Book Review: Cult of the Dead Cow

TL, DR: It’s a good story, not a history book. If you are looking for a good story with a message, read it. If you are looking for a nuanced description of what was happening in history, look elsewhere.

The NYTimes called “The Cult of the Dead Cow: How the Original Hacking SuperGroup Might Just Save the World” by Joseph Menn, a great piece of storytelling, and I will agree, it is definitely a story. This is not a history book. While I only found minor factual errors, that which can be attributed to twenty years of fog, the facts that have been used only tell part of the overall story and are used to paint the picture that Menn wants the reader to see. But this is the job of any good author, and Menn pulls it off masterfully. However, as someone who lived through and participated in many of the events mentioned in the book, actually reported on them at the time through my own news outlet, and was and still is close friends with many of the characters, I see Menn’s story for what it is, a story.

Anything written about the Cult of the Dead Cow that uses members of the group as its primary source material needs to understand the group’s history. For most of the group’s existence the cDc wasn’t really about hacking. Yes, the group existed online in the before time, in the long long ago, and so most of its members were very technically adept but the group wasn’t really about hacking. It’s all right there in the group’s publications, the t-files. There are a few early files that could be considered hacker related but for the most part they are shock value human interest pieces. The group was about public spectacle, at least that’s how it appeared to other non-member hackers. Just look at the huge productions made of the Defcon releases of Back Orifice and BO2K and of course the completely made up Hong Kong Blondes. Even one of the group’s taglines ‘global domination through media saturation’ suggests the group was just in it for the glory. Menn knows this as he calls the cDc a ‘performance art group’ (page 2), the ‘liberal arts section of the computer underground’ (12), ‘the arts wing of the hacking community’ (21), ‘successor to the Merry Pranksters’ (23), ‘more of a social space’ (25), ‘they were an enormous inside joke for hackers’ (47) etc… Menn knew that was cDc ‘playing with the media’ (58) and that they would ‘jam information to see how far out it would go’ (59). As such, and Menn alludes to this in the book obliquely, anything the group says to a reporter or an author needs to be taken with a grain of salt.

Menn seems to take liberty with which facts he includes and which ones he decides to omit or quickly gloss over. Obviously he can’t include everything or the book or it would easily be five or ten times longer and his big story would get lost in all the other little stories. But there are major important facts that should not only be included but expounded apon and explained in order to give a complete and accurate picture to the reader.

For example the transition of The L0pht from hobby space to LLC to VC backed firm didn’t just happen, it wasn’t just a one person idea. (56) It was a was a huge deal, It was not the first time a hacker group had tried to become a company but when you are the first legal LLC in the state and making the move from quasi underground organization to paying taxes I would think it warrants more of a mention than just ‘newly incorporated’ (56) Especially among other hackers where accusations of ‘sell out’ were often heard. Another important yet glossed over part of the story was the explusion of Count Zero. He wasn’t kicked out because he didn’t want to transition (56) but because he wasn’t respecting the space, not following the communal house rules, and kept mostly to himself.

Not only has Menn omitted major events, which admittedly could be simply an authors prerogative, he has confused the reader on more than one occasion. For example this book review was unable to distinguish between members of the Cult of the Dead Cow and members of the cDc Ninja Strike Force, which while closely aligned were two separate group’s. There is also an extreme blurring of lines between cDc and L0pht. Menn goes so far to label L0pht as the cDc’s East Coast base (59), despite later claiming that at least two cDc members (Veggie and FreqOut) (49) along with the group’s servers where on the other side of town at Messiah Village, which had nothing to do with The L0pht. Yes, cDc, Messiah Village, Hell House, Sin House, L0pht and others were all friends and knew each other (Boston was a glorious hacking place in the mid-late 90’s) but we were separate distinct group’s, Menn’s book seems to treat everyone as one large homogeneous cluster that happened to be in Boston and it was anything but.

