I am, however, broken hearted. All this time I have thought so higly of Carolyn Meinel – not!

The paper by Staniford, Paxon and Weaver discusses worm propagation and attacks, not focused attacks against the routing infrastructure of the Internet. The two are separate and distinct.

I believe it was former Senator Fred Thompson who asked the question that resulted in the now famous quote. The quote below comes from one of the few remaining sources providing any of the testimony, CBS News:

“I’m informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is tat correct?” Thompson asked.

“That’s correct,” replied Mudge, a frizzy-haired computer security expert. “Actually, one of us, with just a few packets,” he added, referring to bundles of data that flow across the global computer network.

He went on to describe generally a process to separate “the different major long-haul providers,” such as AT&T, so its network couldn’t exchange information with other major networks, such as MCI.

“It would definitely take a few days for people to figure out what is going on,” Mudge said.

After reading the account above it’s pretty clear that Mudge was explaining vulnerabilities in Internet routing to the unitiated (i.e. Congress). Mudge never made a secret that he was talking about BGP, to argue anything else is just silly at this point.

I’m not an expert in Internet routing and I’ve never claimed to be one. However, I do have the benefit of working with some experts in the field, Danny McPherson and Craig Labovitz and working for a company that’s in the business of BGP expertise. BGP security didn’t simply pop-up overnight, it evolved. I firmly believe that in 1998 it was every bit as vulnerable as Mudge suggested.

The interested reader might consider a more complete treatment of the topic by reading Practical BGP by Russ White, Danny McPherson, Srihari Sangli.

The timeline of the sources you’ve cited for information on BGP misconfiguration does not in fact detract from the L0pht claim. The earliest citation in the lot is August 2002; more than four years after the L0pht’s Congressional testimony. Again, this is an eternity in the development of Internet security technology.

As I stated originally, the budgetary considerations afforded to the NIPC (IAIP) were a drop in the proverbial ocean of the FBI’s budget. While the GAO report describes issues with the development of the NIPC, it specifically deals with electronic counter-terrorism, not the non-electronic variety. The GAO reports are clear in their accounting of the NIPC budget for fiscal years 1999 and 2000. To argue that the diversion of .009% of the FBI’s budget substantially contributed to an intelligence gathering failure, real or otherwise, is far fetched at best. The numbers do not stack up.

I spent $3.95 to read the New York Times article you cited so I could extract the quote you’re referring to:

Without forceful direction from the White House, American intelligence and law enforcement officials handling counterterrorism cases were frequently short of resources and often distracted by competing tasks. Michael E. Rolince, a senior F.B.I. official, told the Congressional committee last week that there were fewer F.B.I. agents assigned to counterterrorism last Sept. 10 than there had been in August 1998, at the time of the embassy bombings in East Africa.

If your assertion is that an FBI computer forensic analyst should have been reassigned to non-electronic counterterrorism, I have to question whether the two skillsets overlap, let alone converge.

Last, the cited NIPC report describes the FBI’s intelligence capabilities at the time to be limited. Quoting directly from page 43 of the report:

Although NIPC officials cited a need for more personnel, they also cited a need for personnel with more experience and expertise in computers, infrastructure operations, and intelligence analysis. NIPC officials said that most of the FBI employees assigned to the [Analysis and Information Sharing Unit] have had limited expertise in these areas and have lacked the skills necessary to perform the assigned functions. The FBI’s 1998-2003 Stratic Plan corroborated these assertions, noting that FBI analysts often have had little or no training in intelligence analysis and lack experience in the subject matter for which they are responsible.

The FBI staffed 153 intelligence analysts prior to 9/11 according to Janes Defence Review. Pre 9/11 the FBI was primarily a law enforcement agency.

Arguing that a small section of the FBI with a small budget and small staff compared to the rest of the FBI contributed to a lack of prior knowledge which ultimately lead to the success of the attacks is offensive on many levels. The most obvious of which is blaming everyone but the criminals responsible for the 9/11 attacks.

