I had just finished hacking the Gibson when I heard the news: Rudy Giuliani, the guy who said he was gonna solve cybersecurity, had just been named Trump’s cyber advisor. I hopped onto our hacker mafia’s government-proof encrypted chat app to make sure everyone knew that we were in real trouble. When I got no response from Mr. Robot or Anonymous I got my rollerblades on, and got out of my mom’s basement as fast as possible.
I dialed our ringleader with a secret, anti-authority encrypted phone app while hacking all the traffic lights between here and his mom’s basement as I raced over. When he picked up I blurted, “Stop hacking baby monitors and trying to crash the stock market!”
He yelled, “What?!” I realized I’d forgotten to take my balaclava off! I shouted that Big Rudy was the new hacker sheriff in town, and all us hackers were gonna have to go underground. Tears spilled down the front of my ninja costume as I wobbled on my ‘blades, telling him our days of taking out the internet for lulz and raking in piles of bitcoin from ransomed AOL accounts were over.
In reality, we have plenty of reasons to worry. Before Rudy Giuliani was named Donald Trump’s official presidential Cybersecurity Advisor, the former New York City mayor had made a number of things crystal clear about his intentions towards hackers and the cyber. For one, he’d been pretty up front about the fact that he got into cybersecurity dealmaking for the money. Giuliani was emphatic over many years and at every opportunity that he was going to be the guy to “solve cybersecurity.”
Hacking, he said on several occasions, was like cancer. It was the worst word he could think of to call information security research. And finally, he never wavered from his belief that hackers were not only like the mafia, but that they could never, ever be trusted — especially so-called “reformed” hackers. Giuliani always made sure that people knew he couldn’t be fooled by that principle of the justice system.
All his talk of hackers as permanent criminals spreading cancer has no doubt bolstered the beliefs of conservatives in Trump’s extreme right pocket, who didn’t need help imagining pedophiles and lawless balaclava-wearing basement dwellers (or Asians in faraway hives). Like most things we’ve seen come out of Trump’s surreal fright show, Giuliani’s working hard to encourage people and press to wallow in these manipulative, lurid fantasies.
That’s why most hackers and infosec professionals found it all kinds of disturbing that Trump will be using Giuliani as his go-to for advice on all things cyber. It’s not just that he counts one of his qualifications as the fact that he’s given over 300 speeches on how everyone’s ignoring the scourge of hacking. Giuliani’s not great at following advice when it comes to security. When he was advised against moving New York City’s emergency services into the World Trade Center because it wasn’t a good call, he did it anyway. Right before 9/11.
It didn’t make anyone in the infosec sectors feel better when Giuliani announced he would be forming a cybersecurity team for the President-elect. Rudy isn’t exactly a team player when it comes to computer security matters. When the NYPD commissioner built a “computer statistics” system for crime, Giuliani did the equivalent of having him banished — forcing him out — to prevent credit going to anyone but Giuliani.
According to the Trump Transition’s official announcement, Rudy’s team will advise the leader of the free world on issues “concerning private sector cyber security problems and emerging solutions developing in the private sector.”
Things only got worse when, the minute the announcement was made, infosec denizens did impromptu security assessments of Giulianisecurity.com and Giulianipartners.com. Both servers were described as having sat for years with the equivalent of a “hack me” sign on them — meaning that both were likely hacked long ago. The laundry list of years-old unpatched vulnerabilities, nearly two dozen active exploits, and overall security failures was astonishing.
Team Giuliani didn’t respond to all the public attention around the nearly-comic website security failings of both sites. By January 14, both Giulianisecurity.com and Giulianipartners.com suddenly failed to resolve in DNS, making both sites unavailable to the public. But, as of this writing, the server addresses remained (just visit http://126.96.36.199/), showing that whoever attempted to pull the sites only removed the DNS entry — but left Giuliani’s vulnerable servers online.
Whether or not Giuliani manages those servers himself is beside the point: This is the worst possible resume anyone in this position could have. It’s embarrassing and avoidable, and displays a blatant disregard for even the most basic cybersecurity practices. It is the behavior of someone who carelessly believes he is an exception to the rules everyone else must live by. It sends a terrible message to an industry struggling for both legitimacy and a voice with regard to US policy, and in every way possible.
Giuliani has been interested in cybersecurity since he read an FBI report in 2003 predicting a hacking crimewave, and instantly decided he needed to build a business around it. That business was Giuliani Partners, a security consulting company. His naming to Trump’s post comes one week after Giuliani Partners had announced its new partnership with BlackBerry. The recently released BlackBerry Secure platform will provide the underlying software for Giuliani Partners’ cybersecurity consulting product, whatever that will be.
Under these auspices, the future of cybersecurity policy looks dark. Given how much Giuliani hates hackers and believes he’s the king of cops, we can probably expect to see the cyber version of “stop and frisk” coming out of Trump’s inevitably opportunistic Giuliani-led Cybersecurity Working Group.
It’s clear the incoming powers-that-be don’t think very highly of hackers and hacking. Nor do they understand the subtleties of how hackers are actually the entire underpinning of infosec, let alone how important it is to this sector that someone like Giuliani models even the most basic website security. By Giuliani saying stupid things about infosec while pretending entire hacking communities didn’t just call out his own cybersecurity as literally the worst possible ever, he’s a complete hypocrite for even stepping into the ring. And if there’s anything that gets exposed faster and louder than an anti-gay senator on Grindr, it’s hypocrisy in security.
This is a business and culture that believes the teeny-tiniest details really matter, and has witnessed firsthand that one careless step can topple businesses and ruin lives. Unlike Rudy Giuliani, the people in cybersecurity have dedicated everything to giving a shit about getting things right.
So if Giuliani and his sideshow of opportunists want to think of hackers as some kind of criminal cancer, they’re doomed from the start. Thought pieces by armchair infosec pundits can try to tell us Giuliani should be taken seriously in this role all they want. But I can’t think of doing anything worse for the future of cybersecurity right now.