Menn treats the entire Hong Kong Blondes debacle, which was pointed out as fake and labeled as a ‘media hack’ years ago, as some sort of glorified civil rights cause by Menn. That somehow lying to multiple news organizations for years to highlight human rights abuses (Menn isn’t clear as to how) was a just and moral thing. If such a thing happened today it would either be called Fake News or aired on FOX. It is unclear what good exactly came from these efforts and Menn does a poor job of explaining it to the reader. In fact if you read too quickly you may not even realize that this was anything more than an attention grab by cDc and that the HKBs had no basis in reality. I feel Menn does a serious disservice here by not flat out labelling the Hong Kong Blondes by what they actually were, lies.

I have criticized how other tech books have handled footnotes and I will do so again with Menn’s book for completely different reasons. In my review of Kim Zetter’s excellent book Countdown to Zero-Day I said that including the footnotes inline on every page detracted from the main story, especially when they took up half the page in a tiny font; for that book I would have preferred the footnotes at the end. The exact opposite is true for Menn’s book. There are key footnotes that Menn sticks in the back of the book because they don’t fit in nicely with his narrative. For example the footnote on the origin of hactivism (215). In the footnote Menn claims that previous research on the origin of the word is irrelevant and yet makes a major claim in the main text that cDc not only coined the term but attempted to popularize it. Additional research as to the origin of the word would seem appropriate to include in the main body of the text so that the reader can frame the ensuing paragraphs appropriately. Then in footnote 54 (218) Menn mentions that Mudge is prone to exaggeration. Mudge and I shared an apartment for a year, I heard all his stories more than once, I am intimately familiar with his story telling tendencies. (This is not a bad thing, they are great stories!) Considering that Mudge is Menn’s primary source for all the stuff about L0pht and features prominently in three chapters of the book it would seem that his tendency to tell tall tails would be important information that should be prominently shared with the reader and made it into the primary text, and not relegated to page 253.

There are numerous points throughout the book (as in several per page) where I remember things differently. In many cases what I feel are very relevant facts have been omitted and in others there are minor factual errors that impact the overall meaning. There are entire sections of the book that have little to nothing to do with The Cult of the Dead Cow, like the VC funding of L0pht, but are included anyway to support Menn’s overall story arc. I may try to go through and document each one of these if I can find the time, or I may not.

Much of this book dealt more with the L0pht than with cDc, and while there was some cross pollination we were two separate group’s each with its own accomplishments and goals. Unfortunately as a book about L0pht there just isn’t enough here, there are many more aspects to what the L0pht accomplished and did. Evidently Menn felt that large parts of the L0pht story are somehow relevant to cDc when they really aren’t. That being said this book is a very fun read, a fun romp through memory lane (even if the lane doesn’t follow my own memory exactly) and in the end it’s a great story. But it is just that, a story.

Four Unnamed Sources

Or: If a pipeline explodes in the desert and there is no one there to hear it was it really a cyberwar attack?

No one questions the importance of keeping abreast of current trends and developments with regards to information security. Whether it is new malware techniques, attack vectors or just the motivation of some attackers. That means looking into the details of the Target and Sony breaches, checking out the specifics of Heartbleed and Poodle, and keeping abreast of the latest patches from Microsoft and other vendors. It also means trying to separate the facts from the fear, uncertainty, and doubt used to generate page views.

One recent story has me questioning if a pipeline explosion in Turkey was actually in fact an early example of cyberwar. The article claims that a large explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline, near the Eastern Turkish city of Erzincan on Aug. 7, 2008 was in fact a cyber attack. The article attempts to downplay claims of the Turkish government who said the explosion was caused by a malfunction, as well as discounting the claims of the Kurdistan Worker’s Party who claimed credit for the explosion despite the groups history of blowing up pipelines. Of course there was also a statement by the Botas International Ltd. company which operates the pipeline which said that the pipeline’s computers systems had not been tampered with.

