1

PART FOUR

Crime and Control


11

The Future of Computer Crime

The previous chapter discussed computer crime but its subject was metaphor. This time it is crime.

THE PAST AS PROLOGUE

In the early years, computers were large stand-alone machines; most belonged to governments, large firms, or universities. Frequently they were used by those organizations to control important real-world actions – writing checks, keeping track of orders, delivering goods. The obvious tactic for computer criminals was to get access to those machines and change the information they contained – creating fictitious orders and using them to have real goods delivered, arranging to have checks written in payment for nonexistent services,1 or, if the computer was used by a bank, transferring money from other people’s accounts to their own.

As time passed, it became increasingly common for large machines to be accessible from offsite over telephone lines. That was an improvement from the standpoint of the criminal. Instead of having to gain admission to a computer facility – with the risk of being caught – he could access the machine from a distance, evading computer defenses rather than locked doors.

While accessing computers to steal money or stuff was the most obvious form of computer crime, there were other possibilities. One was vandalism. A discontented employee or ex-employee could crash the firm’s computer or erase its data. But this was a less serious problem with computers than with other sorts of machines. If a vandal smashes your truck, you have to buy another truck. If he crashes your computer, all you have to do is reboot. Even if he wipes your hard drive you can still restore from your most recent backup, losing only the most recent data.

A more interesting possibility was extortion. In one British case, a supervisor of computer operations for a large multinational firm decided that it was time to retire. He took the reels of tape that were the mass storage for the firm’s computer, the backup tapes, and the extra set of backups that were stored offsite, erased the information actually in the computer, and departed. He then offered to sell the tapes – containing information that the firm needed for its ordinary functioning – back to the firm for a mere £275,000 (about $700,000).2

In a world with anonymous ecash, the payoff could have been made and the information delivered over the net via a remailer. In a world of strong privacy, he could have located a criminal firm in the business of collecting payoffs and subcontracted the collection end of his project. Unfortunately for the executive, he committed his crime too early. He tried to collect the payoff himself – on a motorcycle – and was caught doing it.


WONDERS OF A NETWORKED WORLD

Large computers controlling lots of valuable stuff still exist, but nowadays they are usually connected to networks. So are hundreds of millions of small computers. This opens up some interesting possibilities.

A few years back, the Chaos Computer Club of Hamburg, Germany, demonstrated one of them on German television. What they had written was an ActiveX control, a chunk of code downloaded from a web site onto the user’s computer. It was designed to work with Quicken, a widely used accounting package. One of the things Quicken can do is pay bills online. The control they demonstrated modified Quicken’s files to add one additional payee. Trick a million people into downloading it, have each of them pay you ten marks a month – a small enough sum so that it might take a long time to be noticed – and retire.

One of the classic computer crime stories – possibly apocryphal – concerns a programmer who computerized a bank’s accounting system. After a few months, bank officials noticed that something seemed to be wrong – a slow leakage of money. But when they checked the individual accounts, everything balanced. Eventually someone figured out the trick. The programmer had designed the system so that all rounding errors went to him. If you were supposed to receive $13.436 in interest, you got $13.43, his account got .6 cents. It was a modest fraud – six-tenths of a cent is not much money, and nobody normally worries about rounding errors anyway. But if the bank has a million accounts and calculates interest daily, the total comes to about $5,000 a day.

That sort of fraud is called a “salami scheme” – nobody notices one more thin slice missing from a salami.3 The Chaos Computer Club had invented a mass production version. Hardly anyone notices a leakage of a few dollars a month from his account but, with millions of accounts, it adds up fast. It is the old computer crime of tricking a computer into transferring money to you modernized for a world with lots of networked computers that each control only small amounts. So far as I know, nobody has yet put this particular form of computer crime into practice, despite the public demonstration that it could be done. But someone will.

A modern criminal who preferred extortion to theft could hold the contents of computers for ransom using either a downloaded ActiveX control or a computer virus – and take advantage of the power of public key encryption. Once the software gets onto the victim’s computer it creates a large random number and uses it as the key to encrypt the contents of the hard drive, erasing the unencrypted version as it does so. The final step is to encrypt the key using the criminal’s public key and erase the original.

