Jul 30 2009

Black Hat & DEFCON panelists: “Michelle Obama is doomed!”


A bunch of hysterical computer security stories popped up on my radar in the last few days. A huge bunch. I mean really huge. {sniff} Do I smell an annual hacker conference?


I thought for sure the global economic recession would hit them in the digital pocketbooks … but, no. Untold numbers of elite hackers and government middle-managers with discretionary budgets have descended on Las Vegas to impress each other with their hilarious hijinks and their nonchalant predictions of a looming cybergeddon based on some lecturer’s byte-tacular discovery he made while toying around with a debugger after clocking out from the evening shift at Taco Bell.

You can always count on hysteria before & during a global hacker convention — especially the siamese twins known as “Black Hat” and “DEFCON.” Panelists & presenters alike go shopping every year at this time for reporters who will breathlessly pre-announce the horrifying lectures they’ll give in a nonchalant fashion to their fellow hackers and to government middle-managers whose agency budgets let them play the role of a hacker.

“C’mon, Rob. Nonchalant lectures about terrorist hacker methodologies that supposedly threaten all of the inner planets of our solar system?” Look, folks, I just expose the hysteria; I never said it makes any sense.

No doubt the House of Lords will call for the closure of all British intelligence agencies after hackers discovered a vulnerability in MI5’s public website. No doubt Congressman Edolphus Towns will demand prison for LimeWire CEO Mark Gorton over the heinous crime of marketing the P2P software that was used to leak a Google Maps route to Michelle Obama’s safe house. And I still can’t explain how security celebrities Dan Kaminsky & Kevin Mitnick escaped death when their websites got hacked.

On a sidenote — and I swear I don’t make this stuff up — the theme for this year’s Black Hat / DEFCON shindig is pasty white boys lip-syncing to African American hoodlum tone poems. In keeping with the theme, the organizers even slapped together a “Security B-Sides” conference for “speakers whose programs weren’t accepted by Black Hat.”


“A digital rave, Rob?” Exactly. But without all the underage girls so willing to strip naked and make out with each other while you watch. At a Las Vegas convention, you gotta pay for that kind of fun.

Say, you know what would be super really ironic? Waking up to hear Robin Meade say “North Korea’s elite military hacking unit remotely logged into the Hoover Dam’s SCADA controls, unleashing trillions of gallons of water that drowned one hundred of the world’s greatest hackers plus more than a thousand government middle managers attending a rap music party at a computer security conference in Las Vegas…”

Ah, but I digress.

So, anyway. You’ll understand the context of the question if your government middle manager neighbor comes home from his week-long trip to ask “did the ‘Obama Mama’ die yet?” He’s just convinced that a horrifying BIND 9 vulnerability has combined with a leaked top secret P2P file to guarantee the death of the First Lady…


Oh! I almost forgot to tell you. The top secret Google Maps route to Michelle Obama’s safe house leads to—

“Let me guess, Rob. It leads to Congressman Towns’ local hangout, right?” Exactly. Uh, I can neither confirm nor deny your belief.

Jul 12 2009

Rep. Hoaxster Hoekstra panders to Asian media


A truly amazing story in Wired reveals that “Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee, said the U.S. should conduct a ‘show of force or strength’ against North Korea for a supposed role in a round of attacks that hit numerous government and commercial websites this week.”

“A show of force?” Sure, let’s do that. Our vaunted U.S. military electron defenders can counter-attack North Korea with that horrifying new “DAOS weapon system” we’ve heard so much about. And Obama can pick John McClane to lead the counter-attack. Yeah, that’ll strike some fear in Kim Jong-il!

Asian reporters crowd around a congressman who held a press conference to demand a retaliatory DDoS military strike against North Korea for something the experts believe North Korea isn't guilty of doing... (AP photo / Susan Walsh)

Study all the faces I circled in the photo you see here. It certainly looks like Hoaxster Hoekstra held an impromptu press conference … yet the crowd is filled with Asian (!) reporters. Go figure.

Wouldn’t you like to know how many of them knew in advance this guy would drop an amazing soundbite about North Korea?

Ironically — and you know how much I love irony — the general consensus right now is that North Korea didn’t orchestrate the horrifying cyber-attack that killed millions … thousands … hundreds … dozens … zero people around the world. But hey, that didn’t stop Hoaxster Hoekstra from demanding a retaliatory military strike against a warlord nation run by a completely insane narcissist who suffered a bit of brain damage right before he showed the world how much he likes to play with nuclear weapons.

I really hate to say this, folks, but Hoaxster Hoekstra’s verbal antics might plausibly help convince North Korea to resume war with the United Nations, thus sending thousands of soldiers to their deaths on both sides of the DMZ, possibly leading all the way up to a series of nuclear tit-for-tats

—all because one federal employee unwittingly disabled a firewall. This, sadly, may be Hoaxster Hoekstra’s legacy as a civil servant of the United States. “Hurray.”

(Memo to the Associated Press copyright enforcement team: I highlighted the Asian reporters in Susan Walsh’s photograph under the “criticism” clause of the U.S. Fair Use Doctrine. Thanks for understanding.)

Feb 18 2005

An open letter to the new chairman of US-CERT


Dear Howard (may I call you Howard?),

Long time no talk. Waitaminit, when’s the last time we ever gabbed on a phone? You never call, you never write. But enough chit-chat. Let’s discuss your new chairman position at US-CERT.

