Truth About Computer Security Hysteria
Correction: Internet to die on the real millenniumRob Rosenberger, Vmyths co-founder
Friday, 8 December 2000 I'D LIKE TO announce a small correction. The Internet will die on the eve of the real millennium. Those who predicted it would die last New Year's Eve stand humbly corrected.
Eric Hemmendinger, a security analyst at Aberdeen Group in Boston, says the agency's alert should be taken seriously because it comes from the government, not from security firms or antivirus software vendors warning of the end of the world as we know it. "What might be a little bit unusual about this is not what the warning is, but where it's coming from," Hemmendinger says. "When the federal government wakes up to a problem, they're usually not the first ones [to see it]. That means it's worth paying attention to.""Worth paying attention to"? Hemmendinger needs a reality check. We're talking about FBI NIPC, the jet-setting fearmongers who (I am not making this up) claimed every country beginning with the letter "I" would attack us last New Year's Eve. Uh, then again, perhaps I spoke too soon. A modem user tried to launch a Smurf attack against my T1 router as I composed this editorial. My firewall hardware stopped the attack, but good grief! NostradamISS and FBI NIPC were right all along! Yes, ladies and gentlemen, the Internet will be taken over on the millennium — "conquered," if you will — by a master race of 14yr-old hacker wannabees. It's difficult to tell from this vantage point whether they will destroy or merely enslave our PCs. One thing is for certain, there is no stopping them; the hackers will soon be here. And I, for one, welcome our new teenage overlords. I'd like to remind them that as a trusted website personality, I can be helpful in rounding up others to toil in their underground chat rooms. [Credit where due: I stole the previous paragraph from a Simpsons episode.]
YOUR LOCAL FBI office does not want to hear about generic hacking incidents. Seriously — I urge you to ignore NIPC's advice. Don't waste the valuable time of your nearest G-man. Your hacking incident must affect the stock market before the FBI cares about it. Waste NIPC's time if you wish, but leave the local guys alone. "Okay Rob," you retort. "Out with it. You must have a reason for saying this." Yes, I do. I drove to St. Louis this week and interviewed a retail business owner (name withheld) whose server recently got hacked. The culprit locked out an administrator account and disabled some applications so he could install an IRC daemon. A consultant figured out the obvious when he arrived on-site to learn why the server didn't work correctly. He (1) turned off the box, (2) ripped out its only hard drive, (3) told the owner to take it to the local FBI office as evidence, (4) installed another hard drive, and (5) got the server back up & running. The retail businessman followed NIPC's advice to the letter. "Okay, sure, I thought they'd put our drive in a desk drawer and that'd be the end of it" ... but he honestly expected an agent would go through the motions of taking a report. No such luck. The local FBI office told him they wanted absolutely nothing to do with it. "I told them it cost us money and it affected our commerce," the businessman said, but it didn't help. No criminal reports, no evidence collection, no nothing. Take it to the state/local police or simply reuse the hard drive, the feds told him. Just don't expect anything from the FBI. I met the businessman on a Monday afternoon, so I could've easily driven to the nearby FBI office for a corollary interview. But I didn't. You know why?
THE BUSINESSMAN I interviewed did find a sympathetic ear — at the office of his insurance carrier. They'll reimburse him for consultant fees and tangible lost commerce. "As far as they're concerned," he said, "it's just exactly like someone took a [baseball] bat to our server." This guy's storefront does very little "e-commerce," but he does need a server with Internet access to conduct most of his business. He made a savvy decision when he insured it. Enough said. Now if you'll excuse me, I need to prepare for tomorrow's face-to-face meeting with my local FBI office...