A plague on all your mouses
A year ago today David Smith,a"a geek with a
grudge",released a computer virus on to an internet porn site. Within
24 hours American business had lost millions of dollars and the Pentagon
was on security alert.Now, Smith faces a 45 -year jail sentence and a
$900-million fine.
William Langley
On 26 March last year as a few half-hearted flurries of snow
danced across the unlovely suburban landscape of northern New Jersey, David
Smith drew the curtains of the small garden apartment he shared with two
cats called Rockabilly and Eggnog. It was late on a Friday afternoon. Soon
the nation's offices and factories, its government departments and much of
its civil infrastructure would be closing for the weekend. The timing was
critical for Smith's purposes.
At 30, single and employed on an irregular basis as a computer
programmer, Smith met most definitions of a nobody. Admittedly, he dressed
smartly and kept in shape, but his outward personability was more than negated
by what one of his friends called 'the personality of bread mould'. His love
life, as far as anyone knew had been fairly unremarkable. There was only
one girl, somewhere in the past - a willowy blonde whom he seemed to have
genuinely fallen for. Her name was Melissa.
Smith settled down in front of a personal computer. It was
one of several that he owned. Later, when things became hot, he would have
to smash it up with a garden spade, and throw the pieces into a rubbish skip.
But this afternoon, as the big East Coast cities of New York, Boston and
Washington began to empty, his fingers moved smoothly over the keyboard.
He entered cyber-space using a stolen access authorisation
that had been issued by America Online, the giant internet provider, to a
customer in Florida called Scott Steinmetz. This allowed Smith to use Steinmetz's
e-mail address, slrvrocket@aol.com, which he proceeded to do, to devastating
effect.
A few clicks of the mouse took Smith to an internet chatroom
- an electronic forum where subscribers can exchange messages on a topic
of mutual interest. The chat-room he chose was called alt.sex, one of many
sites devoted to the appreciation of pornography. There, Smith posted the
deadliest computer virus the world has ever
known.
It couldn't have been more than a few minutes before someone,
somewhere out in the vastness of the internet, visited alt.sex, saw Smith's
message - which purported to contain free access codes to other internet
porn sites and opened it. And with that single click, the virus was free
to fulfil its purpose - to spread, multiply and contaminate.
Later, investigators would decipher its name from the computer
code that Smith had written. He had called the virus Melissa.
Except that the chaos that followed would far exceed Smith's
wildest imaginings. Within 24 hours, the computer systems of some of the
biggest corporations on earth would be paralysed; Nato and the Pentagon would
move on to a heightened security alert in the belief that cyber-terrorists
were launching a global attack; and millions of computer users around the
world would wake up to find their machines had been 'Melissa'd'. And in the
days that followed, the biggest, most desperate manhunt in the history of
computer crime would lead investigators, step by step, through a strange,
barely charted electronic universe to the faded grey front door of David
Smith's home in New Jersey.
Early next month Smith, who admits planting the virus, will
be sentenced at the New Jersey Superior Court on charges of interfering with
public communications. He faces up to 45 years in jail, and could, in theory,
be fined $900 million - a sum approximately twice the value of the damage
he is estimated to have caused. His case has been followed obsessively by
internet aficionados, and studied by almost everyone with an interest in
the security of computer systems. Yet a year after Smith's assault, the big
questions remain unanswered: who is he? Why did he do it? And where is Melissa?
The police mug shot of Smith, taken shortly after his arrest,
shows a smiling young man with a handsome, wholesome face and a shock of
dark hair. The loose-fitting jacket he is wearing looks to be hanging on
a strong, well-muscled body. The gleam in his eyes suggests exhilaration
rather than fear. And no wonder. For in the terms of the world Smith inhabited,
he had just won the lottery. 'The scary thing about him,' John Farmer, the
New Jersey Attorney General, tells me at his office in the state capital
of Trenton, 'is that we are not - unless I am massively underestimating him
- dealing with some kind of evil genius here. We are talking, basically about
a geek with a grudge. A little guy, with not a lot going for him, who lived
alone with his cats. And he set out totally to wreck the world's communications
systems, and he nearly succeeded. He scared the living daylights out of the
US government. He caused hundreds of millions of dollars of damage. And if
we don't learn something from this case, then we probably deserve to get
whacked by the next person who tries it.'