Nathan argues that exploitation of Border Gateway Protocol (BGP) must have been what Mudge had in mind. In Mudge’s defense, he never said this that I know of. In any case, the current standard, BGP-4, had long been in use in the core when Mudge gave his Senate testimony. (All bets can be off within a Autonomous System, but that’s another issue and another flame war.) To get an idea of the complexities of taking down the entire Internet via BGP-4, you are welcome to read these papers on various ways to do so:
“Understanding BGP misconfigurations,” by R. Mahajan, D. Wetherall, and T. Anderson, Poceedings of the ACM SIGCOMM Conference, Pittsburg, Aug. 2002,
“Pretty Good BGP: Protecting BGP by Cautiously Selecting Routes,” by Josh Karlin, Stephanie Forrest, and Jennifer Rexford. University of New Mexico Technical Report TR-CS-2005-37, October 2005, “Pretty Good BGP: Protecting BGP by Cautiously Selecting Routes,” by Josh Karlin,et. al., presented at the Fourth Annual Adaptive and Resilient Computing Security Workshop (ARCS2005), Nov. 2-3, 2005, http://www.cs.unm.edu/~treport/tr/05-10/pgbgp.pdf, “Listen and Whisper: Security Mechanisms for BGP,” by Lakshminarayanan Subramanian, Volker Roth, Ion Stoica, Scott Shenker, and Randy H. Katz. Presented at the Usenix First Symposium on Networked Systems Design, March 29-13, 2004,
“Security and Predictability: Two Missing Pieces in BGP,” by Lakshmi Subramanian, Workshop on Internet Routing Evolution and Design (WIRED), October 7-8, 2003, http://www.net.informatik.tu-muenchen.de/wired/position/lakme.pdf

As for FBI spending on counter-terrorism including all activities around the world, on Sept. 20, 2002, Michael E. Rolince, Special Agent in Charge of Counterterrorism, Washington Division of the F.B.I., testified before a joint hearing of the Senate and House Intelligence Committees that fewer F.B.I. agents in total were assigned to counterterrorism on Sept. 10, 2001 than in Aug. of 1998. See “TRACES OF TERROR: THE INTELLIGENCE AGENCIES; C.I.A.’s Inquiry On Qaeda Aide Seen as Flawed,” by James Risen, The New York Times, Sept. 23, 2002, Late Edition – Final, Section A, Page 1, Column 5. The Skeptical Enquirer story citation on domestic F.B.I. spending on counter-terroism comes, as shown in the footnotes to the article, from the “Report to the Subcommittee on Technology, Terrorism, and Government Information, Committee on the Judiciary, U.S. Senate: Critical Infrastructure Protection; Significant Challenges in Developing National Capabilities,” General Accounting Office, April 2001, GAO-01-323,. If this is not enough to be convincing, you can read the report of the 9/11 Commission, which goes into brutal detail about the FBI refusing to follow leads on al Qaeda because of refusal to spend the money on this low priority activity. Also you can read the pages I cited from “The Age of Sacred Terror,” by Daniel Benjamin and Steven Simon in which they argue quite cvogently that the FBI diverted money from terrorism to the hacker beat. These two men wwere staffers of Richard A. Clarke and therefore were clearly on the inside — as was the GAO and the Special Agent in Charge of Terrorism.

I rest my case.

Interesting to come across your post on this topic–I’m an Arbor customer and a longtime SI reader whose reaction to the article you’re writing about was similar. I posted at length about Meinel’s article on my blog when I received that issue, and also submitted a letter to the editor which I understand will be published along with a response from Meinel. Should be interesting!

I think most people working infosec are themselves skeptical inquirers. We’re open to the possibility of new things, we’re just very cautious of snake oil (i.e. skeptical).

I’ll give SI its fair due by reading some of the other articles before making a truly harsh indictment of the magazine, if ever. From what you’ve explained, the cover story wasn’t exactly a shining example of its best material.

As far as working with Mudge, you interact daily with Dave G. and Window; either of them could have reminded you that I worked for @stake in 2000 and 2001.

Apparently, they’ve now trained their skepticism on government. While this is laudable in principle, it seems they need to strengthen their review process. Identifying instances of “government waste” is trivially easy, and saying that any given instance of such waste “is responsible” for some sort of bad outcome which would have cost less than the wasted amount to prevent is simplistic in the extreme. I’d view anyone that made such a claim with a very skeptical eye.