to know the computer security industrial complex
will IGNORE Schneier on this point.

Computer security experts are a hysterical bunch. They act like cub
scouts who sit around a campfire trying to outdo each other with
scary bedtime stories. Oh, sure, computer security experts will
*subscribe* to Schneier's PR mailing list -- but they'd much rather
run around telling whoppers about how Russia invaded Estonia in a
daring cyberwar. They may only be able to cite a couple of media
sources, but that's more than enough for this industry. Dan Erwin,
the industry's top cub scout storyteller, said it best: "it's in the
press, so I can use it" as if it were fact.

When I say "it's not been reported very widely," I must point out
that Wikipedia has continued to report Russia's attacks on Estonia as
if it really happened. Its writer-volunteers continue to finger
Moscow for the "attack" long after experts dismissed it as
hyperbole. The Wikipedia article on "cyber war," for example,
blatantly declares "in April of 2007, Estonia was cyber-attacked from
Russia. This attack was the tip of the iceberg."

The specific Wikipedia article on the attack itself saw multiple
substantive updates this month -- yet *I* finally had to update it to
include the fact Estonia convicted a local man, 20yr-old Dmitri
Galushkevich, for launching the attacks from the comfort of his
home. The article on "cyber-terrorism" likewise fingered Russia
until I finally corrected it under Wikipedia's "be bold" policy.

I firmly believe cyber-war fearmongers have found their calling card
in Wikipedia. Contrary to popular belief, Wikipedia does NOT rely on
verifiability -- it relies on CONSENSUS which in turn relies on
verifiability. Our collective knowledge suffers greatly when the
consensus itself selectively ignores the truth. The consensus of
computer security experts on Wikipedia have ignored some of the most
important facts behind Estonia's attacks.

Banal computer security lecturers will go on to cite the Wikipedia
articles as a source, which will result in more computer security
magazine stories, which will worm their way into Wikipedia citations
as "verifiable" (notice I didn't say "authoritative") sources of
information -- until it finally turns Galushkevich into an "unperson"
thanks to a manipulation of the past that derives from a denial of
the truth.

Folks, if ever you could point to George Orwell's vision, here it
is. We need to find that woman in the Macintosh commercial who
throws the hammer at the screen ... and get her to throw it at the
computer security experts on Wikipedia.


...So anyway. At just twenty years old, Galushkevich is really still
a child. A kid with very few independent life experiences to draw
on. He's a gangly teenage hacker who, by right of age and perhaps a
few less zits, may have actually known the touch of a young woman by
the time he conquered Estonia.

So. Which is the greater threat? A flock of geese, or the radar
technician who mistakes it for a nuclear attack? A 20yr-old with a
computer, or the elected leader who mistakes his antics for a Russian
military invasion?

Absolutely true story: when I was Galushkevich's age, I wrote new
software for a NATO intelligence project known as "TGTS." We'd test
the software with targeting data for "Jeff's Corner Nuke Weapons
Store" and "Rob's Conventional Warheads." I lived in an Air Force
barracks one kilometer from the site of a recent terrorist bombing
that took out the Air Force headquarters building. I took bus tours
as often as I could just so I could flaunt myself to the terrorists,
and on those trips I'd sometimes realize how quickly the USSR could
jump out from behind the iron curtain.

So. Which is the greater threat? A 20yr-old hacker who might still
be living with his mother, or a 20yr-old Airman stationed on another
continent with deep access to NATO's targeting software?

Years from now I'll begin a column with "we've all heard the mythical
story of how a former Eastern bloc country ordered NATO to attack
Russia because computer technicians mistook one local teenage hacker
for a full-blown cyberspace invasion." And my readers will
say "oooh, that's almost as good as the story our dads told us about
a radar technician who mistook a flock of geese for an ICBM attack..."


HUMOR CONTROL
The SANS Internet Storm Center has raised its threat level
to "Orange" after the CIA notified them that hackers were behind
multiple undersea cable failures off the coast of Egypt. Reading
from a prepared statement, Alan Paller, CIA's top liaison at SANS,
quoted CIA senior analyst Tom Donahue, the world's leading authority
on outages, as saying "we have information, from multiple ships
outside the United States, of cable intrusions into Egyptian
utilities, followed by extortion demands. We suspect, but cannot
confirm, that some of these attacks had the benefit of anchor
knowledge. We have information that cyberattacks have been used to
disrupt cable equipment in several regions off the coast of Egypt.
Currently, the disruption has caused an outage affecting multiple
cities throughout Egypt. We do not know who executed these attacks
or why, but all involved anchor intrusions through the Internet."

-----------------------------------------------
Join the free all-humor computer security newsletter! Visit
http://HumorControl.org for details.
-----------------------------------------------

That's enough for this edition. My best to y'all. Please keep
fighting the virus hysteria.

Rob Rosenberger, editor
http://Vmyths.com
Rob@...

--------------- Useful links ------------------

A-Z list of computer virus hoaxes
http://Vmyths.com/hmul

How to spot a hoax computer virus alert
http://Vmyths.com/resource.cfm_id=19&page=1.htm

Reduce virus hoaxes inside your company
http://Vmyths.com/resource.cfm_id=20&page=1.htm

False Authority Syndrome
http://Vmyths.com/fas

Hoaxes NOT related to computer security
http://Vmyths.com/hmul/11

Comedy vs. virus hysteria? Believe it!
http://HumorControl.org