The Unending Cyber War
The AGS Computer Security Handbook
  • Tutorial
  • Essays
  • Information Communication Technology
  • Cyber War Stories
  • Tools, Methods, Products


  • Request Your Personal Review Copy


    Share Your CyberStory
    (even anonymously)!













    [ HOME ]

    Tell me more about AGS Security Partnership

    Cyber War Stories

    a Peek into the 'Unending Cyber War' book, now distributed for professional review.

    Request Your Personal Review Copy


    This section tells security stories. Tales of victory and defeat, depiction of the reality of security in the trenches. Some entries tell the corporate story, other the individual malaise. There is always a good guy and a bad guy, and the more persistent, more imaginative, wins. In the smoke and mirror reality of tales, denials, diversions, and deterrence that is so much part and parcel of security in general, and computer security in particular, it's hard to winnow the truth from the fantasy, the facts from the gossip, the events from their perception; all the same for the student of the subject. Every story is thought provoking, every tale a warning.

    In class and training I often use these and other stories as a discussion platform: what would you do? The more one challenges himself or herself with computer security case studies, the more one is ready when the challenge is real.

  • 1. A romantic setback and a blooming career that went south
  • 2. Low Tech beats High-Tech
  • 3. Luck Beats Smarts (and so it goes)
  • 4. Harmful Intent Turned Corporate Salvation.
  • 5. A generous employer and a swindler at large
  • 6. A Friend in need, a hack indeed
  • 7. Inner City Male Teachers
  • 8. It Was the Admiral's Fault... Sort of




  • A Romantic Setback and a Blooming Career That Went South

    Brian Treemart was highly regarded in the bank. Knowledgeable, well tempered, meticulous, and fair. "Judicial" was scribbled on his personal evaluation form. In his upper forties, never married -- but it did not seem to bother him -- Brian was all work and dedication. The man you could count on. He was not the smartest bulb in the room, but no one considered him dumb. That would change in a jiffy, and here is the story.

    Chloe was Mr. Goodcount's secretary, and in that office she was in daily contact with Vice President Brian who was Mr. Goodcount's boss. It all started on a Sunday night when Brian and Chloe found themselves alone in the office. The feverish preparation for Monday's grand opening were almost done, everyone left except the two of them. Chloe lived quite far from the office, and so she accepted Brian's lame invitation to pass the night at his apartment. Brian had no improper thoughts, and diligently set up his guest room for Chloe. Alas she was gameful, and masterly seduced the old bachelor. The bank had a strong policy against office romance, and so the two who became steady secret lovers practiced well minded discretion. Later on Brian would wonder: was it love, or trivial tenderness? Was it profound, or an ordinary awakening of unsatisfied hormones? Be it as it may, the days were sweet, the flame of last and the seeds of love colored Brian's life and introduced him to a brand new experience.

    Chloe was fifteen years Brian's junior, her sentiments were quite a mystery, except for their short lived nature. Barely four months into the romance Chloe sent Brian a short email calling the whole thing off. The paradise of before became hell of afterwards. "It must have been profound love that I have entertained in my heart, otherwise that email would not have hurt so much" argued Brian to himself. At work it became clear that something is happening with normally well composed Brian Treemart. And indeed his life went upside down. Chloe shut herself totally from him, and he could not have been overt in the office. So he stalked her at home, finding her with a man, appeared older than Brian, whose walk looked familiar, but Brian could not make him out. It was Saturday night. The next morning, Brian was in the office, fiddling with his high-privilege data access card. Part of the security apparatus in the bank was brute-force exposure of emails and private communication of low level employees to vice presidents and above. Brian took the manual he never used before and step by step he opened the various data locks that preserved Chloe's privacy. By the end of that fateful Sunday he could read her mail. What he saw unglued him. Chloe was busy. Her more recent notes of scantly camouflaged intimacy were sent to Mr. Lemmer, the chief financial officer. Brian was on fire. His security privileges allowed Brian to have a copy of every email to and from Chloe to be sent to his mailbox. He activated this option.

    In the following week, Brian was going through a traumatic jolt several times a day whenever Chloe and Mr. Lemmer expressed their sexual fantasies to each other -- as Brian correctly interpreted their code-book exchange. So taken was Brian by the affairs of the heart that he never suspected that the mail routing option he activated was as a matter of course, reported to the chief data security officer, Mark Hopper.

