"What's New" Newsletter (SecurityCritics.org
<
http://SecurityCritics.org> and Vmyths.com <
http://Vmyths.com> )
Taking a critical look at the computer security industrial complex since
1988 (that's right: 1988)
{1 December 2010}
In this issue:
* Top item of the month
* Other items of note
* Humor control
* The editor's notepad
Want to join or leave this mailing list? Click here
<
http://newsletter.SecurityCritics.org> for instructions...
Top item of the month
Irony, anyone? A third cyber-terror expert has died at the hands of
physical terrorism. Iran's top expert on the Stuxnet worm died when
assassins rigged a bomb on his car. The deathly score now stands at
three-zip... Click here <
http://Vmyths.com/2010/11/30/stuxnet-2>
for the horrific irony. Want to follow Vmyths on Twitter? Click
here <
http://Vmyths.com/2009/04/19/twitter-2> for important details on
what we do (and don't) use Twitter for...
Other items of note
"Pianist oil heir, $6 million extortion scheme, and computer viruses."
Reporters will beat a path to your door if you can use all three in a
single sentence. The only problem is, there is NO computer virus angle
to this story... Click here <
http://Vmyths.com/2010/11/09/bedi>
for enlightenment.
Remember that magical "printer virus" in the 1991 Gulf War? A
storyboard on a WWII ship tells a tale that ends almost exactly the same
way... Click here <
http://Vmyths.com/2010/11/28/wwii> for an
update on an ancient foolishness.
Which is worse — the recent wikileak of 251,000 U.S. State
Department cables, or Operation Buckshot Yankee? If you said "Buckshot
Yankee," you're right! Read this <
http://Vmyths.com/2010/08/27/oby-2>
if you answered wrong.
Humor control
They say a picture is worth a thousand words. Well, this graphic
<
http://SecurityCritics.org/2009/02/20/crm/wrong-aoa> shows "cyber"
groupthink vs. reality... Enjoy.
Computer security experts post a lot of unrelated tweets via their
Twitter feeds. Check out this doozy from Graham Cluley (Sophos): "Don't
visit the @Peerindex blog link I tweeted earlier today. It's been
compromised with malicious scripts." Also, check out this cute one from
Per Hellqvist (Symantec): "Sorry for not tweeting in a while. Tweetdeck
broke and I haven't had time to reinstall. Lazeee... sorry" (Hellqvist
is a huge Vmyths fan. HyperHi, Per!)
The editor's notepad
Sometime around 1999, I obtained a rare (and I do mean rare) redacted
copy of an FBI video via a Freedom of Information Act request. Its
title? "Solar Sunrise: Dawn of a New Threat." Wired investigative
reporter Kevin Poulsen obtained the director's cut
<
http://www.youtube.com/watch?v=bOr5CtqYnsA> from one of myriad
sources; he uploaded it to YouTube as part of his neo-review of the
video.
(I love Poulsen's prose and I strongly recommend you read everything he
writes. Ah, but I digress.)
I watched "Solar Sunrise" thrice again (!) for its riveting
dramatizations and its Hollywood re-enactments. The FBI actually paid
child actors to play the roles of the children who stand at the very
center of this "Wargames is real!" video. Heck, even U.N. Secretary
Kofi Anan appears in a cameo.
Poulsen is right: "Solar Sunrise" is the FBI's best movie to date. A
narrator starts off by lecturing how three children nearly destroyed the
United States' ability to inspect Iraq's program to build weapons of
mass destruction. "Damage to [DoD computer] systems could halt the flow
of transportation, personnel, and medical supplies," the narrator
explains. Video scenes reminiscent of "Top Gun" play in the background.
Then, an overlay of Brigadier General Francis X. Taylor
<
http://www.af.mil/information/bios/bio.asp?bioID=4904> , who drops a
"WUC"-bomb in FBI NIPC's commercial at the 1:10 mark:
"It certainly was ... a wake-up call for many of our leaders, both
uniformed and otherwise in our governments [sic], that this is
potentially a very major threat to our ability to execute our missions."
