Notes: Chapter 3

1. Bob Sullivan, Remembering the Net Crash of ’88, MSNBC.com, Nov. 1, 1998, reprinted in ZDNet.com, http://news.zdnet.com/2100-9595_22-512570.html (last visited July 12, 2007).

2. See Joyce K. Reynolds, RFC 1135: The Helminthiasis of the Internet (Dec. 1989), http://www.ietf.org/rfcs/rfc1135; see also Internet Sys. Consortium, ISC Domain Survey: Number of Internet Hosts, http://www.isc.org/index.pl?/ops/ds/host-count-history.php (last visited June 1, 2007) (cataloguing the number of Internet hosts from 1981 to present).

3. U.S. Gen. Accounting Office, GAO/IMTEC-89-57, Virus Highlights Need for Improved Internet Management (1989) [hereinafter GAO Report], available at www.gao.gov/cgi-bin/getrpt?IMTEC-89-57; see generally Mark W. Eichin & John A. Rochlis, With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988 (1989) (paper presented at the IEEE Symposium on Security and Privacy) (providing a detailed analysis of the Morris worm and describing lessons learned by the Internet community in the immediate aftermath of the worm).

4. Sullivan, supra note 1.

5. Reynolds, supra note 2, § 1.1. For more on how worms behave, see generally Eugene H. Spafford, Crisis and Aftermath, 32 Comm. of the ACM 678 (1989), available at http://portal.acm.org/citation.cfm?id=63526.63527.

6. Reynolds, supra note 2, § 1.1.

7. Eugene H. Spafford, Purdue Tech. Rep. CSD-TR-933, The Internet Worm Incident (1991), available at http://homes.cerias.purdue.edu/~spaf/tech-reps/933.pdf; Eugene H. Spafford, Purdue Tech. Rep. CSD-TR-823, The Internet Worm Program (1988), available at http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf.

8. Reynolds, supra note 2, § 1.2.

9. Id.

10. See Sullivan, supra note 1; see also Spafford, The Internet Worm Incident, supra note 7, § 3.3.

11. Sullivan, supra note 1; see, e.g., James Bone, Computer Virus at Pentagon, The Times (London), Nov. 5, 1989; Philip J. Hilts, ‘Virus’ Hits Vast Computer Network; Thousands of Terminals Shut Down to Halt Malicious Program, Wash. Post, Nov. 4, 1988, at A1; Tom Hundley, Computer Virus Attack Called More Persistent Than Brilliant, Chi. Trib., Nov. 7, 1988, at C4; John Markoff, Author of Computer ‘Virus’ is Son of N.S.A. Expert on Data Security, N.Y. Times, Nov. 5, 1988, § 1, at 1.

12. Ted Eisenberg et al., The Cornell Commission: On Morris and the Worm, 32 Comm. of the ACM 706, 707 (1989), available at http://portal.acm.org/citation.cfm?id=63526.63530 (publishing findings and dispelling myths about Morris and the worm).

13. GAO Report, supra note 3. The GAO used the occasion to make its report the first distributed over the Internet as well as on paper. The Internet was far smaller then: the GAO placed a quaint request on the report’s cover page asking those who downloaded it to personally e-mail the author so he could manually tally the number of online readers.

14. Though there was initial discussion of legislation after the Morris incident, no federal legislation was passed. The Computer Abuse Amendments Act of 1994 was Congress’s attempt to close loopholes identified in United States v. Morris. See Computer Abuse Amendments Act of 1994, Pub. L. No. 103-322, § 290001, 108 Stat. 1796 (1994); United States v. Morris, 928 F.2d 504, 506 (2d Cir. 1991); Michael W. Carroll & Robert Schrader, Computer-Related Crimes, 32 Am. Crim. L. Rev. 183, 196–97 (1995); John K. Markey & James F. Boyle, New Crimes of the Information Age, 43 Boston B.J. 10, 23 (1999). The Morris case remains a favorite example of those calling for more regulation of cyber and computer crimes. See, e.g., Michael Lee et al., Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L.J. 839, 872–73 (1999) (calling the expansion of the Computer Fraud and Abuse Act flawed); Joseph M. Olivenbaum, <ctrl><alt><del>: Rethinking Federal Computer Crime Legislation, 27 Seton Hall L. Rev. 574, 624–26 (1997).

15. GAO Report, supra note 3.

16. Id. § 3.1.

17. Spafford, supra note 5, at 685; see U.S. Department of Homeland Security Announces Partnership with Carnegie Mellon (Sept. 15, 2003), http://www.cert.org/about/USCERT.html.