The explosion occurred two years before Stuxnet and while I doubt Stuxnet was the first operation of its kind the evidence to support a similar type of attack on this pipeline is mostly circumstantial at best. Even if this was a cyber attack it would not “rewrite the history of cyberwar,” as one expert quoted in the article claimed. It would just add one more data point to an already interesting history. Unfortunately the article does not give any proof that this was in fact a cyber attack.

Certainly the article lists plenty of circumstantial evidence to support the theory of a cyber attack to blow up the pipeline but the actual proof comes down to “four people familiar with the incident who asked not to be identified.” Obviously in some cases journalists must rely on unidentifiable sources however usually when they must do so the information provided is corroborated by other authoritative and named sources. That is not the case here. All of the named quotes in the article are speaking in general terms, adding background if you will, and are not speaking directly to this event.

Pipeline and cyber attacks have a long history in and of themselves that goes back at least as far as 1982 when the CIA convinced a Canadian company to deliberately put flaws into pipeline control software that was then sold to the Soviet Union. This reportedly led to a massive explosion along the pipeline in June of that year. This story also has its detractors, some saying the explosion was caused by poor construction and others saying it was flawed turbines and not flawed software that caused the Siberian explosion.

There was also a confidential report released by DHS in early 2013 claiming that key personnel in 23 different gas pipeline companies had been targeted by Chinese hackers with spear phishing attacks. And lets not forget the plot of the movie DieHard 4 where the evil hacker bad guy is able to redirect all the natural gas in the pipelines to converge on a power station causing a massive Die Hardesque explosion.

One really has to ask themselves why would anyone go to such great lengths to disrupt a pipeline when a simple misplaced cigarette butt can cause a massive explosion like what happened in Kenya in 2011 killing over 100 people. Stuxnet is thought to have required numerous teams of coders working for several months to create the software to disable the centrifuges at Natanz, a task that arguably could be accomplished in no other way. There are a lot more efficient ways to blow up a pipeline than to expend months of effort and untold dollars to accomplish what a small team and some explosives could do just as well if not even more efficiently.

So was the explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline an early act of cyberwar potentially setting back the clock on the earliest known cyber operation of this size? Sure, its possible, but without additional facts from someone other than an ‘unnamed source familiar with the incident who asked not to be identified” I will have my doubts. Until those facts are presented I’ll go back to reading my Microsoft Patch Tuesday reports.

UPDATE 2015.02.16
I was just sent this link
which indicates that physical security of the pipeline would be difficult if not impossible and it further supports that PKK was the primary suspect for the explosion via conventional means. The cable makes no mention of a cyber attack of any kind.

UPDATE 2015.06.19
An internal report now states that “A cyber attack would not have been possible in the described way”, The report goes on to say that the valve stations which were allegedly tampered with, were not connected to a network that could be remotely accessed anyway. Here is the original turkish article.

Additional Reading
Looks like I wasn’t the only one with a problem with this article.
Cyberwar revisionism: 2008 BTC pipeline explosion

Fitness and Discipline for Cyber Warriors

“More PT Drill Sergeant, more PT! We like it, We love it, We want more of it!”

There is a basic tenant in most of the worlds military forces that regardless of what your actual job or rank is, whether you are a private or a General, whether you are a cook, clerk, or mechanic, below everything, at the very core of your existence you are nothing but a gravel crunching, ground pounding infantry soldier (11B). Or as an old Colonel once told me, the poor slob in the kill zone. (Thank you, Sir!)

As part of the basic core existence in your nations military all soldiers, airmen, and sailors are required to be able to perform a basic set of tasks. Things like knowledge of how to wear your countries uniform, the ability to maintain and operate a firearm, how to use protective equipment such as a gas mask, and above all the ability to give and follow orders. But these items are more than just basic knowledge and rout tasks, it comes down to discipline, self-discipline mostly, that quality of doing what needs to be done without needing to be told or even wanting to do it.

