A plague on all your mouses

A year ago today David Smith,a"a geek with a grudge",released a computer virus on to an internet porn site. Within 24 hours American business had lost millions of dollars and the Pentagon was on security alert.Now, Smith faces a 45 -year jail sentence and a $900-million fine.

William Langley

On 26 March last year as a few half-hearted flurries of snow danced across the unlovely suburban landscape of northern New Jersey, David Smith drew the curtains of the small garden apartment he shared with two cats called Rockabilly and Eggnog. It was late on a Friday afternoon. Soon the nation's offices and factories, its government departments and much of its civil infrastructure would be closing for the weekend. The timing was critical for Smith's purposes.

At 30, single and employed on an irregular basis as a computer programmer, Smith met most definitions of a nobody. Admittedly, he dressed smartly and kept in shape, but his outward personability was more than negated by what one of his friends called 'the personality of bread mould'. His love life, as far as anyone knew had been fairly unremarkable. There was only one girl, somewhere in the past - a willowy blonde whom he seemed to have genuinely fallen for. Her name was Melissa.

Smith settled down in front of a personal computer. It was one of several that he owned. Later, when things became hot, he would have to smash it up with a garden spade, and throw the pieces into a rubbish skip. But this afternoon, as the big East Coast cities of New York, Boston and Washington began to empty, his fingers moved smoothly over the keyboard.

He entered cyber-space using a stolen access authorisation that had been issued by America Online, the giant internet provider, to a customer in Florida called Scott Steinmetz. This allowed Smith to use Steinmetz's e-mail address, slrvrocket@aol.com, which he proceeded to do, to devastating effect.

A few clicks of the mouse took Smith to an internet chatroom - an electronic forum where subscribers can exchange messages on a topic of mutual interest. The chat-room he chose was called alt.sex, one of many sites devoted to the appreciation of pornography. There, Smith posted the deadliest computer virus the world has ever known.

It couldn't have been more than a few minutes before someone, somewhere out in the vastness of the internet, visited alt.sex, saw Smith's message - which purported to contain free access codes to other internet porn sites and opened it. And with that single click, the virus was free to fulfil its purpose - to spread, multiply and contaminate.

Later, investigators would decipher its name from the computer code that Smith had written. He had called the virus Melissa.
Now Smith sat back in his gloomy, softly humming sitting-room and waited to see what would happen. He had chosen his moment carefully. The traffic on the big corporate and government computer networks that he had targeted would soon be slowing down for the weekend. The level of supervision would be lower, too, allowing greater opportunity for the virus to spread through the works. Everything was just as he had planned.

Except that the chaos that followed would far exceed Smith's wildest imaginings. Within 24 hours, the computer systems of some of the biggest corporations on earth would be paralysed; Nato and the Pentagon would move on to a heightened security alert in the belief that cyber-terrorists were launching a global attack; and millions of computer users around the world would wake up to find their machines had been 'Melissa'd'. And in the days that followed, the biggest, most desperate manhunt in the history of computer crime would lead investigators, step by step, through a strange, barely charted electronic universe to the faded grey front door of David Smith's home in New Jersey.

Early next month Smith, who admits planting the virus, will be sentenced at the New Jersey Superior Court on charges of interfering with public communications. He faces up to 45 years in jail, and could, in theory, be fined $900 million - a sum approximately twice the value of the damage he is estimated to have caused. His case has been followed obsessively by internet aficionados, and studied by almost everyone with an interest in the security of computer systems. Yet a year after Smith's assault, the big questions remain unanswered: who is he? Why did he do it? And where is Melissa?

'Smith caused hundreds of millions of dollars of damage. And if we don't learn something from this case, then we probably deserve to get whacked by the next person who tries it.'

The police mug shot of Smith, taken shortly after his arrest, shows a smiling young man with a handsome, wholesome face and a shock of dark hair. The loose-fitting jacket he is wearing looks to be hanging on a strong, well-muscled body. The gleam in his eyes suggests exhilaration rather than fear. And no wonder. For in the terms of the world Smith inhabited, he had just won the lottery. 'The scary thing about him,' John Farmer, the New Jersey Attorney General, tells me at his office in the state capital of Trenton, 'is that we are not - unless I am massively underestimating him - dealing with some kind of evil genius here. We are talking, basically about a geek with a grudge. A little guy, with not a lot going for him, who lived alone with his cats. And he set out totally to wreck the world's communications systems, and he nearly succeeded. He scared the living daylights out of the US government. He caused hundreds of millions of dollars of damage. And if we don't learn something from this case, then we probably deserve to get whacked by the next person who tries it.'