18. Eisenberg, supra note 12, at 709.

19. Id. at 709.

20. Id.

21. Id.

22. See U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991); Mathew Cain, Morris Avoids Prison for Internet Worm, MIS Week, May 7, 1990, at 1; see generally Susan M. Mello, Comment, Administering the Antidote to Computer Viruses: A Comment on United States v. Morris, 19 Rutgers Computer & Tech. L.J. 259 (1993).

23. Press Release, Yahoo! Media Relations, Yahoo! To Acquire Viaweb, June 8, 1988, http://docs.yahoo.com/docs/pr/release184.html.

24. See Robert Morris, Personal Web site, http://pdos.csail.mit.edu/~rtm/.

25. See Reynolds, supra note 2. Helminthiasis is an infestation of parasitic worms in the body. See Wikipedia, Helminthiasis, http://en.wikipedia.org/wiki/Helminthiasis (as of June 1, 2007, 08:00 GMT).

26. Reynolds, supra note 2, §§ 1.3–1.4.

27. Id. § 1.4.

28. Ron Rosenbaum, Secrets of the Little Blue Box, Esquire, Oct. 1971, at 119. For accounts from an individual claiming to be an original “phone phreaker,” see James Daly, John Draper, Forbes, June 3, 1996, at 138; John T. Draper, Cap’n Crunch in Cyberspace, http://www.webcrunchers.com/crunch/story.html (last visited June 1, 2007) (John T. Draper is also known as Cap’n Crunch).

29. Rosenbaum, supra note 28, at 120.

30. Id.

31. Amy Harmon, Defining the Ethics of Hacking, L.A. Times, Aug. 12, 1994, at A1.

32. Wikipedia, Signaling System #7, http://en.wikipedia.org/wiki/Signaling_System_7 (as of Aug. 15, 2007, 15:00 GMT).

33. Harmon, supra note 31.

34. Id.

35. Sullivan, supra note 1.

36. Spafford, supra note 5, at 678–81.

37. Id. at 680.

38. Id.

39. Matt Blaze, Cryptography Policy and the Information Economy, WindowSecurity.com, Apr. 5, 2000, available at http://windowsecurity.com/whitepapers/cryptography_Policy_and_the_Information_Economy.html.

40. Increases in computer crime have received attention from the hacker community. See Harmon, supra note 31; see also Pekka Himanen & Linus Torvalds, The Hacker Ethic (2001); Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic Frontier (2002), available at http://www.mit.edu/hacker/hacker.html; cf. Note, Immunizing the Internet, Or: How I Learned to Stop Worrying and Love the Worm, 119 Harv. L. Rev. 2442 (2006) (introducing the idea of “beneficial cybercrime,” which values system attacks for their tendency to draw attention to vulnerabilities in computer networks).

41. Eisenberg, supra note 12.

42. Reuters News Agency, Latest MyDoom Outbreak Spreads, Toronto Star, Feb. 26, 2004, at D5; Wikipedia, Mydoom (Computer Worm), http://en.wikipedia.org/wiki/Mydoom (as of June 1, 2007, 10:00 GMT); see also U.S. v. Morris, 928 F.2d 504, 506 (2d Cir. 1991) (quantifying the damage caused by the Morris worm by measuring the “estimated cost of dealing with the worm at each installation”).

43. Wikipedia, ILOVEYOU, http://en.wikipedia.org/wiki/VBS/Loveletter (as of Apr. 6, 2007, 10:00 GMT); see also D. Ian Hopper, ‘ILOVEYOU’ Computer Bug Bites Hard, Spreads Fast, CNN.com, May 4, 2000, http://archives.cnn.com/2000/TECH/computing/05/04/iloveyou.01/ (“Files associated with Web development, including ‘.js’ and ‘.css’ files, will be overwritten . . . . The original file is deleted. [The virus] also goes after multimedia files, affecting JPEGs and MP3s. Again, it deletes the original file and overwrites it . . . .”).

44. See Wikipedia, supra note 43.

45. Robert Lemos, Michelangelo Virus—Is It Overhyped or a Real Threat?, ZDNet News, Mar. 5, 1998, http://news.zdnet.com/2100-9595_22-508039.html. Amazingly, a few copies of the 1992 virus were still circulating in 1998.

46. See, e.g., Paul W. Ewald, Guarding Against the Most Dangerous Emerging Pathogens: Insights from Evolutionary Biology, 2 Emerging Infectious Diseases, 245, 246 (Oct.–Dec. 1996) (“Like the traditional view of host/parasite coevolution, the modern view identifies host illness as a potential liability for the pathogen. When pathogens rely on the mobility of their current host to reach susceptible hosts, the illness caused by intense exploitation typically reduces the potential for transmission.”).