This is what basic training is for, an intense six or maybe ten week training regimen that not only teaches all soldiers basic tasks like how to operate their firearm or shine their boots but also self discipline, the ability to continue doing your job under stressful and adverse conditions. This being the military, lives literally depend on that basic skill. It is discipline alone that is more important than any other trait or skill taught during that introductory basic training course of the worlds militaries.

The only way to teach discipline is to place an individual under stress and at the same time ensure that they can complete required tasks. The easiest way to place an individual under stress without placing them in a potentially hazardous situation is through physical activity. This is one of the reasons why most of the world’s militaries have minimum requirements of physical fitness. Things like a set time and distance for running, a minimum number of pushups or sit-ups. This ensures a minimum level of fitness for all soldiers and helps to ensure basic levels of self-discipline. These basic requirements apply to all soldiers, private or General, cook or mechanic.

There are a few military job specialties that are harder to recruit for than others. Explosive Ordnance Disposal (89D) comes to mind, and there often incentives offered for new recruits to choose one job over another, often these incentives are monetary in the form of signing bonuses or hazardous duty pay. By and large however serving in the military is its own reward for most people for whatever personal reason they have, whether it is monetary compensation, future educational opportunities, patriotism, or in some cases they just like guns.

Recently a new military occupation has evidently become exceeding difficult to recruit for, that of the mythical ‘cyber warrior’ (25B, 35N, 35Q). Militaries around the world are complaining that they just can’t get enough people to fill the jobs they have available for any ‘cyber’ type position. As a way to incentivize new recruits there has been consistent talk that reoccurs every few months of dropping the physical fitness requirements for soldiers, airmen and sailors involved in ‘cyber’ activities. This is a colossally bad idea. Such an action would greatly impact morale of the entire military, will do nothing to increase recruitment numbers for these specialties and draws on an unfounded stereotype of those people who have traditionally been called ‘hackers’.

To create a special class of soldiers that are exempt from minimum fitness requirements will create resentment among other non-exempt units. It will also cause those who are exempt to suffer from issues of elitism and they will feel that they are no longer part of the basic military or required to abide by its rules. With the lack of discipline that will come with the removal of a physical fitness requirement this increase in elitism and individuality in a military setting could prove deadly.

The physical requirements and training aspects of military service are seldom a reason why someone who is interested in joining the military finally decides not to join. On the contrary, there are many examples of people who join the military specifically for the physical aspect that service requires. In fact in my own experience there were two people in my basic training unit who said the primary reason they joined the service was to lose weight, they said that nothing else worked for them and that they hoped the discipline they would learn and the physical exercise would finally accomplish what they could not do on their own.

Claiming that the only people who are qualified or want to do ‘cyber’ jobs in the military are only people who are not interested in physical activity plays on the age-old stereotype of ‘hackers’ who live in their parents basement eating nothing but pizza. Obviously the politicians and Generals who are advocating this no physical fitness requirement for ‘cyber’ operatives have no idea who it is they are trying to recruit anyway. Take a look around at any security industry or hacker conference, sure there are some obviously overweight and out of shape people in attendance but I would be willing to wager that the percentage of people who are somewhat physically fit would be far greater than the regular population.

If the militaries of the world are having problems in recruiting for ‘cyber’ specialties finding the proper incentives to increase recruitment in those areas is critical. As the world ramps up its electronic warfare capabilities being short handed at a precarious time would obviously be ill advised. However, dropping the physical fitness requirement for these soldiers, airmen and sailors is not going to increase their recruitment and retention levels and could potentially damage the effectiveness of the entire military through resentment and lowered morale. The politicians, military analysts and officers who advocate such a major change in military policies are obviously ignorant of not only who it is they are trying to recruit but the basic core of how todays modern military actually works.


Say Cyber Again.

I don’t think this will stay on YouTube very long I got an instant DMCA take down notice as soon as it was uploaded. I filed a dispute but we all know how those go so watch it now while you can.

