Worm: The First Digital World War (22 page)

BOOK: Worm: The First Digital World War
4.47Mb size Format: txt, pdf, ePub

He sent her another message:

“Hey, I really don’t want to cause problems for you. Really, I apologize if I did. I wanted to give you a heads-up. You don’t want me to come, let me know.”

Kwon fell silent. She did not respond, nor did she attend the one o’clock meeting. Rodney walked into an enormous conference room at FBI headquarters and was led to a lectern. He faced scores of officials, none of whom he recognized except for the attorney reviewing these matters for Obama, who had been at the morning briefing at Commerce. All wore security lanyards with their plastic ID prominently displayed, a totem in Washington’s security-obsessed culture, demarcating privileged access and high security clearances. But there were no names on the dangling plastic. He saw every agency acronym he had heard of—FBI, SS, DOD, FAA, FCC, DOJ, NSA, CIA—and many he had not. Curiously, no one in the room introduced him or herself. Just as with the Cabal’s dealings with the feds throughout, for these people information flowed in only one direction. They get your name; you don’t get theirs. Rodney had brought along a USB thumb drive with his presentation, and a laptop of his own, because he knew the government had banned the use of thumb drives the previous year—a rule dating back to the fiasco of the thumb drives in the Pentagon parking lot. But instead one of the men took the drive and plugged it right into a laptop at the lectern.

Rodney laughed.

“What?” asked the man.

“I’ll get to it,” said Rodney.

He gave a condensed version of the presentation he had given that morning. He saw the officials in the room exchanging startled looks and shrugs with each other—
Did you know about this? I haven’t heard a thing!
He told them how the botmaster had been upping his game, outmaneuvering the Cabal for months. He did his best, as Rick had done almost two months earlier, to describe the scope of the threat. He mentioned the thumb-drive issue, an infection vector ever since Conficker B, and explained his earlier laughter—his astonishment that DHS itself had evidently ignored the widely touted ban. He had been allotted fifteen minutes for his talk, and an hour later he was still at the lectern answering questions, explaining. The concern and surprise of the officials were evident. Rodney did his best not to throw U.S. CERT under the bus . . . but he could see why Kwon had tried to head off this briefing, and then had skipped it. It was embarrassing. A small group followed him out of the room when he was finished.

Rodney asked them who they were.

“I’m from the FAA,” said one.

“I hope I wasn’t boring you,” said Rodney.

“No. I’m on my way back to Kansas City. We have an issue.”

When he got back to Neustar, there were messages from several Congressional offices, asking that he come to the Hill to brief this or that senator or representative. He went right out and bought another white shirt, because clearly he was going to have a few more reasons to dress up this week.

In the Congressional Office Building the next day, between meetings, he received a message from one the attendees of the Monday afternoon briefing, double-checking some of the details in the PowerPoint presentation. Rodney just emailed it to him from his thumb drive. One of his assistants came to him later that day and told him he had received a phone call from a contact at U.S. CERT, asking questions about Conficker. It seems the agency had been tasked to make a presentation on the worm at the White House that day. The assistant had referred him to Rodney, and the contact had responded, “We’re not allowed to talk to him.” So Kwon had apparently taken umbrage at Rodney’s big show. But he clearly now had the feds’ attention.

“People seem to be finally getting that this is not a joke,” Rodney told his assistant.

The following day he was asked to brief the staff of the Senate Select Committee on Intelligence. Because the committee’s offices were off-limits to those without a high security clearance, the staff arranged to meet with Rodney in the Visitors Center of the Capitol Building, in the cafeteria. About a dozen staffers met him there in the middle of the afternoon. The cafeteria was quiet and mostly empty. They cordoned off a portion of the big room with portable dividers, and sat around a long table. Before Rodney got started, one of the staffers, a young woman, interrupted him.

“Just so you know,” she said, “We probably know a whole lot more about Conficker than you do. We received a classified briefing yesterday afternoon,” the woman said. “So there’s probably not much more you can tell us about this.”

“That’s really good news,” said Rodney, his voice heavy with sarcasm. By now he knew without a doubt how clueless the establishment was. The woman’s arrogance annoyed him. He started collecting his notes.