The next time the computer is turned on, its screen shows a message offering to unencrypt the contents of the hard drive for twenty dollars in anonymous ecash, sent to the criminal through a suitable remailer. The money must be accompanied by the encrypted key, which the message includes. The extortionist will send back the decrypted key and the software to decrypt the hard drive.

From the standpoint of the criminal, the scheme has two attractive features. The first is that since each victim’s hard drive is encrypted with a different key, there is no way one victim can share the information about how to decrypt it with another – each must pay separately. The second is that, with lots of victims, the criminal can establish a reputation for honest dealing; after the first few cases, everyone will know that if you pay you really do get your hard drive back. So far as I know, nobody has done it yet, although there was an old case involving a less sophisticated version of the scheme, using floppy disks instead of downloads.

What else can be done in a world of lots of small networked computers? One answer is vandalism, familiar in the form of computer viruses. A more productive possibility is to imitate some of the earliest computer criminals and steal, not money, but computing power. At any instant, millions of desktop computers are twiddling their thumbs while their owners are eating lunch or thinking about what to type next. When you operate at millions of instructions a second, there’s a lot of time between keystrokes.

The best-known attempt to harness that wasted power is SETI – the Search for Extra-Terrestrial Intelligence. It is a volunteer effort by which large numbers of individuals permit their computers, whenever they happen to be idle, to work on a small part of the immense project of searching the haystack of interstellar radio noise for the needle of information that might tell us that, somewhere in the galaxy, someone else is home. Similar efforts on a smaller scale have been used in experiments to test how hard it is to break various forms of encryption, another project that requires very large-scale number crunching.

One could imagine an enterprising thief stealing a chunk of that processing power – perhaps justifying the crime on the grounds that nobody was using it anyway. The approach would be along SETI’s lines, but without SETI’s public presence. Download a suitable bit of software to each of several million unknowing helpers, then use the internet to share the burden of very large computing projects among them. Charge customers for access to the worlds’ biggest computer while keeping its exact nature a trade secret. Think of Randy Schwartz – who, whether or not he stole trade secrets, had the reputation of grabbing all the CPU power he could get his hands on. Nobody has done it. My guess is that nobody will, since the continuing access is too easy to detect. But two more destructive versions have been implemented repeatedly.

One is called a Distributed Denial of Service attack – DDOS, for short. To do it, you temporarily take over a large number of networked computers and instruct each to spend all of its time trying to access a web page belonging to some person or organization you disapprove of. A web server can send out copies of its web page to a lot of browsers at once, but not an unlimited number. With enough requests coming fast enough, the server is unable to handle them all and the page vanishes from the web.

A second reason to temporarily take over lots of computers that don’t belong to you is to solve the spam problem – not the problem that you and I face in dealing with in-boxes clogged by hundreds of offers to expand various parts of our anatomy but the problem faced by the people sending spam. If you send it from your own computer, you might get into trouble – if not with the recipients, then with your own ISP. One solution is to use a computer virus to modify lots of other people’s computers in a way that gives you temporary access to them and then use them as your unwitting accessories.4

Spam itself provides multiple examples of computer crimes made possible by the existence of enormous numbers of networked computers. Nobody with any sense would believe an email from a stranger in Nigeria offering to give him millions of dollars – after he first provides some small financial evidence of his reliability. But if you send out such an offer to a billion email addresses, ten million of which turn out to be actual people, you will reach the small minority of those ten million who are sufficiently credulous, or sufficiently greedy, to fall for the scam. A small minority of ten million people can still be a large number.

DISTRIBUTED COMPUTING: THE SOLUTION THE PROBLEM COMES FROM

Most of the problems we have been discussing involve software downloaded from a web page to a user’s computer. Such software originated as a solution to one of the problems of networked computing: server overload.

You have a web page that does something for the people who access it – draws a map showing them how to get to a particular address, say. Drawing that picture – getting from information on a database to a map a human being can read – takes computing power. Even if it does not take very much power, when 1,000 people each want a different map drawn at the same time it adds up and your system slows down.

Each of those people is accessing your page from his own computer. Reading a web page does not take much in the way of computing resources, so most of those computers are twiddling their thumbs – operating at far below capacity. Why not put them to work drawing maps?