    The commission that examined this breach of security believed Mr. Lemmer that Brian's allegations of an affair with Chloe is a regrettable smear by VP Brian Treemart. They believed Chloe that nothing was going on with Brian, or with Mr. Lemmer, and the commission further concluded that Brian Treemart abused his trust, spying on the chief financial officer for a purpose inconsistent with the duties of an officer of the bank.

    Out of a job, spending hours on a bench in the park, Brian wondered: "I was so well regarded. My word was gold. My reputation platinum. Alas, no sooner did my actions threaten the position of someone higher on the food chain, and all that life-long credit evaporated at an instant."

    Low-Tech Beats High-Tech

    The source of the following story had some four empty cans of beer in front of him when he opened his mouth, so I certainly don't vouch for the details, but then again he was not in a position to invent such an account.

    One party to this daily exchange that is the object of this situation was a strategically placed individual in a major investment bank. The other was his cousin in LA. The exchange involved lame words, and a heated discussion about painting productions the cousin planned for walls in his real estate properties. The paintings were supposed to be a reproduction of a computerized picture showing some imaginary neighborhood, roads, houses, trees, shopping centers, and other ordinary items visible in a detailed map or through air photography.

    It was the frequency of the picture exchange that alerted the security chief. He refrained from challenging the individual involved, knowing that he would meet with some stupid answer, and will lose thereby the advantage of unsuspected suspicion.

    The security officer examined the exchanged JPEG files, printed them out, and studied them carefully since he had a hunch that something in the pictures is not kosher. But he found nothing. That particular security chief came to the investment bank from the intelligence community, so pulling his contacts he got the pictures analyzed for stealth bit messages interwoven into the fabric of the JPEG file. 'We extract Eigen values from all possible matrix structures, but netted nothing" reported his contact. The chief was a bit foggy about Eigen values but he understood that nothing untoward was discovered in these daily exchange of pictures.

    Flabbergasted the security chief confronted the individual involved and got what he expected, a lame story. But it was what happened next that convinced the security chief that the pictures were hot. A day or two after the confrontation the exchange stopped. The chief returned to his intelligence friends, implored them to look again. They did and found nothing, so he had to let it go.

    It was almost two years later, the cousin, a real estate magnate, was nabbed in a sting operation on some nasty financial swindle. His lawyer bargained for a plea deal, and threw in a confession that shaved some time from his sentence at the price of implicating his inside trader partner at the investment house.

    The security chief, loaded with beer, apparently just got the story that day when he shared it with the rest of us in the corner of the bar.

    "They used the oldest trick in the book, they have been so low tech that it's unnerving." he said. The investment bank individual reported daily transactions, bids, and negotiations with respect to major clients by simply putting the logo of the client as a displayed sign at the front of the depicted shopping center. He indicated the nature of the transaction by the kind of car that he displayed (using Photoshop) in front of that sign. A Honda meant a takeover bid, a Ford meant a counter offer, etc. And the value of the deal, bid, or offering was communicated by the number of houses, and trees in the picture. A double-garage house indicated $10,000,000, an oak tree indicated $500,000, and so on. The cousin simply counted the number of different houses in the picture.

    "They used this trick in ancient Greek, for crying out loud!" exclaimed the chief, "..and we were searching for Eigen values!"

    Luck Beats Smarts (and so it goes)

    The drug ring from Columbia was hi-tec all the way. Their phones were scrambled, their emails encrypted, their hard disks instantly erasable, and their hardware first class. In fact they used government issued crypt devices, and used NIST approved ciphersystems

    That was their one mistake, according to unnamed sources, who might or might not be in the know. Their whispered assertion was: "The NSA does not approve an algorithm for civil use, if the NSA cannot crack the same. Period"

    It is a risky policy indeed. A long time ago, the story goes, a confident and daring NSA set forth the policy to find, approve and use cryptographic tools that are so hard that the enemies of the United States will be unable to crack open, but not so hard for the much superior NSA computers to match. The more advanced NSA became, the more difficult could the recommended cipher algorithms be, and the greater the chance that ciphertext so generated will be readable by their intended readers and the NSA exclusively. The policy was clearly scented with a measure of arrogance: "we are smarter than our adversaries", but what else is new?

