03.22.12
Wayback Machine: Gulf War virus hoax
Today I’m reprinting material from many years back, a piece I wrote for the Wall Street Journal, and a bit from Rob Slade’s old Springer-Verlag book on computer viruses.
This in an add-on to the Voice of America blog post on cyberwar and Iran falling prey to the now over twenty year old joke.
Indeed, the editors and reporter Doug Bernard at Voice of America could have avoided the entire thing.
In e-mail yesterday, one of the sources for the story — it’s not too hard to figure out who (look for the “cyber doom” quote) — remarked in e-mail he would have warned VOA’s journalist about it if it had been mentioned in interview — but it wasn’t.)
VOA News did not respond to two of my notifications to them on the matter.
The Gulf War virus hoax story remains relevant, even though I wish it didn’t, simply because the nature of it plays so well to mainstream discussions on cyberwar. Almost all these greatly rely on exaggeration, fantastic claims and the painting of apocalyptic scenarios which make the alleged discombobulation of an Iraqi air defense system in 1991 seem quaint.
Paradoxically, even though no computer virus experts take the Desert Storm tale seriously, much more recently security researchers have worked to reveal vulnerabilities to malware in modern printers. For laymen who would stumble across the old 1991 joke repackaged as a new revelation from history, the distinction between a joke and what is actual research disappears.
Once again, such stories rely a flaw in American thinking — the belief that if bullshit is passed by enough sources it becomes not-bullshit. Or that “truth is a matter of majorities” — more specifically, those you choose, to quote Andrew White again.
Again, since the Gulf War virus hoax writings are now so old, you can’t find the originals on the web. (Well, you can find some material but it’s not at the fingertips.)
Reprints begin below.
Truth is the first casualty of cyberwar by George Smith, Wall Street Journal, September 8, 1998.
Reprinted with permission of The Wall Street Journal c 1998. Dow Jones & Company, Inc. All rights reserved.
Concern is growing in many quarters that society’s reliance on computers has made it extremely vulnerable to attack via keyboard. Journalist James Adams has written a new book, “The Next World War,” which claims that information warfare will be the battleground of the future. At the Pentagon, military theorists ponder how to defend America against hackers in the employ of a foreign power who might use the Internet to turn off the electricity, paralyze the armed forces, cause corporations to crumble and write dirty words on your Web site.
Before you run screaming from your computer and haul the old manual typewriter out of the closet, look closely at the source of these cyber-scares. It turns out that many of them are information-age ghost stories that get spookier with every telling.
Mr. Adams’s book passes along a couple of hoary tales. The first revolves around the idea that the National Security Agency developed a computer virus for use in the Gulf War. Supposedly secreted in the hardware of computer equipment destined for Iraq–printers, in the most popular variation–the virus was somehow designed to bushwhack Iraqi air defense computers hooked to the same network. This is implausible on its face: A printer has neither the hardware space nor the capability to spontaneously transmit programs, which is what computer viruses are, to other computers on a network.
The printer-virus story is very similar to an April Fool’s joke published in a 1991 issue of Infoworld magazine. The story was subsequently picked up in “Triumph Without Victory,” U.S. News & World Report’s book on the Gulf War. Many have fallen for it besides Mr. Adams. In 1997, a Hudson Institute researcher gave it credence in an analysis of “Russian Views on Electronic and Information Warfare.”
The second beguiling myth perpetuated by Mr. Adams and many others is that of the electromagnetic pulse gun. Since at least 1992, teenage hackers desperate for media attention have been spinning elaborate tales about this exotic weapon, usually said to be cobbled together out of a few hundred dollars worth of electronic trinkets, radio antennae, bailing wire and automobile batteries. This electronic rifle is allegedly capable of destroying computers by firing an assortment of electromagnetic waves. Mr. Adams reprints part of a 1996 interview in Forbes ASAP in which a hacker insists these are the “poor man’s nuke.” At a hackers’ convention in Las Vegas, one participant– appropriately named “Ph0n-E”–even showed off a bogus contraption that he claimed was a pulse gun.
