Preface
Taming the Internet

“It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood, who strives valiantly; who errs and comes short again and again; because there is not effort without error and shortcomings; but who does actually strive to do the deed; who knows the great enthusiasm, the great devotion, who spends himself in a worthy cause, who at the best knows in the end the triumph of high achievement and who at the worst, if he fails, at least he fails while daring greatly. So that his place shall never be with those cold and timid souls who know neither victory nor defeat.”

– Theodore Roosevelt (1858–1919), “Man in the Arena” speech, given April 23, 1910

I’m out to fix all of Internet security, or at least as much as I can, before I depart Earth. I know from experience that mostly what I’m doing is inviting critics to pan my ideas and tell me how I’m not that smart. It’s okay. I’m a man in the arena.

At nearly the same time that I started to develop an intense interest in personal computers, I also developed a strong interest in fighting malicious hackers and their malware programs. My interest was immediately intensely passionate, religious-like, and felt life-changing. And it turned out to be exactly that, as it changed the rest of my life and became my career. I don’t know why because prior to that epiphany, I had never had an interest in becoming a cop or detective in real life, even though I have always greatly admired and appreciated them. But something clicked when I got into computers.

It wasn’t like malicious hacking was rampant at the time. Back in 1987, there were only a few PC computer viruses, a few on Apple computers (e.g., Elk Cloner), and a few on IBM-compatible computers (e.g., Stoned, Pakistani Brain, etc.). They were so few and generally uncommon that popular and respected early PC Magazine columnist John Dvorak wrote a column declaring them a hoax.

For the first decade or so after that period, even as hackers and their malware programs began to really flourish, most hackers and malware programs really didn’t go out of their way to permanently harm someone or something. Back then, hacking and writing computer virus programs was more of a way for someone (usually men aged 12 to 24) to brag about their programming and hacking machismo to similarly minded online social communities. There were only a few exceptions (e.g., PC Cyborg ransomware trojan, Michelangelo virus, etc.) where a hacker program intentionally tried to harm something. But almost none stole money. And most, if they did do something harmful, really didn’t intend to.

I followed an early online newsletter called The Dirty Dozen, so-called because it described all the currently-existing-at-time dozen malware programs to be aware of. Originally created by Tom Neff and later updated by Eric Newhouse, it quickly grew over the next few years to include many “dozens.” Here’s an example from 1988: https://totse.totseans.com/viruses/virus_information/dd.html.

I had read a 1987 book called FluShot Plus by Ross Greenberg, which described early malware and how to fight it. Greenberg covered how he created what he thought was a totally secure sandboxed environment and invited hackers to hack it: which they successfully did many times in a continuing cat-and-mouse game that portended today’s back-and-forth antivirus battles.

The FluShot Plus book is such an early book on computer malware that I can’t even find a mention or reference to it on the Internet. Imagine something that really existed in the real world that the Internet has no record of! Part of that reason is that the Internet wasn’t really even the “everywhere Internet” as we know it now. We had a patchwork of globally connected messaging systems, but it wasn’t called the Internet. The official Internet was something only privileged universities and colleges had and could afford at the time. I owned a physical copy of the FluShot Plus book for decades. If I had to point to a single thing that piqued my interest in fighting malicious hackers and malware the most, it was that book.

Greenberg also made an early companion antivirus program called FluShot Plus, and he eventually wrote one of the first antivirus scanning programs that could scan for multiple malware programs at the same time called Virex PC. Before then, if you thought you had a malware program on your computer, you had to hope that someone had made a dedicated “detector” program and run that specific program that looked for that one malware program. And if you learned from the detector program that you did indeed have that malware program, you had to execute and run another companion program, if you were lucky and it even existed, to remove the malware program as you crossed your fingers.

The now infamous and late John McAfee made the “virus scanner” program explode in popularity around 1988–1989 and, with it, a new mega swarm of virus writers. Before John created his VirusScan program, there were probably less than a dozen computer viruses. However, one of the weird side effects of writing a popular computer virus-eradication program was that it attracted new people who wanted to code a brand new computer virus and get their 15 minutes of fame.

I first met John in 1987 or 1988 on a computer virus fighting online group called Virus L (I think that was what it was called) on FIDONet, an early precursor of today’s Internet. From that meeting, John encouraged me to learn Assembly language to disassemble viruses, and for the next few years I was disassembling and documenting DOS computer viruses for him. At first, he would send me one or two new computer viruses a month to look at, but within less than two years he was sending me dozens a day. I could not keep up. My real full-time job as an accountant was suffering. John eventually started McAfee Associates and had teams of full-time virus disassemblers. He did not need me.

But I was fully hooked into fighting malicious hackers and their malware programs by then, spending every spare hour I could on it…even neglecting my new wife and young babies more than I should have in pursuit of my new passion. I was, even back then, doing consulting services to companies hit by computer viruses. I remember dressing up in my finest brown corduroy suit and walking into the board rooms of Fortune 100 banks in distress and being paid big money to advise the U.S. Navy when they got hit by computer viruses.

It was all headed stuff, and if they knew just how scared I was inside my own young head, they would probably chased me out. But I did help them. I was even in Newsweek magazine in March 1992 along with John in an article about the Michelangelo boot virus that was erasing hard drives (actually only the master partition tables) around the world.

My passion was expanded past just computer malware when I read Clifford Stoll’s 1989 The Cuckoo’s Egg (https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1668048167) about tracking and trapping a foreign hacker using a honeypot. Not coincidentally, I later wrote a book on honeypots in 2005 called Honeypots for Windows (https://www.amazon.com/Honeypots-Windows-Experts-Voice-Grimes/dp/1590593359). I started to learn about hackers, hacking, and how to stop them.

At the time, I didn’t realize cybersecurity would become my life’s passion and a multidecade career. In my full-time professional life, I have worked my way from PC repair technician to network technician, to network supervisor, to regional director of networks and technology for a large healthcare organization, and finally to vice president of information services of a midsize hospitality company. But during all of that, my real passion was fighting hackers and malware. I was reading everything I could on it. I was frequently making money consulting on it. I was, for sure, neglecting my full-time job to really work on computer security. My bosses thought I was working on budgets or something like that, and really, I was researching and fighting hackers. My full-time jobs were funding my even fuller-time professional hobby. I’m not sure how I didn’t get fired because I wasn’t a great boss or manager.

By April 2003, I realized I had enough of doing anything that wasn’t computer security related. I remember calling my wife one day out of the blue and telling her I was quitting my very well-paying job as a VP and going to start doing computer security full-time. She already knew of my passion but wasn’t as gleeful as I was since we had four kids to support and a large mortgage.

She cautioned me to do general computer consulting instead and do computer security when I could until I could make it into a full-time business. And I could understand her concern. There wasn’t a field called cybersecurity. There were not even a ton of malicious hackers. John’s antivirus program seemed to be getting more and more accurate, and there was a real possibility that the problem of computer malware might be solved. A lot more hackers were getting arrested and put in jail…finally…including infamous early hacker, Kevin Mitnick, who decades later became my employer, friend, and supporter. It seemed like...