Controversial hacker publishes cover story in Skeptical Inquirer

The latest issue of the Skeptical Inquirer (March/April 2006) features an article titled “Hoaxers, Hackers, and Policymakers: How Junk Science Persuaded the FBI to Divert Terrorism Funding to Fight Hackers” by Carolyn Meinel. The descriptive text on the first page (between the article title, subtitle, and author’s name) says “Hoaxers warned of an imminent and deadly electronic Pearl Harbor. Consequently, the FBI diverted resources and attention away from terrorism and toward fighting hackers. This may have contributed to the September 11, 2001, attacks. Use of critical inquiry and the scientific method could have avoided this misdirection.” While most of the article appears to me to be accurate and its conclusion about treating claims from self-proclaimed computer security experts with scrutiny is sound, the article itself contains unsubstantiated arguments (in particular the arguments of the title and subheading) and comes from a self-proclaimed hacking expert of questionable credibility.

Meinel’s article is in three sections–an introductory section about the title, a section about specific claims made by two hackers, and a section on “critical analysis of e-terrorism.” I find little to criticize in the latter two sections, except for its implication that Peter Neumann’s testimony before Congress was unfounded (Neumann is a highly respected expert on computer risks, the editor of the RISKS Digest, and author of the book Computer-Related Risks, 1995, The ACM Press).

Meinel begins by describing Fred J. Villella bringing hackers “Dr. Mudge” (Peiter Zatko, though Meinel never mentions his name) and “Se7en” (“Christian Valor”, who was indeed exposed as a chronic fabricator as Meinel claims in the second part of her article) to meetings of federal policymakers where they warned of “a looming electronic Pearl Harbor.” The most notable such meeting was testimony before the Senate Governmental Affairs Committee on May 19, 1998, where the above-mentioned Neumann testimony took place, and where Mudge testified that he could make the Internet unusable with less than thirty minutes of effort. Meinel argues that this testimony “may have contributed to an entrapment scheme” by the FBI against hacker “Chameleon” (Marc Maiffret, now “Chief Hacking Officer” of eEye Digital Security) as a way to show that “hackers were actually collaborating with enemies of the U.S.” But she provides no evidence of a connection between the testimony and the action. She falsely states that “books (Penenberg 2000; Mitnick 2005) hyped the raid [on Maiffret] to say that hackers were in league with al Qaeda.” Neither of these two books says that.

Adam Penenberg, in his book Spooked: Espionage in Corporate America (with Marc Barry, 2001, Perseus Books), writes that “Hackers are always on red alert for the FBI. In fact, when Maiffret was contacted over the Internet by the alleged terrorist Khalid Ibrahim, a member of Harkat-ul-Ansar, a militant Indian separatist group on the State Department’s list of the thirty most dangerous terrorist organizations in the world, he assumed Ibrahim worked for the feds.” Kevin Mitnick, in his book The Art of Intrusion (2005, Wiley, pp. 32-34), raises the possibility that Khalid Ibrahim was part of an FBI operation, but questions it on the ground that only Maiffret received any money from him. On the other hand, he points out that Maiffret told Wired News “he had not provided any government network maps” and wonders why, despite his confession to accepting money from a terrorist-connected individual (Mitnick writes “foreign terrorist”), no charges were ever filed. Then, he writes “Perhaps the check wasn’t from Khalid after all, but from the FBI.” (As an aside, Mitnick’s book states that few know the true identity of “Chameleon,” but Penenberg’s book had already published his identity in 2000.) Perhaps Maiffret avoided prosecution by agreeing to work with the FBI, as other hackers have done (such as Justin Tanner Petersen, “Agent Steal,” whose story is partly told in Jonathan Littman’s The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen, 1997, Little, Brown).

The specific argument of the title and subheading–that the testimony of these hackers led to a diversion of funding that may have contributed to the success of the 9/11 terrorist attacks–is stated in a single paragraph in the second column of the first page of the article (p. 32). In that paragraph, Meinel states that cyberspace czar Richard Clarke’s formation of the National Infrastructure Protection Center (NIPC) diverted funding increases “earmarked against terrorism to hire FBI agents for the hacker beat.” This diversion of funds led to only $4.9 million spent by NIPC on counterterrorism, and it therefore lacked the resources to follow up on Phoenix FBI agent Ken Williams’ warning about al Qaeda members training at U.S. flight schools. This argument assumes that NIPC, rather than the FBI’s counterterrorism unit, is the organization which should have followed up on Williams’ memo.

