Sunday, February 19, 2006

Controversial hacker publishes cover story in Skeptical Inquirer

The latest issue of the Skeptical Inquirer (March/April 2006) features an article titled "Hoaxers, Hackers, and Policymakers: How Junk Science Persuaded the FBI to Divert Terrorism Funding to Fight Hackers" by Carolyn Meinel. The descriptive text on the first page (between the article title, subtitle, and author's name) says "Hoaxers warned of an imminent and deadly electronic Pearl Harbor. Consequently, the FBI diverted resources and attention away from terrorism and toward fighting hackers. This may have contributed to the September 11, 2001, attacks. Use of critical inquiry and the scientific method could have avoided this misdirection."

While most of the article appears to me to be accurate and its conclusion about treating claims from self-proclaimed computer security experts with scrutiny is sound, the article itself contains unsubstantiated arguments (in particular the arguments of the title and subheading) and comes from a self-proclaimed hacking expert of questionable credibility.

Meinel's article is in three sections--an introductory section about the title, a section about specific claims made by two hackers, and a section on "critical analysis of e-terrorism." I find little to criticize in the latter two sections, except for its implication that Peter Neumann's testimony before Congress was unfounded (Neumann is a highly respected expert on computer risks, the editor of the RISKS Digest, and author of the book Computer-Related Risks, 1995, The ACM Press).

Meinel begins by describing Fred J. Villella bringing hackers "Dr. Mudge" (Pieter Zatko, though Meinel never mentions his name) and "Se7en" ("Christian Valor", who was indeed exposed as a chronic fabricator as Meinel claims in the second part of her article) to meetings of federal policymakers where they warned of "a looming electronic Pearl Harbor." The most notable such meeting was testimony before the Senate Governmental Affairs Committee on May 19, 1998, where the above-mentioned Neumann testimony took place, and where Mudge testified that he could make the Internet unusable with less than thirty minutes of effort.

Meinel argues that this testimony "may have contributed to an entrapment scheme" by the FBI against hacker "Chameleon" (Marc Maiffret, now "Chief Hacking Officer" of eEye Digital Security) as a way to show that "hackers were actually collaborating with enemies of the U.S." But she provides no evidence of a connection between the testimony and the action.

She falsely states that "books (Penenberg 2000; Mitnick 2005) hyped the raid [on Maiffret] to say that hackers were in league with al Qaeda." Neither of these two books says that. Adam Penenberg, in his book Spooked: Espionage in Corporate America (with Marc Barry, 2001, Perseus Books), writes that "Hackers are always on red alert for the FBI. In fact, when Maiffret was contacted over the Internet by the alleged terrorist Khalid Ibrahim, a member of Harkat-ul-Ansar, a militant Indian separatist group on the State Department's list of the thirty most dangerous terrorist organizations in the world, he assumed Ibrahim worked for the feds." Kevin Mitnick, in his book The Art of Intrusion (2005, Wiley, pp. 32-34), raises the possibility that Khalid Ibrahim was part of an FBI operation, but questions it on the ground that only Maiffret received any money from him. On the other hand, he points out that Maiffret told Wired News "he had not provided any government network maps" and wonders why, despite his confession to accepting money from an terrorist-connected individual (Mitnick writes "foreign terrorist"), no charges were ever filed. Then, he writes "Perhaps the check wasn't from Khalid after all, but from the FBI." (As an aside, Mitnick's book states that few know the true identity of "Chameleon," but Penenberg's book had already published his identity in 2000.) Perhaps Maiffret avoided prosecution by agreeing to work with the FBI, as other hackers have done (such as Justin Tanner Petersen, "Agent Steal," whose story is partly told in Jonathan Littman's The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen, 1997, Little, Brown).

The specific argument of the title and subheading--that the testimony of these hackers led to a diversion of funding that may have contributed to the success of the 9/11 terrorist attacks--is stated in a single paragraph in the second column of the first page of the article (p. 32). In that paragraph, Meinel states that cyberspace czar Richard Clarke's formation of the National Infrastructure Protection Center (NIPC) diverted funding increases "earmarked against terrorism to hire FBI agents for the hacker beat." This diversion of funds led to only $4.9 million spent by NIPC on counterterrorism, and it therefore lacked the resources to follow up on Phoenix FBI agent Ken Williams' warning about al Qaeda members training at U.S. flight schools.

