by John Freeman
I didn’t have to dig to turn up this e-mail. It’s posted on the Internet, where you can find all sorts of supposedly private e-mails, such as the one New York Times op-ed editor David Shipley sent to the McCain campaign saying a piece McCain had written could not be accepted as currently submitted. For a time, all the deposed e-mails that had been sent at the Enron Corporation could be viewed on a Web site, where personal e-mails about affairs and events at home were mashed up with the e-mails that showed that employees knew what was going on at the energy giant. In 2004, Wall Street Journal Mideast reporter Farnaz Fassihi sent an e-mail to her friends about the deteriorating security situation in Iraq, which at the time was being played down by the Bush administration—how impossible it made her job as a reporter, let alone her existence as a human being. It quickly became a global chain e-mail. “I wrote it as a private e-mail to my friends as I often do about once a month,” she wrote in another e-mail to the journalism blogger Jim Romenesko, “writing them about my impressions of Iraq, my personal opinons [sic] and my life here. and then it got forwarded around as you can see in a very unexpected way.”
The gap between what one person and another considers private means that almost any message can be forwarded— which can lead to devastating personal experiences. In England in 2000, a woman sent an off-color joke about oral sex to some friends and received a reply from her boyfriend, which led to a humorous but intimate exchange about her performance in a sex act. The boyfriend then forwarded the compliment—and its queue—to six of his mates with a note: “Now THAT’s a nice compliment from a lass, isn’t it?” It was immediately forwarded to several other men, who looked up her picture on the Internet, started a campaign to find her and give her a medal, and on it went. Eventually, after the message had made its way around the world, it came back to the woman, who wrote all of the peepers— that’s how she viewed them—a stinging scold:
I Can’t believe this!!!
First of all, I don’t know any of you!! What do you care about my social life? Don’t you sad bastards have anything better to do with your time?
Shouldn’t you all be working. I’m going to make it a point to send this email to [email protected] just so that people can see what you do with your time!
To you Girls: You’ve all swallowed at one time or another, so don’t judge me!
To the Guys: All you’re going to get is a fantasy, so go do what you’re good at… tossers!
Yum!
—Claire
Speed—and the ease with which e-mail can be sent accidentally, thanks to the auto fill-in-address function, to a large group—is part of the problem. In 2006, Lycos reported that every second, forty-two e-mails were misdirected. Sixty percent of these blunders involved an e-mail being sent to the wrong address, and a third of them were “steamy.” Always it’s information considered private pulled out of context. One executive once sent details of his salary to the entire company by accident and pulled the fire alarm in panic. A schoolgirl in Devon once wound up getting top-secret e-mails on a Pentagon round-robin list when a navy commander accidentally added her address. A professional spammer—who used to put “Asshole” into the address function of a test message—coded a message incorrectly, so that a couple million e-mails went out addressed “Dear Asshole.”
It’s hard not to laugh about such gaffes. In some cases, e-mail seems to out bad behavior and bring it to justice—or at least give it a good smack. Neil Patterson, the CEO of Cerner Corporation, a Kansas City–based health care information technology firm, sent a blistering e-mail to his managers when he felt that their work ethic had slacked. “The parking lot is sparsely used at 8 A.M.; likewise at 5 P.M.,” he wrote. “As managers—you either do not know what your EMPLOYEES are doing; or YOU do not CARE…. In either case, you have a problem and you will fix it or I will replace you.” The message was quickly forwarded around and wound up on Yahoo!’s message board system. The news hit Wall Street, where people assumed the company was in trouble, and its stock price plummeted 29 percent.
Politicians have proven reliably good at making e-mail blunders. On September 11, 2001, as the World Trade Center towers were collapsing, British transport secretary Stephen Byers’s adviser Jo Moore e-mailed colleagues suggesting it would be a good time to bury bad news—everyone’s attention would understandably be elsewhere. When the e-mail was forwarded around, it came out that she had made a similar suggestion on the day of Princess Margaret’s funeral. After British prime minister Gordon Brown returned from a visit to China, a junior treasury clerical officer, Robbie Browse, sent an e-mail to friends that included racist comments about Chinese eyes. He accidentally also sent the message to eighty-six members of the press, one of whom replied, “Will we all be invited to your leaving party?”
Had such a blunder happened in a conversation, the story would be passed around, but chances are it would be changed and eventually lose momentum. In an e-mail environment, though, such a faux pas is just one click away, and an exact record of what was typed is created. The ease of duplicating it and sending it along means that an online humiliation can be experienced by vast numbers of people. The laugh track is just waiting for us. But that’s not the biggest danger created by e-mail. The biggest problem has been there from the very beginning.
Door’s Open, Key’s in the Car
As the number of Internet users slowly increased in the 1970s and ’80s, the new network became too good a target not to be toyed with by hackers—they were the twentieth-century version of the highway robbers who plagued the early mail. But there was a category difference: if mail was robbed in Philadelphia, it didn’t affect a pouch going to the Ohio Territory. With the Internet, however, the connectedness was both its strength and its weakness; plant a strong enough virus anywhere in the system, and it had the potential to take the whole network down.