"Potentially," Taylor says. Everyone in this video — even the
narrator! — couches his statements knowing three children freaked
out the United States military-justice-intelligence complex.
The pan shifts immediately to Defense Information Systems Agency vice
director then-Major General John H. Campbell
<
http://www.af.mil/information/bios/bio.asp?bioID=4904> , who drops a
bombshell of a different sort. You see, in the late 1990s, USAF
publicly insisted it only exercised command & control via a series of
robust encrypted non-repudiated networks. Here, Campbell admits what
the Air Force doesn't like to disclose:
"We do an awful lot of work by email and through unclassified
transmission of deployment information. And again, if you take one part
of that machine and disable it, you've got a real problem trying to make
a deployment operation take place."
Remember: Campbell admitted this ca.1999. Command & control problems
must have grown worse since then with the Pentagon's embrace of email.
I'm an old WWMCCS <
http://en.wikipedia.org/wiki/WWMCCS> programmer
myself, so — doing some hasty napkin math
<
http://blogs.msdn.com/b/onenotetips/archive/2008/05/09/napkin-math-in-o\
nenote.aspx> — I'll bet a soda we've suffered slightly more than
one major event in Iraq or Afghanistan where a base commander didn't do
as higher headquarters told him, all because his communications officer
failed to reliably monitor official command & control systems.
("But Rob, 'slightly more than one major event' would be two major
events." Yeah, I know. That's the problem with statistics — it
doesn't answer you with whole numbers. I'll only bet a soda on one.
Look at this napkin photo
<
http://www.myjourneytomillions.com/wp-content/uploads/2008/09/napkin-ma\
th.jpg> if you feel an urge to peer review my math: I did my
calculations based on four-month deployment rotations. Ah, but I
digress.)
Buried in the video at the 8:00 mark is a bomb of a different sort —
a leaker (now thought to have been inside FBI NIPC) jeopardized the
"Solar Sunrise" investigation by blabbing to the national media. The
narrator dances around this, saying only that "on February 25th, a new
crisis strikes the 'Solar Sunrise' investigation: the media makes the
story public." FBI NIPC wonk Scott K. Larson butts into the frame:
"once the case became public, a lot of thoughts came across'd our mind.
The first one, in particular, up in California, was to get to the sites
as soon as possible." Larson fades out of the frame; the narrator
continues:
"If the teenagers hear of the investigation before search warrants are
served, they can erase all evidence of their crimes. Racing against the
clock, investigators from a wide range of task force agencies converge
on a suburb of San Francisco. They reach the two [teenage] hackers'
homes at 6:30pm Pacific time, the same day the story hits the press."
"Wait, Rob," you interject. "This timeline doesn't make sense. How can
media coverage really be a 'crisis' if they obtained & executed search
warrants the same day the story hit the press?"
Actually, this timeline does make sense if you take both hysteria and
the eastern time zone into account. Let's say, hypothetically speaking
... oh, I'll just pick a name purely at random here ... um, we'll just
suppose entirely for the sake of argument that FBI NIPC's founding
director, Michael Vatis, curried favor with a producer at ABC News in an
effort to set up an interview with anchor Peter Jennings on "World News
Tonight." The producer would assign an investigative reporter, who
would call FBI NIPC's public affairs office in the early morning, which
in turn would talk to the case officers involved, who would promptly
freak out, and who would use the eastern time zone to their advantage to
get a judge's signature on search warrants they drafted in advance to
parlay at a more opportune time.
("You're treading on thin ice, Rob. Vatis has a law partnership in New
York." Yeah, yeah, where he specializes in Internet cases. Many people
think I get under Vatis' skin when in truth I just play the role of Nick
Norris to his Anti-Claus. Oh, sure, I could stab him with a
screwdriver, but he'd just bellow "I have no heart!" and then try to
beat me to death with his own ripped-off left arm
<
http://marvel.wikia.com/File:Anti-Claus_(Earth-8336).jpg> . Ah, but I
digress.)
And speaking of Michael Vatis ... he shows up at the 10:15 mark to
all-but-applaud the three teenagers for proving to naïve disbelievers
that "cyberspace has no boundaries." Hurray. Jot it down, folks.
