Slashdot Mirror


The Melissa Syndrome

John Dillinger wasn't nailed with much more fanfare than the alleged creator of the now-famed Melissa virus, whose apprehension in New Jersey a few days ago drew a governor and a platoon of state, local and federal cyber-cops. This syndrome is becoming almost ritualistic. The virus and the arrest tell us a lot about Crime and Hype, Technological Hostility, and Closing the Distance that makes so much online hostility so easy.

CRIME AND HYPE: The Melissa Syndrome

John Dillinger himself wasn't arrested with much more fanfare. When police in New Jersey announced the "capture" last week of David Smith of Trenton, allegedly the creator and distributor of the now famous Melissa virus that's supposedly infected more than 100,000 computers and shut down several hundred corporate computer systems, it made front pages all over the country.

The FBI acted as if it had just rounded up the world's most wanted terrorist. The bureau rushed to hail its new National Infrastructure Protection Center, a division created to fight cyber-warfare threats following teenaged hackers' intrusions on U.S. Defense Department networks. "We will track down these electronic saboteurs," promised William Megary, the FBI special agent in charge of the Melissa investigation.

The case was such a public relations bonanza that New Jersey's governor -- never before known to have uttered a syllable about the Internet -- turned out before the cameras to praise the "good old-fashioned detective work" that brought the villain to justice. She was flanked by the Attorney General and a battalion of law enforcement officials.

This reeks of opportunism and hype.

And it reflects the curious mythology of the Net and the Web, especially to the old-world institutions trying to figure out how to deal with it. The idea of a computer virus is genuinely chilling. But has it created enough damage or suffering to warrant this kind of coverage? Or is the idea of the virus more menacing than the reality?

Anybody who's been paying attention to the Net for any length of time has learned to be deeply suspicious of journalistic and law enforcement pronouncements about cyber-criminals. Both government and journalism have been fundamentally clueless about the dangers presented by hackers, virus-makers and other bogeymen. Dubious, unchallenged statistics are often presented as fact, great dangers invoked where there are few, sometimes no, victims. Too often, the hype hasn't fit the crime. More than anything, bureaucracies like to grow, and nothing feeds them faster than saving the public from real or perceived danger.

This drama has become almost ritualistic, ever since the famous Secret Service raids on suburban hacker bedrooms in the 80's. Law enforcement, competing for bureaucratic jurisdiction over the Internet, deeply suspicious of a culture it can't understand or control, has pressed for encryption tools and standards that challenge both privacy and freedom.

Journalists, threatened by the ferociously independent digital culture, accept and relay all sorts of unfounded accusations and statistics, and seem eager to portray the Net as a public health hazard.

So when somebody is hauled out of an apartment by publicity-hungry law enforcement agents, his equipment seized, the media enthusiastically passes along reports of massive damage and danger with little or no detail or substantiation.

The brilliant loner stalking society plays into the media's shallowest stereotypes and the public's deepest fears. In the David Smith case, the media have found their latest Kevin Mitnick-style cyber-villain, another disconnected computer addict without a life, using his computer skills to prey on unsuspecting citizens and helpless companies.

The 30-year-old programmer was described as a reclusive, anti-social loner who rarely left his apartment. He allegedly named his virus after a topless dancer in Florida. He was charged with interruption of public communications, theft of computer services and wrongful access to computer systems. As noxious as viruses are, Dillinger, in fact, would have been embarrassed to be nailed on charges like this.

Journalists reported the existence of dark and menacing viral subcultures lurking on the Net and Web, working feverishly to prepare lethal viruses. Was Smith also VicodinES, another virus writer linked in Net posts with the creation and dissemination of Melissa?

According to the New York Times, the emergence of the Melissa virus "underscores the growth on the Internet of a community of virus writers and collectors. They freely trade malicious code, combine efforts to best the work of antivirus researchers, and post their creations on the Internet for anyone to download and release into the wild."

To hackers, thieves, crackers, perverts, addicts and porn-peddlers we now add viral terrorists - "the anarchic lure of virus writing," one paper called this new danger. Curiously, if typically, there was no hard evidence to support the suggestion that virus writing has become epidemic, or even to substantiate the police estimates that more than 100,000 people and hundreds of companies had been affected by Melissa. How would we know? Did they all call the FBI?

