About Space Rogue

Space Rogue is widely sought after by journalists and industry analysts for his unique views and perceptions of the information security industry. He has been called to testify before the Senate Committee on Governmental Affairs and has been quoted in numerous magazine and newspaper articles as well as appeared on such TV shows as News Hour with Jim Lehrer, CNN Nightly News, ABC News Online with Sam Donaldson, and others. A recognized name within the industry, Space Rogue has written articles that are often quoted or refered to by other major media outlets. He has spoken before numerous audiances including the Digital Messageing Association, Defcon, Pumpcon, HOPE, H2K, and others. As a former member of L0pht Heavy Industries, Space Rogue ran the widely popular Hacker News Network which quickly became a major resource on the Internet for daily information security news. Before HNN he ran the The Whacked Mac Archives, which at the time, was the largest and the most popular Macintosh security site on the net. Currently Space Rogue does consulting for various companies.

All of this has happened before and all of this will happen again

Two teenagers in Winnipeg Canada somehow got the idea to see if the default password on a Bank of Montreal ATM machine was still valid. The got the default password after finding the operators manual for the ATM online. As is often the case the default had not ben changed and was still valid. Instead of taking all the money they could carry and running away the kids instead went to the bank to let them know. Of course being fourteen-year-old kids they went to their local branch, and where, being fourteen-year-old kids, no one believed them. The kids had to go back to the ATM and get it to print out stats like how much money was still in the ATM before the bank branch manager believed them enough to notify the banks security department.

There are a lot of things that can be learned from this story, or actually should have already been known. If these kids had tried this in the United States, despite their good intentions, they may have been charged with a violation of the CFAA (Computer Fraud and Abuse Act). If the bank manager had not been so understanding I am sure they could have been charged with the Canadian equivalent. Testing for default passwords on bank owned ATMs is probably not the smartest way to utilize your free time.

The branch manager should have taken the allegation seriously the first time, regardless of how old the people with the information were. Instead the branch manager evidently told the kids that what they initially reported was impossible. This shows a serious lack of security awareness training for Bank of Montreal employees.

What about the bank itself? Why did the Bank of Montreal leave a default six-digit password on an ATM machine? It is unlikely that only one machine out of several hundred ATMs was configured with the default password. I hope BMO gets around to changing all those defaults before someone is able to make off with the cash.

The worst part about this story I think is that all of this has happened before. A lot of people have heard about the presentation at the Blackhat conference in 2010 by the late great Barnaby Jack where he made an ATM spit out money on stage. That was sort of sensational and required access to the back of the machine. But what about the arrest of two people in Lincoln, Nebraska in 2008 when they used default passcodes to steal money from an ATM? Or the thefts in Derry, PA in 2007 from Triton 9100 model ATM after the default passcodes were found online? Or again in Virginia Beach, VA in 2006, this time using default passcodes in the Tranax 1500 also found online in the operators manuals.

So in this one story we have default passcodes that aren’t changed, people who do not take security alerts seriously, people not learning from history and the possibility of innocent kids running afoul of the law. Of course all of this has happened before and unfortunately all of this will happen again.

Everybody must get stoned

Apparently FBI Director James Comey thinks that everyone in the Information Security Industry is a dope-smoking pothead who gets high just before an interview. “I have to hire a great work force to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” James Comey was quoted as saying.

Of course two days later, after basically insulting most of the Information Security Industry by calling them all stoners Director Comey said his comments shouldn’t be taken seriously and that he was only trying to inject some humor.

Currently the FBI says that anyone who has used marijuana in the last three years is “not suitable for employment”. In addition you cannot have used other illegal drugs for the previous ten years. So the FBI has already recognized that marijuana is different from other ‘hard’ drugs and now they may be thinking about relaxing those standards even further. Considering that there are twenty-one states where marijuana for medical use is perfectly OK, and two states, Colorado and Washington, where marijuana is legal for recreational use it makes sense for the agency to revisit its anti-drug policy. However, specifically singling out one specific group such as Information Security professionals may not be the best way to attract applicants.

If the FBI wants to review its marijuana policy in light of the recent relaxation of laws in some states for all potential applicants regardless of job function, well that’s great. The overall sentiment towards soft drugs like marijuana is changing and employers, including the FBI, should adjust to that sentiment at the same rate as society. However, to relax standards for just one specific job type sends the wrong message.