“Since you have matters
completely
under control,” he said, “then there’s no reason for me to be wasting any more of your time.”

As he stood, there was a chorus of nos.

“Stay,” protested one of the staffers.

“We want to hear it,” said another.

So Rodney sat back down. He took out copies of his PowerPoint presentation, which had been printed up on Neustar stationary. He handed them out around the table. The woman who had addressed him flipped through her copy and pronounced, “Yep, this is the same presentation we saw at the classified White House briefing yesterday.”

The meeting dissolved into laughter when the staffers realized that U.S. CERT had simply taken Rodney’s briefing and presented it at the White House as their own work—and
classified
it, to boot! Rodney later confirmed it with his White House contact, who had attended all three of the sessions—“They just gave yours as their own,” the contact said. So much for vaunted federal cyberdefenses.

This was hard work, this laboring to rouse the great slumbering giant of the U.S. government, trying to enlist its vast resources in the fight. He had been successful, to a point. That Thursday, T.J. passed along a request to add eight U.S. CERT officials to the List.

So Rodney was stung, after this weeklong uphill slog, to find himself being sniped at by some in his own ranks. No one from the Cabal itself, at least not directly, but word of Rodney’s briefings in Washington had spread far and wide in the Geek Tribe, as the administrators and staffers at his briefings reached out to their own trusted sources, to their own security experts, asking:
Who is this guy? Are these things he’s telling us true? Is this Conficker worm as dangerous as he says it is? If so, why haven’t we heard about this from you?
And at least some received answers—no doubt in some cases covering their own ass—that this Rodney Joffe fellow . . . may . . . have . . . exaggerated the danger. After all, the worm had done nothing yet. Some were far enough out of the loop that they still clung to the grad-student-stunt theory, à la the Morris Worm, which had gone out the window with Conficker B. No one who really knew the worm was making this claim, but people on the fringes, people worried that crying wolf in Washington might give the Tribe itself a bad name, feared that their own credibility might suffer by professional association. There were suggestions that Rodney, beating his drum so loudly, might have been puffing himself up.

This was—there is no other word for it—
insulting
. Rodney was a bona fide Internet pioneer. He had practically invented the techniques of e-marketing and e-commerce, and had gone on to invent the content distribution and load balancing technology that was utilized by ISPs all over the world. He wasn’t some ivory tower visionary, either; he was a successful businessman. With regard to divining where this marvelous technology was going, and assessing its strengths and its weaknesses, there were few people in the world who could match his record, who
saw the whole thing
so clearly. Who better to sound the alarm? Who better to quantify the risk?

Very early on Saturday morning, still in Washington, Rodney responded passionately and at length to his critics, posting a letter to everyone on the List. It was a forceful broadside, an argument for the importance of the effort, a defense of his own efforts in Washington, a challenge, and a rallying cry. If they were going to beat this thing, they had to stop undercutting themselves.

It led to a remarkable exchange:

Gentlemen,

Based on some off-line discussion and comments, as well as the reported discomfort of some of you on the List with my activities this week, I’d like to confront the elephant in the room. . . . The problem with Conficker is not Conficker.

Since the beginning of “the Cabal,” we have all been focused on the tactical issues of responding to it. Each of us in our way, and based on our own agendas. MS [Microsoft] because the initial hole was in the OS [Operating System], as well as the fact that ongoing infections and spread occurs with Windows users. Symantec and Kaspersky because the worm is a bastard to deal with and they make software that has to deal with it. Me, and the other registry operators because it uses our resources for C&C [command and control]. Registrars because C&C domains get registered through them. ISPs because they provide the transport and their customers are affected. Researchers because they see it and analyze it. Some of us (you) play multiple roles.

But none of us has really dealt with why this is bad stuff. Conficker has been relatively harmless so far, as far as we know. And as I was asked and admitted repeatedly as I rang the bells in Washington, we have no evidence that it has [been] or will be used maliciously. Some on this list have posited that it may just be an experiment that was wildly successful, or perhaps a group of coders proving they can write good code.

I was a reserve police officer in Los Angeles for 20 years. I learned that there is real crime in the world. And that some people are just plain evil (well, I knew that from before, but only through the lessons of history—working the streets of LA gave me firsthand experience at how common it was). Working a homicide scene shows you how even 2-bit gang bangers can be truly evil given half a chance.