It also overlooks the role of the FBI’s incredibly antiquated computer systems, which technophobe FBI Director Louis Freeh had refused to take steps to upgrade (with Congress withholding $60 million in funding for FBI’s IT infrastructure between 1998 and 2000 because of its failure to produce a credible upgrade plan). Not until July 2000, when Freeh appointed Bob Dies to begin work on an overhaul, did Freeh address the issue. The result was that the FBI had 42 separate database systems that could not be searched simultaneously and many agents had computers that did not work or could not display images or connect to the Internet. Many agents used home computers in order to receive email photo images of suspects from local police departments. (See the “Missing Documents” chapter of Ronald Kessler’s The Bureau: The Secret History of the FBI, 2002, St. Martin’s Press. Similar observations are made in the “9/11” chapter of James Bovard’s The Bush Betrayal, 2004, Palgrave Macmillan. Bovard cites (p. 27) a Los Angeles Times story that reports the FBI diverting $60 million in funds earmarked for IT upgrades in the year 2000 to be used for staffing and international offices. The fact that the dollar figure is the same in Bovard and Kessler may indicate that Bovard is misdescribing the same $60 million Kessler mentions.) By contrast, NIPC’s entire budget (PDF) was under $20 million per year through 2000, and Bush requested a budget of $20.4 million for NIPC in 2001. (This is not to say that NIPC was effectively using what funds it had–it wasn’t. But Meinel’s complaint that only $4.9 million of NIPC’s budget was spent on counterterrorism should be put in context–that was a quarter or more of its annual budget.) These IT failings and the other failures reported in the 9/11 Commission Report and elsewhere strike me as more plausible reasons for the U.S. government’s failure to avert the 9/11 attacks than trying to pin it on the hackers who testified before Congress in 1998 about the dangers of cyber attacks.

Ironically, in October 2001 an article arguing that the Code Red worm demonstrates that there really are significant risks of Internet-based attacks on U.S. infrastructure (“They would be far worse than not being able to make bids on eBay–potentially affecting product manufacturing and deliveries, bank transactions, telephony and more. Should it occur five years from now, the results could be a lot more severe.”) appeared in Scientific American. The author of this article, “Code Red for the Web,” was Carolyn Meinel.

It’s more surprising to me that Skeptical Inquirer published an article by Carolyn Meinel at all. Meinel’s author description printed in SI states: ...

February 20, 2006 · 12 min

The Security Catalyst podcast

I recommend Michael Santarcangelo’s “Security Catalyst” podcasts, which can be subscribed to at no charge via iTunes or Yahoo Podcasts. He’s got additional information and links related to the shows at the Security Catalyst website. Michael, who I met a few years back through a consulting engagement that was a “death-march project,” is a sharp, witty, and well-spoken advocate of and educator for good computer security.

February 18, 2006 · 1 min

Database error causes unbalanced budget

Bruce Schneier reports on how a house in Valparaiso, Indiana was incorrectly valued at $400 million due to a single-keystroke error by an “outside user” of Porter County’s appraisal records. This incorrect valuation led to an expectation of $8 million in property taxes due from that homeowner, which led to an erroneous increase of budgets and even distribution of funds. Now the Porter County Treasurer has had to ask 18 governmental units to return funds–the city of Valparaiso and Valparaiso Community School Corp. have been asked to return $2.7 million, which will leave the school system with a $200,000 budget shortfall. The number of errors here is huge–first of all, an external user shouldn’t have access to change budget data at all, let alone by a typo which caused the user to invoke “an assessment program written in 1995” which “is no longer in use, and technology officials did not know it could be accessed.” Second, there should have been checks on the data to identify anomalies like a house suddenly jumping in value to $400 million. Third, there should have been checks on the accuracy of budget numbers before the disbursement of funds. And I’m sure I’m only scratching the surface–it sounds like they’ve got some serious IT infrastructure issues.

February 17, 2006 · 1 min

Geddes on net neutrality

Martin Geddes has a nice commentary on the vagueness of “net neutrality” and its implications (I previously commented on the subject here). He divides net neutrality advocates into bottoms, middles, and tops (based on layers, not giving vs. receiving). “Bottomistas” want neutrality on offered underlying protocols and aren’t happy just getting IPv4 (or just IPv6), and at the extreme would want a choice between ATM, Ethernet, their own Layer 2 protocol. The “middlemen” distinguish “raw IP” (which backbones carry, or perhaps which ISPs use internally) from “retail IP” (what the end user customer gets), and endorse neutrality on the latter. The “top” are comfortable with the kind of filtering done by many retail ISPs (e.g., port 25 filtering), but oppose filtering directed at particular service providers or applications.