In this sense, the Smith case can be seen as the sobering moment
when a world intoxicated by the cleverness of its new technology had to
acknowledge the extent of its vulnerability. 'In just the first few years
of the computer age the world has gone from wide-eyed wonder to utter
complacency,' says Mark Rasch, a consultant with Global Integrity Inc, one
of America's leading computer security firms. 'This case was the wake-up
call. Now people have to accept what they didn't want to believe before -
that one ordinary kid with a home PC could bring half the nation to its knees.'
Nothing in Smith's background suggests a capacity or inclination
to wreak such havoc. He was born in the nondescript commuter town of Aberdeen,
New Jersey, where his father, Michael, a small businessman and local worthy
served on the Board of Education. David attended the Aberdeen-Matawan High
School, where he is remembered - but not very well - as a bright boy who
made virtually no impression on his contemporaries. 'I'd have to say that
most of the time, you weren't really that aware that David was even around,'
says Lisa Dorfman, who went through the school with him before they both
left in 1987. 'He was pleasant enough, but he wasn't part of the crowd. Socially,
he was kind of in the middle - not unpopular, but not someone you'd spend
a lot of time getting close to. I don't ever remember him having a girlfriend.
Which I suppose strikes me as really strange now, because when I saw the
pictures of him in the paper I thought, "Wow!"
On leaving school, Smith drifted between occasional jobs and
spells of further education, before moving in early 1990 to Miami, Florida,
where he first began working seriously in computer programming. Such traces
as can be found of his movements show that he changed jobs and addresses
with puzzling frequency. The beginning of 1995 found him living in Deerfield
Beach, an antiquated seaside town on the Atlantic coast 15 miles north of
Fort Lauderdale. It was here that he appears to have met Melissa.
Smith was now 26, and although he had developed into a passable
hunk - squarely built, glossy haired and bronzed by the Florida sun - he
had conspicuously failed to find romance. He wrote, on one occasion, to his
brother Brian complaining that 'there's nothing doing here with the chicks'.
It is not unreasonable to assume that he was lonely and probably frustrated.
Certainly he was a regular at several of the topless bars that dotted the
seedier extremities of Deerfield Beach and its neighbouring resorts. Melissa,
it would later emerge, was a dancer in one of them, although strenuous efforts
to find her have failed. Even under prolonged interrogation by the FBI, Smith
has given few details about her, other than to say that she was a 'tall slender
blonde' and 'my favourite woman.
A former programming colleague of Smith's who worked with
him in Florida but who wishes to remain anonymous, says: 'I definitely remember
him mentioning Melissa, although he never said what she did for a living.
Look, she might have been as respectable as you or me. A lot of girls dance
in these joints to put themselves through college or raise a house deposit.'
They do indeed, and a lot of men go to watch them. But was Melissa ever more
than a fantasy that Smith ogled over beers in a darkened room? 'I'm certain
she was,' says the ex-colleague, 'but, you know, you couldn't be sure with
David. He was hard to reach.'
For a while Smith seemed happier He wrote to Brian, 'Everything
is so f-ing cool here.Why not get your fat ass down here? I don't think I
ever want to leave: But he would soon have to think again. For in the summer
of 1996, disaster struck. Smith was forced to file for bankruptcy listing
debts of $23,860 and assets of $515. His financial difficulties had begun
the previous year when he failed, on more than one occasion, to pay the rent
on his $800-a-month seafront apartment. Although he twice moved - each time
to humbler quarters - he was apparently unable to pay off the arrears and
rapidly accumulated penalty charges. Stuart Lipson, the Miami bankruptcy
lawyer who handled his case, will say only that Smith, 'was not a bad guy.
He did his best and he took the sensible course of action.' Smith's creditors
began making life uncomfortable for him and, on legal advice, he reluctantly
packed up and returned to Aberdeen.
Where this left Melissa remains unclear, for at this point
the lady vanishes. Back in the dreary hometown he had left six years before
- jobless, broke and without a girlfriend - Smith rented a cramped one-bedroom
apartment in a residential complex on Matawan Avenue. His new neighbours
noticed that he rarely seemed to go out. When he did, he usually wore headphones
over his ears and, at best, only nodded to them. Kim Holler, a legal secretary
who lives opposite, says, 'His place looked kind of deserted, with the curtains
often drawn. I'd go so long without seeing him I'd think that he must have
moved out. No one ever seemed to come to the door. And then I'd see him again.