47. See generally Randolph Court & Robert D. Atkinson, Progressive Pol’y Inst., How to Can Spam: Legislative Solutions to the Problem of Unsolicited Commercial E-mail (Nov. 1, 1999), http://www.ppionline.org/ndol/print.cfm?contentid=1349.

48. See, e.g., Jeff Ferrell, Crimes of Style: Urban Graffiti and the Politics of Criminality (2005). Graffiti has been described as an example of artistic rather than financial entrepreneurship.

49. John Horrigan, Broadband Penetration on the Upswing: 55% of Adult Internet Users Have Broadband at Home or Work (Apr. 19, 2004), available at http://www.pewinternet.org/PPF/r/121/report_display.asp.

50. The respective numbers are 42 percent for broadband and 22 percent for dial-up. See John B. Horrigan, Home Broadband Adoption 2006, at 1, 9 (2006), http://www.pewinternet.org/pdfs/PIP_Broadband_trends2006.pdf. Over the past year, there has been an almost 40 percent increase in the number of broadband lines worldwide. See Vince Chook, World Broadband Statistics: Q2 2006, at i–ii, 2 (2006), http://www.point-topic.com/content/dslanalysis/World+Broadband+Statistics+Q2+2006.pdf.

51. America Online & Nat’l Cyber Security Alliance, AOL/NCSA Online Safety Study 2 (Dec. 2005), http://www.staysafeonline.org/pdf/safety_study_2005.pdf.

52. See, e.g., Jeremy Reimer, Security Researchers Uncover Massive Attack on Italian Web Sites, Ars Technica, June 18, 2007, http://arstechnica.com/news.ars/post/20070618-security-researchers-uncover-massive-attack-on-italian-web-sites.html (reporting on the compromise of Italian Web sites by malicious IFRAME code, made available for a fee by Russian crime organizations).

53. Tim Weber, Criminals ‘May Overwhelm the Web,’ BBC News, Jan. 25, 2007, http://news.bbc.co.uk/2/hi/business/6298641.stm.

54. Id.

55. Anestis Karasaridis et al., Wide-scale Botnet Detection and Characterization (2007), www.usenix.org/events/hotbots07/tech/full_papers/karasaridis/karasaridis.pdf. Existing studies attempting to identify compromised computers are hard-pressed to keep up. Operation Bot Roast, headed by the FBI, has uncovered only a comparatively tiny one million botnet computers in the United States. See FBI Tries to Fight Zombie Hordes, BBC News, June 14, 2007, http://news.bbc.co.uk/2/hi/technology/6752853.stm.

56. Posting of Bob Sullivan to The Red Tape Chronicles, Is Your Computer a Criminal?, http://redtape.msnbc.com/2007/03/bots_story.html (Mar. 27, 2007, 10:00 GMT).

57. Luke Dudney, Internet Service Providers: The Little Mans Firewall (2003), http://www.sans.org/reading_room/whitepapers/casestudies/1340.php.

58. Id. at 5.

59. According to IronPort, over 80 percent of the world’s spam is currently sent by zombie computers. See Press Release, IronPort, Spammers Continue Innovation (June 28, 2006), http://www.ironport.com/company/ironport_pr_2006-06-28.html.

60. Symantec’s Top Threats, in Symantec Home and Office Security Report 4 (2006), http://www.symantec.com/content/en/us/home_homeoffice/media/pdf/SHHOS_Dec06_NL_Final.pdf.

61. See Laura Frieder & Jonathan Zittrain, Spam Works: Evidence from Stock Touts and Corresponding Market Activity (Harv. Pub. L. Working Paper No. 135), available at http://ssrn.com/abstract=920553.

62. See Posting of Bob Sullivan to The Red Tape Chronicles, Virus Gang Warfare Spills onto the Net, http://redtape.msnbc.com/2007/04/virus_gang_warf.html (Apr. 3, 2007, 10:00 GMT).

63. Id.

64. See Deborah Radcliff, When World of Warcraft Spreads to Your World, ComputerWorld Security, Apr. 16, 2007, at http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016684 (detailing recent exploits of the MMOG World of Warcraft, and noting that users’ poor password practices—a study finds that 45 percent of respondents admitted to using one or very few passwords for multiple accounts—means one password stolen can allow access to multiple sites).

65. See Symantec Corp., W32.Sobig.F@mm, http://www.symantec.com/security_response/writeup.jsp?docid=2003-081909-2118-99 (last visited June 1, 2007) (providing a summary and removal details about the worm known as W32.Sobig.F@mm).

