From: Ralph Logan (rlogan@medusa.blackops.org)
To: editors@sciam.com
Cc: Alexander_Wellen@zd.com, rthieme@thiemworks.com, winn@infowar.com,
betty@infowar.com, derad@aol.com, savage@dfw.net,
dc-stuff@merde.dis.org, aleph1@dfw.net, route@phrack.com,
editor@cultdeadcow.com, dtangent@defcon.org, tunafish@rt66.com,
root@rt66.com
Date: Fri, 6 Nov 1998 13:26:59 -0800 (PST)
Subject: Carolyn Meinel --- Debunking the myth.
Approximately a year and a half ago, I attended Defcon V.
Information Security professionals attend Defcon regularly to see old
friends, form new relationships, and generally relax in an environment
where we can speak about familiar topics without having to stop and
explain years of computer knowledge to the general public, managers, clients or our bosses.
According to the Official Defcon V page there was a panel discussion
moderated by:
Carolyn P. Meinel - Moderator of the Happy Hacker Digest and mailing
lists. She will preside over a seperate[sic] Happy
Hacker discussion pannel[sic] that
will cover the topics of wether[sic] or not "newbies"
should hav[sic] information handed to them, or should
they learn for themselves?
Having established relationships previously with other Information Security
Professionals, I was surprised her name had never been mentioned, so I decided to sit in
on the panel. Understanding that this was an informal convention, I was not expecting
strict guidelines or 'stuffy' behavior from any of the panel members, but the complete
ignorance and irrelevance of Ms. Meinel's statements, retorts and reactions to open
questions amazed me.
I left the panel discussion early.
Over the last year, I have kept a watchful eye on this person, Ms. Meinel. I researched
her history, read her list, watched other mailing lists, and attempted to understand how
and when she became a 'Security Professional'. Knowing the experience and educational
backgrounds of other Information Security Professionals, I could not grasp how the
moderation of a mailing list qualified her as a 'Security Professional.'
I received a document sent to Mike Bellus of the FBI outlining Ms. Meinel's services as
a consultant. In the description of the "3-day Beginner Hacking Course" she was proposing
to the Federal Bureau of Investigation, Ms. Meinel roughly portrays one of her services
as "...designed to go far enough in these three days to teach serious proficiency at
catching email criminals such as mail bombers."
Such are the 'skills' that Ms. Meinel encourages in her followers on the "Happy Hacker"
mailing list and journal, although the 'skills' Ms. Meinel teaches on her list are just
sufficient to get a new computer enthusiast in enough hot water to send them to prison.
She of course throws in an occasional 'Don't do this or you will go to jail' comment, but
let's compare that to setting the cookie jar in front of the hungry child, shall we?
Questions began to form in my mind: 'Is Ms. Meinel attempting to generate business for
herself?', 'Is her skillset really this limited, or is she teaching new computer
enthusiasts just enough to set off the warning signals with potential clients?'
I watched at a distance as Ms. Meinel continuously poked and prodded her way around the
underground scene with inflammatory accusations, ridiculous claims, and pious retorts to
intelligent queries. Taunting the underground personalities with challenges, then
turning to Federal Officials and accusing innocent people of terrorizing her, Ms. Meinel
has unjustly accused many people of criminal activities, with not the slightest bit of
evidence.
It was obvious to me that Ms. Meinel had an agenda other than simply helping the
uninformed in her 'Happy Hacker' mailing list. Sure enough, in early 1998 her book 'The
Happy Hacker' was published.
Interest waned after the book was released, as myself and other security professional
associates realized that she was a harmless charlatan.
At Defcon VI Ms. Meinel was amazingly quiet.
A few months later, my current military client and I attended NISSC (National Information
Systems Security Conference).
One session of the conference concerned 'The Future of Information Security'. Included
in this session's audience were professionals from the Department of Justice, National
Security Agency, Federal Bureau of Investigation, Secret Service, security professionals
from the 'Big Five' accounting firms, Microsoft, and INFOSEC Professionals in the private
industry. The panel discussion soon moved to 'How are we as INFOSEC professionals going
to police the integrity of our profession?' When someone mentioned the content of Ms.
Meinel's recent 'Scientific American' article, the entire audience burst into laughter.
It was a satisfying moment for those of us following Ms. Meinel's less than illustrious
career: to finally see that our fellow PROFESSIONALS see her for what she is, and not
what she purports to be. I returned home from that conference with a sense of
satisfaction, knowing that other INFOSEC professionals see through the charade that Ms.
Meinel is creating.
The most disturbing part of this last year and a half of watching Ms. Meinel, is her
uncanny ability to pull the wool over the eyes of the press and the limited amount of the
public that listen to her. I am afraid we are going to see more people in our industry
playing these games with potential clients and the public, and we must constantly guard
the integrity of INFOSEC, for integrity is a mainstay of any INFOSEC professional.
It was with shame that I read your article after my boss pointed it out to me, asking if
I was familiar with Ms. Meinel.
This letter is not for publication, only to ask you to please research your publicized
writers before publication in the future.
This is not a letter to taunt Ms. Meinel, for I have no desire to respond to her,
correspond with her, or even give her an attempt to justify her ever downward spiralling
'career' as a 'Security Expert'.
Ralph Logan
Senior Information Management Specialist
Affiliated Computer Services, Inc.
The opinions stated in this correspondance are in no way representative of
my employers.