I felt sorry for him. He looked like a nice guy but he didn't seem to have
a life.'
At the start of last year, Smith was working part-time as
a freelance programmer with CSG Corporation, a New Jersey software company
which operated as a sub-contractor for the giant AT&T telecommunications
group. He functioned quietly without drawing attention to himself. But each
evening, back in his apartment, he roamed the wilder fringes of the internet,
testing the weaknesses of its systems, and slowly stitching together the
code that would become Melissa. From his computer, he communicated regularly
with the outlaw community of hackers and virus writers who see themselves
as the free spirits of the internet. By the middle of March last year he
was ready to launch his assault.
A computer virus is a rogue file, usually written by skilled
pranksters and transmitted via the telephone lines that connect millions
of terminals around the world. Once a machine has been infected, the virus
begins issuing instructions that may make the computer destroy stored information
or cause its installed programmes to malfunction in a variety of - usually
chaotic - ways. For most domestic PC-users this is a serious annoyance, but
if the virus gets into the giant computer networks of a large company or
government agency the results can be catastrophic. Most commercial computers
are equipped with anti-virus software, designed to stop any unauthorised
files from entering the system. For the cyber-saboteurs who get their kicks
from writing and spreading viruses, the challenge is to beat these defences.
Within minutes of Smith posting his fateful message at alt.sex,
strange things began to happen in cyberspace. The plague began - like any
other - with a single case that spread, slowly at first, and then with incredible
speed, until large numbers of people around the world were receiving an
unexpected e-mail headed 'Important Message From' followed by the name of
somebody they knew.
Anyone who clicked on the e-mail saw a list of pornographic
sites that Smith had compiled, along with the codes to access them. But by
the simple act of opening the message, Melissa was released. The virus then
went to work, automatically forwarding the same message to the first 50 addresses
in the victim's e-mail address book. If any one of these 50 recipients opened
their e-mails, another 50 people would receive it.
In this way, Melissa operated as a gigantic, virtually unstoppable
electronic chain letter. Soon it was generating hundreds of millions of e-
mails a day clogging systems worldwide and causing whole networks of computers
to seize up. It was later estimated that 70 per cent of America's top 500
companies were hit. The US Marine Corps was forced to shut down its entire
interbase e-mail system. Nato headquarters in Brussels had to cancel its
systems experts' weekend leave, believing at first that something so devastating
could only have been launched by state-backed terrorists.
The unfortunate Scott Steinmetz, rightful owner of the stolen
AOL account, watched in disbelief as his
own e-mail traffic rose from about two messages a week to 600 an hour. Many
of these were abusive and contained threats to either sue him or 'do him
in'.
The damage caused by Melissa was later estimated to have cost
more than $400 million to America's corporate sector alone. Thousands of
companies were forced to install new programmes to counter it. Although the
worst effects were over within a week, the virus has never been fully eradicated
and remains active.
Meanwhile, David Smith was lying low. Virus spreaders are
notoriously difficult to catch. So much so that, although hundreds of viruses
are released every year, only a handful of culprits have ever been prosecuted.
And Smith had gone to great lengths to cover his tracks. That weekend he
stayed indoors, following Melissa's progress on internet news sites with
a mixture of pride and astonishment. He knew it was a clever bug but he had
never expected to unleash a maelstrom like this. Still, he wasn't particularly
worried. It was only as a precaution that he destroyed his computer. It was
an old one. He could do without it.
The first break in the hunt came when AOL's computer tracking
system, sifting at phenomenal speed through the millions of internet connections
made via the company every day determined, early on the morning of Tuesday
30 March, that the call to alt.sex was made not from Florida where Steinmetz's
account was listed, but in New Jersey. At this point the company contacted
Christopher Bubb, head of the Computer Analysis and Technology Unit at New
Jersey's Division of Criminal Justice.
Working with the FBI and a huge team of computer experts, Bubb
- effectively the state's chief cyber-cop - was able to use tracing equipment
to pinpoint the telephone number from which the AOL call had originated.
Even as the police prepared to swoop, other evidence was piling up. A leading
internet security company ICSA, found striking similarities between the code
used in Melissa and other rogue files put on the internet by a young man
from New Jersey identified as David Smith.