    And so when this hi-tec drug ring aired their encrypted messages, the NSA quickly identified them in their vacuum-sweep and attended to that gibberish flow with the full might of the byte-smashers in Ft. Meade Maryland. The clear message was completely identified and tossed with a dull thud on the desk of the FBI agent in charge, softly nested in a red "top secret" envelope. But now the agent in charge faced a daunting dilemma. If they bust the drug exchange meeting they learned about in the cryptanalyzed communication, they run the risk of alerting those drug dealers that their choice of encryption is not safe. If they simply let it go uninterrupted, then what's the point of law enforcement?

    The FBI solution was as clever as the NSA math. They concocted an elaborate hush-hush story which they pushed to the street through the same informants they use to extract information, and they suggested that a key figure in the ring is a snitch, on the FBI pay role. This gossip did not catch until the FBI raided the exchange, and in the aftermath the bosses of the ring eliminated the ill-suspected snitch, giving the FBI a bonus score.

    The method worked very well for a while until a bad luck occurrence. The person fingered by the FBI induced gossip was privy to two more drug rings, neither one of them used the NIST approved communication, and so they have accomplished their routine money-drug exchange without any interference from the FBI. Defending himself, the accused snitch argued that if he were singing to the authorities, the other rings would have been busted too. The highly alert survivor types in the first ring, got their suspicion tentacles up, and it was not too long before they switched to the crude eastern ciphersystem that the NSA was still working on...

    Harmful Intent Turned Corporate Salvation, and Changed One Man For The Better.

    Fritz George (not his real name) was the obnoxious type, and he knew it. He was fired from his last job for being a-social, and harmful to the team spirit; negative towards the corporate goal. The current job was better paying, and people seemed more accommodating, but Fritz was sure he would lose his job sooner or later. The pain of being fired was still sharp and real; like a knife in his stomach. His friends teased him: being a programmer he could have done something to fight back, to deal the same pain to his pain giver, and he had done nothing. He has not even thought about it. That was then. It would be totally different this time. Almost from day one, when he became a programmer on the database team Fritz was preparing his revenge, ready for the day, he knew would come. After all, his edge-sharp cynicism, his unbound criticism, his tactless lashings, his impolite, even shameless vocal expressions were things no body liked, and very few tolerated.

    In a short time after coming on board Fritz had a copy of the corporate database at home. It included confidential information, client's transaction history and everything else that was within his reach. He hooked his large volume hard drive to the corporate server and filled it up without any reservations. Security was so lax that nobody was there to stop him. Paul Gross, the token security chief was the head of HR, and he knew nothing about hackers, and did not care. He was the ambitious type and was busy carving his way to the top spot. "We have no money to steal, no technological secret to copy. We are not on the hack-map," was his rational. He was also supposed to plan for disaster recovery, and hadn't done a thing about it.

    The days have passed, and Fritz survived. Some say he was much less obnoxious after losing one job, others say, the new company was more tolerant of his shortcomings, and more appreciative of his contribution. But be it as it may Fritz was diligently updating his home copy of the corporate database.

    And then disaster striked. a near-by facility caught fire, and flames spread to the main plant of the corporation, and before morning the computers, the servers, and hard drive were all consumed by the raging fire.

    In the morbid meeting the day afterwards it suddenly became clear to Fritz that his home copy is the only copy left of the entire corporate database. The next choice was a four months old routine backup. His was updated to the night of the fire. The HR chief, Mr. Gross, who was formally responsible for safety and security was busy divvying up the blame on everyone in sight. His panic was beyond the lost data. Paul Gross saw his life long ambition to become the CEO, going out the window. Paul Gross had natural gravitas, and an air of authority about him. All the geeks in the room, included Fritz George were thoroughly consternated. Double so for Fritz who attracted more than his fair share of condemnation.

    At home Fritz was wrestling with a dilemma that was quite heavy for his undeveloped character. If he announced his home copy, he would be identified for what he was -- a thief. If he does nothing, the company as a whole might go out of business and he would lose his job anyway. "I was supposed to inflict the pain on them after they fire me, not before!" mused Fritz. And then he thought about mailing the files anonymously, and the idea slowly took hold of him.

    It took quite a few DVDs to house the entire corporate file, and the first one also featured an Emily Dickinson poem.