Geddes argues that the Internet isn’t really a thing, but a set of agreements between different entities that are each doing their own thing with their own property–and that “Internet Governance” itself doesn’t make much sense outside of IP address allocation and routing. He raises a host of interesting questions, like:

“Is neutrality a wholesale or a retail problem? What if the access infrastructure owner offers ‘neutral’ IP connectivity, but no retail provider chooses to pass that on directly to the public without layering on some filtering and price discrimination?”

and

“Oh, and what’s so special about the Internet? Do other IP-based networks need neutrality principles? Do any networks? Should more network industries be forced to forego ‘winner takes all’ rewards? Google looks awfully dominant at adverts, doesn’t it… I wonder if that ad network needs a bit of ‘neutrality’?”

These are the sorts of issues that need to be considered in formulating any kind of “net neutrality” that can actually be put into a statute or regulatory framework, and it doesn’t seem likely to me that it will be easy to come up with one that has broad appeal and doesn’t trample on private contract and property rights. I think Geddes may be right when he says neutrality is “an output, not an input.” His post is well worth reading, as is the commentary from Brett Watson.

UPDATE: Geddes has more at Telepocalypse.

February 14, 2006 · 2 min

UK Terrorism Bill appears to impact ISPs

A “Terrorism” bill in UK Parliament, as amended in the House of Lords on January 25, 2006, looks like it could have considerable impact on ISPs. The first section of the bill, titled “Encouragement of terrorism,” makes it a crime to publish a statement or cause another to publish a statement with the intended effect (or with recklessness to the possibility of such an effect) of directly or indirectly encouraging members of the public “to commit, prepare or instigate acts of terrorism or Convention offences.” “Indirect encouragement” means “the making of a statement describing terrorism in such a way that the listener would infer that he should emulate it.”

The second section of the bill, titled “Dissemination of terrorist publications,” is more problematic. It makes it a crime to disseminate terrorist publications “with the intention of directly or indirectly encouraging or inducing the commission, preparation or instigation of acts of terrorism, or of providing information with a view to its use in the commission or preparation of such acts” (or with recklessness to the possibility of such an effect). The definition of “dissemination of terrorist publications” is extremely broad, and includes those who “provide a service to others that enables them to obtain, read, listen to, or look at such a publication, or to acquire it by means of a gift, sale, or loan” and anyone who “transmits the content of such a publication electronically” or “has such a publication in possession with a view to its becoming the subject of conduct” falling within any of the preceding sections (including transmission). This means that mere possession of such material isn’t a crime, but possession with intent to transmit (e.g., hosting or having it in a location shared via P2P) is a crime, as is the transmission itself (if done with intent or recklessness).

The proposed statute provides that someone accused of this crime has an affirmative defense by showing that the material does not express their views and did not have their endorsement and that it was “clear, in all circumstances of the conduct” that those two conditions were met–except in the case of a notification from a constable in section 3 (which applies sections 1 and 2 to “Internet activity”). This notification provision is similar in many respects to the Digital Millennium Copyright Act (DMCA) in the United States–if a constable provides notification to a “relevant person” that he is hosting “terrorist publications,” that person has two working days to take down the material, or else it is then deemed to have endorsed the publication (unless they have a “reasonable excuse” for their failure to take it down). Unlike the DMCA, there is no counter-notice provision.

The section about Internet activity doesn’t define how the constable determines who to notify, or who is responsible for material located downstream of an ISP. If providers are responsible for anything downstream, then this could force an upstream provider to blackhole a server IP that provides many websites to many customers because of illicit content provided by one person. It’s also not clear whether a provider could be held responsible for material that it transmits but does not host–in which case this would force ISPs operating in the UK into acting as managed content filtering service providers for the UK government any time a constable designates online material as a “terrorist publication.” The offense carries a maximum prison sentence of seven years. ...

February 14, 2006 · 4 min

Arizona porn spamming proxy abusers busted

The Federal Trade Commission today unsealed and announced its action in the U.S. District Court in Arizona against William Dugger (a/k/a Billy Johnson, d/b/a Net Everyone) of Hawaii (with a business address in Phoenix), Angelina Johnson (d/b/a Net Everyone) of Hawaii and/or Phoenix, and John Vitale (d/b/a Net Everyone) of Phoenix for sending CAN-SPAM-violating porn spam using compromised systems of uninvolved third parties. The Temporary Restraining Order announced today freezes their assets and requires their ISPs to disconnect all of their equipment from the Internet and deny them any access to it.