Emails From Michael In Iran

If publishing unsourced emails claiming to be from Iran is a newsworthy event then I guess we should all copy Mikko and do the same thing.

A few years ago I received a chain of emails from ‘Michael’ that started out as the normal ‘teach me to hack’ emails I receive on an almost daily basis but this email chain went on longer than usual and took several turns I don’t usually see in such emails. I thought they might be good for a laugh or a tear depending on your viewpoint.


The emails start in May of 2009 and go through to December, I have not included them all and have edited some for brevity.

Things start out simple enough saying how he is a 20yr old Iranian and is a fan of the L0pht. Pretty straight forward. I responded as I usually do to emails that are at least half way intelligent. I admit I don’t always get emails from Iran with a verifiable Iranian IP address.

Then comes the first turn, ‘Micheal’ asks me to teach him to ‘hack’ specifically so he can change his grades at University. For me thats a big no no right there. If you ask me to do, or teach you to do, anything even remotely illegal in email thats where I stop. I will no longer respond. I don’t want to be considered an accessory or an accomplice or be put in an un-winnable Adrian Lamo type situation. Not to mention the whole assisting a foreign power angle. So I just stopped responding.

But Michael wouldn’t give up, he sent me an email every day for weeks, then slowed down to a few times per week. Eventually he reached out other old L0pht members, those whose email address he could find, asking them if I was OK, saying he feared for my safety since I was not responding to emails. I will admit I felt a little bad at this because who knows maybe people just disappearing like that in his country is a sign of something sinister happening. I don’t know. My remorsefulness did not last long however.

Next came the names and the threats. ‘Michael’ called me a raciest and threatened to ‘destroy my life’ and that despite my lack of assistance he was going to become the worlds greatest hacker anyway and he was going direct his efforts at me. Then he was going to hack his University, graduate and travel to America to prove to me in person that he was a great hacker and that he did it all without my help.

I had a good laugh and a tear at the time, 2009, but as I read over these emails again and place them into the context of the ongoing ‘cyber’ cold war they really take on a different meaning. How many other people in Iran have similar motivations? I wonder if Michael ever made it through University, or maybe he got caught and ‘disappeared’? I will probably never know.

Email exchange with Michael from Iran

Résumé Wackiness

So I recently decided to move to a new city, as I result I quit my job as an IT Manager. One of the last tasks I had was to place advertisements, read resumes, and interview prospective replacements. It had been a while since I had hired anyone and usually I had HR sifting through the first round of resumes. This time however, I was it, this company had no HR department. Considering that the position was not an entry level position I assumed that the people who would be applying for the job would know how to write a résumé, I was wrong, I was very very wrong. After tweeting out my frustrations many people asked what exactly I was seeing, so here it is.

First let me explain the what the job was. The company in question was a small 30+ person creative company. They had a mix of mostly PCs with a smattering of Macs, all authenticating against an Active Directory domain. They had a file server, a firewall, a security and telephone system, and a few other unusual tech pieces which is pretty much the same in any company. They needed one person to handle it all. I had already done most of the hard work by upgrading and organizing the mess that was there when I arrived several years earlier. The job needed someone to handle everything from paper jams and software updates to managing the VPN and telling the CEO what new technologies he should be looking at. Not an entry level job but not a CIO either.

The job description was initially posted to Craig’s List and then to Linked-In. One thing about my experience hiring for this position that was different than hiring elsewhere was that all the résumés came directly to me. No one filtered them out before hand. Résumés from Craig’s List came in one big bunch at first followed by a big surge from Linked-In. I would say I got 80% of all the resumes I received within a week of posting both ads. Linked-In seemed to have the longest tail with résumés arriving at a pretty steady rate for about two weeks although some people were still responding to the Craig’s List ad up to three weeks later. If you are looking for a job I would recommend looking for new listings daily. In this particular case we went from job posting to job offer in three weeks. People who applied during the third week did not get the same consideration as those that applied during the first week. The job was listed on a Tuesday and I was already interviewing people on that Friday. I suspect in some companies they may wait until they get all the submissions and then start going through them, however every position I have ever hired has been a ‘We need to fill this position now, get them in as soon as possible’. I’ve never had time to collect a bunch of résumés and then leisurely sort through them.