    To his surprise Mr. Gross, the besieged security chief, has claimed that he himself did make a secret backup file on his own. A brazen claim from someone who could not program a speed dial number on his phone. But that's the nature of gravitas, it silences disturbing queries. No word went out about the anonymously mailed box of DVDs. Chief Gross was instantly celebrated as the hero who saved the company, and a while later he was promoted to president. Fritz was one of the first people to be fired by the new CEO. On his way out, a much finer man by now, holding his cardboard box with some personal effects, Fritz stopped by the new chief executive who fired him that morning and simply uttered Emily Dickinson's poem:

    If I can stop one heart from breaking,
    I shall not live in vain;
    If I can ease one life the aching,
    Or cool one pain,
    Or help one fainting robin
    Unto his nest again,
    I shall not live in vain.

    The shock in the face of the new president of the company was visible only by Fritz. For many days later, and hopefully for the rest of his life, he considered the experience of moral triumph as a worthy compensation for his pain on the job.

    A Generous Employer, and a Swindler At Large

    Juan Ermoso was busy laying out the vegetables in the grocery store where he worked, when a smooth thin man made conversation, by the end of which he offered Juan a job in his landscape business. Since Juan was paid just a trifle above the minimum wage, he jumped on the opportunity, and became a landscaper at the "Flowers Today" enterprise. Everything seemed to finally click for hard working Juan, but four month hence all hell broke loose.

    At half past midnight, loud knocks have shaken Juan's dilapidated small house on the poor side of town. With his wife and three children present and crying, Juan was hand-cuffed and dragged out of his house. Three days later he was driven back home. The next day he went right to the office of Alberto, his boss, and with great trepidation shared his harrowing experience. "The FBI insisted", he said, that he had opened some bank account, and transferred large sum of moneys from Mexico to London, and to some other places. They shouted and pressed him to confess. They deprived him of drink, food, and air conditioning. Juan cried, and whimpered, but did not confess. He never opened any account. It was not him.

    Alberto was easy with Juan, promised to pay his absent days in full, and gave him a consolation bonus to take his family out on the weekend. Juan was sizzling with his expressions of gratitude towards his caring employer. Alberto kept his interest, and almost daily asked about Juan's welfare. About two weeks after the shocking arrest Juan intimated to Alberto that the police visited him again, but this time were very polite and considerate. They apologized for the rough treatment, and asked him questions about Alberto. "They did?" double checked Alberto, trying to hide his sense of alarm. "Sure did!" replied Juan, barely noticing that Alberto jetted out of his office. When the police showed up in force the next morning, nobody in "Flowers Today" had any clue what was going on. Agent Gonzales was the first to spot the missing hard drive in Alberto's computer, and sighed in disappointment: "We are too late".

    Like so many similar cases, somebody in the loop could not hold back the story, and after a long zigzagging path it found itself to these pages. Alberto had done it as a matter of routine. He would offer a job to bona fide citizens with no criminal record. This would give him two critical advantages: (1) he had a perfect excuse to garner the private data of his victim, and (2) he kept tabs on his victim on a daily basis. Soon after Alberto would open an account in the name of his victim. The account would be used in some criminal act. Recently the department of homeland security has tightened up its reporting requirements, some are even kept secret, so that criminal minds would find it difficult to engineer their schemes under the government radar. But Alberto, this time, was not even trying to come under the radar. He knew that he would trip the reporting mechanism head on. His scheme was more subtle. He new from the press and other sources that the DHS is short stuffed and that 'exception reports' as they are called, languish for weeks and month before being exposed to a human eye. All Alberto needed was a window of opportunity. Juan Ermoso gave him just that. On the books it looked as if poor Juan opened an account, transferred the funds, and sent them off. The transfer had all the markings of a "Laundromat" and the agencies moved uncharacteristically fast. Only that it did not take them long to realize that Juan Ermoso was a victim of identity theft. They went through the CCTV records and flashed out a hazy picture of the person that claimed to be Mr. Ermoso. Fortunately for the FBI that person had an unusual distance between his eyes, and the facial recognition software homed on this attribute, compared it to its database, and identified the imposter. Unfortunately for the FBI, the imposter was a well known character of an unknown address. Frustrated the FBI dug deeply into another agency capability and flushed out the communication links of Seth Baptista, the imposter. One of the dotted lines pointed to Alberto, Juan's employer. The two corresponded by email and by phone. But that glossy Baptista fellow had a large circle of 'extensive communication partners', and Alberto did not stand out right away. Only when the reports on these first circle of correspondents was analyzed in the same way was the loop closed: Ermoso-Baptista-Alberto. But it could have been a fluke. So an agent was dispatched to Ermoso's house to learn some more about that Alberto that netted by the powerful government data mining grinders. This was the government mistake. The friendly relationship that Alberto cultivated with Juan Ermoso paid off. He was unwittingly alerted, and flew the nest. You win some, you lose some. The cyberwar never ends, they always come back.