This argument assumes that NIPC, rather than the FBI's counterterrorism unit, is the organization which should have followed up on Williams' memo. It also overlooks the role of the FBI's incredibly antiquated computer systems, which technophobe FBI Director Louis Freeh had refused to take steps to upgrade (with Congress withholding $60 million in funding for FBI's IT infrastructure between 1998 and 2000 because of its failure to produce a credible upgrade plan). Not until July 2000, when Freeh appointed Bob Dies to begin work on an overhaul, did Freeh address the issue. The result was that the FBI had 42 separate database systems that could not be searched simultaneously and many agents had computers that did not work or could not display images or connect to the Internet. Many agents used home computers in order to receive email photo images of suspects from local police departments. (See the "Missing Documents" chapter of Ronald Kessler's The Bureau: The Secret History of the FBI, 2002, St. Martin's Press. Similar observations are made in the "9/11" chapter of James Bovard's The Bush Betrayal, 2004, Palgrave Macmillan. Bovard cites (p. 27) a Los Angeles Times story that reports the FBI diverting $60 million in funds earmarked for IT upgrades in the year 2000 to be used for staffing and international offices. The fact that the dollar figure is the same in Bovard and Kessler may indicate that Bovard is misdescribing the same $60 million Kessler mentions.) By contrast, NIPC's entire budget (PDF) was under $20 million per year through 2000, and Bush requested a budget of $20.4 million for NIPC in 2001. (This is not to say that NIPC was effectively using what funds it had--it wasn't. But Meinel's complaint that only $4.9 million of NIPC's budget was spent on counterterrorism should be put in context--that was a quarter or more of its annual budget.)

These IT failings and the other failures reported in the 9/11 Commission Report and elsewhere strike me as more plausible reasons for the U.S. government's failure to avert the 9/11 attacks than trying to pin it on the hackers who testified before Congress in 1998 about the dangers of cyber attacks. Ironically, in October 2001 an article arguing that the Code Red worm demonstrates that there really are significant risks of Internet-based attacks on U.S. infrastructure ("They would be far worse than not being able to make bids on eBay--potentially affecting product manufacturing and deliveries, bank transactions, telephony and more. Should it occur five years from now, the results could be a lot more severe.") appeared in Scientific American. The author of this article, "Code Red for the Web," was Carolyn Meinel.

It's more surprising to me that Skeptical Inquirer published an article by Carolyn Meinel at all. Meinel's author description printed in SI states:
Carolyn Meinel is a consultant and science writer. She has assisted the Defense Advanced Research Projects Agency (DARPA) with its Intrusion Detection Evaluation Program and its Cyberadversary Workshop, and consults for Systems Advisory Group Enterprises, Inc. (www.sage-inc.com), the Institute for Advanced Technology (www.iat.utexas.edu/), and the Santa Fe Institute (www.santafe.edu/). She may be reached at [email address omitted to prevent spam].
Not mentioned are Meinel's books, web pages, and hacker conference appearances to teach hacking skills or her two articles in Scientific American ("How Hackers Break In... and How They Are Caught" in October 1998 and "Code Red for the Web" in October 2001). The existence of the latter two publications no doubt lends her credibility (and may have helped persuade SI to publish this latest article), but the content of some of her hacker training works and parts of the October 1998 Scientific American article serve to diminish it. The October 2001 article seems pretty accurate to me, and was selected for publication in Matt Ridley's Best American Science Writing 2002 volume. That article, as already observed, does point out the possibility of an "electronic Pearl Harbor," so Meinel avoids self-criticism as being a contributor to 9/11 failures under her own argument only by the month-post-9/11 publication date.

Meinel has long been a controversial character in hacker circles, as can be seen by Googling her name on the web and Usenet (you can search the latter with Google Groups). She also has a degree of infamy from her former marriage to Scientology critic Keith Henson. Henson, who was successfully prosecuted for "interfering with a religion" (Scientology--in part due to an online joke he posted about using a "Cruise missile") and fled to Canada, started the L5 Society with Meinel in 1975. In their divorce proceedings, Meinel apparently made charges of child molestation against Henson which were published by Scientology front group "Religious Freedom Watch" as a way to "dead agent" Henson. Meinel, while supportive of Henson, didn't actually retract the charges, though I took her comments to suggest they were bogus. (UPDATE July 18, 2008: Henson's daughter Val has recently gone public and argues that the charges are true.)

