HOISTED ON THE PETARD OF PENPAL
In an astonishing gaffe, government intelligence experts writing for the Moynihan Commission's recent "Report . . . on Protecting and Reducing Government Secrecy" reveal they've been hooked on one of the Internet's ubiquitous e-mail computer virus hoaxes known as "Penpal Greetings"!
In a boldly displayed boxed-out quote (page 109) in a part of the report entitled "Information Age Insecurity," the authors of the report proclaim:
"Friendly Greetings?
"One company whose officials met with the Commission warned its employees against reading an e-mail entitled Penpal Greetings. Although the message appeared to be a friendly letter, it contained a virus that could infect the hard drive and destroy all data present. The virus was self-replicating, which meant that once the message was read, it would automatically forward itself to any e-mail address stored in the recipient's in-box."
The Penpal joke is one of half a dozen or so permutations spun off the well-known GoodTimes e-mail virus hoax. Variations on GoodTimes have appeared at a steady rate over the past couple of years. Real computer security experts -- as opposed to the Moynihan commission's -- now occasionally worry in the press that they spend more time clearing up confusion created by such tricks than destroying actual computer viruses.
The report's authors come from what is known as "the Moynihan commission," a group of heavy Congressional and intelligence agency hitters tasked with critiquing and assessing the Byzantine maze of classification and secrecy regulation currently embraced by the U.S. government. The commission also devoted significant print space to the topic of information security and network intrusion.
Among the commission's members are its chairman, Daniel Moynihan; vice-chairman Larry Combest; Jesse Helms; ex-CIA director John Deutch; and Martin Faga, now at a MITRE Corporation facility in McLean, Virginia, but formerly a head of the super-secret, spy satellite-flying National Reconnaissance Office.
The part of the commission's report dealing with "Information Age Insecurity" merits much more comment. But in light of the report's contamination by the Penpal virus hoax, two paragraphs from the March 4 treatise become unintentionally hilarious:
"Traditionally, computer security focuses on containing the effects of malicious users or malicious programs. As programs become more complex, an additional threat arises: _malicious data_ [Crypt Newsletter emphasis added] . . . In general, the outlook is depressing: as the economic incentives increase, these vulnerabilities are likely to be exploited more frequently.
---W. Olin Sibert, 19th National Information Systems Security Conference (October 1996)"
And,
"Inspector General offices, with few exceptions, lack the personnel, skills, and resources to address and oversee information systems security within their respective agencies. The President cannot turn to an Information General and ask how U.S. investments in information technology are being protected from the latest viruses, terrorists, or hackers."
Got that right, sirs.
--------------------
Notes: Other authors of the commission report include Maurice Sonnenberg, a member of the President's Foreign Intelligence Advisory Board; John Podesta, a White House Deputy Chief of Staff and formerly a visiting professor at Georgetown University's Cyberlaw Center; Ellen Hume, a media critic for CNN's "Reliable Sources" and former reporter for the Wall Street Journal and Los Angeles Times; and Alison Fortier, a former National Security Council staffer and current director of Missile Defense Programs in a Washington, D.C.-based arm of Lockheed Martin.
The Penpal Greetings hoax appeared in November of 1996, which would seem to indicate the section of the report containing it was not written until a month or so before the report's publication on March 4 of this year.
Unsurprisingly, much of the report appears to be written by staff members for the commission chairmen. An initial phone call to the commission was answered by a staffer who declined to name the author of the part of the report carrying the Penpal hoax. The staffer did, however, mention he would forward the information to the author. And he was as good as his word. The following week, Crypt Newsletter was told to get in touch with Alison Fortier by way of Jacques Rondeau, a U.S. Air Force colonel who served as a commission staff director and was instrumental in writing the chapter on "computer insecurity."
Fortier was surprised by the information that Penpal Greetings was a hoax and could shed no light on the peer-review process that went into verifying items included as examples in the report. She said the process involved readings of the material by staffers to the commissioners. Examples were presented and this was one of the ones that was picked, apparently because it sounded good.
At first, Fortier argued that Penpal Greetings, as an example, was difficult to distinguish from the truth. Indeed, Fortier wasn't even convinced it wasn't a real virus. And this demonstrates the thorny problem that arises when hoaxes work their way into the public record at a very high level of authority: Simply, there is a great reluctance to accept that they ARE rubbish, after the fact, because the hearsay has come from multiple, supposedly authoritative, sources.
Crypt Newsletter then told Fortier that whether or not Penpal was bogus could have been verified by spending five minutes on any of the Internet search engines and using the name as a keyword ("Penpal Greetings" returns numerous cites indicating it is a hoax), and the Moynihan commissioner backed off on her insistence that it might still be real.
"It's unfortunate that this error occurred because it can interfere with the recommendations of the commission, which are still valid," Fortier said. "When policy meets science -- it's always an imperfect match."
Crypt Newsletter also queried commissioner and ex-NRO director Martin Faga. "I've been aware of the error since shortly after publication of the report, but I'm not familiar with the background," Faga told Crypt.
Commissioner Ellen Hume was also at a loss as to how Penpal Greetings had arrived in the report.
Commission staff director Eric Biel had more to say on the subject in a letter to Crypt Newsletter dated April 24. In it, Biel wrote: "I am very frustrated that we failed to get our information correct in this regard; as you note, the error only adds to the confusion concerning a very complicated set of security issues. You are quite right when you indicate this portion of the report was added late in the day. We had been urged to provide some anecdotes to complement the narrative text; this example thus was added to give greater emphasis to the points already being described . . . Obviously, there was not an adequate fact-checking and verification process with respect to the Penpal information."
Biel added that he was still confident of "the soundness of [the report's] findings and recommendations, including [those in the chapter 'Information Age Insecurity.']"
Go ahead, contact the Moynihan Secrecy Commission at 202-776-8727 and verify for them that Penpal Greetings is a hoax. After all, it's your money, too. But hurry, they're moving out of the office by the middle of the month.
Acknowledgment: A copy of the Moynihan Commission report is mirrored on the Federation of American Scientists' Website. Without FAS' timely and much appreciated efforts to make government reports and documents of strategic interest freely available to an Internet readership, Crypt Newsletter's rapid tracing of the travel of the Penpal hoax into the commission's record might not have been possible.