When it sucks, it *really* sucks

Kelley kelley@interpactinc.com
Sat, 13 Oct 2001 06:31:16 -0400

At 07:28 AM 10/13/01 +0200, Eugene Leitl wrote:
>On Fri, 12 Oct 2001, Kelley wrote:
> > IIRC, Tim May (cypherpunks) enjoyed it when he got one of the first Nimda
> > viruses in his mbx:  from an FBI intern, no less.
>It wasn't Nimda, and furthermore it was a hoax.

Good thing I typed, IIRC! You're right, it was the Sircam virus. That the 
FBI got nailed by the virus wasn't a hoax, as far as I know. I believe that 
May might have written a hoax to cypherpunks about receiving documents from 
the FBI or that I confused him with someone else. A quick search of my 
archives turns up nothing in cypherpunks or cyberia-l to verify hoax or 
not. In any event, if you know if the following is a hoax--your meaning is 
unclear--I'd appreciate a pointer to the follow up. It's good info to keep 
on file for clients:

From:         Richard Forno <rforno@INFOWARRIOR.ORG>
July 25, 2001
Tech Center
FBI Cyber Researcher Unleashes Virus That E-Mails Private Agency Documents

WASHINGTON -- A researcher in the Federal Bureau of Investigation's
cyber-protection unit unleashed a fast-spreading Internet virus that
e-mailed private FBI documents to outsiders -- all on the eve of a Senate
hearing into troubles at the unit.

Although the Sircam virus didn't spread to other computers at the FBI's
National Infrastructure Protection Center, it did send at least eight
documents to a number of outsiders. One, about the investigation into an
unrelated virus, was marked "official use only." The Sircam virus has
infected thousands of computers since its discovery last week.

FBI spokeswoman Deb Weierman said that no sensitive or classified
information about continuing investigations was disclosed Tuesday. The
"official use" designation protects documents from disclosure under the
U.S. Freedom of Information Act.

It isn't uncommon for virus researchers to accidentally infect their own
computers, but the mistake was particularly embarrassing because it
occurred ahead of a Senate Judiciary panel's oversight hearing about the
FBI cyber unit's effectiveness. Lawmakers were expected to focus on other
agencies' failure to cooperate fully with the FBI center, and on a
perceived lack of trust between the FBI and private-sector groups.

The unit generally gets high remarks for its criminal investigations, and
even critics say the unit is more effective than it was a year ago. "The
effort here is not to embarrass anybody but to stress that a lot of work
has to be done," said Republican Sen. Jon Kyl of Arizona.

Meanwhile, the White House has begun organizing a new early-warning network
for Internet threats. But unlike the current system, it will be coordinated
by the Pentagon, not the FBI. The mechanism for warning all U.S. military
and civilian agencies -- and ultimately corporations -- will be dubbed the
Cyber-Warning and Information Network, or "c-win." Organizers envision
dozens of computer centers that could sound an alert when a threat is

The network is expected to begin operating in October. The FBI unit, which
currently relays these warnings, came under sharp criticism from
congressional auditors for issuing tardy alerts. Ms. Weierman, the FBI
spokeswoman, called the new network a "useful mechanism" to offer the
government a "technical capability that doesn't currently exist." The FBI,
she said, wasn't concerned it would lose its warning responsibilities.

Tuesday, at least three people said they received some of the FBI
documents, including a 23-year-old Internet-security expert in Belgium,
Niels Heinen. He operates a Web site that reports on Internet break-ins and
speculated that the analyst, Vince Rowe, visited the site on the infected
computer. Mr. Rowe didn't respond to a request for comment.

Write to Ted Bridis at ted.bridis@wsj.com