Meinel had a long-running feud with hacker "jericho" (Brian Martin), who runs attrition.org. Martin, as it happens, was once the roommate of phony hacker "Christian Valor" ("Se7en"), but was also one of the people who exposed his fabrications. In addition to exposing other bogus security experts, his site contains a large collection of criticisms of Meinel, her behavior, and her work. Given the personal nature of many of the criticisms it is difficult to know what, if any, to take seriously, except for those which specifically address her accuracy and knowledge of hacking and network security, such as the critique of her 1998 Scientific American article, "How Hackers Break In...", by Fyodor (author of the widely used security port scanning tool, nmap). That article, which may be partly based on a hacker break-in at Meinel's ISP, Rt66 Internet (in which case "Dogberry" may be John Mocho of Rt66), contains a number of questionable statements. For example, the scenario describes the firewall of "refrigerus.com" responding to a port scan by launching an attack in response, as though this is a good form of security, and the description of the attack itself suggests that either the description is inaccurate or the attack itself is incredibly naive. The author description on "How Hackers Break In..." stated that Meinel has an "upcoming book, War in Cyberspace" that "examines Internet warfare." As of today, there appears to be no such book.

In 1998, a hacking group that called itself "Hacking for Girliez" or HFG defaced a number of websites, including that of the New York Times. Brian Martin believes he was on the list of suspects. A number of HFG defacements made reference to Meinel (which I interpret to mean that HFG had a grudge against her rather than that she was involved), and she was herself questioned by the FBI and asked to take a polygraph, which she wisely declined (given the lack of empirical support for the validity of the polygraph).

In 2001, Meinel's techbroker.com website was compromised and a piece of software placed on it. A message was sent to the Vuln-Dev mailing list under Meinel's name (apparently a forgery), claiming that the software was an exploit for a vulnerability in the wu-ftpd FTP server; but in actuality it was malware which would attempt to delete files.

Given the lack of support for the title claims in this article and the lack of Meinel's expertise in computer security, I don't think Skeptical Inquirer should have published it, at least in the form it appeared.

Meinel, it should be clear, is not an advocate of illegal hacking--she seems to be fairly emphatic about not breaking into machines unless you own them or have permission to do so. But at the same time, she seems to give a wink and a nod to those who are going to break into the machines of others and has been billed as a "walking script kiddie factory." She also seems to advocate offensive measures as a mode of defense (as described in her 1998 Scientific American article), which is not responsible computer security advocacy.

UPDATE (March 4, 2006): Today I obtained a copy of Gerald Posner's book Why America Slept (2004, Random House), which is cited by Meinel at the end of her paragraph claiming that NIPC budget diversion to cyber warfare was the cause of 9/11 failures. The concluding sentence of that paragraph reads: "Therefore, the FBI lacked the resources to follow up on an agent's warning of al Qaeda members at U.S. flight schools (Posner 2003)."

The relevant section of Posner's book is pp. 169-173. It in no way supports what Meinel has written--Posner makes no reference to NIPC in his entire book, and he enumerates several failures on the part of the FBI with respect to Ken Williams' memo--the lack of communication with the CIA, the failure of middle management of the FBI to recognize the significance of the memo, and lack of resources within the FBI: "The FBI considered the Phoenix idea [to check out the thousands of students at the flight schools] too costly and time consuming, and a few even expressed concerns that such a probe might be criticized in Congress as racial profiling."

The main thesis of Meinel's article is not supported by the facts, and she has misrepresented at least three of the sources she cites--Gerald Posner's book, Kevin Mitnick's book, and Adam Penenberg and Marc Barry's book. That's sloppy work that doesn't deserve publication.

UPDATE (February 19, 2007): I thought I had already added a link to the April 2006 discussion of Meinel's article by Jeff Nathan at the Arbor Networks blog, but I hadn't. This remedies that oversight. There's a good exchange between Nathan and Meinel in the comments.

Also, Skeptical Inquirer published my letter to the editor regarding Meinel in the July/August 2006 issue (p. 62) along with a response from Meinel.

UPDATE (August 8, 2010): James Bamford's most recent book, The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America (2008) contains more detail about intelligence screwups that, had they been prevented, might have averted all or part of the attacks of 9/11--but NIPC's budget had nothing to do with it.

1 comment:

Lippard said...

I brought my blog post to CSICOP's attention, and they requested that I submit a letter to the editor, which I've done. So there should be at least one letter to the editor in the next issue or two.