In this sense, the Smith case can be seen as the sobering moment when a world intoxicated by the cleverness of its new technology had to acknowledge the extent of its vulnerability. 'In just the first few years of the computer age the world has gone from wide-eyed wonder to utter complacency,' says Mark Rasch, a consultant with Global Integrity Inc, one of America's leading computer security firms. 'This case was the wake-up call. Now people have to accept what they didn't want to believe before - that one ordinary kid with a home PC could bring half the nation to its knees.'

Nothing in Smith's background suggests a capacity or inclination to wreak such havoc. He was born in the nondescript commuter town of Aberdeen, New Jersey, where his father, Michael, a small businessman and local worthy served on the Board of Education. David attended the Aberdeen-Matawan High School, where he is remembered - but not very well - as a bright boy who made virtually no impression on his contemporaries. 'I'd have to say that most of the time, you weren't really that aware that David was even around,' says Lisa Dorfman, who went through the school with him before they both left in 1987. 'He was pleasant enough, but he wasn't part of the crowd. Socially, he was kind of in the middle - not unpopular, but not someone you'd spend a lot of time getting close to. I don't ever remember him having a girlfriend. Which I suppose strikes me as really strange now, because when I saw the pictures of him in the paper I thought, "Wow!"

On leaving school, Smith drifted between occasional jobs and spells of further education, before moving in early 1990 to Miami, Florida, where he first began working seriously in computer programming. Such traces as can be found of his movements show that he changed jobs and addresses with puzzling frequency. The beginning of 1995 found him living in Deerfield Beach, an antiquated seaside town on the Atlantic coast 15 miles north of Fort Lauderdale. It was here that he appears to have met Melissa.

Smith was now 26, and although he had developed into a passable hunk - squarely built, glossy haired and bronzed by the Florida sun - he had conspicuously failed to find romance. He wrote, on one occasion, to his brother Brian complaining that 'there's nothing doing here with the chicks'. It is not unreasonable to assume that he was lonely and probably frustrated. Certainly he was a regular at several of the topless bars that dotted the seedier extremities of Deerfield Beach and its neighbouring resorts. Melissa, it would later emerge, was a dancer in one of them, although strenuous efforts to find her have failed. Even under prolonged interrogation by the FBI, Smith has given few details about her, other than to say that she was a 'tall slender blonde' and 'my favourite woman.

A former programming colleague of Smith's who worked with him in Florida but who wishes to remain anonymous, says: 'I definitely remember him mentioning Melissa, although he never said what she did for a living. Look, she might have been as respectable as you or me. A lot of girls dance in these joints to put themselves through college or raise a house deposit.' They do indeed, and a lot of men go to watch them. But was Melissa ever more than a fantasy that Smith ogled over beers in a darkened room? 'I'm certain she was,' says the ex-colleague, 'but, you know, you couldn't be sure with David. He was hard to reach.'

For a while Smith seemed happier He wrote to Brian, 'Everything is so f-ing cool here.Why not get your fat ass down here? I don't think I ever want to leave: But he would soon have to think again. For in the summer of 1996, disaster struck. Smith was forced to file for bankruptcy listing debts of $23,860 and assets of $515. His financial difficulties had begun the previous year when he failed, on more than one occasion, to pay the rent on his $800-a-month seafront apartment. Although he twice moved - each time to humbler quarters - he was apparently unable to pay off the arrears and rapidly accumulated penalty charges. Stuart Lipson, the Miami bankruptcy lawyer who handled his case, will say only that Smith, 'was not a bad guy. He did his best and he took the sensible course of action.' Smith's creditors began making life uncomfortable for him and, on legal advice, he reluctantly packed up and returned to Aberdeen.

