Will Real Mr. Belsie Please Stand Up?
PITTSBURGH — Until now, I've kept my nose clean. But when staffers on Capitol Hill opened their electronic mailboxes last week, they got this threat: "All files on the House's computers will be deleted by our gang of cypherpunks dedicated to the eradication of your systems."
Apparently, it came from me. In the new vocabulary of our electronic age, I was "spoofed" - electronically impersonated. Someone sent the threat and, using my electronic-mail address, made it look as though the message came from me. And others.
In what appears to be the largest mass spoofing to date, one or more hackers have impersonated several people this month, including at least one other journalist (at the San Jose Mercury News), to threaten Congress. The messages themselves did no apparent damage beyond annoying congressional staffers, who had to clean out their electronic mailboxes. As best as I can tell, they got 74 messages from me (whoever "me" is).
So far, no one has flashed a badge at my door. But the FBI is looking into the matter. "It's an ongoing investigation," says Jim Margolin, special agent with the bureau's computer crime squad in New York, one of three in the nation. He declined to say whether the squad has any leads.
E-mail impersonation is part of a much larger Internet phenomenon. As people increasingly hook up to the global network, many of them are tempted to exploit the system's anonymity. They pose as other people - which is often harmless, sometimes dangerous.
"The ability to pretend to be someone else, to pretend to be someone you're not, is one of the major appeals on the Internet," says Michael Mauldin, chief scientist for Lycos Inc., a well-known Internet-search company based in Marlboro, Mass. But "it also means that you've opened the door for outright dishonesty."
MOST on-line impersonation appears to be of the first type, more banal than threatening. Mr. Mauldin used to run a kind of Internet conversation group where members, mostly male, would pretend to be female to liven up the chat.
Other impersonations fall into a gray area. To keep tabs on an Internet businessman - someone toward whom she had romantic intentions - one woman posed as a male computer columnist and sent the man one to two e-mail messages a week for three months. From his responses, she found out the man was engaged and was eventually invited to his wedding. (She didn't go.)
"Ethically, some people might have trouble with it," says the author and former part-time lecturer at Northeastern University's journalism school in Boston. But "I don't feel I did anything.... It was a way of snooping."
Occasionally, on-line impersonation takes a more sinister twist. Last year, two Secret Service agents showed up at Pittsburgh-based EnviroLink Network with a copy of an e-mail. It was a death threat to President Clinton, apparently from a user of one of the network's thousands of users. As it turned out, the user had been spoofed.
"I knew it had happened before then with other people," says Josh Knauer, executive director of the on-line environmental network. "But to have it be that close to us and actually have to be staring down a Secret Service person to discuss the issue is a little bit disconcerting." He and other EnviroLink staffers have also received forged death threats aimed at themselves.
In theory, committing such acts in cyberspace is just as illegal as sending a threat via the United States mail. In practice, such cases are often hard to prove because the evidence is in electronic form, says Keith Epstein, senior counsel with Pacific Bell Internet Services, the on-line arm of the regional Bell telephone company. "The difficulty is tying it to individuals."
In 1995, a doctoral student at the California Institute of Technology spent six months in jail and was expelled for stalking a young woman, which included sending her e-mail. Eventually, a California court acquitted him. He claimed some messages had been forged, others doctored.
Spoofing is not limited to e-mail. In December, the head of a programming security team at Princeton University revealed that sites on the popular part of the Internet called the World Wide Web could also be spoofed. The technique allows hackers to disguise an Internet-connected computer so that it stands between an unsuspecting user and the rest of the web. Once in place, it could steal credit-card numbers and alter any data going to or from that user over the Internet.
An even bigger threat is Internet Protocol spoofing, which uses forged e-mail to attack a computer on the Internet. Last fall, hackers launched a widespread attack that flooded several computers with e-mail, bringing them down and knocking offline an Internet service company.
The effects were short-lived, says Lawrence Rogers, who heads the vulnerability unit at the Computer Emergency Response Team, part of a federally funded institute in Pittsburgh. "But the potential exists for lots of sites to be taken out."
Internet companies are trying to fix the holes that hackers exploit. But it is a big job. The Internet was designed for the academic and scientific community, where there were far fewer users and a much higher level of trust.
Now that the Internet has gone mainstream, the technology is changing. For example, the Internet community is moving to a new set of protocols - called Version 6 - that would make it much harder for users to hide their identities. But rolling out this technology could take two or even five years.