The next day, 31 March, Smith was arrested at his brother Brian's
home. He went quietly. The media frenzy that accompanied his capture quickly
dissolved over the following days as newspapers and TV networks were obliged
to report - in tones of disbelief and mild affront - that the accused man
was no super-villain from a Bond movie, no techno-terrorist in the pay of
the nation's enemies, but a lonely nerd from the
suburbs with a life as dull as his surroundings. After initially pleading
'not guilty' Smith was released on $100,000 bail. 'This thing that he created',
the New Jersey prosecutor Robert Cleary said later, 'showed no mercy and
knew no boundaries. It was the fastest spreading, most destructive virus
ever released.' On 10 December last year Smith changed his plea to
'guilty'.
Has anything been learned? Last month computer hackers disabled
the websites of several of America's biggest high-tech companies, including
Amazon.com, the huge online bookseller,
the global TV news network CNN, and the internet portal
Yahoo!. The attacks were skilfully
co-ordinated and lethally effective. The cost to the companies that were
hit was at least $100 million. No one has been caught.
The US now has a dedicated agency - the National Infrastructure
Protection Center (NIPC) - to fight cyber-crime. Launched with the usual
political flourishes, its budget this year is $18.5 million - less than the
cost of a single fighter jet. The government, the FBI and the computer industry
are in outright disagreement as to what they should be doing. The FBI wants
high-profile prosecutions; the industry wants a co-ordinated drive for higher
standards of security; Washington just wants the problem off its hands. Meanwhile
the hackers and virus-spreaders are running rings around it. The NIPC's staff
are lowly paid and usually a level removed from the cutting edge of the
technology. 'It's just a mess,' says Jim Settle, former head of the FBI's
in-house computer crime unit. 'To the goons out there who are causing this
chaos it is virtually saying, "Go ahead".'
While awaiting sentencing, Smith has remained in seclusion.
His family declines to talk about the case. Ed Borden, Smith's affable Princeton
lawyer, tells me, 'He's very sorry. He genuinely didn't intend to cause the
kind of trouble he did.' And where is Melissa? 'She's out there somewhere.'
The girl or the virus? 'Both.' My comment : Whilst everyone would not like to have viruses infest their computers,I think it's unfair to treat David Smith as some kind of cyber-vandal.The internet inherently has the capacity to create forwarded letters,and robotocise this process. The fact that a stolen account was used questions AOL's role and their culpability. If Scott Steinmetz's account details not been stolen would Melissa have been released?
Also would anything have been done to upgrade security
had not anyone tested the capacity of the system to be secure against this
kind of an assault? I also find it grossly offensive that big business and
government bodies characterise highly creative people as
nerds,goons,and geeks.They are only jealous that
they are unable to exert such influences themselves,and have an underdeveloped
ability to defeat
hackers.It is sour grapes that they cannot attain such notoriety.
Moreover there is an idea that established corporate
mentality and materialism should hold sway over everything and that those
who hold the chains of power should continue to do so.Whenever a small guy
exerts such great influences they drop on him like a ton of bricks.The
fiasco
over Napster and MP3 and Amazon's
attempts to patent a
form of internet use,are areas where the freedom of the individual is
being maligned by corporations. Napster is doing nothing wrong.
Amazon is
doing a similar thing to those trying to patent DNA strands.If someone strikes
a blow for freedom and liberty of the individual against corporate big wigs
then so be it - it shouldn't be called "cyber terrorism" just because big
business gets hit.Middle men are taking money off everyone for doing next
to nothing.Frontier artists like David Bowie and Peter Gabriel are seeing
the way forward not digging their stupid heels in like Madonna and
Metallica.
There is a paradigm change happening as far as
artistic ownership is concerned.Home taping hasn't killed music, and people
will always make copies,especially in this day and age,and trying to stop
that with legislation is absurd.The original artist has already run into
problems via sampling technology,and yet sampling has taken off in a big
way.No one really owns material,anymore than they can own land.But
musical artists have to make a living,and the best way forward is to cut
out those who make us pay through the nose for CD's that are cheap to produce,and
give the whole 100% revenue to the original artist.
The music and film industry will have to get used
to the idea that copying is here to stay and that the whole idea that someone
owns copyright is under attack. People like myself don't care if their original
work is copied,as long as the original author is noted and the work is not
passed off as someone else's work and plagiarised.In this,owning copyright
should stay.But to try and stop copies being made is like Canute trying to
stem the incoming tide.There isn't a hope.