The web page copies to each of the computers a little map-drawing program – an ActiveX control or Java applet. That only has to be done once. Thereafter, when the computer reads the web page, the page sends it the necessary information and it draws the map itself. Instead of putting the whole job on one busy computer it is divided up among 1,000 idle computers. The same approach – distributed computing – works for multiplayer webbed games and many other applications. It is a solution – but a solution that, as we have just seen, raises a new problem. Once that little program gets on your computer, who knows what it might do there?

Microsoft deals with that problem by using digital signatures authenticated by Microsoft to identify where each ActiveX control comes from. Microsoft’s response to the Chaos Computer Club’s demonstration of a new use for an ActiveX control was that there was really no problem. All a user had to do to protect himself was to tell his browser, by an appropriate setting of the security level on Explorer, not to take controls from strangers.

This assumes that nobody can fool Microsoft into signing bogus code. I can think of at least two ways of doing it. One is to get a job with a respectable software company and insert extra code into one of their ActiveX controls, which Microsoft would then sign. The other is to start your own software company, produce useful software that makes use of an ActiveX control, add an additional unmarked feature inspired by the Chaos Computer Club, get it signed by Microsoft, put it up on the web, then close up shop and decamp for Brazil.

Sun Computer has a different solution to the same problem. Java applets, their version of software for distributed computing, are only allowed to play in the sandbox, designed to have a very limited ability to affect other things in the computer, including files stored on the hard drive. One problem with that solution is that it limits the useful things an applet can do. Another is that even Sun sometimes makes mistakes. The fence around the sandbox may not be entirely applet-proof.

The odds are that both ActiveX and applets will soon be history. Whatever form of distributed computing succeeds them will face the same problem and the same set of possible solutions. In order to be useful, it has to be able to do things on the client computer. The more it can do, the greater the danger of its doing things that the owner of that computer would disapprove of. That can be controlled either by controlling what gets downloaded and holding the firm that certified it responsible for the software’s behavior or by strictly limiting what any such software is allowed to do – Microsoft’s and Sun’s approaches, respectively.

GROWING PAINS

Readers with high-speed internet connections may at this point be wondering if they ought to pull the plug. I don’t think so – and I haven’t.

There are two important things to remember about the sort of problem we have been discussing. The first is that it is your computer, sitting on your desktop. A bad guy may be able to get control of it by some clever trick, by getting you to download bogus software or a virus. But you start with control – and whatever the bad guy does, you can always turn the machine off, boot from a CD, wipe the hard drive, restore from your backup, and start over. The logic of the situation favors you. It is only bad software design and careless use that makes it possible for other people to take over your machine.

The second thing to remember is that this is a new world and we have just arrived. Most desktop computers are running under software originally designed for stand-alone machines. It is not surprising that such software frequently proves vulnerable to threats that did not exist in the environment it was designed for. As software evolves in a networked world, a lot of the current problems will gradually vanish.

Until the next innovation.

THE WORM TURNS: CLIENTS FOOLING SERVERS

We have been discussing crimes committed by a server against clients – downloading chunks of code to them that do things their owners would not approve of. I once got into an interesting conversation with someone who had precisely the opposite problem. He was in the computer gaming business – online role-playing games in which large numbers of characters, each controlled by a different player, interact in a common universe, allying, fighting each other, gaining experience, becoming more powerful, acquiring enchanted swords, books of spells, and the like.

People running online games want lots of players. As more and more players join, the burden on the server supporting the game increases, since it has to keep track of the characteristics and activities of an increasing number of characters. Ideally, a single computer should keep track of everything in order to maintain a consistent universe, but there is a limit to what one computer can do.

One solution is distributed computing. Offload most of the work to the player’s computer. Let it draw the pretty pictures on the screen, maps of a dungeon or a fighter’s eye view of the monster he is fighting. Let it keep track of how much gold the character has, how much experience he has accumulated, what magic devices are in his pouch, what armor on his back. The server still needs to keep track of the shared fundamentals – who is where – but not the details. Now the game scales; when you double the number of players you almost double the computing power available, since the new players’ computers are now sharing the load.