Stories like this one reinforce the idea - already entrenched in journalism and politics - that people need walls around their computers to protect themselves, their businesses and their families.

These walls sometimes take the form of legislation (the late CDA, for instance), and sometimes result in the blocking and filtering systems spreading all over the Net.

"Here we go," e-mailed Johnny Rocket, who creates, studies and then dismantles (but never distributes) computer viruses for fun. "There are some sick people out there, but why don't they ever check to see how much real harm is done? Mostly, they're dumb kids. But they don't do nearly as much harm as you would think from watching TV."

And not nearly as much as human beings do to one another in the real world either. A child maimed or killed by gunfire -- more than 5,000 American kids were casualties of guns last year -- doesn't get a fraction of the coverage or attention David Smith or Melissa will get.

TECHNOLOGICAL HOSTILITY

Still, for all the exaggeration, hostility is a reality online. Whoever created Melissa did cause harm and damage. And to human beings, not just machines. He or she also reinforced the false idea that the Net and the Web are dangerous places inhabited by threatening people, and in need of urgent policing. The FBI and its National Infrastructure Protection Center are ready and waiting.

Yet some programmers do generate destructive programs like Melissa and take some warped pleasure in distributing them. Some do make viruses for fun, the same way others love bar codes and study magnetic strip coding. This kind of behavior isn't new to the world, or unique to the Net. Every year, thousands, even millions, of people race trains across tracks, drive drunk through stop signs at high speeds, beat up their spouses and kids.

But one of the strange realities of Internet life is that it juxtaposes extreme anger and powerful friendship, closely and continuously.

The Net is awash in varying emotions and diverse responses. It brings support, creates community, makes communication easier than ever, and almost simultaneously spawns disconnection and hostility.

The nearly continuous dichotomy - making friends, receiving generous advice and direction, fending off flames and criticism, even dodging viruses and mail bombs - is so discordant as to be disorienting.

In many ways, the Net is fundamentally about community - bringing disparate, far-flung people together in new kinds of social groupings. You really can't go anywhere online by yourself and be completely alone. Technologically-driven hostility becomes even more important in that context, because community requires the members of a given group to talk about issues, forge common values, articulate goals.

The communicative social nature of the Net makes the former - the coming together - easy, but the latter - rational discussion - almost impossible. People who share an interest in Linux, open source or free software can come here from all over the world, but can they talk openly about the very thing that brings them together? Not often easily. Any half-dozen angry people can, and often do, disrupt a discussion in seconds (and not just here, but all over the Web), driving away people who are disinclined to trade insults or have better things to do. The effect is bizarre. The majority are driven underground and out of sight, the tiniest minority becomes a tyranny.

I've made my closest friends online, gotten many of my ideas and a torrent of thoughtful commentary. I am continuously supported, and educated. I am continuously challenged, attacked, insulted. Although I'm used to it, it's still sometimes bewildering to be praised and criticized simultaneously, for the same ideas and words, so immediately and intensely that it's hard to maintain a sense of reality at times.

Should you still listen to all the feedback, or make a point of ignoring it? Do you factor in age and gender? Do you credit the most articulate and impassioned critics? The most thoughtful? Or do you finally throw up your hands, and go by your own instincts?

When I wrote for conventional media - Rolling Stone (where I still write), New York, GQ and other places - the problem was simpler. I was trained to dismiss readers. It didn't matter what they thought. Nobody could reach me, except those taking the trouble to write and send letters.

But every idea advanced online is praised, attacked and criticized in varying degrees, sometimes within seconds of being published and for weeks, even months beyond.

The bulk of e-mail is radically different from most of the public posters on the site itself. Neither group, the flamers or the lurkers, seems to have much direct contact with or even consciousness of the other.

Unaware that I receive praise, the flamers expect me to go up in smoke. Unaware of one another, the lurkers reassure me. The lurkers sometimes know that ferocious, even vicious, debate and hostility is evident just a few scrolls down. The flamers have no idea that anything else is.