The rise of the Internet saw the rise of a new kind of crime, the ramifications of which would only grow as more and more systems, such as telephone switchboards, were computerized and hooked into the Web. Between 1978 and 1983, there were at least thirty attacks on computer facilities in Europe, with some of them being literally blown up. Tampering with computers was a powerful avenue for revenge for disgruntled ex-employees, especially since so many companies were so vulnerable. Two former programmers for Collins Food International were caught planting a logic bomb—a piece of code secreted in software that sets off a malicious function when certain conditions are met— in the computers that controlled the payroll and inventories of four hundred Kentucky Fried Chicken and Sizzler Steak House franchises. If it hadn’t been found in time, the bomb would have erased all the records, as well as any traces of the bomb that was planted. By August 1983, $300 million a year was being lost in the United States due to the fraud and viruses perpetuated by computer criminals.
And it was easy. One description in a New York Times article from the period conveys the aura of mystery and criminal intrigue that surrounded the early Internet: “Penetration into the misty realm of computer networks can be easily and legally achieved by anyone with a home computer and the proper modem, a device selling for $100 or so that converts a computer’s digital pulses into electromagnetic waves that can be transmitted over a phone line. One simply dials the seven-digit local telephone number of a data network and starts roaming the electronic ether.” There were no firewalls, and in some places a hacker could try as many passwords as he liked. “It’s like leaving the keys in the ignition of an unlocked car,” said Martin Hellman, the Stanford professor credited with inventing public key cryptology.
Given that military installations and research universities were among the first institutions to become networked, there were serious security risks at the heart of the Internet from the beginning. In spite of $100 million spent to prevent it from happening, ARPANET was broken into numerous times, and in the early 1980s a motivated hacker broke through the security system of the Lawrence Livermore National Laboratory in Berkeley, California, w
here nuclear warheads and other weapons are designed, while another used Telenet to dip into the Los Alamos National Laboratory in New Mexico, where the hydrogen bomb and other nuclear variants were hatched. The fear of such events quickly entered the mainstream culture. In the 1983 film War Games, Matthew Broderick plays a young computer hacker who discovers a back door into systems just like this and winds up playing an escalating war simulation with a supercomputer at a top-secret air force installation. Due to these security breaches, ARPANET split into two networks—MILNET, for the U.S. military and Defense Department, and DARPAnet, which remained in public use for universities.
These breaches did more than just split up a few existing networks and motivate security concerns, however; they challenged the utopian dreams of the Internet. It’s important to remember that, however essential Baran’s apocalyptic fail-safe was, the basic thrust of the early network was an idea of sharing and collectivity. The Internet was a true tabula rasa, since, unlike the American territory, it hadn’t been stolen from anyone: it had been created out of thin air. And companies followed suit with the communal spirit. “At the beginning, companies make it easy to get on and assume people are going to be nice,” said the vice president for development and engineering of BBN Communications Corporation, a company that helped pioneer the development of data networks. “That lasts for a while and then you have to add access control. You can’t just leave all the doors open.”
No attack caused people to question this attitude more than the Morris worm of 1988, the first computer worm released onto the Internet. The architect of the worm was Robert Tappan Morris, a twenty-two-year-old graduate student at Cornell University. According to Morris, he created the program simply to gauge the size of the Internet. And he did so by exploiting a hole in the Unix operating system’s “sendmail” program. The worm disguised itself as a user and sent itself out over e-mail, where, upon receipt, it would be duplicated and sent out again to a whole new address book, and upon receipt there it would duplicate again, leapfrogging off yet more address books. It was ingenious and incredibly destructive: it clogged thousands of machines and nearly shut down the entire Internet. That Morris was the son of a National Security Agency computer security analyst added a special irony to the case.
The nation’s response was swift and alarmed. By the mid- to late 1980s, America’s data networks were accessible by almost 9 million desktop computers. How many more Robert Morris types were lurking out there? The New York Times ran eleven stories on the story in the three days after it broke, including an op-ed by a Cornell graduate student who announced that the Internet’s age of innocence had officially come to an end. “Many of us know how to abuse the system, read others’ files and steal secrets, but old-fashioned etiquette stops us,” argued Peter Wayner. “The rest of us are caught in a similar bind. Do we encourage trust and freedom in experimentation or do we install complex safeguards? At America’s universities, computer scientists surely must realize we can’t keep leading an Eden-like simple life in the heart of the computer age.”
As he himself suggested at the time, Morris did the developing Internet an expensive favor: he exposed its security weakness and planted a large reminder that what we send over the Internet is not private and that the very machine and interface through which we access information is vulnerable, too. Someone—or something—can reach down into our virtual desktop and rifle through our things, our thoughts, our financial data. We are connected, but the size of the connection is far too big to rely upon basic human trust and existing laws to protect us from malfeasance. Our new communication tool of e-mail was a boon—who could say no to receiving messages from friends and loved ones around the world?— but it was viral, and that was perfectly suited to another group who wanted something from us: advertisers.
