This article by Stuart Adams appeared in Louisville Computer News May, 1999
The column this month is a postscript to last month's column on privacy and hacking on the Internet. Actually, with the April 15th deadline approaching at the time of writing this article, I have a nice article almost ready on taxation and the Internet, a subject many of my clients are interested in. But, with extensions in hand for filing my personal taxes, I decided that events in the privacy area were continuing to unfold with such impact that I couldn't resist following up.
One of the problems for anyone who attempts to write anything about cyberspace is that by the time it's published (if not by the time you finish writing it) things may have changed drastically. It happened when I wrote a "recent" article on Y2K litigation and mentioned that the Andersen Consulting case promised to be a landmark for law on the liability of a consultant installing a system which was not fully Y2K compliant. Seemingly the next day after the article went to press, I read one of my online newscasts and found the case had been settled out of court. I had my hopes up for some law on the subject, because both sides of the conflict had money to litigate to the death and they had already tried mediation. What was left but taking a very complicated case to court? But no! Right after deadline they settle.
Well, it happened again last month with the privacy and hacking article. I no sooner wrote about how easy "hacking" had become and the possibility that hackers would try to interfere with military operations, as well as the hardware and software "intrusions" major manufacturers were engaged in, than these events came together on the six o'clock news.
About the time of my last article a nasty virus called Melissa (apparently named after a topless dancer in Florida where the virus creator once lived) was making its way around the world. In case you've been under a rock for the last month, David L. Smith, age 30, is accused of being the creator of this virus. He is reported by the Wall Street Journal to have created the virus in his apartment from two other virus programs and then launched it over the Internet using a stolen AOL account number. Smith is reported to have worked as a network programmer for a company that did subcontracting for AT&T.
Melissa, which introduced itself in your "you've got mail" box as "important message," attached a file to the e-mail message using a Microsoft Word document that listed pornographic sites. When the user tried to open the file, the virus dug into the user's computer address books and sent the infected document to the first 50 addresses it found. There are now several other copy-cat viruses out, some of which are "improvements" on Melissa, making them harder to detect, while some have their own "bugs," making them fairly ineffective.
The real story here, and the reason for inclusion of this in the postscript, is the speed with which the "primary suspect" was apprehended. Although authorities are still looking for an accomplice, Smith was captured within days of the release of Melissa. Apparently, a combination of computer forensics experts, freelance software detectives, and law enforcement officials came together and traced Smith to his apartment in New Jersey, using extremely powerful search and identification tools. This, of course, would seem to add weight to the side of the scales favoring user identification numbers which cannot be obscured.
Investigators declined to explain the exact method used to track Smith. Associated Press quotes Don Willmott, executive director of PC Magazine Online, as saying e-mail can always be tracked and that "no matter how creative you think you are, you always leave a digital trail." The Wall Street Journal reports Peter Tippett, chairman of ICSA, a security company, as saying ICSA tracked over 3,000 Internet chat group messages to Mr. Smith over the years, talking about everything from viruses to music, art, sex, and depression drugs, including a conversation between Batman and the Joker which supposedly justified virus writing. Now that's scary. ICSA apparently infiltrates hacker sites to build files on known virus creators.
Smith, meanwhile, is free on $100,000 bail. He faces the possibility of a maximum of 40 years in jail and a fine of $480,000 if convicted on charges of interruption of public communications, conspiracy and damage or gaining wrongful access to computer systems. Pretty stiff for a practical joke. On the other hand, if you are one of the thousands of businesses which has had its information stream clogged by the spam Melissa caused, the penalty may seem relatively low.
Last month I reported that Raytheon Co. was issuing subpoenas to Yahoo to catch Raytheon employees who posted anonymous messages about the company on the Internet. Yahoo hosted the company-specific message board where these employees had allegedly posted confidential information about Raytheon, which boasts some large government defense contracts. It sued 21 employees, naming them by their online pseudonyms, such as "Raytheonveteran."
Since my article went to press, Mark Neuhausen, who was a vice president in Raytheon's Arlington office, suddenly resigned. He had allegedly posted messages on the message board under the name "RSC Deepthroat." Additionally, another person who posted a Yahoo message under the name "Winston-car," also reported online that he had left the company.