As for the résumés themselves… well, I was surprised. People seem to have forgotten what the résumé is for, it serves one purpose and one purpose only, to get the interview. That’s it. You will not get hired for any job based on how good your résumé is, what you might get is an interview. For the record I received over 80 résumés in three weeks. With that kind of competition you really need make sure your résumé is going to get you that interview. Out of those 80 applicants I actually brought in and interviewed eight people. I don’t know if that can be extrapolated to the wider job market as a whole but 10% sounds about right to me.

Something else that people seem to forget is that a real person is actually going to read the résumé eventually. All those buzzwords you use to get caught in the HR search engine are going to read like crap when a real person tries to decipher the buzzword and jargon filled ten page diatribe you submitted as a résumé. Which brings me to my third surprise, length. Seriously I see no reason at all to go beyond three pages, ever. In my book two is acceptable but if you really want to impress me go with one page. I received exactly one résumé that was one page long. Guess what, he got an interview. On the other end of the spectrum the longest one I got was seventeen pages and the second longest was eleven pages. I think I glanced at the first two pages of both and threw them on the ‘no’ pile.

I don’t usually check to see if a résumé has education listed, formal education does not impress me, I wasn’t hiring for an entry level position so I was looking for experience, however most people did list some sort of secondary education. It has been my experience that most schools force students to take some sort of career development class where they teach you how to write a résumé. Either most people forgot what they learned or schools are teaching shite. If you have never taken a résumé writing class or slept through that class in school find a class at your local Adult ed center and take it, or ask someone who works in HR to critique your résumé or something. Also don’t forget the cover letter. It doesn’t have to be long but I personally consider not including some sort of letter other than the résumé to be rude and lazy.

So what do I want to see on a résumé? First follow directions. If the job listing says to submit to a specific address then do so, don’t just hit reply on the Craigs List ad. This really upset me, if you can’t follow simple directions why should I hire you? Unfortunately it happened way to many times. At least half the résumés went to the wrong address.

The résumé should be easy to read. This should go without saying. This was for an IT Manager position not a graphic designer. Multiple colors and wacky fonts with strange layouts do not impress me. They go straight to the No pile.

If you are applying for an IT Manager position and your last job was a CTO then you are probably a bit over qualified and will end up in the No pile. If you are not really a CTO but just gave yourself the title because you are the only tech guy where you work, don’t. If you are applying for a lower position than you currently have then dumb down your résumé. If I think you are just going to jump ship as soon as you find something more on your level I’m not going to hire you. I probably got 20 or so résumés that list CTO or CIO as their last job, almost all of them wet straight to the ‘No’ pile.

I received one résumé with no job history at all, just a list of certifications and schools. This guy had every cert I think I had ever heard of. There were more acronyms than words on the page. I got nothing against certs, and if you got ’em put on there, they can’t hurt, unless they are the only thing you have. Personally I want to see experience. Even when I am hiring for an entry level position where applicants are likely to have no relevant experience I still want to see job history. Even if it is landscaper, Burger King and Best Buy, list it. I want to know that someone else thought you were worth hiring and that you could keep that job.

And speaking of experience the first thing I look for is job titles, make sure those stick out some how on the résumé. I want to see job titles and I want to see dates of employment. If you only list the year like say 2005-2006 and those years aren’t very far apart I’m going to get suspicious. I mean I’m a tech guy I understand people jump around a lot but if I see four jobs in three years there better be a logical progression of positions or you will end up in the ‘No’ pile.