So I say “b*llsh*t.” This isn’t a game. Looking at this list, every one of you has been the victim of a 6/20/11 DDoS. You’ve all dealt with spam. I know that most of you have been
pwned
, and had your keystrokes logged or traffic sniffed by malware. And at least one of you has been on the receiving end of extortion. So
you
know better. You
know
what a botnet can do. A small one. . . . We all know that a botnet of Conficker’s size is an effing lethal weapon in the wrong hands.

Well, who do you think the wrong hands are?

I have been accused of spreading fud in Washington. Of making a bigger thing of this than it is. So I want a discussion here and now to deal with this once and for all. Otherwise pfffffft to you. You’re taking your employer’s money or the taxpayer’s money under false pretenses.

This is also
not
about PR. I have not had a single conversation that wasn’t covered by some sort of requirement of confidentiality. The only conversations I have had are with one of you, or a government official who serves in some or other form as a specialist in security, or a legislator or staffer with TS [top security] clearance or better on a committee that has Cybersecurity under its purview. And I have not shared a single piece of information without first asking the source or author of that piece of information for permission. Period.

I have refused to allow any of our [Neustar’s] employees to even take a call from the press. And I have no intention of doing so until this group reaches consensus that we need to.

Now back to the discussion.

Conficker hasn’t caused any damage. It doesn’t slow its hosts down. It hasn’t eaten bandwidth. And it certainly hasn’t caused me any load problems.

But what if it does?

What happens to the net in general if each of the infected hosts sends just one other infected host 20KB/s of traffic a second, all at the same time? Or makes just one 50KB web post every few seconds, to a mixture of Yahoo, CNN, Google, Hotmail and other well connected sites. Given the nice maps you have, most of the world’s networks will collapse. Some of them just because they’re in the path. I don’t care who you are. Certainly all of the tier-2 networks would fall over. . . .

What would that do to the world? Not the Internet. The modern connected world? . . . How many infected hosts are there inside the Fortune 500? So what would it mean for the economy if the Fortune 500 all had their internal networks shut down for an hour? A day? A week?

Now let me ask you this; if you were the botmaster, and had a botnet of 2 million machines, how difficult would it be for
you
to bring the net worldwide to a halt?

Ahhh, you’re really clueful. The best in the world at your job, but you’re a good guy. And you wouldn’t do that kind of thing. So who the hell do you think they are? Are all the miscreants stupid? Do you think they’re all capitalists who need the net to be up so they can continue to siphon passwords, and read email, and surf porn?

And if you’re so damn bright, why haven’t you already managed to shut A/B down? Or C? Or Waledec. Or Torpig? Could it be because those bastards on the other side are as smart as you are? Or smarter? As we sit here now, they’ve managed to update a million of the A/B suckers, and you still don’t know how they’re doing it.
Right in front of you!
It took you apparently 2 days to even
notice
. And a week later you’re still sucking wind.

AND YOU’RE THE BEST WE HAVE!

What happens if one of them wakes up in a bad mood tomorrow morning? Or after a night of drinking or dope or being beaten in some humongous online game decides that the rest of the world is filled with evil by their way of thinking and needs to be destroyed. Just like in the game?

So as I said in my first heated briefing on Monday, this
isn’t
about Conficker. A, B, or C. Or Storm. Or Slammer. Or Torpig. Its about all of them. Those in the past, and those in the future. It’s about the one evil bastard who decides that he is going to use his botnet, or a piece of it, to punish someone else. Its about the fact that the ability to use it maliciously exists. And
we
have stood by and let it happen. And we haven’t marshaled all of our resources to try and deal with it. The people I talked to in Washington who make the laws and rules, and run our lives, and who we elected, and who swear to serve us—“we, the people”—have NO F**KING CLUE that this is out there. Now a few of them do, in terms that they understand. We need “them” to understand because we need “them” to give us help and resources.

Except that some of you (or your employers) are telling them that it’s not that dire, or as bad as I say it is.

Tell me we’re not one command away from a catastrophe. I dare you.

Other books

Fallen for Her by Armstrong, Ava
Swordfights & Lullabies by Debora Geary