Where this left Melissa remains unclear, for at this point the lady vanishes. Back in the dreary hometown he had left six years before - jobless, broke and without a girlfriend - Smith rented a cramped one-bedroom apartment in a residential complex on Matawan Avenue. His new neighbours noticed that he rarely seemed to go out. When he did, he usually wore headphones over his ears and, at best, only nodded to them. Kim Holler, a legal secretary who lives opposite, says, 'His place looked kind of deserted, with the curtains often drawn. I'd go so long without seeing him I'd think that he must have moved out. No one ever seemed to come to the door. And then I'd see him again. I felt sorry for him. He looked like a nice guy but he didn't seem to have a life.'

At the start of last year, Smith was working part-time as a freelance programmer with CSG Corporation, a New Jersey software company which operated as a sub-contractor for the giant AT&T telecommunications group. He functioned quietly without drawing attention to himself. But each evening, back in his apartment, he roamed the wilder fringes of the internet, testing the weaknesses of its systems, and slowly stitching together the code that would become Melissa. From his computer, he communicated regularly with the outlaw community of hackers and virus writers who see themselves as the free spirits of the internet. By the middle of March last year he was ready to launch his assault.

A computer virus is a rogue file, usually written by skilled pranksters and transmitted via the telephone lines that connect millions of terminals around the world. Once a machine has been infected, the virus begins issuing instructions that may make the computer destroy stored information or cause its installed programmes to malfunction in a variety of - usually chaotic - ways. For most domestic PC-users this is a serious annoyance, but if the virus gets into the giant computer networks of a large company or government agency the results can be catastrophic. Most commercial computers are equipped with anti-virus software, designed to stop any unauthorised files from entering the system. For the cyber-saboteurs who get their kicks from writing and spreading viruses, the challenge is to beat these defences.

Within minutes of Smith posting his fateful message at alt.sex, strange things began to happen in cyberspace. The plague began - like any other - with a single case that spread, slowly at first, and then with incredible speed, until large numbers of people around the world were receiving an unexpected e-mail headed 'Important Message From' followed by the name of somebody they knew.

Anyone who clicked on the e-mail saw a list of pornographic sites that Smith had compiled, along with the codes to access them. But by the simple act of opening the message, Melissa was released. The virus then went to work, automatically forwarding the same message to the first 50 addresses in the victim's e-mail address book. If any one of these 50 recipients opened their e-mails, another 50 people would receive it.

In this way, Melissa operated as a gigantic, virtually unstoppable electronic chain letter. Soon it was generating hundreds of millions of e- mails a day clogging systems worldwide and causing whole networks of computers to seize up. It was later estimated that 70 per cent of America's top 500 companies were hit. The US Marine Corps was forced to shut down its entire interbase e-mail system. Nato headquarters in Brussels had to cancel its systems experts' weekend leave, believing at first that something so devastating could only have been launched by state-backed terrorists.

Scott Steinmetz,unlucky owner of the stolen AOL account that launched the Melissa virus into cyber-space. In the days following the release of the virus he received up to 600 abusive messages an hour.

The unfortunate Scott Steinmetz, rightful owner of the stolen AOL account, watched in disbelief as his own e-mail traffic rose from about two messages a week to 600 an hour. Many of these were abusive and contained threats to either sue him or 'do him in'.

The damage caused by Melissa was later estimated to have cost more than $400 million to America's corporate sector alone. Thousands of companies were forced to install new programmes to counter it. Although the worst effects were over within a week, the virus has never been fully eradicated and remains active.

Meanwhile, David Smith was lying low. Virus spreaders are notoriously difficult to catch. So much so that, although hundreds of viruses are released every year, only a handful of culprits have ever been prosecuted. And Smith had gone to great lengths to cover his tracks. That weekend he stayed indoors, following Melissa's progress on internet news sites with a mixture of pride and astonishment. He knew it was a clever bug but he had never expected to unleash a maelstrom like this. Still, he wasn't particularly worried. It was only as a precaution that he destroyed his computer. It was an old one. He could do without it.

The first break in the hunt came when AOL's computer tracking system, sifting at phenomenal speed through the millions of internet connections made via the company every day determined, early on the morning of Tuesday 30 March, that the call to alt.sex was made not from Florida where Steinmetz's account was listed, but in New Jersey. At this point the company contacted Christopher Bubb, head of the Computer Analysis and Technology Unit at New Jersey's Division of Criminal Justice.

Working with the FBI and a huge team of computer experts, Bubb - effectively the state's chief cyber-cop - was able to use tracing equipment to pinpoint the telephone number from which the AOL call had originated. Even as the police prepared to swoop, other evidence was piling up. A leading internet security company ICSA, found striking similarities between the code used in Melissa and other rogue files put on the internet by a young man from New Jersey identified as David Smith.