The FBI has open head count for over two thousand recruits this year, most of those will be assigned to cyber crime units. The FBI like every other employer in the security industry is having a difficult time attracting qualified applicants for those positions. The US Army has said in the past that it wants to relax physical fitness standards for cyber warriors Relaxing standards for those applicants, as I have argued before, is not the best way to get qualified candidates and sends the wrong message to applicants or current employees who met the old standards.

This is a simple economics question of supply and demand. When the demand is high and the supply is low the price, or in this case the salary, must go up. Artificially increasing the supply by lowering standards helps no one. If the FBI wants to lower standards to increase the pool of applicants how about it take a look at some of the other things that will automatically disqualify job candidates for employment with the FBI. If you failed to register for the selective service, guess what? No FBI job for you, same with defaulting on a government insured student loan. I have to think that the number of qualified candidate who have defaulted on a student loan and or did not register with the Selective Service is probably several times greater than those who light up a joint just before an interview. If the FBI is serious about increasing its applicant pool perhaps it should reexamine those restrictions as well.

The FBI and other government agencies have a lot of strikes against them when attempting to attract highly qualified applicants. Things like a strict dress code, initial assignments to small offices, and government bureaucracy don’t help at all. However, the FBI does have things that other employers can’t offer like an amazing benefits package, stable employment that isn’t subject to market forces and of course the fact that they are the government. There is a distinct subset of people that look at employment in the government and in law enforcement as an attractive option. Perhaps the FBI and other agencies should play up these strengths when recruiting as opposed to reducing standards.

But seriously are people really getting high before interviews, especially at the FBI, as Director Comey even humorously suggests? If someone showed up drunk to an interview I wouldn’t hire them either, let alone if they were stoned out of their mind. I am sure there is some drug use in the Information Security Industry just like there is with the rest of the population but to suggest that infosec people are a bunch of reefer toking stoners who are getting high so much they can’t sober up enough for an interview tells me they aren’t very familiar with the industry they are trying to recruit from.

Is it time for an industry wide MAPP program?

As you might suspect, the bad guys have much better exploit notification than the good guys. While there is no central repository of vulnerability information that is only released to the good guys, Microsoft does an excellent job with early notification of its vulnerability information via its MAPP (Microsoft Active Protections Program). Should there be something similar setup for all security bugs on an industry wide basis?

On the surface it sounds like a great idea. Information about critical bugs like HeartBleed could be shared with trusted and vetted members early before the information was made publicly available and the bad guys could take advantage of it. This gives those trusted members time to fix the problem before the bad guys could develop new attacks and take advantage of the flaws.

This is how MAPP works. Microsoft has very strict guidelines on who can and cannot be included in the program and if you are found to be leaking information before the specified release date you are ejected from the program. Microsoft historically only granted a few days notice to its trusted MAPP partners of the upcoming Patch Tuesday bugs but have recently expanded this length of time to give vendors more time to develop protections for their products before the bad guys can reverse engineer the patches and develop exploits for those bugs.

This all works for Microsoft because they are in control of their information, the number of members in MAPP is kept small and each much conform to strict guidelines to protect the information Microsoft provides. But on an industry-wide scale this model falls apart. A prime example of the chaos that can surround a critical bug disclosure is the mess surrounding the disclosure of the HeartBleed bug. If you look at the timeline composed by the Sidney Morning Herald it is evident that attempting to keep the disclosure process simple and organized on an industry wide level is anything but simple. The process is fraught with non-disclosure agreements, employee leaks and covert secrecy, definitely not a process that should be trusted with critical software vulnerabilities.

The first issue of an industry wide MAPP style program would be who would run it? Is this a task for the US government? What about bugs found outside the United States? How would you keep the NSA or other agencies from attempting to horde a critical flaw and add it to their weapons stockpile? While an independent international third party could run such a program how would it be funded? You could charge a fee to trusted members but then you introduce the possibility of someone buying their way in even though they shouldn’t be trusted. Not to mention the ethical debate that would arise from ‘selling’ vulnerability information.

Then there is the matter of deciding who can be trusted with handling such information early. As with any secret the more people you tell the harder it is to keep secret and as a the heartbleed timeline shows some people may leak information to their friends and employers or bad guys before a public announcement. Membership should be limited to prevent the circle from getting to large but who decides who is in and who isn’t?

Of course all this completely ignores the actions of the rogue researcher who is free to do whatever they want with their research. There is nothing stopping them from publishing such information publicly, telling a small group of people, selling it to the highest bidder or hording it for their own uses and telling no one.

