Viruses
Richard Butt
The differences between the facts and myths of viruses will be explored. The most
popular viruses of the past few years will be discussed. As a practical matter, suggestions
on how to deal with the "threat" of viruses will be presented. Further,
recent cases involving liability of BBS providers to users regarding the spread of
viruses will also be analyzed in conjunction with the issue of damages. Finally,
predictions of the future development of viruses and their solutions will also be
discussed.
Links
www.bocklabs.wise.edu
www.stiller.com
www.datafellows.com
www.symantec.com
www.mcafee.com
Computer Viruses and You
Introduction
One only needs to search the Internet using any search engine with the key words
"computer virus" to realize that the subject of computer viruses is of
great importance to many computer users. For example, a search using Alta Vista
within the scope of the entire Internet utilizing the term "computer virus"
produced more than a thousand hits. In the last five years there has been a proliferation
of computer users reaching out beyond their own individual computer. A steadily increasing
number of computer users have begun utilizing the Internet and electronic mail to both consume
and produce information.
In fact, an entire software aisle in a typical computer superstore is dedicated
to virus detectors and virus eradicators.
What Is a Virus?
In the traditional sense, according to the American Heritage Dictionary, a virus
is defined as "any of various submicroscopic pathogens consisting essentially
of a core of a single nucleic acid surrounded by a protein coat, having the ability
to replicate only inside a living cell." A computer virus is much harder to
define because computer viruses can materialize in many different forms and under
many different environments. Fred Cohen, a renowned virus expert, defines a computer
virus as "a computer program that can infect other computer programs by modifying
them in such a way as to include a (possibly evolved) copy of itself." Cohen's
computer virus definition is very broad and technically also encompasses running
"DISK COPY" under DOS. Most people would agree that a more contemporary
definition of a computer virus is a self-replicating program containing code that
explicitly copies itself and that can infect other programs by modifying them or
their environment such that a call to an infected program implies a call to a possibly
evolved copy of the virus. The addition of the term "explicitly copies"
narrows Cohen's broad definition. In common usage, a computer virus encompasses
any such program that tries to hide its malicious function and/or tries to spread
onto as many computers as possible. Some of these mis-labeled computer viruses may
actually more accurately be classified as "worms" or "trojan horses".
A computer worm is usually defined as a self-contained program which is able to
spread functional copies of itself to other computer systems. Accordingly, these
copies can also spread other functional copies. A major difference between computer
viruses and worms is that worms do not need to attach themselves to host programs.
As a general definition, a trojan horse is a program that performs a function that
the programmer intended but that the user would not approve of if the user
knew about it. There are differing opinions as to which category the trojan horse belongs
to. For example, some people define a trojan horse as a particular type of virus
which can spread to other programs. However, other people define a trojan horse
as non-replicating malware that is not a virus at all.
There are two main types of viruses. The first type are called FILE INFECTORS,
and the second type are called SYSTEM INFECTORS. These two types of viruses have
unique characteristics.
FILE INFECTORS attach themselves to ordinary program files. By definition, they
usually infect selected COM and/or EXE programs. However, there have been some
instances in which FILE INFECTORS attach themselves to SYS, OVL, OBJ, PRG, MNU, and
BAT files, which a program must call as a subroutine in order for them to be executed.
FILE INFECTOR viruses can further be classified as either DIRECT-ACTION or
RESIDENT. A DIRECT-ACTION virus infects one or more other programs
each time the infected program is executed. A RESIDENT virus installs itself
somewhere in the random access memory (RAM) in the computer the first time the infected
program is executed. Thereafter, the RESIDENT virus infects other programs when
they are executed.
SYSTEM INFECTORS, which comprise the second main type of viruses, infect executable
code found in certain system areas on a disk. On personal computers, there are ordinary
boot-sector viruses which only infect the DOS boot sector, and MBR viruses which
infect the Master Boot Record on fixed disks and the DOS boot sector on floppy diskettes.
MBR viruses are memory resident.
There is also a growing class of viruses which infect both files and boot sectors.
They are a combination of the FILE and SYSTEM INFECTORS and are appropriately called
MULTI-PARTITE viruses.
Besides the two main types of viruses, as discussed directly above, there are many
other distinct classes of viruses. These additional classes of viruses include:
CLUSTER viruses, KERNEL viruses, STEALTH viruses, POLYMORPHIC viruses, COMPANION
viruses, and TUNNELING viruses.
CLUSTER viruses modify the directory table entries of the infected program so
that the virus is loaded and executed before the infected program is. The infected
program itself is not physically altered; only the directory entry of the program
file of the infected program is altered. CLUSTER viruses are very similar to FILE
INFECTORS.
KERNEL viruses target specific features of the target program which are contained
in the "core" or "kernel" of the target program. This type of
virus is distinguished from viruses which may infect the "kernel" of a
program; KERNEL viruses attack special features of the "kernel" files such
as loading or calling operations.
A STEALTH virus, as its name implies, can hide the modifications it has made to
files or boot records while the virus is active. From a practical point of view,
when programs try to read infected files or sectors, these programs only see the
original, uninfected form of the infected files. Thus, by only inspecting the files,
the computer user as well as an anti-virus program may overlook the virus infection.
However, the STEALTH virus must be resident in memory, and can thus be detected.
A POLYMORPHIC virus is one which produces varied but operational copies of itself.
This type of replication is employed to attempt to hide different variations of
the same virus from detection. To make a polymorphic virus, the key is to choose
among a large variety of different encryption schemes which, of course, require different
decryption schemes. To be detected, the anti-virus program must exploit multiple
scan strings to reliably identify all the variations of this virus. A different
scan string must be used for each different encryption and decryption scheme. Further,
more sophisticated polymorphic viruses vary their sequence of instructions in
the different variations of the same virus by inserting "junk" instructions,
by changing equivalent instruction sets, or by changing the sequence of operations.
A COMPANION virus creates a new program instead of modifying an existing file.
Unknown to the user, this newly created infected program is executed instead of the
original program. After the newly created program executes, the original intended
program is then executed so that, to the user, everything appears normal. Further,
an anti-virus program will not detect this virus since such programs usually look for changes
to existing programs.
A TUNNELING virus finds the original interrupt codes in DOS and the BIOS and calls
them directly.
In addition, there are viruses which are considered fast, slow, or sparse infectors.
They can belong to any of the previously mentioned categories. There are
benefits to fast, slow, and sparse infectors. For example, a fast infector virus
is active in a computer's memory so that the virus infects not only programs that
are executed but also programs which are merely opened. In marked contrast, the slow
infector virus only infects files as they are modified or executed. The sparse infector
virus is similar to the slow infector virus in that it infects only occasionally.
There are benefits to each of the fast, slow, and sparse infectors. The fast infector
can efficiently spread to many files, but unfortunately will probably be quickly discovered.
However, the fast infector virus can be combined with a polymorphic virus which
makes it difficult to identify all the mutations of the virus. The slow and sparse
infector virus will not spread as quickly but will also probably not be discovered
as easily.
Sources of Viruses
There is a common myth that being attached to a network such as Compuserve, America
On Line, or the Internet, a bulletin board system, or even a local area network will
make your computer more susceptible to viruses. This is wrong. The only way to
get a virus is to execute an infected program on your computer. Sure you may download
an infected program from the Internet, but you have to execute this infected program
before the virus will be active. An exception is the possibility of downloading
a worm, which is a self-executing type of virus.
An important fact that sometimes gets forgotten is that data files cannot infect
your computer with a virus. A myth is perpetuated that data or electronic mail can
transmit viruses. However, since data or electronic mail cannot be executed, accordingly,
they cannot spread viruses. For example, Microsoft Word users can receive viruses
inside what appears to be document files. Thus on the surface, it appears that these
users can become infected through electronic mail or the Internet. However, the
virus infection can only be manifested when the Microsoft Word program is activated,
not merely by opening and viewing these infected files. To avoid becoming infected
by what is called a MACRO type of virus, users should prevent their Microsoft Word
program or any other program from automatically launching from their web browser
or electronic mail program. Accordingly, data or electronic mail messages by themselves
cannot infect a computer system.
Although data files cannot be infected by a virus, the physical diskette used to
hold the data files can contain a program infected by a virus which is hidden in
the boot sector of the diskette. Thus, if this diskette with an infected boot sector
is left inside a computer while the computer is being started, then the computer
will also become infected with the virus from the boot sector.
Detection of Viruses
A practical consideration for many computer users involves the issue of how to detect
a virus. All the descriptions and categories of viruses which can attack a computer
are of little value if one cannot detect a virus before damage is done. There is
good news because viruses can be detected or prevented from infecting a computer
long before they can inflict serious damage. For example, a hypothetical virus which
is programmed to reformat your hard disk probably needs to infect and reside within
your computer for quite a while before your hard disk will be reformatted. If this
hypothetical virus were to reformat your hard drive very shortly after infecting a
portion of your computer, this hypothetical virus would wipe itself out too early
and not have many opportunities to spread to other computers.
Several methods for detecting viruses are commonly utilized in anti-virus software.
These methods include the following: checking changes in file size, checking date
and time stamps, checking assignment of system resources, and checking code for known
viruses. Many anti-virus programs check for any changes in the file size of applications
and boot sectors. Thus, checking for changes in file size can be used to detect
file infectors, system infectors, and multi-partite infectors. The increase in file
size can indicate an attack by a virus. An infected file or application will often
have an increased file size from the immediate onset of the virus attack which in
theory should give the computer owner advance warning to neutralize the virus attack
before any damage is done. However, many viruses can disguise the actual enlarged
file size and fool the anti-virus program into thinking that the file size is unchanged.
The method of checking date and time stamps of applications is another way to check
for virus activity. Abnormally frequent changes to application and boot sector files
can indicate a computer infected by a virus. However, like checking for changes
in file size, the effectiveness of checking date and time stamps can also be circumvented.
For example, a virus can hide recent date or time stamps so that the anti-virus
program will not detect date or time stamp abnormalities.
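A sketch of the file size and date/time stamp checks described above, written in Python as an added example; it is not from the original article or from any anti-virus product. The file names, the fixed timestamp T0 and the placeholder file contents are constructed, and the SHA-256 content hash goes beyond the two checks the text names: it is included because it still reports a change after the size and timestamp have been made to look unchanged.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed baseline timestamp (1997-01-20 00:00:00 UTC), in nanoseconds.
T0 = 853718400 * 10**9


@dataclass(frozen=True)
class Fingerprint:
    size: int
    mtime_ns: int
    sha256: str


def fingerprint(path):
    """Record the attributes the text lists, plus a hash of the contents."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return Fingerprint(st.st_size, st.st_mtime_ns, digest.hexdigest())


def build_baseline(paths):
    """Take fingerprints while the files are known to be clean."""
    return {p: fingerprint(p) for p in paths}


def compare(baseline, paths):
    """Return {path: [reasons]} for every file that differs from the baseline."""
    findings = {}
    for p in paths:
        if p not in baseline:
            findings[p] = ["new file"]
            continue
        if not os.path.exists(p):
            findings[p] = ["missing"]
            continue
        old, new = baseline[p], fingerprint(p)
        reasons = []
        if new.size != old.size:
            reasons.append("size")
        if new.mtime_ns != old.mtime_ns:
            reasons.append("timestamp")
        if new.sha256 != old.sha256:
            reasons.append("content")
        if reasons:
            findings[p] = reasons
    return findings


def demo():
    """Run the checks over three constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        names = ("APPEND.COM", "INPLACE.COM", "CLEAN.COM")
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"\x90" * 512)  # placeholder bytes, not a real program
            os.utime(p, ns=(T0, T0))
        baseline = build_baseline(paths)

        # Case 1: bytes appended; size and timestamp both change.
        with open(paths[0], "ab") as fh:
            fh.write(b"\x00" * 64)

        # Case 2: same-length overwrite with the old timestamp put back, which is
        # the situation the text warns about: size and date checks see nothing.
        with open(paths[1], "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xcc" * 16)
        os.utime(paths[1], ns=(T0, T0))

        result = compare(baseline, paths)
        return {os.path.basename(p): reasons for p, reasons in result.items()}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "changed:", ", ".join(reasons))
```

Run such a comparison from a known-clean boot: a resident STEALTH virus, as described earlier, shows the original bytes to any program that reads the file, so a check made on the running system would see nothing.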
The reallocation of system resources can also be checked by an anti-virus program.
If unusual unaccounted use of RAM or reduction in the amount of available RAM is
detected, it is usually a sign of a virus attacking the system. Further, an even
more effective way to check for viruses involves scanning vital areas such as the
boot sector of the hard drive, the RAM, and all program files for code which resembles
a virus. A simple method for checking these vital areas for code which resembles
a virus is to check this code against a large library which contains code for known
viruses. Utilizing the large library of known viruses can consume large amounts
of hard drive space and can take a long amount of time to complete the virus scan.
Further, since there are always new viruses being discovered, the library of virus
codes will never be complete and will also require constant updating. However, as
a benefit, the scan for virus codes using a library of virus codes ensures with a
high degree of certainty that the viruses contained in the library are not found
inside the scanned computer. An improvement over a fixed library of known viruses
is to also utilize a heuristic means to spot virus-like code. This method of combining
algorithms to recognize viruses allows the anti-virus program to become adaptive
and flexible so that new unknown viruses may also be recognized in addition to known
viruses. However, this heuristic method does not always spot all new
viruses and also consumes a larger amount of computing resources.
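The scan-string matching described in this paragraph and in the POLYMORPHIC virus paragraph earlier, as an added Python example that is not from the original article or from any anti-virus product. The family name Demo.Poly, the marker bytes, the samples and the "??" and "{a-b}" token syntax are all constructed for illustration and are not taken from any real virus or scanner.

```python
import re

_GAP = re.compile(r"\{(\d+)-(\d+)\}")


def compile_scan_string(sig):
    """Compile a scan string into a bytes regex.

    Tokens: two hex digits = literal byte, '??' = any one byte,
    '{a-b}' = between a and b arbitrary bytes (tolerates inserted junk).
    This token syntax is an assumption of this example.
    """
    parts = []
    for tok in sig.split():
        gap = _GAP.fullmatch(tok)
        if tok == "??":
            parts.append(b".")
        elif gap:
            parts.append(b".{%d,%d}" % (int(gap.group(1)), int(gap.group(2))))
        elif len(tok) == 2:
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError("bad scan-string token: %r" % tok)
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, library):
    """Return sorted (name, offset) pairs for every scan string found in data."""
    hits = []
    for name, sig in library.items():
        match = compile_scan_string(sig).search(data)
        if match:
            hits.append((name, match.start()))
    return sorted(hits)


# A single fixed scan string: it only matches one exact copy.
EXACT = {"Demo.Poly (exact)": "D0 0D 11 22 FA CE 01"}

# One entry per encryption/decryption scheme, with wildcards for the bytes
# that vary between copies and a small gap for inserted junk.
FULL = {
    "Demo.Poly scheme 1": "D0 0D ?? ?? {0-4} FA CE 01",
    "Demo.Poly scheme 2": "D0 0D ?? ?? {0-4} FA CE 02",
}

PAD = bytes(32)

# Constructed byte strings standing in for scanned files; none is executable code.
SAMPLES = {
    "clean": PAD + b"ordinary program bytes" + PAD,
    "original": PAD + bytes.fromhex("d00d1122face01") + PAD,
    "new key": PAD + bytes.fromhex("d00da5c3face01") + PAD,
    "junk inserted": PAD + bytes.fromhex("d00d77889090face01") + PAD,
    "scheme 2": PAD + bytes.fromhex("d00d3344face02") + PAD,
    "scheme 3": PAD + bytes.fromhex("d00d5566face03") + PAD,  # not in the library
}


def detection_table():
    """For each sample, list which entries of each library report it."""
    return {
        label: {
            "exact": [name for name, _ in scan(data, EXACT)],
            "full": [name for name, _ in scan(data, FULL)],
        }
        for label, data in SAMPLES.items()
    }


if __name__ == "__main__":
    for label, row in detection_table().items():
        print("%-14s exact=%s full=%s" % (label, row["exact"], row["full"]))
```

The last sample shows the limit the text describes: a scheme with no entry in the library is not reported, which is why the library needs constant updating.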
Several simple steps should be taken to detect viruses before they infect or before
they cause damage to your computer. A virus scanner will help identify viruses early.
In order to gain the maximum benefit from a virus scanner, the virus scanner should
be run on new programs before installation onto your computer and on all applications,
RAM, and boot sectors upon starting your computer. Lastly, it is also important
to periodically update your virus scanner.
Common Viruses
As of January 20, 1997, the following viruses comprise the top five most frequently
found viruses. They include the following: WM.Concept, Form.A, One Half.3544, AntiEXE.A,
and Stoned.Empire.Monkey.A.
The WM.Concept virus utilizes five macros to infect the host computer and affects
Microsoft Word documents. The computer user initiates the first stage of the infection
by depressing the OK button when the dialog box displays a number "1".
Then, the virus replaces the "Save As" command in the File Pulldown menu
with its own command so that every time the user saves a document, the document is
placed in a new format. Further, this virus also replaces the macro "Auto Open"
with different contents so that "Auto Open" is automatically executed each
time a document is opened which allows the virus to replicate in new documents.
The Form.A virus infects the boot sector of a hard drive. This virus reserves 2k
of RAM memory and the last two sectors of the hard drive for the original boot sector
and the virus sector. This virus does not protect the last two sectors of the hard
drive so that these two sectors can be overwritten. This virus checks for the 18th
day of any month. Upon reaching the 18th day, this virus produces a clicking sound
each time the keyboard is depressed. This virus contains no intentionally damaging
code. However, there are two bugs which can cause the infected computer to crash.
The virus is programmed to only allow one disk read and not allow a retry so that
after the first failed disk read the system will crash. Further, since the boot
sector of the hard drive may be overwritten, the drive may be rendered unbootable.
The One Half virus is an advanced multi-partite virus which infects both the boot
sector and application files. The One Half virus utilizes both stealth techniques
to hide the master boot record infection on the hard drive and also polymorphic techniques
to make file detection and removal nearly impossible. One of the stealth capabilities
includes displaying a clean copy of the master boot record and a hidden infection
size while the files are being displayed. The master boot record infection from
the One Half virus is generic. A major concern is that this virus slowly encrypts
the hard drive. Every time the hard drive is cold booted, two more cylinders of
the hard drive are encrypted. The real problem is that when the One Half virus is removed
from the master boot record, which can be accomplished by using a typical anti-virus
program, all the data in the encrypted area of the hard drive is lost. For the file
infector portion of the One Half virus, this virus only infects files with a .COM
or .EXE extension. One Half does not attack files with SCAN, CLEAN, FINDVIRU, GUARD,
NOD, VSAFE, or MSAV. When One Half finds an appropriate file to infect, this virus
inserts portions of itself into random points within the host file and also changes
its form to disguise the virus. In addition, this virus also appears to be compatible
with most versions of DOS and Windows 3.1.
The AntiEXE virus is a system infector which attacks the master boot record and
DOS boot sectors. Fortunately, this virus can only spread from computer to computer
by booting the system from an infected floppy disk. However, once the computer is
infected with the AntiEXE virus, this virus remains active in memory. Then, this
virus searches for specific files with the EXE extension and corrupts the file if
found. To prevent virus scanners from detecting this virus, the AntiEXE virus has
stealthing capabilities so that disk reads of the infected master boot record or
DOS boot sectors are redirected to their clean uninfected counterparts.
The Stoned.Empire.Monkey virus, which is also called Monkey, is a system infector which
attacks the master boot record and floppy boot sectors. The purpose of this virus
is not to cause intentional damage. However, because of the rapid and aggressive
replication of this virus, portions of the infected computer's hard drive can be
overwritten, damaging data.
Virus Hoaxes
The Good Times virus scare started in early December 1994. The supposed Good
Times virus is carried by electronic mail. It was purported that just reading
a message with "Good Times" in the subject line would erase your hard drive
and even destroy your computer's circuits. This propaganda turned out to be a hoax.
The original "warning" message concluded with instructions to forward
this warning message to all friends. The following are excerpts from this "warning"
message:
Somebody is sending electronic mail under the title "good
times". If you get anything like this, do not download the
file!!! It has a virus that rewrites your hard drive, and you
lose anything on your hard drive. Please be careful and
forward this mail to anyone you care about.
To combat the Good Times virus hoax, several links were created on the Internet.
Some of these informative sites include the
following: http://www.tcp.co.uk/tcp/good-times/ and Data Fellows Ltd's Virus Information
Centre. The negative effect of virus hoaxes like the Good Times hoax is that people
who already know it is a hoax keep getting bombarded with repeated hoax warnings
and others who do not know it is a hoax spend needless time and energy worrying
about a Good Times infection. Further, the extra energy and bandwidth devoted to
informing users of the Good Times virus hoax and the wasted productivity of uninformed
people worrying about the virus is like a virus in itself. Even though the Good
Times virus does not even exist, this virus hoax has the same effect
as a real virus. In fact, many people say that the Good Times virus hoax was not
a computer virus, but rather it is a social or thought virus. Instead of replicating
like a typical computer virus inside a computer host, this thought virus replicates
copies of Good Times virus hoax warnings by using people as its host instead of a
computer. Many people also believe that the best way to control a thought virus
is to create a counter virus as an antidote. Further, as the hoax virus is contagious,
the key to making the antidote effective is to make sure that the counter virus spreads
as well.
Some of the companies which have fallen for the Good Times virus hoax include the
following companies: AT&T, CitiBank, NBC, Hughes Aircraft, and Texas Instruments.
The U.S. government has also been a victim of the hoax, which has spread to the following
divisions: Department of Defense, FCC, NASA, and Department of Health and Human Services.
The Deeyenda hoax follows the Good Times virus hoax and uses similar tactics to
scare users. The Deeyenda hoax warning contains similar facts which appear in the
Good Times warning. Additionally, the Deeyenda hoax falsely claims that the FCC
issued this alert to watch out for the Deeyenda virus. The FCC is not in the
business of issuing virus warnings. Further, the Deeyenda virus warning also claims
that once the Deeyenda virus attacks a computer, this virus is virtually undetectable.
This is not true; all viruses become detectable after the host computer is infected.
Lastly, like the Good Times virus hoax, the Deeyenda virus warning does not reference
a verifiable author to the warning. Thus, the facts and accuracy of the warning
cannot be confirmed. This is an especially useful and common element for spreading
all virus hoaxes.
Common Cure for Viruses
Some unscrupulous anti-virus software products claim that by running their anti-virus
software, you will be safe from viruses forever. Unfortunately, as enticing as this
sounds, it is not true. As you can guess by the brief description of computer viruses
as found above, the solution cannot be this simple. Any anti-virus software product
will need to be updated to be able to detect and/or protect you from ever evolving
viruses.
Some people advocate write protecting certain files or even write protecting the
entire hard drive. These write protection mechanisms are usually implemented by
software which makes these write protection mechanisms especially vulnerable to viruses
themselves. In fact, a virus can easily bypass the costly and inconvenient results
of write protecting both files and hard drives. It is important to note that while
write protecting selected files or entire hard drives may be ineffective and therefore
impractical, write protecting floppy diskettes by locking the movable tab is extremely
effective at preventing a clean floppy diskette from becoming infected.
It is a common myth that a user who only runs retail software is safe from exposure
to viruses. One of the most common types of viruses, the boot sector virus, will
infect a computer if an infected floppy diskette is booted up. There have been quite
a few viruses which have been shipped inside shrink wrapped products directly from
the manufacturer. Further, some software stores allow software to be returned after
being used. The returned software could have been infected by the first user. Then,
this infected software is re-shrink wrapped and sold again. Clearly, a user who
only runs retail software is not free from the threat of viruses.
Legislation Addressing Viruses
One of the most relevant federal statutes regulating the spread of viruses is 18
U.S.C.S. section 1030 entitled, "Fraud and Related Activity in Connection with
Computers." Following directly below is the history of relevant portions of
title 18 section 1030 from 1988 to the present. Tracing the changes in these
statutes involving computer viruses allows us to explore the contours of the past
as well as the current state of our law.
1984 version:
anyone who knowingly accesses a computer without authorization, or having accessed
a computer with authorization, uses the opportunity such access provides for purposes
to which such authorization does not extend, and by means of such conduct knowingly
uses, modifies, destroys, or discloses information in, or prevents authorized use
of, such computer, if such computer is operated for or on behalf of the Government
of the United States and such conduct affects such operation.
1988 version:
1030(a)(5)(A): whoever intentionally accesses a Federal interest computer without
authorization, and by means of one or more instances of such conduct alters, damages,
or destroys information in any such Federal interest computer, or prevents authorized
use of any such computer or information, and thereby
(A) causes loss to one or more others of a value aggregating $1,000 or more during
any one year period;
1992 version:
No change from 1988
1994 version:
1030(a)(5) intentionally accesses a Federal interest computer without authorization,
and by means of one or more instances of such conduct alters, damages, or destroys
information in any such Federal interest computer or prevents authorized use of any
such computer or information and thereby--
(A) causes loss to one or more others of value aggregating $1,000 or more during
any one year period;
1995 version:
1030(a)(5)
(A): whoever through means of a computer used in interstate commerce or communications,
knowingly causes the transmission of a program, information, code, or command to
a computer or computer system if--
(i) the person causing the transmission intends that such transmission will--
(I) damage, or cause to damage to, a computer, computer system, network, information
data, or program; or
(II) withhold or deny, or cause the withholding or denial, of the use of a computer,
computer services, system or network, information, data or program; and
(ii) the transmission of the harmful component of the program, information, code,
or command--
(I) occurred without the authorization of the person or entities who own or are
responsible for the computer system receiving the program, information, code, or
command; and
(II) (aa) causes loss or damage to one or more other persons of value aggregating
$1,000 or more during a 1-year period; or
(B) whoever through means of a computer used in interstate commerce or communications,
knowingly causes the transmission of a program, information, code, or command to
a computer or computer system--
(i) with reckless disregard of a substantial and unjustifiable risk that the transmission
will--
(I) damage, or cause to damage to, a computer, computer system, network, information
data, or program; or
(II) withhold or deny, or cause the withholding or denial, of the use of a computer,
computer services, system or network, information, data or program; and
(ii) the transmission of the harmful component of the program, information, code,
or command--
(I) occurred without the authorization of the person or entities who own or are
responsible for the computer system receiving the program, information, code, or
command; and
(II) (aa) causes loss or damage to one or more other persons of value aggregating
$1,000 or more during a 1-year period; or
1996 version:
1030(a)(5)(A): whoever knowingly causes the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally causes damage without
authorization to a protected computer;
1030(a)(5)(B): whoever intentionally accesses a protected computer without authorization,
and as a result of such conduct, recklessly causes damage;
1030(a)(5)(C): whoever intentionally accesses a protected computer without authorization,
and as a result of such conduct, causes damage;
Case Law
Since the introduction of Section 2(d) of the Computer Fraud and Abuse Act of 1986,
there have only been several cases which specifically address section 1030(a)(5)(A).
Two such cases are United States v. Robert Morris (928 F.2d 504) and United States
v. Bernadette Sablan (92 F.3d 865).
In United States v. Robert Morris (928 F.2d 504), the United States government charged
Robert Morris with violation of section 1030(a)(5)(A) 1988 which punishes "anyone
who intentionally accesses without authorization a category of computers known as
federal interest computers and damages or prevents authorized use of information
in such computers, causing loss of $1000 or more." In the fall of 1988, Morris
was a first year graduate student in Cornell University's computer science Ph.D.
program. Morris already had significant computer experience and expertise. Upon
entering Cornell, Morris was given a computer account with access to the University's
computer network.
In October of 1988, Morris began working on a program which is referred to as a
"worm" or "virus". According to Morris, the goal of this program
was to demonstrate the inadequacies of the current security measures on computer
networks by exploiting the defects which Morris had already discovered. Morris chose
to release his worm program onto the network computers. Morris had designed the
worm program to spread across a national network of computers after his worm program
was merely inserted at one computer location connected to this national network.
This national network of computers is commonly known today as the INTERNET. However,
back in 1988, the INTERNET was used primarily to connect university, governmental,
and military computers around the country.
Morris programmed his INTERNET worm to spread widely without drawing attention
to itself. In other words, Morris wanted his worm to have stealth properties. To
attain stealth properties and not be detected, the worm was supposed to occupy little
computer processing time and thus not interfere with normal computer use. Further,
Morris also made his worm difficult to detect.
As another step to ensure that his worm would not be detected, Morris wanted to
ensure that multiple copies of his worm did not occupy the same computer because
multiple worms on the same computer would bog down this computer and would ultimately
crash this computer. Further, multiple copies of the worm on the same computer would
make detection much easier. Accordingly, Morris designed his worm to ask the potential
host computer if it already had a copy of this worm. If the host computer responded
negatively, Morris's worm would be copied onto the host computer. Otherwise,
the worm would not be duplicated. However, Morris was concerned that other programmers
could prevent the worm from being copied onto an uninfected host computer by simply
having the host computer answer the worm with a false positive answer which signals
the worm not to replicate. To circumvent this possible protection against his worm,
Morris programmed a security feature in the worm to duplicate itself every seventh
time it received a positive answer to the worm's question. Morris underestimated
the number of times a computer would be asked the question by his worm and Morris's
security feature resulted in far more duplication than he expected.
Morris identified four ways in which his worm could break into computers. Morris
utilized a bug in the SEND MAIL function to infect computers through electronic mail.
He also found a bug in the "finger demon" program, which permits a person
to obtain limited information about users of another computer. Morris utilized the
"trusted hosts" feature, which allows a user of one computer to have similar
privileges on another computer without using a password. Finally, Morris also utilized
a very simple and low tech method of password guessing.
On November 2, 1988, Morris released his worm. Soon after November 2, Morris discovered
that the worm was replicating and re-infecting machines at a much faster rate than
he anticipated. Many computers around the country crashed because of Morris' worm.
Damages at each installation ranged from $200 to $53,000. Morris was found guilty
of violating 18 U.S.C. section 1030(a)(5)(A).
Morris appealed the verdict and argued that the Government had to prove not only
that he intended unauthorized access, but also that he "intended" to prevent
others from using it, and thus caused a loss. The court ruled that in this case,
punctuation alone is not so clear as to preclude review of the legislative history.
The court held that the lower court had correctly ruled that the Government did not
have to prove that Morris "intended" to cause the damage and that it was
enough to show that Morris intended to gain unauthorized access and subsequently
caused damage. The court based its decision on the legislative history of this code
section. In this code's earlier version in 1984, this subsection covered anyone
who "knowingly" accessed an unauthorized computer. The 1986 version changed
from "knowingly" to "intentionally". The resulting move toward
intentional unauthorized access excludes a person who inadvertently stumbles into
someone else's computer files or data. The "intentional" standard is a
higher hurdle to clear than the "knowledge" standard.
Morris also argued that he exceeded his authorized access rather than gaining "unauthorized
access". Morris argued that he was authorized to use computers at Cornell,
Harvard, and Berkeley, all of which were on the INTERNET. The court cited a Senate
Report at 10, U.S. Code Cong. & Admin. News at 2488. The Report stated that
this subsection applies "where the offender is completely outside the Government,
. . . or where the offender's act of trespass is interdepartmental in nature."
The court ruled that Morris did not use SEND MAIL and finger demon for
their intended purpose and therefore, Morris's conduct falls well within the area
of unauthorized access. The ruling by the Appellate Court affirmed that Morris was
guilty.
In United States v. Bernadette Sablan (92 F.3d 865), the government charged Sablan
with the same subsection 1030(a)(5)(A) described above in the Morris case. After
Sablan was fired from her duties as an employee of a bank, she returned to the bank
and illegally entered the bank with a copied key. Sablan then proceeded to access
the computer system using an old password. The Government asserted that Sablan severely
damaged several bank files.
Sablan argued that the word "intentionally" in subsection 1030(a)(5)(A)
applied to each of the elements of the crime. The court adopted the reasoning of
the Morris court and ruled that the "intentionally" standard only applies
to the "accesses" phrase and not to the "damages" phrase. Sablan
also argued that if subsection 1030(a)(5)(A) does not require intent for the damages
element, the statute is unconstitutional. Sablan relied on the Supreme Court's decision
in X-Citement Video, 115 S. Ct. 464. The present court ruled that since subsection
1030(a)(5)(A) does not criminalize otherwise innocent conduct, subsection 1030(a)(5)(A)
is constitutionally valid. In the present case, the Government proved that Sablan
intentionally accessed a federal interest computer without authorization. Thus,
Sablan must have had a wrongful intent in accessing the computer.
From D. Friedman
Finally--a (Word macro) virus that really does spread by EMail.