    A Friend in Need, a Hack Indeed

    Early on I made a decision to stay clear of any moral ambiguity and keep my nose clean of any shady use of hacking skills I may have acquired. It made a lot of sense since if people will wonder which side of the good-bad divide I reside in, they would be hard pressed to trust me with fighting the bad guys. Not so long ago, though, this simple determination was put to a test. And here it is:

    Like so many things that start small, and mushroom big, it started with a friendly morning phone call. Josh was on the line, sounding full of angst, and requesting with uncharacteristic insistence a lunch meeting that very day. By the time we licked the dessert spoon I became privy to my friend's agonizing development. Some months ago, on one of his business trips Josh met a married woman in his hotel. They acted on mutual sympathy that the young lady quickly used to unload her marital misery on my dear friend. Her vulnerability proved irresistible for Josh, who found himself mixed in an emotional affair that soon enough turned to bite him. The poor lady's husband found out, called Josh's house and shared the story with Josh's wife, Sara. Hot tempered as his wife is, Josh found himself packing, leaving the stately colonial house that was his family's for generations and now banned from any contact with his wife, who filed for divorce, and seeks to cement her hold on the house and most of their estate. Josh left so fast that he did not have the presence of mind to secure his data, his hard drive, his computer, upon leaving. Now it was in his former study, and there he has the copies of all the agreements that he signed with his wife, their emails -- everything he needs to fight back. "I can't openly ask her for my stuff" it would point her to it, and she would say it's not there or something, and use it against me. "The computer is permanently online, so, you, being my good friend," so he said, "and skilled in those things, would you hack into my own computer, please, and get me my own stuff, surely there is no ethical problem, here," he said."

    "In fact there is" I replied. "The only way I can hack into it, is if your wife is using it online, and if so it contains her private data, which would be wrong for me to violate."

    "Why wrong, whatever we can get that she communicates with her lawyer about our divorce is good stuff! "

    "I am sure it is, but it crosses the line of good-bad, and I won't permit myself to do it."

    "But you would permit yourself to see your old friend getting beaten out of everything he owns!" Josh challenged bitterly.

    "You know what," he said, after some thinking, "mask anything that is not purely mine, erase it, don't show it to me, don't show it to yourself. Just let me have what is mine. How can that be ethically wrong?"

    "You can get a court order to seal your computer or pass it on to you. " I tried to get out of this pickle.

    "What court order, this was a shared computer. Anything that shows her that I am desperate about the data, will guide her to use it against me."

    I must say that I was tempted. My sympathy with Josh was intense, since my personal marital story is one of strife, agony, and the pain of being victimized by the person I chose to trust and intimate. We concluded the lunch to the relief of the waiter who immediately cleaned the table and got some people from the line onto it. "Will talk tomorrow!" I said. "Why not tonight?" he countered.

    I called my lawyer and he reacted as I expected, "Don't even think about it!" I consulted with my partners: "You are out of your mind! Do you know what lies and accusations you will face from that spiteful woman? Didn't you have your share?"

    Against all that sound advice, stood the emotional mountain of loyalty, and friendship. To hack into my friend's computer and 'steal' his own stuff, was no vice, I concluded. It's like hiring a locksmith to break into your own car, having left the keys inside. But any such move on a computer that contains data for which I have no right of access, and moreover, for which an adversary of my good friend claims ownership, that was too much to set aside.

    I shunned Josh phonecalls, agonizing over the unexpected dilemma. On the weekend he left a message: he found a way around it, he wants to talk.

    I suspected that he just said so to get me on the horn, and cater to my sense of friendship but I braced myself and called him back.

    He did find a creative solution, I must admit. In fact myself being in this business I should have thought about it myself. Josh had a friend that owns a computer store where Josh bought the computer, and he also has a maintenance contract. That good friend (Josh was emphasizing the last phrase) is willing to use an excuse of a maintenance call, and while there copy the folders that Josh needs, and erase them from the hard drive. All that is needed is for the wife to make a service call, which she will surely make, if the computer stops working or gives her trouble. So, Josh came to the punch line: "I need you not to steal any data, just mess around with my computer so that my wife calls the maintenance guy, so much you can do for your friend can't you?"