An industry wide MAPP program sounds good at first but due to governance issues, international politics, and of course money, it would be difficult to keep together, keep the information out of the hands of the bad guys, and probably just create way to much drama and infighting inside the industry. Even if you were able to solve all those problems there will still be the one person who decides they don’t want to play by the rules and will do what they want.

Another BIG hack that wasn’t

No time to do a full analysis but the basics are a story out of Israel of a tunnel that was hit by a sophisticated cyber attack that caused a… traffic jam. The story went out on the Associated Press newswire on a Sunday afternoon so by Monday morning it was pretty much everywhere you looked.

The “attack” was supposedly a “classified matter” involving “a Trojan horse attack” that targeted the security camera system in the Carmel Tunnels toll road on Sept. 8. The attack caused an immediate 20-minute lockdown of the roadway and then an eight hour shutdown the next day causing a pretty big traffic jam. Supposedly the attack was the work of “unknown, sophisticated hackers” which were then compared to Anonymous but not sophisticated enough to be nation state funded attackers from Iran.

Even just by reading this it sounds like a run of the mill malware infestation and not some targeted sophisticated state sponsored cyber attack. I mean why would anyone specifically target a tunnel? There is no money there, no intellectual property to be stolen, so unless your goal is to create an isolated traffic jam, whats the point? But there is more. The tunnel operators, CarmelTun, issued a statement saying Nope, no cyber attack here. And blamed the traffic jam on a “an internal component malfunction” and went on to say “this was not a hacker attack.”

@snd_wagenseil @4Dgifts @WeldPond more than one source confirmed.

— Daniel Estrin (@DanielEstrin) October 28, 2013

According to @DanielEstrin whose name is on the byline of the story, more than one source confirmed this Trojan Horse attack story and yet he did not bother to confirm with the people most likely to know, the actual operators of the tunnel.

So we can either believe the unnamed “cybersecurity experts” who warned of a sophisticated “Trojan horse attack” that was compared to Anonymous and was conducted for no monetary gain or intelectual property theft or we can believe the operators of the actual tunnel system itself. Who has more to gain here?

Late Update:
Looks like I am not the only one to think this might not have been a cyber attack.
“Cyberattack Against Israeli Highway System? Maybe Not”

A Psycho Analysis of Jericho

The epic box-o-shit. I don’t know where the tradition started but it has been perfected by Jericho of Attrition.org. Beginning at least five years ago Jericho has boxed up the chotskies, leftover guinea pig fur, random bits of useless tech and whatever else he happened to have laying around and shipped them off to whoever he felt was most deserving, or whoever he felt would make the best victim. I had been waiting in anticipation (actually it was down right fear) until I received what I almost knew was coming, but it never did.

About a year ago I was at a local flea market when I spied at the bottom of a box of random crap a glass squirrel approximately eight inches high. It was depression era pressed glass, speckled with random paint drops, a few chips in the glass and a rather nasty piece of sticky green felt glued to the bottom. Somehow this disgusting piece of glass made me think of Jericho. I figured the squirrel needed a better home than the bottom of some random box full of shit. It needed to become the centerpiece of highly selected box-o-shit. I figured it was time to put my box-o-shit destiny into my own hands, time to tempt fate, time to poke the angry guinea pig with a carrot.

Glass Squirrel

The guy at the flea market wanted $20 for the squirrel with the paint spots, chipped glass and nasty sticky felt on the bottom. Not really sure what he was thinking but I managed to talk him down to $8. I took the squirrel home, scrubbed off the paint drops and the nasty felt. There wasn’t much I could do for the chips in the tail though. By now it didn’t look to bad and I was wondering if maybe I should keep it for myself, that jerk Jericho definitely did not deserve anything half as nice as this.

Instead of using shipping peanuts or those bags of air or even crushed newspapers, I instead grabbed every chotsky, random bits of useless tech and whatever else I happened to have laying around and used that for packing material. Unfortunately I was fresh out of leftover guinea pig fur.

It took Jericho three months before he even acknowledged receiving the box but he eventually wrote it up. And then I waited. I waited for the inevitable retaliation that was sure to come my way. I knew Jericho wouldn’t just let an eight-inch tall glass squirrel arrive unsolicited in the mail and do nothing about it. But I waited, Spring turned to Summer and every trip to the mailbox filled me with more and more dread, when would he strike? When would he put and end to this torture? Why oh why did I ever decide to send that jerk anything at all? I should have kept that squirrel for myself or better yet let it sit and rot in the bottom of that box of random shit at the flea market.