Court battles over use of samples are absurd because
fundamentally one must ask who owns a note of music or a set of digital
samples,and no-one does. For getting artistic material into the public domain,the
internet is a boon,it should not be curtailed by legislation because a few
fuddy-duddy luddites can't see a progressive way to make their living from
the way that the system has changed.
I wonder how many samples of other people's work
are used in Metallica or Madonna's music without crediting the original artist?
What kind of hypocrites are they? Samples are so quickly transmitted and
readily recorded that no policing system could hope to keep up with it.Artists
should accept that their output will be used in this way,and exploit
it and feed off it,not plant their ostrich heads in the sand.
[It's ironic that
Steve Hackett's
"Defector" -"The Show" carries the lyric "Rock Music should be free,money's
worth less and less" whilst the record company's sleeves carried "Home taping
is killing music" which might be described as a "Slogan" in Steve's case.
Presumably real artists would like to play for free.The ENID for instance
survive on the voluntary contributions of their fans because the fans VALUE
the survival of the band.It is NOT essential to buy into corporate greed
mentality and a Gordon Gecko aspiration that ultimately kills creativity.]
I'm not pro-hacking, where it is malicious and
destructive, no one gains,everyone loses,but if systems are not secure and
a hacker breaches the system then that only shows that someone with malicious
intent could get in just as easily.People like David Smith should
be given a job with the NIPC as "punishment" for their action,as they are
obviously more talented than those who create security on the internet.
In David's case all he did was clog the
system,something that anyone theoretically could do.If loads of people lost
money,then that's only a problem if you worship money and material things.Power
is in the hands of con men and self serving self righteous hypocrites anyway.So
what if they get hurt? I fail to see what law has been broken by the Melissa
virus.If I released robot cars onto a highway that self-propagated and brought
motorways to a standstill,and no one got injured what's the law that's been
broken? There would be mass inconvenience and a lot of irate people and "normal life" would be altered,and someone would be forced to look at how the motorway system came to a halt.But so what? There is a curious "taking for granted" within politics and business that the values held by big business and government are the values of everyone. What if that's not true? What is meant when they say "He didn't have a life" is "He didn't have a life like mine".So what? Who wants a life like an establishment prole?
When the government or corporations attack the
individual or groups of people by forcing a bypass where residents don't
want one,that's okay is it?
If this is the methodology,then it is no wonder
that individuals get miffed and start making viruses.If the establishment
was actually composed of smart people instead of creeps,boot-lickers and
toadies and ladder - climbers then perhaps we'd have secure systems with
the people in charge of those systems being the one's that are currently
breaching them!
The idea that hackers are "goons out to do damage"
is overly simplistic.No doubt some are like this,but others may be like myself
who have legitimate concerns over the way the establishment rides rough-shod
over individual liberties.I lack the capability to create viruses,but I am
not unsympathetic to those that create them. But like every other legitimate
user I wouldn't wish to be a victim of a prank,it's bad enough receiving
porn SPAM all the time from imbeciles with too much time on their hands.
To categorise hackers as sheer vandals,misses the
point of some of the reasons why viruses are released.There may be a sense
in which a virus is like creating a living thing,or as leaving a semi-permanent
mark on the wall of history,but some of the reason must be to be latter-day
Robin Hoods, and the establishment fulfills its role of the Sherrif of Nottingham
very accurately.David Smith is just a scapegoat for the ISP and establishment's
inability to deal with the fast paced change of technology.
The law lags technology,philosophy lags it,people's
ideas and morality lag it (ie Metallica/Napster).
All these luddite clock turners should get real.The world is changing and
hanging out one guy to dry because you didn't have the right laws or security
in place will do nothing to halt the pace of change.The Berlin Wall came
down,and we see it as it happens.We see injustices as they happen,and the
whole world is motivated against them.David Smith held up the electronic
highway for a few days.So what?
Who will be prosecuted if Concorde drops out of
the air, and someone is to blame,or if there's a rail disaster,and people
die through bad servicing? No,you can bet that it will be an uphill struggle
for families seeking to sue Railtrack or BA, because the big corporate big-wigs
have the best lawyers. Who helps the little guy? |
Chaos | Quantum | Logic | Cosmos | Conscious | Belief | Elect. | Art | Chem. | Maths |