66. See John Leyden, US State Department Rooted by 0-day Word Attack, The Register, Apr. 19, 2007, http://www.theregister.co.uk/2007/04/19/us_state_dept_rooted/.

67. See Karasaridis, supra note 55.

68. See Sullivan, supra note 56.

69. Id.

70. CERT has also noted another threat, evidenced by the exploding number of incidents of application attacks as Web sites increasingly link Web pages to company databases. See Bee Ware, The Risk of Application Attacks Securing Web Applications (Jan. 7, 2005), http://www.securitydocs.com/library/2839.

71. IBM Internet Security Systems, IBM Internet Security Systems X-Force 2006 Trend Statistics 4 (2007), http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf.

72. Id. at 7–8.

73. Internet Sys. Consortium, supra note 2.

74. Thomas M. Lenard & Daniel B. Britton, The Digital Economy Fact Book 38 (8th ed. 2006), available at http://www.pff.org/issues-pubs/books/factbook_2006.pdf.

75. Id. at 8, 18.

76. Id. at 9.

77. Id. at 35–40.

78. See, e.g., Common Malware Enumeration: Reducing Public Confusion During Malware Outbreaks, http://cme.mitre.org/ (last visited June 1, 2007).

79. Bill Gertz & Rowan Scarborough, Inside the Ring—Notes from the Pentagon, Wash. Times, Jan. 5, 2007, at A5, available at http://www.gertzfile.com/gertzfile/ring011207.html.

80. Ryan Naraine, Microsoft Says Recovery from Malware Becoming Impossible, eWeek.com, Apr. 4, 2006, http://www.eweek.com/article2/0,1895,1945808,00.asp.

81. Edu. Tech. Program, Coastal Carolina Univ., Accessing the Internet, http://www.coastal.edu/education/ti/internetaccess.html (last visited Apr. 6, 2007); John B. Horrigan & Lee Rainie, The Broadband Difference: How Online Americans’ Behavior Changes with High-Speed Internet Connections at Home (June 23, 2002), available at http://www.pewinternet.org/PPF/r/63/report_display.asp.

82. The first academic application of the term “virus” to computer software has been attributed to Leonard Adleman, a professor of computer science and molecular biology at the University of Southern California. See Wikipedia, Computer Virus, http://en.wikipedia.org/wiki/Computer_virus#Etymology (as of June 1, 2007, 10:05 GMT); see also Fred Cohen, Computer Viruses: Theory and Experiments, 6 Computers & Security 22 (1987) (presenting research on the potential harm computer virus could cause and potential defenses).

83. Cf. WebMD, What We Know About the Flu Virus, http://www.webmd.com/cold-andflu/flu-guide/how-do-flu-viruses-work (last visited June 1, 2007).

84. See Paul Ohm, The Myth of the Superuser, 41 U. C. Davis L. Rev. (forthcoming 2008).

85. Susannah Fox et al., The Future of the Internet: In a Survey, Technology Experts and Scholars Evaluate Where the Network Is Headed in the Next Few Years, at i (Jan. 9, 2005), available at http://www.pewinternet.org/PPF/r/145/report_display.asp.

86. See Scott Berinato, The Future of Security, ComputerWorld, Dec. 30, 2003, http://www.computerworld.com/printthis/2003/0,4814,88646,00.html (attributing the first use of “digital Pearl Harbor” to D. James Bidzos in 1991, later taken up by U.S. cybersecurity czar Richard Clarke); see also David Farber, Balancing Security and Liberty, 5 IEEE Internet Computing 96 (2001) (discussing the possibility of a terrorist attack over the Internet in tandem with conventional terrorist attacks).

87. Mike Reiter & Pankaj Rohatgi, Homeland Security, 8 IEEE Internet Computing 16 (2004), available at http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/ic/&toc=comp/mags/ic/2004/06/w6toc.xml&DOI=10.1109/MIC.2004.62; see also Drew Clark, Computer Security Officials Discount Chances of ‘Digital Pearl Harbor,’ Nat’l J. Tech. Daily, June 3, 2003, available at www.govexec.com/dailyfed/0603/060303td2.htm (reporting on experts’ discounting of Internet viruses as a mode of terrorism, while acknowledging some of the risks of more run-of-the-mill security compromises).

88. E-mail from Christina Olson, Project Manager, StopBadware.org, to Jonathan Zittrain (Mar. 16, 2007, 22:12:20 EDT) (on file with the author, who is a principal investigator of the StopBadware project).