Finally after nearly a year of self imposed torture, of opening the mailbox each day in anticipatory fear, it arrived, a small unassuming brown box. I immediately knew right away what it was and where it was from. On the one hand I was relieved that my torment was over, but I knew I still had to open the box, I still had to pour through the contents of whatever wretched debauchery Jericho’s twisted mind decided to send me. It has taken me a while; months actually, to get up the courage to finally pull back the packing tape to reveal the contents of Jericho’s box-o-shit.

box

What I realized as I went through the contents of the box was that it wasn’t about me, it wasn’t about revenge for a glass squirrel. This box-o-shit and maybe all boxes-o-shit are glimpses into the deranged mind that is Jericho. Perhaps even a desperate cry for help that echoes from the basement he must live in deep inside the Rocky Mountains.

As you can see on the top of the box was a plastic baggy full of multi colored paper with two stick-on eye balls and labeled with the word ‘puzzle’. Obviously this is a symbol of a cracked and fractured psyche symbolized by the many pieces of different color paper cut up into small sizes. Obviously Jericho is crying out for someone to put his poor soul back together again.

open box

Beneath the puzzle was a collection of magazine subscription cards, which at first glance might seem like nothing more than filler for the box. However, after sorting the cards and conducting a frequency analysis on the represented publications it is clear that these cards are yet another look into at the enigma that is Jericho. While it is well known that Jericho is at or below average intelligence he considers himself to be of above average intelligence. This is indicated by the large number of subscription cards to Discover and Science Today magazine. The subscription cards to Men’s Health and Psychology Today indicate that he knows that he has a problem and is looking for some sort of solution, which he hopes to find by reading these magazines. While he considers himself to technologically knowledgeable and therefore reads Wired magazine the fact that he is still subscribing to dead tree publications shows that he is in fact a Luddite. Of course anyone as mentally instable as Jericho will have deep-seated sexual frustrations as indicated by the subscriptions to Penthouse and Maxim, as well as the included Durex condom found elsewhere in the box.

cards

And while we already have enough information to determine that Jericho needs major professional help there is yet more supporting evidence within the box. A collection of Pimm’s Cup and several tequila bottle caps shows his attempts at self-medication through alcohol. The collection of self-promoting stickers shows a predilection to narcissism and the random keys, rocks, candy and fur balls shows just how schizophrenic he actually is. The collection of dinosaurs is obviously a link to his still present infantilism.

tequila

stickers

dino

Unfortunately I only do psycho analysis and perpetrator profiling as a hobby, as such there are still a few items in this box-o-shit that I have been unable to apply towards the subject Jericho. A Honda emblem? A Slinky Jr? An Elevation of privilege card game? And who inside the United States under the age of sixty has a copy of a Susan Boyle CD? (I guess I do now.) I am sure with proper analysis these items will also provide valuable insight into the deranged and demented mind of Jericho.

Susan Boyle

demented yellow squirrel

Beyond Hype

Sometime an article comes along that is just beyond the traditional sort of hype I usually rant about. In other words its just plain wrong. “How They Popped The Penguin: The Bash Attack And What It Means For Linux Data Security” by Michael Venables, which somehow got posted to Forbes, of all places, is one of those rare pieces of…well, I’m even going to call it journalism. There is absolutely no fact checking whatsoever and according to the person interviewed for the article some of the facts are just entirely made up. Instead of me ripping this article apart line by line like I usually do I will instead share with you a list of a few of many many tweets that were posted in response.

“this is the most ridiculous, breathtakingly stupid article I read this year.”

“not even trying to do basic research or reach out to verify facts is failing at doing your one job.”

“I’m afraid I am putting @mpvenables on my bad list of journalists to never talk to. This also affects Forbes rank.”

“how did you guys read that? I got bored around paragraph 2″

“the new journalism: get the twitterverse to fact check, issue a correction later. #clownshoes”

“holy shit, I think I know what we’re submitting to hackin9 next time!”

“L M F A O”

“I’ve not seen a more clueless piece of journalism ever. Pwnie nomination”

“You are kidding right? This is not news.”

“Most retarded security article ever. When you don’t know, stfu ! WTF Forbes ??”

“that article made me want to open a vein. Thanks, @mpvenables.”

“PR person sends me a Bash Attack story on Forbes. I read it. I’m sorry I did. The hacker in me will sit and rage in silence.”

“I feel dumber for having read (half of) that”

“This is a great example of really really bad security journalism. Look upon it and weep.”