The next day, 31 March, Smith was arrested at his brother Brian's home. He went quietly. The media frenzy that accompanied his capture quickly dissolved over the following days as newspapers and TV networks were obliged to report - in tones of disbelief and mild affront - that the accused man was no super-villain from a Bond movie, no techno-terrorist in the pay of the nation's enemies, but a lonely nerd from the suburbs with a life as dull as his surroundings. After initially pleading 'not guilty' Smith was released on $100,000 bail. 'This thing that he created', the New Jersey prosecutor Robert Cleary said later, 'showed no mercy and knew no boundaries. It was the fastest spreading, most destructive virus ever released.' On 10 December last year Smith changed his plea to 'guilty'.

Has anything been learned? Last month computer hackers disabled the websites of several of America's biggest high-tech companies, including Amazon.com, the huge online bookseller, the global TV news network CNN, and the internet portal Yahoo!. The attacks were skilfully co-ordinated and lethally effective. The cost to the companies that were hit was at least $100 million. No one has been caught.

The US now has a dedicated agency - the National Infrastructure Protection Center (NIPC) - to fight cyber-crime. Launched with the usual political flourishes, its budget this year is $18.5 million - less than the cost of a single fighter jet. The government, the FBI and the computer industry are in outright disagreement as to what they should be doing. The FBI wants high-profile prosecutions; the industry wants a co-ordinated drive for higher standards of security; Washington just wants the problem off its hands. Meanwhile the hackers and virus-spreaders are running rings around it. The NIPC's staff are lowly paid and usually a level removed from the cutting edge of the technology. 'It's just a mess,' says Jim Settle, former head of the FBI's in-house computer crime unit. 'To the goons out there who are causing this chaos it is virtually saying, "Go ahead".'

While awaiting sentencing, Smith has remained in seclusion. His family declines to talk about the case. Ed Borden, Smith's affable Princeton lawyer, tells me, 'He's very sorry. He genuinely didn't intend to cause the kind of trouble he did.' And where is Melissa? 'She's out there somewhere.' The girl or the virus? 'Both.'

Also would anything have been done to upgrade security had not anyone tested the capacity of the system to be secure against this kind of an assault? I also find it grossly offensive that big business and government bodies characterise highly creative people as nerds,goons,and geeks.They are only jealous that they are unable to exert such influences themselves,and have an underdeveloped ability to defeat hackers.It is sour grapes that they cannot attain such notoriety.

Moreover there is an idea that established corporate mentality and materialism should hold sway over everything and that those who hold the chains of power should continue to do so.Whenever a small guy exerts such great influences they drop on him like a ton of bricks.The fiasco over Napster and MP3 and Amazon's attempts to patent a form of internet use,are areas where the freedom of the individual is being maligned by corporations. Napster is doing nothing wrong.

Amazon is doing a similar thing to those trying to patent DNA strands.If someone strikes a blow for freedom and liberty of the individual against corporate big wigs then so be it - it shouldn't be called "cyber terrorism" just because big business gets hit.Middle men are taking money off everyone for doing next to nothing.Frontier artists like David Bowie and Peter Gabriel are seeing the way forward not digging their stupid heels in like Madonna and Metallica.

There is a paradigm change happening as far as artistic ownership is concerned.Home taping hasn't killed music, and people will always make copies,especially in this day and age,and trying to stop that with legislation is absurd.The original artist has already run into problems via sampling technology,and yet sampling has taken off in a big way.No one really owns material,anymore than they can own land.But musical artists have to make a living,and the best way forward is to cut out those who make us pay through the nose for CD's that are cheap to produce,and give the whole 100% revenue to the original artist.

The music and film industry will have to get used to the idea that copying is here to stay and that the whole idea that someone owns copyright is under attack. People like myself don't care if their original work is copied,as long as the original author is noted and the work is not passed off as someone else's work and plagiarised.In this,owning copyright should stay.But to try and stop copies being made is like Canute trying to stem the incoming tide.There isn't a hope.

Court battles over use of samples are absurd because fundamentally one must ask who owns a note of music or a set of digital samples,and no-one does. For getting artistic material into the public domain,the internet is a boon,it should not be curtailed by legislation because a few fuddy-duddy luddites can't see a progressive way to make their living from the way that the system has changed.