For a columnist dealing in opinions, this is a Brave New World, a parallel universe, my very own Matrix. It's sometimes impossible to know where one reality begins and the other ends.

CLOSING THE DISTANCE

Technological vandalism and hostility - flaming, personal attacks, virus and mail-bomb attacks - occur because the people who practice and advocate them must operate at an enormous physical and psychological distance from the people they attack and from the consequences of their actions.

Although they differ enormously in their impact, the principle is the same as scientists' and technologists' advocating the use of advanced air weapons against remote and presumably primitive peoples.

Both kinds of attacks are made possible by the disconnection technology permits. We don't see our adversaries as human beings, and don't expect to ever encounter them. So, since we have the instant and visceral technology to respond emotionally to things we fear or dislike, we attack them with the expectation that there will be no consequences. And there hardly ever are. On the Net, assaulting someone is no tougher - or riskier - than pushing a send button.

Online violence and hostility, wildly exaggerated in terms of scope and danger but still epidemic, will diminish only when the distance between people is somehow closed by the same technology that now promotes it. Perhaps when audio and video-streaming permits live encounters with real-time video and sound. Or when phone, voice and visual messaging technologies fuse, and the presence on the other end appears, even in virtual form, as a human being.

Smith may or may not be the author of the virus, and it may or may not be as dangerous and pervasive as the publicity-hungry cyber-cops suggest. But it's still a great metaphor for the nastiness that has marked the first generation of the Net, and then the Web.

For me, the damage comes mostly from what can't happen: intelligent, continuous discussions, messages from the many lurkers who have powerful ideas but are not willing to endure the public assault that comes with expressing them.

The best resistance: to persevere. To listen to all criticism, no matter how crudely expressed, and keep writing and talking. To do anything else would be to give up the freedom that makes the Net unique. Some day, the Net will have its own equivalent of a "peace" movement, and mindless hostility will be perceived as the very direct threat to free and open speech that it is.

Exaggerated or not, techno-hostility forces community underground, into closed websites, mailing lists and e-mail. It stunts the evolution of ideas, movements and communities themselves.

It aborts ideas.

Hostility, from flames to viruses, is an inducement to the many in journalism, politics and the corporate world itching to find ways to control and curb free access on the Net and the Web.

And they are all generally acts of cowardice and malice at worst, unthinking and reflexive cruelty at best. It's no wonder that the most enthusiastic attackers hide behind anonymity.

"The lesson," wrote computer pioneer Joseph Weizenbaum in a 1976 essay explaining the people who advocated the advanced weaponry used to maim and kill during the Vietnam War, "is that the scientist and technologist must, by acts of will and of the imagination, actively strive to reduce such psychological distances, to counter the forces that tend to remove him from the consequences of his actions."

jonkatz@slashdot.org

5 of 202 comments

  1. the distraction by Tom · · Score: 5

    the #1 sickening thing about the whole melissa hype is how it distracts from the facts.

    here we have a collection of well-known security holes practically screaming "exploit me". they should've been fixed for years, but instead they've been put deeper and deeper into the very design.
    yes, I'm flaming micro$oft, but it's not them alone. it's the armada of clueless who, far from being honest about what they know and what they know nothing about, not only BELIEVE, but carry the word along - "integration is good for the customer".

    in my country (i.e. germany), when I break into a bank and it is found out that the bank's security company made my job considerably easier by leaving out standard security procedures or making serious mistakes that a security company really shouldn't make, it can be made liable for parts of the damage done.
    in the states, you have those idiot cases where macdonalds is sued for the same thing - negligence - because they forgot to tell some fool that hot coffee is, well, hot.

    I wonder whether micro$oft will be sued for melissa-incurred damages. if you can sue macdonalds for hot coffee, then sure as hell you should sue micro$oft for gross negligence of basic security procedures.

    --
    Assorted stuff I do sometimes: Lemuria.org
  2. Whose fault was it, really? by Bruce+Perens · · Score: 5
    Microsoft's system was like a forest that hadn't had a controlled burn in decades, just waiting for one person with a match to turn it into a disaster.