“”Dot so Good Anymore: The ‘ls -a’ Tactic and What It Means For Linux Hidden Files” #UpcomingForbesArticles”

“OMG that Forbes article. Facepalm city.”

“BRB OWNING SOME LINUX BOXES WITH A SOPHISTICATED BASH ATTACK”

“Good that Plaestinian hackers did not use the bash attack!”

 

 

UPDATE:
Perhaps a little late but the glorious Tumblr blog @sec_reactions has several posts on this article here, here, here, and here.

Some twitter quotes collected by @quine.

Anatomy of Hype, Take 2

I almost wasn’t going to write about the supposed cyber attack at the New York Times last week as reported by Fox Business because I just haven’t had the time but after the NASDAQ went down today and everyone and their brother started to speculate as to the nature of the ‘technical glitch’ I figured I should throw something together.

In my talk ‘Hackers and Media Hype or Big Hacks That Never Really Happened’ I mention that I see this sort of thing every day. That it is rampant throughout the tech press and often leaches over into traditional media outlets as well. I’ve detailed this sort of thing before as in this blog post ‘Anatomy of Hype’ however this time reporters Matt Egan and Jennifer Booton published their unconfirmed ‘cyber attack’ on the FOX Business website and while FOX takes a lot of shit for their style of nearly tabloid journalism they have a much greater reach than tech news outlets like ZDNet.

So lets see if we can piece together what happened here. At approximately 11:30 on August 14th 2013 the New York Times website went down. And by down I mean down hard, nytimes.com and nytco.com were both throwing up 503 site unavailable errors. Hey, shit happens, sites go down, they get fixed they come back up. As anyone who has ever worked on-call for an IT department will tell you despite backups, failovers and triple redundancies this happens ALL THE TIME.

tweet

By 11:53am, about half hour into the outage the official verified New York Times twitter account cited technical difficulties as the reason for the outage.

At 11:55am Matt Egan Matt Egan (@MattEgan5) and Jennifer Booton (@jbooton) pushed the first version (screenshot) of their story “Source: New York Times Website Hit by Cyber Attack”. Their entire basis for the story was ‘a source close to the matter’. A source they fail to identify. A source as it turns out wasn’t all that close to the matter after all.

By 12:31am, internal New York Times employees start referencing an internal email that cites a malfunctioning system patch as the cause for the outage. While Microsoft’s Patch Tuesday was the day before, which may or may not have been the cause of the outage, it made much more sense than a cyber attack.

At 12:47pm, a little over an hour into the outage the New York Times Official twitter account finally offers up an explanation citing a ‘server issue’.

In the face of all this new evidence did FOX Business pull the erroneous story about a cyber attack? Did Matt Egan and Jennifer Booton update their story to reflect the new information?

Well, they did update their story (screenshot), put they updated it with quotes that make it sound like there was still some sort of cyber attack, quotes that are obviously of a hypothetical nature. Quotes that appear to be taken completely out of context but which support the original erroneous hypothesis of a cyber attack.

One of the people who was quoted in the article said afterwards that the reporters came to him saying that they had already confirmed the cyber attack which was the only reason he agreed to speak with them. I have to ask, where was the confirmation? I have never been to journalism school but I suspect that Matt Egan and Jennifer Booton must have slept through the class on confirmation. I always thought you needed two independent sources to confirm a story. A lone ‘source close to the matter’ does not count as confirmation. Where were the FOX Business editors that reviewed this tripe before it was posted to the FOX Business website?

As I did with ZDNet I call on FOX Business to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether. Leaving a story such as this to fester on their website reflects poorly not just on FOX Business Matt Egan and Jennifer Booton but on the InfoSec industry as a whole, not to mention the damage that it is doing to the New York Times.

The excuse that it fast breaking new story does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. FOX Business has updated this story, several times, but the information is entirely skewed to support the original erroneous hypothesis.

So how about FOX, Matt, and Jennifer, can you take the high road and report the facts or do you prefer to wallow in the muck of fear, uncertainty, and doubt?

Update: Dave Lewis at CSO Magazine has also blogged about this story.

Fitness and Discipline for Cyber Warriors

“More PT Drill Sergeant, more PT! We like it, We love it, We want more of it!”

There is a basic tenant in most of the worlds military forces that regardless of what your actual job or rank is, whether you are a private or a General, whether you are a cook, clerk, or mechanic, below everything, at the very core of your existence you are nothing but a gravel crunching, ground pounding infantry soldier (11B). Or as an old Colonel once told me, the poor slob in the kill zone. (Thank you, Sir!)