An open letter to Howard Schmidt, a former White House cyberspace security advisor who returned to Washington as chairman of US-CERT

We’ll begin with the obvious. As a whole, the antivirus industry dismisses CERT/CC as a naïve little sister who gets injured every time she tries to play football with her big brothers. I don’t make this claim lightly. Worse: the antivirus industry views US-CERT as the siamese twin to CERT/CC. I myself hold neither agency in high regard due to their co-dependent relationships with some of the dead wood at DHS.

Richard Pethia’s leadership at CERT/CC certainly annoys me — but I felt a lot better about US-CERT when you got tapped for the chairmanship. I’m an unabashed fan of yours and I ain’t afraid to admit it. Call me crazy but I like you. So if you don’t mind, I’d like to advise you on three big issues you should focus on during your tenure.

First, we need another roundtable meeting to bring government computer security analysts together with the Fortune 1000 CISOs. My sources say you’ve tried to bring the corporate sector to Washington at least since mid-2004 so they can (in your own words) “articulate to the government” where they see the role of government. You’ll head in the right direction with this effort and you need to keep it up. Ignore anyone who thinks otherwise.

You’ll notice I didn’t say “conference” and I didn’t say “computer firms.” You specifically need a roundtable meeting with the Fortune 1000 CISOs. The U.S. corporate sector as a whole needs to tell the government what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they collectively need from the government. Conversely, the feds must reveal what cybersecurity missions they can do all by themselves; what they can’t do all by themselves; and what they need from the corporate sector. This explains why you need to set up a roundtable meeting rather than a conference.

And remember! You bestow true legitimacy on a meeting when you invite a true critic. Notice I didn’t say “me” and I didn’t include Vmyths. Richard Forno (InfoWarrior.org) would make an excellent choice, for example. I can name other critics if he declines.

You & I travel in some of the same circles, so let me point out a major issue for your roundtable meeting. You know many CISOs incorrectly fear the U.S. Freedom of Information Act (FOIA). A roundtable meeting may help to allay those fears. Government analysts are experts at assembling and sanitizing intelligence data. Computer security analysis is a realm best left to the intelligence community. You must make this clear to the corporate sector.

(I just hope those government cyber-analysts will someday realize their pecking order within the intelligence community. “Who needs HUMINT when you can monitor IRC chat rooms?” Bah. You don’t even want to get me started about the SQL/Slammer threat briefing you & Richard Clarke received at the White House. “This mIRC log conclusively proves a hostile nation-state ordered its über-warriors to blow up western civilization right after they finished the evening shift at Taco Bell!” Sheesh. I just hope you didn’t fall for such a shoddy intelligence briefing. Ah, but I digress…)


Second, US-CERT must continue to strive for a standard naming convention for viruses & worms. The industry’s historic lack of concern (and I do mean “lack of concern”) has reached a crucial point — not within the antivirus industry, but within the industry’s customer base. Critics want a single standard name for each virus. Customers want it, too. The U.S. government is a big antivirus customer. You gotta throw enough bucks at MITRE.org so they can get this project off the ground.

Trust me, Howard. Antivirus firms are lazy beasts. If Washington comes up with a virus naming convention, the global antivirus industry will moan & groan, but they will embrace it. And then they’ll usurp credit for it. But hey, that’s life.

Third, you need to reiterate the threat posed by our “blind trust in software firms,” as you yourself so eloquently put it. You’ve pointed out the P-Tech Software/Al Qaeda Terrorism investigation and the JECC Software/Aum Shinrikyo Terrorism investigation. This time, deep within US-CERT, you also need to point out how U.S. antivirus firms armed China for years under our very noses. Members of the antivirus industry now arm Cuba with viruses and they almost certainly arm North Korea, too. (Let’s hope your intelligence analysts already knew this.) We’d never trust some of these virus experts with the combination to a GSA safe, yet we blindly trust them to protect top secret government PCs. There’s something wrong with this picture and you know it.

Okay, now you know the three big issues you should focus on during your US-CERT tenure. Time for me to ramble incoherently for the next few paragraphs.

Amit Yoran struck me as an optimist who felt our top bureaucrats wanted to protect corporate infrastructures from suicide hackers. Neither you nor I (yet) subscribe to this view. We both realize the top bureaucrats need to nitpick over the political apparatus before they can police our corporate infrastructures. The bureaucrats lost sight of their true mission when they started fighting over turfs & budgets.

This explains why Amit Yoran resigned in frustration. He went to D.C. to guide cyber-security initiatives when in fact he should have guided the apparatus. Yoran was the wrong man for the job.

Poland’s Lech Walesa faced the same kind of problems you faced at Microsoft. Each apparatus needed someone to bring it back into focus. Granted, neither you nor Walesa got the credit you deserved for pulling the apparatus together during your tenures. But hey, you both realized what needed to be done and you did it. You were the right men for the job. This puts you above Amit Yoran.

Just remember: you’re starting over again and you’re quite a bit lower on the food chain this time around. Good luck.

So! Let’s end this on an upbeat note, Howard.

Your CERT/CC counterpart, Richard Pethia, missed Melissa’s ultimate lesson in 1999. The antivirus industry dismisses him as a myopic figurehead — but they don’t dismiss you so far as I know. To be specific, you helmed Microsoft’s security teams at the turbulent beginning of real change. More to the point, I know for a fact your teams recognized Melissa’s ultimate lesson the day it struck. Just be sure to get your virus expertise from real virus experts. (And I don’t mean myself.)

That’s it for me. Hope you enjoyed the holidays. Your unabashed fan, Rob.