    Melissa was Microsoft's fault. They left their system wide open to this sort of abuse, they knew it could happen and did nothing. The fact that word macros could be abused was public knowledge for at least a year before Melissa came along. Rather than fix their system and protect a few hundred thousand users, they waited for someone to come along and set off their bomb. Someone so naive that he left incriminating evidence in the virus. The fact is, MS users are unprotected from rank amateurs.

    Bruce Perens

  3. 'Melissa' Virus not the point of Jon's article. by CodeShark · · Score: 5
    Folks, consider the source here... Jon Katz is not writing about Microsoft (which I acknowledge has not done a very good job securing VBA -- why should a VBA macro be able to access my e-mail address book without permissions, etc.?), he's writing about the societal response to bad news and the Internet.

    Then he makes (IMHO) a valuable connection of the similarity in psychological distancing involved in the use of high tech killing weapons. The 'Internet Creeps' (the so-called dark side of the Internet: porno junkies, perverts, crackers, flamers, etc.) have the advantage of anonymity from their intended victims that allows them to launch whatever type of attack they wish, without responsibility for the results of their actions.

    Freedom without responsibility invariably leads to anarchy. Let me offer several examples.

    • I am (not being an ex-convict, or otherwise restricted) 100% free to buy a gun. I am not 100% free in how I use it.
      Use it wrong, and I am subject to arrest for breaking the law.
    • I am free to buy the ingredients which mixed together, could make an explosive or illegal drug.
      But if I make the explosive or drug, again, I am breaking the law, and deserve the consequence of my actions.
    Similarly, I am free to write an unbelievably malicious computer virus. I am not free to distribute it without consequence. But even these thoughts are not 100% what the article is (IMHO) trying to focus our attention on.

    Either we work together to make the 'Net a more livable, enjoyable, and safe place to co-exist, or we do in fact deserve the heavy-handed law enforcement and media responses which would undoubtedly otherwise follow.

    --
    ...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
  4. 40 years? by Merk · · Score: 5

    Apparently if found guilty on all counts this guy could face up to 40 years in prison.

    I, for one, find this ludicrous. Nobody was killed, nobody was hurt, and as far as I know no data was even lost.

    I think, on general principles, anybody who writes a macro virus should face half the legal penalty of someone who writes a true machine-language virus. After all, in order for his/her virus to do anything the person whose computer is involved has to effectively let them, by allowing the macros to run.

    Maybe the way to divide up the blame is to say any malicious things the macro virus does to the host computer can be laid squarely on the shoulders of the virus writer. Any denial of service resulting from the virus spreading is shared between the company that has a macro-virus enabled platform, and the users who don't check for virii.

    In that case, this guy would be liable for writing the Simpsons quote in thousands of documents, but that's it.

    But unfortunately my views aren't the views of law enforcement.

    So. How is a very successfully propagating but non-destructive macro virus different from some other action resulting in denial of service? For example: the people responsible for the net clog following the Pamela Anderson / Tommy Lee videos? Lucasfilm for the popularity of the Star Wars trailers? Even the /. effect! We take down servers just as harshly as Melissa did when there's something cool to see there.

    Look out Cmdr Taco -- 40 years as some guy's bitch isn't worth the coolness of maintaining /.

  5. This stuff by Madhatter · · Score: 5

    If you take a loaded gun with a label that says "Point in face and pull the trigger for a hell of a good time" and pass it around to a random group of people are you to blame for the morons who pull the trigger and blow their heads off? That guy was e-mailing a loaded gun (if it was him responsible for spreading it) and people very stupidly opened up stuff they had no idea was about. Is he to blame for everyone being so lax about their own security in the computer world?
    On top of that, I've seen entire mail networks brought down by one lone dumbass who hits reply all to a system e-mail that causes a crazy loop drawing in other dumbasses telling her to shut up and before long servers are crashing all over the network (MS-Mail 3.2 BTW).
    Freedom of information. He has every right to write a macro virus if he wants to. Who can prove that he did or didn't spread his melissa ho all over the internet? I look forward to seeing how this plays out in front of a jury. The poor sots are going to be confused to hell by the end, and probably turn into disgruntled cyber-terrorists.

    --
    Madhatter --It's no wonderland out there.