89. Niels Provos et al., The Ghost in the Browser (2007), http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf.

90. The sheer magnitude of phishing activities suggests it is effective at seizing sensitive information. As one study monitoring a widely used antispam system reported, “In 2006 Symantec’s Brightmail system blocked 2,848,531,611 phishing emails. Of these, 323,725 were unique phishing messages. On average, therefore, in 2006 there were 7.8 million blocked phishing attempts and 887 unique phishing messages each day.” Zulfikar Ramzan & Candid Wüest, Phishing Attacks: Analyzing Trends in 2006 (2007), www.ceas.cc/2007/papers/paper-34.pdf (emphasis added).

91. Some early versions of two-factor authentication, such as identifying a preselected picture on a bank’s Web site customized to the customer, are in fact not very secure. See Jim Youll, Why SiteKey Can’t Save You (Aug. 24, 2006), http://www.cr-labs.com/publications/WhySiteKey-20060824.pdf. More promising versions require new hardware such as USB dongles or biometric readers on PCs—a fingerprint or retina scanner that can be used in addition to a password to authenticate oneself to a bank. It remains difficult to unambiguously authenticate the bank to the user.

92. StopBadware.org, Report on Jessica Simpson Screensaver, http://www.stopbadware.org/reports/reportdisplay?reportname=jessica (last visited June 1, 2007).

93. StopBadware.org, Report on FunCade, http://www.stopbadware.org/reports/reportdisplay?reportname=funcade (last visited June 1, 2007). For many programs, including FunCade and KaZaA, uninstalling the main program does not uninstall all the undesirable software originally installed along with it. Users must be knowledgeable enough to identify and remove the software manually.

94. See IntelliAdmin, Security Flaw in RealVNC 4.1.1 (last updated June 2006), http://www.intelliadmin.com/blog/2006/05/security-flaw-in-realvnc-411.html.

95. See Willie Sutton & Edward Linn, Where the Money Was: The Memoirs of a Bank Robber (1976).

96. Microsoft TechNet, 10 Immutable Laws of Security, http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true (last visited June 1, 2007).

97. Id.

98. Id.

99. Cf. Madeline Drexler, Secret Agents: The Menace of Emerging Infections (2002). For an excerpt, see http://www.pbs.org/wgbh/pages/frontline/shows/meat/safe/o157.html.

100. Id.

101. Philippe Biondi and Fabrice Desclaux were the two scientists. See Black Hat Europe 2006 Topics and Speakers, http://www.blackhat.com/html/bh-europe-06/bh-eu-06-speakers.html#Biondi (last visited June 1, 2007).

102. Philippe Biondi & Fabrice Desclaux, Presentation at Black Hat Europe: Silver Needle in the Skype 95 (Mar. 2–3, 2006). For slides, see http://blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf.

103. See Microsoft Xbox, http://www.microsoft.com/xbox/ (last visited June 1, 2007).

104. See Tim Hartford, Xbox Economics, Part 2, Slate, Dec. 21, 2005, http://www.slate.com/id/2132988/.

105. Microsoft was found to have abused its Windows monopoly for far less restrictive behavior that gave its own application writers an advantage against independent software producers. See United States v. Microsoft Corp., 97 F. Supp. 2d 59 (D.D.C. 2000) (order); United States v. Microsoft Corp., 87 F. Supp. 2d 30 (D.D.C. 2000) (conclusions of law); United States v. Microsoft Corp., 84 F. Supp. 2d 9 (D.D.C. 2000) (findings of fact); Commission Decision in Case COMP/C-3.

106. Tim Wu, Wireless Carterfone, 1 Int’l J. Comm. 389, 404–415 (2007), available at http://ijoc.org/ojs/index.php/ijoc/article/view/152/96.

107. See AMD, Telmex: Internet Box, http://www.amd.com/us-en/ConnectivitySolutions/ProductInformation/0,,50_2330_12264_14265,00.html (last visited June 1, 2007).

108. See MythTV, http://www.mythtv.org.

109. See, e.g., Microsoft TechNet, Troubleshooting Windows Firewall Problems (last updated Mar. 28, 2005), http://technet2.microsoft.com/windowsserver/en/library/e5e9d65e-a4ff-405c-9a1d-a1135523e91c1033.mspx?mfr=true (offering advice to users encountering problems running software because of their firewalls); Victor Paulsamy & Samir Chatterjee, Network Convergence and the NAT/Firewall Problems, Proceedings of the 36th Hawaii International Conference on System Sciences (Jan. 2003), at http://doi.ieeecomputersociety.org/10.1109/HICSS.2003.1174338 (analyzing solutions to problems caused by firewalls in the deployment of VOIP software).

110. Reynolds, supra note 2.

111. U.S. GAO, supra note 3; see also Patricia Wallace, The Internet in the Workplace 33 (2004).