    Well, it surely seems cleaner, and more benign. But I immediately thought of denial of service: hackers flood a popular site with bogus pings that consume all its resources from servicing legitimate users. No data is being stolen, no privacy is being violated, but by any standard this is full blown hack-work. Indeed it is. And so is the new plan Josh has for me. I felt rotten to turn him down, because I sensed that he was so happy to have found a way around my prudish inhibitions. That Saturday night we had some great family entertainment, but my mind was totally occupied with my dilemma. And I felt uneasy when on Monday I simply did not call Josh. He did not try to reach me either. This imprinted on me a more profound sense of self criticism, and one side of me strongly argued that I use my high minded arguments to save my own skin, protect my business, and refusing to take any chances to help a friend in need, especially a need I was so partial to.

    I did not call Josh on Tuesday, but I received a call from Henry, a mutual friend from the old days. "Keep your pink ass by the warm fireside" he assailed me in his typical crude language. "Just give us names, that much you could do, no?" "Names?" as I raised the question I figured out what Henry had in mind: I was asked to supply hacking references. "No!" I said quite resolutely. "I won't do this either". The silence was stock heavy, and I did not hear from either one for the balance of the week. The weekend was quiet too. It was burdensome silence. I felt the heaviness of Josh disappointment in me. I recalled various occasions of profound friendship between us, and late at night, as soon as I turned off the TV, I was gripped by a nagging self debate.

    The silence endured for several long weeks. Finally I summoned my sprits and placed a call. Josh was subdued but not distressed, which was curious. He told me that two mutual friends shared his disappointment with my cowardice. "It's too bad," I replied mindlessly.

    Josh was quiet as he listened to me extruding my arguments which he heard before. He did not interrupt me for some five minutes of a monologue. When I concluded my points he said: "Never mind!" He then explained that the court mandated mediation, and his wife agreed to have him back, for the sake of the children, of course.

    "That's wonderful" I said, "That's really wonderful. I am happy for you, Josh". I sincerely was.

    "And I am happy for your loyalty and friendship" he answered bitterly, "What would I have done without you?"

    Inner City Male Teachers

    Looma, not sure about his last name, is a splendid example of 'boot strapping oneself' from a deep hole into a spacious office, and a respectable position. Now a well respected security professional, Looma grew up in the inner city, raised by a single mother, spent time is juvenile jail, and there a minister managed to rescue him form the short life of crime he was destined to. When we meet we always start with shop talk, and very quickly move to a Looma story, I am always fascinated by. Here is one: The minister that managed to impress Looma to drop the life trajectory of most of his friends, was similarly successful with another African American fellow by the name of Michael. Michael studied social sciences and worked on his PhD dissertation, researching inner city crime and punishment. A keen fellow Michael assembled data to prove certain observations and hypotheses that as a bundle will earn him the coveted degree of doctor of philosophy. There was an unexpected problem with one of his conclusions. Michael showed that so many young African American boys are raised in a household without a male role model, and study in a school without male teachers to emulate, leaving those boys to acquire their sense of manhood from street gangs. We cannot force abstaining fathers to role model for their children, Michael stated in his dissertation but we sure can impose a mandatory lower limit of male teachers in the inner city schools. Michael followed this thesis with some economic figures showing that this would be the most cost effective way to help young boys in the city. Michael was surprised by the vehement negative reaction that this conclusion attracted. His advisors have stricken it down. "The last thing we need in this town is to attract the ire of the women organizations that would throw a feat over the suggestion that positions in school will be reserved for male teachers." Michael wound not risk his degree for which he worked so hard, and obliged his advisors, then he approached Looma.

    Challenging him: "How can we get this idea out, with my research to back it up, without me sustaining any blame, I need to earn my PhD."

    "Why don't you send your data and conclusions in an unmarked envelope to a sympathetic journalist?"

    "Won't work, data without sources is meaningless, and with sources it points to me, and I will be blamed for being underhanded."

    "Well," said Looma, "if the only way the data will be taken seriously is by linking it to your research, how in the world will you get it out there without implicating yourself?"

    "I was thinking," said Michael, "of someone hacking into my computer. Can you arrange for somebody to get into my computer and steal the report?"

    "Even if I could, why would a thief care to publicize a report that gives him no benefit?"

    "He does not have to do so, said Michael. I would report the intrusion to the university, say that my original thesis was there, and then if an unmarked envelop will be sent to a journalist with my name, I will have my deniability."

