Feb 15 2011

Criminal behavior: a new era for the computer security industry

Wait, I meant "alleged criminal behavior." Where's the "change headline" button?

“Barr and Evans” might not sound as cool as “Bonnie and Clyde” or “Sidious and Vader,” but you—

—waitaminit, I just realized: you can’t call Barr & Evans a duo. Talk about a bad simile! Let me start over…

I’ve exposed charlatans and false prophets in the computer security industry for nearly a quarter-century. John McAfee, Richard Clarke, Dan Verton, D.K. Matai, and (most recently) Joseph K. Black all come to mind. Up to this point, though, their activities qualified as “unethical behavior” done for shameless self-promotion.

It shouldn’t surprise us to find outright alleged criminals operating out of a digital store front with real investors and paying customers.

Now comes a new era for the computer security industry — outright alleged criminal activity within its ranks. Two new journalistic exposés (three if you count Forbes) lay out the filth & stench surrounding HBGary Federal CEO Aaron Barr and LIGATT CEO Gregory D. Evans.

This media attention comes after both men saw their dirty laundry aired when hackers gained illegal access to their corporate email archives. “Ouch.”

Unlike the fake-antivirus subindustry, CEOs Barr & Evans operate within the legit realms of computer security. Spit on them if you wish, but they’ve got real investors, publicly traded companies, actual products & services, paying customers, and media contacts.

Barr’s detractors regard him as the best student ever to graduate from the Dan Erwin School of Horror Stories, and he stands accused of targeting Salon journalist Glenn Greenwald for character assassination. Evans’ detractors documented accusations of rampant plagiarism, stock price manipulation plus insider trading, creating false evidence for a lawsuit, forging corporate documents, filing SLAPP subpoenas, corporate tax evasion, claiming false credentials, wiretapping, cyber-bullying, and (last but not least) sexually harassing his employees.

The global computer security arena is now so profitable and so willing to prostitute itself — with customers so eager to spend money and reporters so willing to write stories — that it shouldn’t surprise us to find outright alleged criminals with a digital store front.

Indeed, it’s only a matter of time before a first-world nation secretly pays a “respectable” firm to build products to attack the very customers who pay them for protection. If that’s not criminal behavior, then I don’t know what is.

(You’ll find a great analogy to this in “The Good, The Bad, And The Ugly.” Stevens knows Baker paid Angel Eyes to kill him, so he pays Angel Eyes to hit Baker and promptly gets gunned down. Baker then pays Angel Eyes for killing Stevens and promptly gets gunned down. It’s only a matter of time before your antivirus firm is Angel Eyes — and you’re Baker.)

Thankfully, there’s an upside to all this. Any number of hobbyist observers use Twitter to take a stand against outright alleged criminal behavior within the computer security industry. I and George C. Smith did this job all by ourselves in the old days and we did it quite well. Other critics have since come to the forefront, e.g. Attrition.org and LigattLeaks. To paraphrase The Joker in “The Dark Knight”:

“See, detractors have shown the Internet your true colors, unfortunately. LigattLeaks? He’s just the beginning. And as for using SLAPP suits as your so-called “plan?” Detractors have no jurisdiction. They’ll convince other media outlets to report on you! I know the exposés when I see them, and…”

Memo to Gregory D. Evans: you might want to buy a wedding dress before LIGATT goes supernova. KnowhatImean?

Everybody agrees we need film critics. This new era shows we need computer security critics.

There’s a downside, too. Regardless of what anyone in the industry claims, they routinely exempt themselves from morality. Failure stalks every grandiose effort to inflict ethical standards on our digital paladins. If this failure were a medical procedure, we’d call it a moralectomy.

I inflict my ethical standard on the industry simply because someone’s got to do it. In 1998, Symantec’s then-CTO Enrique Salem acknowledged I could directly impact his stock price on Wall Street. Such was the power of one outside observer in a hundred-million dollar antivirus industry.

Ah, but there’s the rub — I and George C. Smith can no longer do it effectively, all by our lonesome. These days we’re just Don Quixotes tilting at multi-billion dollar windmills. We need more Don Quixotes. Enter Attrition.org, LigattLeaks, and dozens of gleeful Twitter users.

In the same way film critics became a subindustry of the Hollywood industrial complex, so too must computer security critics become a subindustry of their industrial complex. Everybody agrees film critics serve a much-needed purpose, warning us about trash like “Attack of the The Eye Creatures.” Likewise, this new era shows we need computer security critics to warn us about trash like Barr and Evans.

Welcome to the new era, folks.