As part of the basic core existence in your nations military all soldiers, airmen, and sailors are required to be able to perform a basic set of tasks. Things like knowledge of how to wear your countries uniform, the ability to maintain and operate a firearm, how to use protective equipment such as a gas mask, and above all the ability to give and follow orders. But these items are more than just basic knowledge and rout tasks, it comes down to discipline, self-discipline mostly, that quality of doing what needs to be done without needing to be told or even wanting to do it.

This is what basic training is for, an intense six or maybe ten week training regimen that not only teaches all soldiers basic tasks like how to operate their firearm or shine their boots but also self discipline, the ability to continue doing your job under stressful and adverse conditions. This being the military, lives literally depend on that basic skill. It is discipline alone that is more important than any other trait or skill taught during that introductory basic training course of the worlds militaries.

The only way to teach discipline is to place an individual under stress and at the same time ensure that they can complete required tasks. The easiest way to place an individual under stress without placing them in a potentially hazardous situation is through physical activity. This is one of the reasons why most of the world’s militaries have minimum requirements of physical fitness. Things like a set time and distance for running, a minimum number of pushups or sit-ups. This ensures a minimum level of fitness for all soldiers and helps to ensure basic levels of self-discipline. These basic requirements apply to all soldiers, private or General, cook or mechanic.

There are a few military job specialties that are harder to recruit for than others. Explosive Ordnance Disposal (89D) comes to mind, and there often incentives offered for new recruits to choose one job over another, often these incentives are monetary in the form of signing bonuses or hazardous duty pay. By and large however serving in the military is its own reward for most people for whatever personal reason they have, whether it is monetary compensation, future educational opportunities, patriotism, or in some cases they just like guns.

Recently a new military occupation has evidently become exceeding difficult to recruit for, that of the mythical ‘cyber warrior’ (25B, 35N, 35Q). Militaries around the world are complaining that they just can’t get enough people to fill the jobs they have available for any ‘cyber’ type position. As a way to incentivize new recruits there has been consistent talk that reoccurs every few months of dropping the physical fitness requirements for soldiers, airmen and sailors involved in ‘cyber’ activities. This is a colossally bad idea. Such an action would greatly impact morale of the entire military, will do nothing to increase recruitment numbers for these specialties and draws on an unfounded stereotype of those people who have traditionally been called ‘hackers’.

To create a special class of soldiers that are exempt from minimum fitness requirements will create resentment among other non-exempt units. It will also cause those who are exempt to suffer from issues of elitism and they will feel that they are no longer part of the basic military or required to abide by its rules. With the lack of discipline that will come with the removal of a physical fitness requirement this increase in elitism and individuality in a military setting could prove deadly.

The physical requirements and training aspects of military service are seldom a reason why someone who is interested in joining the military finally decides not to join. On the contrary, there are many examples of people who join the military specifically for the physical aspect that service requires. In fact in my own experience there were two people in my basic training unit who said the primary reason they joined the service was to lose weight, they said that nothing else worked for them and that they hoped the discipline they would learn and the physical exercise would finally accomplish what they could not do on their own.

Claiming that the only people who are qualified or want to do ‘cyber’ jobs in the military are only people who are not interested in physical activity plays on the age-old stereotype of ‘hackers’ who live in their parents basement eating nothing but pizza. Obviously the politicians and Generals who are advocating this no physical fitness requirement for ‘cyber’ operatives have no idea who it is they are trying to recruit anyway. Take a look around at any security industry or hacker conference, sure there are some obviously overweight and out of shape people in attendance but I would be willing to wager that the percentage of people who are somewhat physically fit would be far greater than the regular population.

If the militaries of the world are having problems in recruiting for ‘cyber’ specialties finding the proper incentives to increase recruitment in those areas is critical. As the world ramps up its electronic warfare capabilities being short handed at a precarious time would obviously be ill advised. However, dropping the physical fitness requirement for these soldiers, airmen and sailors is not going to increase their recruitment and retention levels and could potentially damage the effectiveness of the entire military through resentment and lowered morale. The politicians, military analysts and officers who advocate such a major change in military policies are obviously ignorant of not only who it is they are trying to recruit but the basic core of how todays modern military actually works.

MarineTimes_cover2013.03

Say Cyber Again.

I don’t think this will stay on YouTube very long I got an instant DMCA take down notice as soon as it was uploaded. I filed a dispute but we all know how those go so watch it now while you can.