IfWhen the world runs out of helium in 2035 and we finally send a
mining team to the moon, they'll set up an IPv6 satellite link and some
fool will hack into it, giving a 60-something Michael Vatis the impetus
to shove his dentures in his mouth just so he can shout "I told you so
in 1998 but noooooo, you listened to that idiot Rob Rosenberger and now
the whole mining team up there will die for sure because someone ran a
dmesg >ttysat0 command and now I won't get the MRI scans I need to save
my life because there isn't enough helium left on Earth to inflate the
magnets!" Then his dentures will shoot out of his mouth on live TV and
they'll cut to a PSA to raise funds for a statue of General of the Cyber
Army William Lord to commemorate his Medal of Honor-winning sacrifice
after coming out of retirement to lead U.S. troops into digital battle
in the FrancoMuslim-American cyber war of 2029. Ah, but I digress.
(I seem to digress a lot in this month's column. Ah, but I digress.)
The narrator drops another small bomb at the 11:10 mark about the
teenage mastermind who brought Washington to its knee-jerks:
"One year later, 'Analzyer' is indicted in Israel on charges of computer
crime. Prosecution is still pending. In California, both teens plead
guilty to violations of federal computer fraud and wiretapping laws.
Both boys are fined and sentenced to three years of probation with 100
hours of community service. They forfeit their computers and are barred
from accessing the Internet without adult supervision. As juveniles,
their legal punishment is relatively light, but this youthful escapade
may haunt them in other ways."
Washington will pressure Israel to send 'Analyzer' to the gallows but he
escapes the noose and, just like his little brothers in arms, he pays a
fine plus community service.
Then-civil servant Scott Charney comes into the frame sounding like FBI
NIPC made sure these boys will sing "Workin' at the Car Wash Blues
<
http://youtu.be/tLKhUnl_yhc> " in a few years when they finally turn
old enough apply for a job at Taco Bell. "If they're applying for jobs,
and they might of course want one in the computer security field..."
I'll let you speculate where Charney went with his cute predicate.
Believe it, folks: the narrator actually says "both teens plead guilty"
and "both boys are fined" and placed under "adult supervision." Teens!
Boys! Adult supervision! FBI NIPC helped produce this Hollywood video
as part of their insatiable desire to turn "Solar Sunrise" into a
crowning achievement for their upcoming coronation as Washington's new
kings of cyber.
And they actually wanted you to believe three boys constitute a "wake-up
call" for national cyber security.
So! Whatever became of "Solar Sunrise"? Washingtonians sometimes
reference it to this day — but the cognoscenti dismiss it as a
laughingstock example of how U.S. government hysteria can make mountains
out of anthills. Nowhere is this more telling than at Wikipedia, where
"Solar Sunrise" can't even muster up a page of its own.
"Rob, did we take away anything useful from 'Solar Sunrise'?" Yes, but
you might laugh it off when I say it out loud. We learned hysteria plus
gullibility threatens the cyber fabric of the U.S. government.
Jet-setting playboy Michael Vatis made it his #1 priority to crown
himself king of cyber enforcement, and he convinced both the Pentagon
and the intelligence community to join his Keystone Cops in a race to
stop Iraq's Elite Republican Guard from invading us with a deadly fork
while fork command.
That's enough for this edition. My best to y'all, and see below if
you're into Twitter. Please keep fighting the virus hysteria.
Rob Rosenberger
Rob@... <mailto:
Rob@...>
* False Authority Syndrome <
http://Vmyths.com/fas>
* How to spot a hoax computer virus alert
<
http://Vmyths.com/faqs/spot-a-hoax>
* Reduce virus hoaxes inside your company
<
http://Vmyths.com/faqs/help-company>
* Follow Vmyths on Twitter <
http://Vmyths.com/2009/04/19/twitter-2>
* Hoaxes NOT related to computer security <
http://www.Snopes.com>
* Comedy vs. virus hysteria? Believe it! <
http://HumorControl.org>
[Non-text portions of this message have been removed]
Offline 
Send Email