I wonder how many samples of other people's work are used in Metallica or Madonna's music without crediting the original artist? What kind of hypocrites are they? Samples are so quickly transmitted and readily recorded that no policing system could hope to keep up with it.Artists should accept that their output will be used in this way,and exploit it and feed off it,not plant their ostrich heads in the sand.

[It's ironic that Steve Hackett's "Defector" -"The Show" carries the lyric "Rock Music should be free,money's worth less and less" whilst the record company's sleeves carried "Home taping is killing music" which might be described as a "Slogan" in Steve's case. Presumably real artists would like to play for free.The ENID for instance survive on the voluntary contributions of their fans because the fans VALUE the survival of the band.It is NOT essential to buy into corporate greed mentality and a Gordon Gecko aspiration that ultimately kills creativity.]

I'm not pro-hacking, where it is malicious and destructive, no one gains,everyone loses,but if systems are not secure and a hacker breaches the system then that only shows that someone with malicious intent could get in just as easily.People like David Smith should be given a job with the NIPC as "punishment" for their action,as they are obviously more talented than those who create security on the internet.

In David's case all he did was clog the system,something that anyone theoretically could do.If loads of people lost money,then that's only a problem if you worship money and material things.Power is in the hands of con men and self serving self righteous hypocrites anyway.So what if they get hurt? I fail to see what law has been broken by the Melissa virus.If I released robot cars onto a highway that self-propagated and brought motorways to a standstill,and no one got injured what's the law that's been broken?

There would be mass inconvenience and a lot of irate people and "normal life" would be altered,and someone would be forced to look at how the motorway system came to a halt.But so what? There is a curious "taking for granted" within politics and business that the values held by big business and government are the values of everyone. What if that's not true? What is meant when they say "He didn't have a life" is "He didn't have a life like mine".So what? Who wants a life like an establishment prole?

When the government or corporations attack the individual or groups of people by forcing a bypass where residents don't want one,that's okay is it?
But when the individual strikes back by being cleverer than the paper - pushers,they invent all kinds of laws that they've broken. Bill Gates goes for the American Dream and attains it,and is punished for being clever by having his business broken in two! The message this sends out is "Don't get too smart for your own boots,or the government will slap your hands". Bill played fair (?)and rivalled the government in terms of power and influence,and they moved the goalposts! Not fair!

If this is the methodology,then it is no wonder that individuals get miffed and start making viruses.If the establishment was actually composed of smart people instead of creeps,boot-lickers and toadies and ladder - climbers then perhaps we'd have secure systems with the people in charge of those systems being the one's that are currently breaching them!

The idea that hackers are "goons out to do damage" is overly simplistic.No doubt some are like this,but others may be like myself who have legitimate concerns over the way the establishment rides rough-shod over individual liberties.I lack the capability to create viruses,but I am not unsympathetic to those that create them. But like every other legitimate user I wouldn't wish to be a victim of a prank,it's bad enough receiving porn SPAM all the time from imbeciles with too much time on their hands.

To categorise hackers as sheer vandals,misses the point of some of the reasons why viruses are released.There may be a sense in which a virus is like creating a living thing,or as leaving a semi-permanent mark on the wall of history,but some of the reason must be to be latter-day Robin Hoods, and the establishment fulfills its role of the Sherrif of Nottingham very accurately.David Smith is just a scapegoat for the ISP and establishment's inability to deal with the fast paced change of technology.

The law lags technology,philosophy lags it,people's ideas and morality lag it (ie Metallica/Napster). All these luddite clock turners should get real.The world is changing and hanging out one guy to dry because you didn't have the right laws or security in place will do nothing to halt the pace of change.The Berlin Wall came down,and we see it as it happens.We see injustices as they happen,and the whole world is motivated against them.David Smith held up the electronic highway for a few days.So what?

Who will be prosecuted if Concorde drops out of the air, and someone is to blame,or if there's a rail disaster,and people die through bad servicing? No,you can bet that it will be an uphill struggle for families seeking to sue Railtrack or BA, because the big corporate big-wigs have the best lawyers. Who helps the little guy?

MAIN INDEX

REFERENCE GUIDE

TRANSCRIPTS

GLOSSARY