Like many solutions, this one comes with a problem. If my computer is keeping track of how strong my character is and what goodies he has, that information is stored in files on my hard drive. My hard drive is under my control. With a little specialized knowledge about how the information is stored – provided, perhaps, by a fellow enthusiast online – I can modify those files. Why spend hundreds of hours fighting monsters in order to become a hero with muscles of steel, lightening reactions, and a magic sword, when I can get the same result by suitably editing the file describing my character? In the online gaming world, where many players are technically sophisticated, competitive, and unscrupulous – or, if you prefer, where many players regard competitive cheating as merely another dimension of the game – it is apparently a real problem. I offered him a solution; I do not know if he, or anyone else, has tried implementing it.

The server cannot be bothered to keep track of all the details of all the characters, but it can probably manage 1 in 100. Pick a character at random and, while his computer is calculating what is happening to him, run a parallel calculation on the server. Follow him for a few days, checking to make sure that his characteristics remain what they should be. If they do, switch to someone else.

What if the character has mysteriously jumped twenty levels since the last time he logged off? Criminal law solves the problem of deterring offenses that are hard to detect – littering, for example – by scaling up the punishment to balance the low probability of imposing it. It should work here too.

I log into the game where my character, thanks to hundreds of hours of playing assisted by some careful hacking of the files that describe him, is now a level 83 mage with a spectacular collection of wands and magic rings. There is a surprise waiting:

"You wake up in the desert, wearing only a loin cloth. Clutched in your hand is a crumpled parchment.”

"Look at the Parchment.”

"It looks like your handwriting, but unsteady and trailing off into gibberish at the end.”

"Read the Parchment.”

The parchment reads:

"I shouldn’t have done it. Dabbling in forbidden arts. The Demons are coming. I can feel myself pouring away. No, No, No … .”

"Show my statistics.”

Level: 1.

Possessions: 1 loincloth.

Crime doesn’t pay.

5HIGH-TECH TERRORISM: NIGHTMARE OR EMPLOYMENT PROJECT?

A few years ago, I participated in a conference called to advise a presidential panel investigating the threat of high-tech terrorism. So far as I could tell, the panel originated with an exercise by the National Security Agency in which they demonstrated that, had they been bad guys, they could have done a great deal of damage by breaking into computers controlling banks, hospitals, and much else.

I left the conference uncertain whether what I had just seen was a real threat or an NSA employment project, designed to make sure that the end of the Cold War did not result in serious budget cuts. Undoubtedly a group of highly sophisticated terrorists could do a lot of damage by breaking into computers. But then, a group of sophisticated terrorists could do a lot of damage in low-tech ways too. I had seen no evidence that the same team could not have done as much damage – or more – without ever touching a computer. A few years after that conference, a group of not very sophisticated terrorists demonstrated just how much damage they could do by flying airplanes into buildings. No computers required.

I did, however, come up with one positive contribution to the conference. If you really believe that foreign terrorists breaking into computers in order to commit massive sabotage is a problem, the solution is to give the people who own computers adequate incentives to protect them, to set up their software in ways that make it hard to break in. One way of doing so would be to decriminalize ordinary intrusions. If the owner of a computer cannot call the cops when he finds that some talented teenager has been rifling through his files, he has an incentive to make it harder to do so in order to protect himself. Once the computers of America are safe against Kevin Mitnick,6 Osama bin Laden won’t have a chance.



Footnotes

1  A timeline of hacker history and an account of a legal setback for the Secret Service. For one early computer crime case see United States v. Jones, United States Court of Appeals Fourth Circuit 553 F.2d 351 (1977)

2 Parker, 1983, pp. 50–51.

3 A news story from a few years ago described a salami scheme that worked by adding small charges to the victims’ phone bills.

4 A description of how DDOS attacks work. Lots of stories and discussions on attacks. A story on an extraordinarily sophisticated attack, via a computer worm, on Iran's nuclear program. An earlier but probably more reliable account—by a security expert, not a reporter. [Not in the hardcopy of the book--added 11/30/2010

5 A description of a real problem along closely related lines.

6 Kevin Mitnick was possibly the best known of the early computer criminals; he specialized in using social engineering to gain access to computers, spent five years in jail, and currently runs a computer security consulting business.