Back to the NSA
I have taught one-week continuing-education courses to groups from the NSA several times. It tends to be strange. A senior manager who sat in on one of the earlier classes had been very helpful, explaining to me that the people at the agency tend to be quite naïve about the outside world. I should make sure that I carefully explain what both typical good guys and bad guys really do. I eventually encountered one student I would have to describe as being belligerently naïve.
After getting my wardrobe in line with the stringent NSA requirements after the second or third week, I continued teaching a series of courses for them. I did some TCP/IP networking courses, and some runs of an intro to cybersecurity one.
On the first morning of an introductory cybersecurity course, one of the students introduced himself by saying "I've worked at this agency for twenty-five years in the field of information security, the last fifteen of that specifically in computer and network security."
He might have continued, had I not interrupted him. Look, you're in the wrong course. This is the introductory course, you sound like the sort of person who ought to be teaching this material.
"Well, the boss says I have to do this training, so here I am."
Yeah, but you are going to be awfully bored. You really shouldn't be in here.
"But I have to do this training course now."
Well, hang out if you like, but feel free to get up and walk out when you've had enough. I won't be insulted, I'll understand.
Try as I might, I couldn't get him to leave. I was worried, asking him at every break during the first day if he wasn't bored yet.
"No, I'm OK. I figure I may learn something new this week."
Now, to put this into historical context, lest you think I was telling them about some little-known bleeding-edge technology, this course was running during the second week of June, 2004. I know that, or at least I can figure it out, because it was the week after Ronald Reagan died on the previous Saturday.
Reagan's funeral was an enormous state event, designated as a National Special Security Event. Many of the streets in Washington were closed to traffic and the cellular networks were even shut down for a few hours on one day. The students announced early in the week that they would not be in class on that day. I had been seeing all the newspaper and television coverage of the plans for the events, including a funeral parade from the Capitol to the National Cathedral. I asked if they were going to go see the parade or other events.
"HAY-ull no, ah'm goin' to the mall!" one of them said.
Ah. Well, I'm sure that's what Ron would have wanted. They're federal employees, so it's a bonus unplanned vacation day for them. Have fun at the mall.
Anyway, this course was in 2004. On the second or third day, the guy with the long experience in the field suddenly spoke up for the first time.
"I have a question about spyware. Actually, about anti-spyware software."
Wow, I was thinking that this was going to be tough. Who knows what arcane detail he wants to know about the heuristics used for behavior-based detection of polymorphic spyware. Well, not exactly.
"The wife and I have an e-mail account we use to keep in touch with family and friends. About a month ago we received a message about anti-spyware software."
Yes, I just got something about that topic from my ISP. Who sent the message to you?
"It was from some e-mail address we had never seen before. It said 'Click here to install anti-spyware software'."
Ah. Yes, you see those from time to time. So what's the question?
"What's the deal with people who write the anti-spyware software?"
What do you mean, "What's the deal"? You've lost me.
"Well, I got that message, so I clicked on it."
Really? That's interesting. (I'm thinking that he's undoubtedly doing this on some virtual machine image running in a sandbox, something very advanced.) So, what happened?
"You know, the usual. An installer screen came up, you click the 'Next' button several times until it gets to the end and it's a 'Finish' button."
OK.... I did not expect that. So, uh, where are you going with this?
"Well, this was about a month ago. Now it appears that I might have some spyware on my computer!"
Yeah, that would be my assumption.
"So what's the deal with that?"
What do you mean by "What's the deal"?
"What I want to know is, how can a company market something as anti-spyware software when it doesn't keep spyware off my system?"
Obviously you have spyware. You installed it.
"No, it was anti-spyware software that I installed!"
Look, that's what the hackers say. That's how they get you to install their malware.
"No, it clearly said that it was anti-spyware software!"
He was starting to get kind of angry. How do you respond to this? I tried to again explain what I thought would be obvious, that the claim in the e-mail was a lie told by hackers to trick people (rather naive ones at that, although I didn't go that far) into installing their malicious software.
He again insisted that it had to be anti-spyware software because that is what the message had said. He was sitting up in the front row, and someone who knew him and was sitting diagonally opposite him in the back corner (perhaps for a reason) told him to listen to me, I was telling him the truth.
He stood up and nearly yelled at the guy in the back, "YOU AREN'T PAYING ATTENTION! It clearly said that it was anti-spyware software!"
I said "Gosh, look at the time!" and called a break. Then I went to the break room at the far end of the hall to hide for ten minutes. I slipped back in through the rear door of the room, and asked his buddy in the back row what had happened while I was gone. He said that they had tried to convince him, but then everyone gave up.