Oh, and a biggie, fix ALL typos and grammar errors. The résumé should reflect your absolute best work, a typo, spelling error or simple grammar mistake probably won’t kill your chance at an interview but it won’t help and there is no reason for it. Get someone else to proof read it for you. Personally I suck at spelling and grammar, so much so that the way I write got its own name, ‘Spaceronics’, but there is no excuse for such mistakes on a résumé.

So if you want to get called in for an interview for a position I am hiring for keep the résumé short, three pages max, easy to read, highlight job titles and dates of employment and try to make your work history as relevant as possible. Dumb it down or smarten it up as necessary (Do NOT lie on the résumé, ever!) For a bonus make sure it prints out well. I think anyone who follows those steps and applies for a position they are somewhat qualified for should at least get a phone call. Good Luck.

Red Team Uniform

Allied Security Jacket

So I happened to be walking by the thrift store today and they had a rack of winter jackets on hangers outside on the sidewalk with a sign on them that said “Jackets $5.00”. The really interesting thing was that one of the jackets happened to be from the local security company Allied Security with the logos still prominently displayed. It would make a great costume for a Security Red Team. Something to think about next time you see a Security Guard wandering around somewhere maybe he shouldn’t be or who seems to be asking you a lot of unusual questions.

Financial Company Still Recommending Insecure Software

There are few things in this world that really piss me off and blatant ignorance is one of them. On January 31st 2006 Microsoft did the right thing and removed Internet Explorer for Mac from their available IT downloads. Considering that IE5 for Mac had ceased further development in 2003 it had become riddle with unpatched security holes by the time MS removed it from the its website. Despite Microsoft’s positive action people are still recommending the software three and half years later, and not just regular Joe Schmoe idiots but major financial corporations.

Such recommendations place these corporations, not to mention their customers, at major risk for online fraud, phishing attacks, identity theft, etc… If a company does not wish to support a specific platform that is their prerogative but if they go out of their way to recommend not only an unsupported solution but also an extremely dangerous one shouldn’t they be held liable for their negligence?

I am pasting below a recent email exchange between a local IT Manager and the technical support for (If anyone knows anyone in security at Paychex you might want to point this out to them.) I sincerely hope that the flunky in IT who wrote this has just been misinformed and that this is not Paychex official policy, but hey, there are a lot of stupid idiots out there.

—–Original Message—–
From: Joe Smith (
Date: Monday, May 11, 2009 05:19 PM
To: (
Subject: Online FSA – Contact Us

What are the minimum requirements to use your website?

Several of our employees are having problems accessing their accounts. Do you support Firefox? Safari? Chrome? Do users need Java or Flash installed? Which versions? Thank you.

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 []
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are certain access issues that may occur with firefox and safari and it is not recommended to use these for this website. Internet Explorer should have no issues with access or transmitting information. No additional programs are required for access how ever to request certain documents and view them adobe acrobat reader is required.

Thank you,

Paychex Section 125

From: Joe Smith (
Date: Tuesday, May 12, 2009 04:48 PM
To: ‘Paychex Section 125’ (
Subject: RE: RE:Online FSA – Contact Us

Internet Explorer is not available for Macintosh users. How do you recommend that those users with Macintosh computers access your website?

Kind Regards,

– J. Smith
IT Manager

From: Paychex Section 125 []
Sent: Tuesday, May 12, 2009 4:22 PM
To: Joe Smith
Subject: RE:’Paychex=007-082-074’Online FSA – Contact Us

Hello and thank you for your email,

There are mac versions of internet explorer available online free of charge.

Thank you,

Paychex Section 125


Oh, and they had this stupid disclaimer on the bottom of their emails

The information contained in this message may be privileged, confidential, and protected from disclosure. If the reader of this message is not the intended recipient, or any employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Paychex, Inc.

All I can say is that idiocy must be brought out into the light so that it can wither and die. Become enlightened. Oh, and don’t use IE for Mac.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network.. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.
So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently Corinne Iozzio over at PC Magazine, nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof” – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via “British Defense Ministry Dismisses Hacker Report”