January 31, 2006 · 1 min

New Internet consumer protection tool--SiteAdvisor.com

I’ve been using the Firefox plugin from SiteAdvisor.com for a few days, and I think it’s a great idea. They’ve searched the web, downloaded content, and submitted unique email addresses on signup forms everywhere they find them, to see what happens. They then rate each site for malicious content and the extent to which it generates spam in response to a signup. This database is then used by their browser plugin to display icons next to Google and Yahoo search results indicating whether that site is green, yellow, or red regarding the type of content downloaded, the amount of email you can expect to receive from signing up at the site, and whether it links to other sites that are problematic. Their privacy policy is good–they don’t keep a record of who goes to what site. One feature I’d like to see them add is the ability to not make queries for certain domains (such as Intranet web pages–their current design allows them to map out internal corporate web structures which they should not be able to get). Their advisory board includes Avi Rubin, a well-known security researcher at Johns Hopkins University (and formerly at AT&T) who has done significant work on e-voting security, and Ben Edelman, formerly of Harvard Law School’s Berkman Center for Internet & Society, who is well-known for his research on Internet subjects such as domain name usage and China’s web filtering, as well as his lawsuit against web filtering company N2H2 to defend his right to research its blocking list. SiteAdvisor has a blog, too (though as of this moment it doesn’t have a valid RSS feed, according to Thunderbird). ...

January 26, 2006 · 2 min

Arizona Sen. Jon Kyl is a spammer

As readers of this blog know, I’m no supporter of George W. Bush. I’ve never contributed funds or worked to support the campaign of a Republican. Yet I received this spam email from Jon Kyl, who is apparently concerned about competition from Arizona Democratic Party chairman Jim Pederson in the next election. It’s also interesting that Kyl’s jonkyl.com website is hosted in Canada, and his campaign webservers are hosted in New Jersey. Way to support your home state, Senator.

From: “Senator Jon Kyl” [email protected]
Date: Thu, 19 Jan 2006 23:57:14 -0500
Subject: I invite you to join my team…

Today I am writing you for two reasons. One is to say thank you for your past support of President Bush and a second is to ask for your help. I am not asking for money. I am simply asking for your time and energy in helping my reelection campaign.

First, thank you for your help in the 2004 election. Because of your hard work, we had a huge victory in Arizona. One of the key elements of victory was the organized force of Bush Volunteers who registered voters, made phone calls, walked neighborhoods, placed signs and bumper stickers, and helped get out the vote. It was a record setting year, and you were part of that team.

Second, I want to ask for your help. As you may know, I am running for reelection to the U.S. Senate. My opponent is the former Chairman of the Arizona Democrat Party, Jim Pederson. He has personally bankrolled the Democrats’ efforts, including against President Bush, to date he has spent over $5 million on Democrats and their causes. He is a supporter of Howard Dean and Ted Kennedy and was a leader in John Kerry’s failed presidential campaign. Not surprisingly, John Kerry now is Pederson’s biggest contributor.

That is why I need your help. Television and radio alone will not win this election. In order to be successful, we will need to replicate the Bush Volunteer program to run our grass roots campaign. We are currently recruiting volunteers from across Arizona to join our campaign as Kyl Captains. As a Kyl Captain you will be integral in our network of individuals who are willing to help on the campaign. Whether you prefer registering voters, working the phones, or just talking with your friends and neighbors, you will be a critical component of my campaign.

Because Jim Pederson will spend what it takes on television, it is very important to have a strong and active Arizona Team on the ground, registering and getting voters to the polls. I am convinced it is the key to victory in November 2006.

Please take a moment and visit www.jonkyl.com and sign up as a Kyl Captain. Your personal commitment to this campaign will make all the difference.

It has been the greatest honor of my life to represent the people of Arizona in the United States Senate. With your help I hope to continue that public service.

Again, thank you for your past work on behalf of the President and I look forward to working together in the future.

Sincerely,
Jon Kyl
U.S. Senator

P.S. If you have any questions, please feel free to call my office at (602) 840-0306 or visit: www.jonkyl.com

P.O. Box 10246 :: Phoenix, AZ 85064 :: [email protected]
Paid for by Jon Kyl for U.S. Senate/[email protected] ...

January 20, 2006 · 4 min

Wind-powered walking machines

The Animaris Rhinoceros Transport is a type of animal with a steel skeleton and a polyester skin. It looks as if there is a thick layer of sand coating the animal. It weighs 2. tons, but can be set into motion by one person. It stands 4.70 meters tall. Because of its height it catches enough wind to start moving. MPEG video here. (From Jamie Zawinski’s blog.)

January 15, 2006 · 1 min

Los Angeles traffic at night-time

Grass Collective makes “moving art” which includes a DVD of Los Angeles traffic at nighttime. It’s pretty hypnotic. (Hat tip to BLDGBLOG.)

Historical Comments

Einzige (2006-12-09): Would that Google Earth looked that cool! :)

January 11, 2006 · 1 min