Vmyths.com



Truth about computer security hysteria


First let's kill all the virus writers

Rob Rosenberger, Vmyths co-founder
Friday, 15 January 1999

CNN REPRINTED A Network World "Corporate Vigilante Survey" penned by information warfare expert Winn Schwartau. Let me quote the most painful part of the survey:
Lou Cipher (a pseudonym of his choice) is a senior security manager at one of the country's largest financial institutions. "There's not a chance in hell of us going to law enforcement with a hacker incident," he says. "They can't be trusted to do anything about it, so it's up to us to protect ourselves." Cipher's firm has taken self-protection to the extreme. "We have the right to self-help — and yes, it's vigilantism," he says. "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves." Cipher says his group has management approval to do "whatever it takes" to protect his firm's corporate network and its assets. "We have actually gotten on a plane and visited the physical location where the attacks began. We've broken in, stolen the computers and left a note: 'See how it feels?' " On one occasion, he says: "We had to resort to baseball bats. That's what these punks will understand. Then word gets around, and we're left alone. That's all we want, to be left alone."
No wonder this guy doesn't want the police to get involved!

Network World and infowar.com each highlighted Lou Cipher (pronounced "Lucifer") in press releases touting the survey. Schwartau claims the guy presented himself to skeptical Network World editors; we must assume he told them of the felonies he committed with the full backing of his superiors. We also must assume a CNN editor looked at blood-encrusted Louisville Sluggers before accepting Schwartau's survey.

Let's recap: CNN's website claims an anonymous financial institution hired faceless thugs who flew to an undisclosed location so they could break into an unnamed facility to steal computers in retaliation for an undescribed hacking incident. Thugs for the same company once assaulted a hacker with baseball bats. Will this financial institution resort to murder if an employee gets caught writing computer viruses on company time?

NOW LET'S TACKLE the survey itself. I participated in it — mostly because I found so many things wrong with the questions. I quote Winn's survey & my answers verbatim:
  1. Recently the Pentagon responded to a series of hacker attacks by striking back at them with software which disabled the attackers’ browsers. Is this a good thing? Should they have done it? What was the alternative?
    It saddens me to think the Pentagon wastes its time playing games with 14yr-old wannabees who launch trivial denial-of-service attacks. It gives official government credence to the actions of those 14yr-old wannabees — who love to brag about how their government labels them a national security threat.
  2. Should companies respond to hacker attacks by attacking the hackers back? Why?
    See answer #1. Besides: too much chance of deep-pocket litigation here in the U.S.
  3. Is a single "Ping" an attack?
    It begs the question that someone actually logs the details of a single ping.
  4. Is a port scan an attack?
    Spies do not launch "attacks." They conduct "reconnaissance."
    I hope someone at CNN comes forward to say "I know where Lou Cipher works and I believe he committed felonies with the full backing of his superiors at one of the largest financial institutions in America."
  5. When does a subtle "mapping" of your networks become an attack?
    See answer #4.
  6. If an attack comes from outside the USA, should a company respond with offensive software?
    I infer you mean "immediate response" as opposed to "judged response." It doesn't matter if an attack comes from inside or outside the USA — an immediate offensive response might actually take out an innocent straw computer, itself the victim of an intermediary hack, possibly used in an attempt to hack through your own system on the way to an even larger ultimate target/goal. Of course, a Distributed Coordinated Attack would theoretically come from locations all around the world. Would you immediately respond by attacking every participating computer, whether or not the system user recognized his/her participation in the DCA? Even more important, do you and your upstream providers possess enough bandwidth/computing power so you can launch a simultaneous attack against every participating computer? Speaking of your upstream providers, how would they interpret your counter-attack? Would they interfere with your efforts to wreak immediate vengeance?
  7. Do you agree that responding with offensive software is the electronic equivalent of removing a weapon from an attacker in the physical world?
    I can visualize the defensive removal of an attacker's objective — upgrade an exploitable program on the victim computer, for example. But how would you offensively remove a weapon from a cyber attacker? You can't just call AOL to get his account terminated, you know.
  8. Where is the line to be drawn as to when a person or a company has the right to strike back at an attacker?
    It begs the question that you can draw such a line in the first place.
  9. The US govt. is developing offensive software. When and where should it be used?
    "The US govt. is developing bombs. When and where should they be used?" To which I must ask, what type of bombs? Neutron bombs? Thermonuclear bombs? EMP bombs? Radar-seeking smart bombs? 9kton bunker busters? Traditional 500# cluster bombs? Napalm bombs? .... What type of offensive software is the U.S. gov't developing?
  10. Several non-US companies have said they will strike back at US locations if they identify the attack as from here. Should they be able to do this? Why? How should we respond in kind?
    Boycott them. Sue them. Set up a web page to expose their stupidity. Add their domain to Cyber-Sitter and Net-Nanny and spam-filter software. Notify the media about the company's antics.
  11. One financial institution has said it will "use every means at our disposal to protect our assets." They have built strike-back offensive capabilities. Does your company use such techniques? Would you be willing to? What event would send you over the edge to adapt this position?
    I hope I don't bank with them — I'd hate for a bunch of 14yr-old wannabees to gang up with trivial denial-of-service attacks, to which they respond by hacking into a dozen ISPs, wiping out hundreds of legitimate business websites for several days, thereby generating a class-action suit against the financial institution for indiscriminately destroying livelihoods.
  12. Is a physical response to an electronic attack appropriate? Why?
    A Muslim fanatic[1] sips on coffee and smokes a cigarette at the Prinzes Dai cyber cafe on the sovereign island of Niue while breaking into the Tennessee Valley Authority dam control server. He opens the floodgates, ultimately costing seven lives and $200M. He then boards a cruise liner bound for the sovereign island of Tonga. Should we launch a land, air, or sea assault against the cyber cafe? Should Marines forcefully board the cruise liner in international waters? Perhaps sniper the Muslim as he steps off the ship in Tonga?
  13. If you found yourself the victim of a retribution attack, what would you do about it?
    See answer #10.
  14. Should child porn sites be "fair game" for on-line assaults? Why?
    We can't even get people to agree on a definition for the noun "pornography." How do you expect folks to agree on the use of "child" as an adjective?
  15. What other sites might be OK to attack?
    It begs the question that some sites are OK to attack in the first place.
One final piece of advice to Lou Cipher — never use baseball bats in a gunfight.