    "Thin deniability though," said Looma,

    "I know, but hey brother, don't we owe it the kids that like us are on the verge of being sucked into a world of crime and violence. I am quite selfish, I reckon, not altogether ready to mount the barricades and risk my PhD out right, but a measured risk, its' worth it for me. I will need though an expert hack work on my computer because the university will send its sleuths to check me out."

    "I know the security guy in your school he is quite good, but we could arrange for a masterful simulated hack for the purpose."

    "And you did it?" I asked Looma.

    "I sure did!" his mischevious smile was electrifying.

    "So why did not I hear anything about it in the news?"

    "Well, Michael sent his data and conclusions to three reporters and nobody picked it up..."

    "So send to some more."

    "Michael is too careful. If it comes out after sending it to too many reporters it would be clear that Michael and not the falsely claimed thief has done it."

    "It would be pretty obvious anyway," I said.

    "Yes," said Looma, "but Michael is quite determined. He told me that once he gets his degree he will do something about it."

    "Or once he has a tenured position," I replied dryly.

    "Do you have a better idea?" his voices was clipped.

    "Lets have another beer, and between us two, we might think about something."

    It Was the Admiral's Fault... Sort of

    The security officer on base, was some three ranks below the admiral, and for that the conversation was awkward. Gradually the admiral came to understand that the security chief wishes to interview him on account of an embarrassing incident. Last Friday, a hacker compromised the Navy's Munitions Tracking database, and roamed through top secret data detailing munitions status in all active Navy ships. The Behavior Tracer was what caught him after the hacker loitered around that cyberspace backyard for more than an hour. The hacker disconnected without a trace, but the record showed that he used the Admiral's name and his correct secret password. Protocol dictated that the security chief should interview the senior officer, attempting to track down the circumstances for the leakage of the password. "No!" stressed the consternated admiral, responding repeatedly to the standard questions of "Have you shared the password?", "Have you written it on a piece of paper that got lost?", "Have you coded it into your PDA, or Smartphone?"

    The security officer had to take the Admiral at his word, and went on to check other ways by which the hacker could have gotten a hold of the password. It was not an easy sequence, nothing that a hacker could randomly guess. The password was kept on file in its encrypted form, so no one who had access to the file could recreate it. Valid leakage options disappeared fast. There was no conceivable way for the password to be compromised. It was generated by the Admiral on his secure workstation, only its encrypted image was on record, no other person had any knowledge of the password. Had the admiral lost it, only a system administrator could have reopened his account.

    The needle swung back to the admiral himself. Was he covering up? Was he worried about his reputation, had he admitted negligence? But who would challenge the base commander?

    "Unresolved" was the status marked with a red stamp all over the file. In extremely cautious words the security officer pointed to the admiral as the only conceivable source of the leak.

    That security report made its way up to the Admiral's file. All the higher ups privy to that file, have read the unresolved suspicion, and were negatively impressed. The admiral himself had no clue that his reputation is tainted, and that many a negative response that he would get over the coming years would be attributed to his incident.

    Relief came late, too late in fact. The elusive hacker who used the admiral's password, went to bolder and more daring exploits. They continued on and on, until the got caught. He then negotiated a plea in exchange of complete exposure of all his work. He liked it, he always craved respect of his peers. And he sure got himself very respected for his cunning and stealth. The hacker, Kevin, was particularly glowing about a small applet he programmed into the dialogue code in the old system, CompuServe -- one of the earliest successes of online community. The applet simply made a record of all the login attempts and the passwords they used, especially the failed passwords. The file listed lots of nonsensical entries, but once in a while a "gold nugget" would show up. And yes, Kevin, remembers very well the admiral and his login password that failed. Kevin immediately suspected that the admiral has mindlessly typed in a password that belongs to another online portal. He tried to log in to any database

    he knew of, until he got lucky.

    The security team on base was different than the one at the time of the incident. The admiral was already a civilian. When he learned about the resolution of this open case he remarked that several opportunities for advancement were inexplicably blocked, and this lingering stain could have contributed. 'At least nobody suspects that I have covered up for something", he sighed wistfully, and then he added: "It's still my fault, isn't it?"


    The Unending Cyber War
    The AGS Computer Security Handbook
  • Tutorial
  • Essays
  • Information Communication Technology
  • Cyber War Stories
  • Tools, Methods, Products


  • Request Your Personal Review Copy