Yahoo, which hosts many such company boards and does not require users to register by name, often doesn't know who the users are. It cooperated with the subpoenas, however, providing the identity of the Internet service providers used by the people posting the messages. Following up on this lead, Raytheon was apparently able to nail the employees, who thought they were anonymous.
Raytheon's site is used by employees, investors, and others and includes both gossip and supposed business tips or "insider information." Quite often these tips prove to be inaccurate, such as a recent posting that the company would get a big government contract that actually went to Boeing.
Raytheon officials claim they encourage employees to "air their views" but say these employees crossed over the line by publicly posting sensitive and proprietary company secrets, such as bid proposals, unreleased financial information and pending divestitures of the company. While this may have a chilling effect on public criticism by employees, it should also send us all a message about how fragile our perceived online anonymity really is.
No, this isn't a digression into a cooking tip. This subtitle relates to last month's article about the possibility hackers would be used, either in international terrorism or military disruption. Well, guess what. NATO reports that, while it is bombing Belgrade, it has traced "rogue" computer users in Belgrade to be the source of thousands of messages, viruses and computer commands used to attack NATO computers. One computer in Belgrade is reported to have sent NATO 2,500 messages in one hour, in an apparent spam attack designed to slow down NATO computers. The attack was apparently successful in blocking some e-mail service for a while, as was an incessant "ping" attack where multiple computers send a request to the same NATO computer, asking it continuously to electronically identify itself to the exclusion of other functions.
Additionally, NATO's virus protection software has apparently caught at least a dozen viruses (some of which were like Melissa) sent to it in another attempt to disrupt NATO operations in Yugoslavia. NATO reports that its system was not compromised, other than being a little inconvenienced.
On another front, all sides of this political and military conflict seem to be using the Internet as a tool in the propaganda war, which always seems to accompany the major military campaigns these days. NATO posts its side at www.nato.int (which may still be a little slow because of hackers). The Federal Republic of Yugoslavia has its official site at www.gov.yu. This site even includes the downloadable and printable version of the "I am a target" bulls-eye symbol that some residents of Belgrade have been wearing as they stand on their bridges waiting for NATO bombers.
The Serbian Resistance Movement can be found at www.kosovo.com and the Kosova Liberation Army is on the Web at www.zik.com. The U.S. (U.S. Department of Defense Official Website) and Canada (www.dnd.ca) also have sites which largely echo the NATO site. There are, of course, quite a number of media sites devoted to the conflict, which are too numerous to mention here.
WHAT'S THE POINT
No great witticism here, but the point of this postscript is that the Internet is like the rest of the world. It's just rotating a little faster. It has dangers. It has information. It has opportunities, which you must investigate before you dive in. It is a place where pirates and thugs operate to the damage of society and personal freedom. It is a place where your point of view can reach millions in seconds, but don't be fooled into thinking that you are completely anonymous when you exercise this forum or try to misuse it to damage others.
Our system of laws is desperately trying to keep up but, frankly, seems to be losing ground to the explosion of new technology. The good news is perhaps that the Melissa situation indicates at least some of the time public and private experts are able to get together to help protect our cyber-frontier. Like the citizens' posse of our old Wild West days, this can be a good thing. On the other hand, such groups were sometimes willing to disregard the personal freedoms of individuals who got in their way, while they were chasing the "bad guy." Eventually, the laws and enforcers of those laws grew in strength and the anarchy of the frontier largely disappeared.
Now the intentional anarchy of the Internet poses questions for all of us who explore and exploit it. Do we leave it alone and hope for self-regulation? Do we draft laws and form Internet police squads to patrol it and enforce new legislation? How do we balance those personal freedoms we cherish, such as our supposed anonymity, against the dangers of those who would injure us by exploiting the lack of regulation and enforcement? How can countries around the world make uniform decisions, which impact all of us in our "global village," when we can't even keep the peace internationally or form an international economic organization which has worldwide authority? I'll be sure to write another article with the answer when I figure it out, but don't hold your breath.