Don’t Talk to a Stranger on the Internet
Spam is such a universal problem today that its dimensions are hard to properly comprehend. By some estimates, 85 to 95 percent of all e-mail sent is spam, and dealing with it cost $140 billion in 2008. It has been with us since the beginning of the Internet, too. Gary Thuerk sent the first piece of it in May 1978 over the ARPANET to 400 of the 2,600 people who had e-mail addresses at that time to invite them to an open house for new models of Digital Equipment Systems computers in Los Angeles. Like G. S. Smith’s band of circular mailers, Thuerk had to type every e-mail address in by hand. Many of the people who heard from him weren’t happy about being pitched. Someone from the RAND Corporation wrote to him to say he had broken an unwritten rule of the ARPANET that it wasn’t to be used for selling things. A major phoned Thuerk’s boss and asked that he never send such an e-mail again. Even so, it was a cost saver and a success. It also led to an estimated $12 million in sales.
The origin of the word “spam,” as identifying unwanted mass messaging, is in dispute. One of them links back to the Monty Python skit from the 1970s in which a man and a woman (played by Eric Idle and Terry Jones, in drag) are trying to order from a breakfast menu at a cafeteria in which every item has Spam in it. Spam—the canned pink pork product— was one of the only meats not subject to rationing in post–World War II Britain, so it was ubiquitous, some would say unfortunately so. Whenever the word “Spam” is uttered in the skit—and it is said 132 times in three minutes—a chorus of Vikings chimes in.
As in postwar Britain, people didn’t want any spam, but they would get it nonetheless. Aside from Gary Thuerk’s message, other examples of early mass messaging included one sent on an early time-sharing network mail program at MIT to the more than one thousand users linked to it protesting the Vietnam War. The message began: THERE IS NO WAY TO PEACE. PEACE IS THE WAY. In the early days of the Internet, “spamming” referred to the habit of flooding chat rooms and bulletin boards with unwanted text. Around this time the immigration lawyers Laurence A. Canter and Martha S. Siegel paid a Phoenix programmer to flood Usenet’s various message boards with an advertisement for their service of enrolling people in the green card lottery. As with Thuerk’s e-mail, the outcry was immediate. But it didn’t matter; the scheme worked. In just two months the ad brought the couple $100,000 of new business.
As more and more people began using e-mail, spammers gravitated to it as the best way to target potential customers. By 2005, there were 30 billion spam messages per day; in 2007 that number had jumped to 100 billion. The number of these e-mails that are trying to sell products has also led to spam being called junk mail, a phrase that refers to the load of “junk” advertising circulars marketed to people through the post. One of the most common ways of sending messages— and eluding authorities—is for spammers to take over a series of computers, which are turned into “zombies” that work together in networks known as “botnets,” and use them to send spam.
A botnet turns a series of hijacked computers, most of which are in homes, into a spam factory. Most computers become part of a botnet because they have inadequate firewall protection. A Trojan horse, or piece of malicious code, can be sent down an open line and activated later, causing the botnet to transmit messages either to a single site, shutting it down as a form of attack, or to many addresses, in the form of spam. Eighty percent of the spam sent in 2006 was sent from zombie PCs. In 2008, there were more than 10 million zombie PCs in use at any one time. In many cases, the owners of the PC never know that they have been taken over. It happens in seconds. In 2005, as a test, the BBC set up an unprotected PC, and within eight seconds it was infected by a spammer’s worm.
Staying ahead of these armies requires a lot of work and money. In November 2008, a San Jose, California, Web-hosting company called McColo was pulled offline when security experts approached the companies that managed McColo’s connection to the larger Internet, showing that McColo’s Web sites were being used for spamming and other online schemes. Indeed, it was estimated that 75 percent of spam shot out into the world had come from machines hosted by McColo. But the fix was short-lived. The machines, which had been infected by a Trojan
horse virus called Srizbi, formed what may have been the largest botnet in the world. At some 450,000 machines, it was capable of sending 60 billion e-mails a day hawking everything from watches to penile enhancement pills. Deprived of the McColo-hosted Web sites, however, these machines lacked a connection to centralized instructions. Once the sites went down, they simply started looking for new domain names where they could find new instructions.
One security firm, FireEye, found that if it registered domain names that the Srizbi-infected computers would look for, it could actually stay ahead of the spam problem. Each week, it registered 450 new domain names at a total cost of $4,000, the idea being that it could possibly send instructions so complicated that they would halt the compromised computers in their tracks as they tried to work them out or actually send instructions to the computer to uninstall the virus program. The latter idea, however, could have been illegal or actually harmful to the infected computers. So eventually, after unsuccessful attempts to enlist other corporations, such as Microsoft, or the U.S. government to enlist the remaining domain names sought by the Srizbi-infected computers, FireEye stopped the practice. A few days later the massive botnet was resurrected and the spam volume shot up again.