Obviously, the genesis of this idea lies in a 1962 nuclear test whose electromagnetic pulses famously blocked radio communications. But no one has been able to overcome the basic physics problem of packing these pulses into a gun: Any such weapon would have an effective range of only a few feet while requiring a power supply so large it would severely burn, if not kill, whoever fired the weapon.
Indeed, no genuine pulse gun has ever been produced for examination. But that hasn’t stopped Congress’s Joint Economic Committee from holding two unintentionally amusing hearings, in June 1997 and February 1998, on the matter. Apocryphal claims have even spread that unnamed British financial institutions have had their computers electrocuted by such weapons.
Some other cyberwar myths making the rounds:
In 1997, Sen. Daniel Patrick Moynihan’s commission on reducing government secrecy issued a report containing a chapter devoted to computer security. In a boxed-out quote, the commission uncritically reported: “One company whose officials met with the Commission warned its employees against reading an e-mail entitled Penpal. . . . Although the message appeared to be a friendly letter, it contained a virus that could infect the hard drive and destroy all data present.” Actually Penpal is a notorious Internet hoax. In this instance, the pranksters took in a commission whose members included former intelligence agency chiefs John Deutch and Martin Faga. The spring issue of the U.S. Army War College’s scholarly journal, Parameters, contained an article by Lt. Col. Timothy L. Thomas that soberly mentioned a computer virus called Russian Virus 666 allegedly capable of putting computer users into a trance in which they could be made to suffer from arrhythmia of the heart. The virus’s satanic name should have been a tip-off. Yet while no one would give credence to a military publication that wrote about, say, salvaging weapons technology from UFOs, readers seem to leave logic behind when the subject is computers. In the December 1996 issue of the FBI’s Law Enforcement Bulletin, two academics, Andra Katz of Wichita State University and David Carter of Michigan State, discuss the “Clinton virus” which was “designed to infect programs, but . . . eradicates itself when it cannot decide which program to infect.” To the chagrin of the authors, the indecisive “Clinton virus” was revealed to be another Internet joke.
Oh well, look at the bright side: Cyberwar is cheap. Dueling jokes, myths and hoaxes cost almost nothing to produce and even less to spread.
Mr. Smith is the editor of The Crypt Newsletter, an Internet publication about computer crime and information warfare.
A lot, but by no means all, of the old Crypt Newsletter can be found here in the Wayback Machine.
Computer security and virus expert Rob Slade also addressed the Gulf War virus hoax in his book, forthrightly entitled “Rob Slade’s Guide to Computer Viruses,” published by Springer in 1995.
In a section on virus myths:
In early 1992, there were reports of a virus that shut down Iraq’s air defense system during Desert Shield/Storm. This seems to have started in Triumph Without Victory … and the serialization of the book by US News and World Report. The articles were rerun in many papers … and the article on the virus that ran in my local paper is specifically credited to US News & World Report. The bare bones of the article are that a French printer was to be smuggled into Iraq through Jordan; that US agents intercepted the printer and replaced a microchip in the printer with one reprogrammed by the NSA; and that a virus on the reprogrammed chip invaded the air defense network to which the printer was connected and erased information on display screens when “windows” were opened for additional information on aircraft.
[Longer technical discussion omitted.]
There is … a much more telling piece of evidence supporting the mythical status of what became known as the Desert Storm virus. Infoworld (April 1991) carried an article reporting a computer virus that US authorities had used to shut down Iraqi computer systems. The Infoworld article, to careful readers, an obvious April Fool’s joke (supported by the name of the virus, AF/91). The article ended with the warning that the virus was out of control and was now spreading through system in the Western world. It was a spoof of the new Windows 3 program, the popularity of which was startling industry analysts.
Although the Triumph Without Victory story was confirmed by sources in the Pentagon, the similarities to the Infoworld AF/91 prank article are simply too great. This is obviously a case of official “sources” taking their own information from gossip that had mutated from reports of the joke …
One of the other rules of thumb in thinking critically on these matters: Extraordinary claims require extraordinary evidence, not just someone’s say so.