GPSolo Magazine - June 2005
Security on the Internet, Then and Now
Back in the days before the Internet, “security” meant entering a password on your computer when you turned it on. Ah, what innocent times!
Computer viruses became an issue only when people began sharing files and using modems. In 1981 “Elk Clone” became the first widespread computer virus, reputedly spread from Texas A&M University. The term “computer virus” didn’t enter our lexicon until 1984, when introduced by an anti-virus software developer named Fred Cohen.
In our innocence, we protected ourselves by not using floppy disks without first scanning them for viruses. After all, viruses could only enter our system on infected floppies, right? Well, Ward Christensen and Randy Suess had already introduced the first computerized bulletin board system (BBS) in 1978, and with it the era of file sharing was begun. Eventually, bulletin boards became ubiquitous (I even ran one for a couple of years), and viruses had another way to infect our computers.
The Morris worm, a self-replicating UNIX-based program, was released by Cornell graduate student Robert Morris Jr. and brought about 10 percent of the computers on ARPANET (the precursor to the Internet) to their knees in 1988.
New threats materialized as hackers began using war dialers, computer programs that would dial every number in an interchange sequentially to determine if a modem was at the other end. Run it overnight and next morning the hacker had a list of modem phone numbers—which he or she could use to try to hack into the attached computer.
Literally and suddenly, the Internet changed everything. In 1993 the CERN research center in Geneva, Switzerland, introduced the first web browser, MOSAIC. The Internet now had a graphical interface just like Microsoft Windows. It was not just for geeks anymore. In June 1993 there were 130 websites worldwide. Today, it is estimated that there are more than 60 million.
Soon computer viruses were spreading through the Internet. Vulnerabilities in the Windows operating system (then and today) became apparent. Denial of service attacks brought down major Internet operations by using computers to log thousands of “users” into a website at the same time—all done automatically, sometimes through computers hijacked with a virus or worm. Antivirus programs became ubiquitous, and we all began to use words like “firewall” and “IP address” as though we understood the underlying concepts. In 1992 the number of computer-reported hacking incidents, viruses, and worm infections was relatively tiny. By 2002 it was in the hundreds of millions. New computer viruses had become front-page news.
In 1993 a Russian hacker group committed bank robbery over a network. In 1994 federal authorities captured Kevin Mitnick, the era’s most notorious computer hacker. He was charged with obtaining unauthorized access to computers belonging to numerous computer software and computer operating systems manufacturers, cellular telephone manufacturers, Internet service providers, and educational institutions, and stealing, copying, and misappropriating proprietary computer software. Mitnick was also in possession of 20,000 credit card numbers at the time of his arrest.
To our everlasting shame as lawyers, in 1994 one of the first “spam” messages was posted to newsgroups by two attorneys, Laurence Canter and Martha Siegel, offering their services in an upcoming U.S. “green card” lottery. A new industry (and annoyance) was born.
In 1997 Ian Goldberg, a University of California-Berkeley graduate student, took up a challenge by RSA Data Security, Inc., to crack its 40-bit encryption algorithm, then considered unbreakable. He did it in three and one-half hours. The message encrypted by RSA was, “This is why you should use a longer key.” Goldberg then successfully took up a challenge to break a 56-bit DES encryption algorithm (then the government standard). Today, folks routinely use 128-bit keys. And worry.
Soon we discovered that it wasn’t only computer programs (so-called executable files) that could contain viruses. The macro language in word processors such as Microsoft Word and WordPerfect were found to be vulnerable. One could merely open a document file and a malicious macro would wreak havoc. Vulnerabilities appeared not only in operating systems but also web browsers. Hackers could hide a program on your computer to do all kinds of nefarious things, including watching what you were doing; if your activities were of interest (e.g., entering a credit card number, a password, or the like), the program would report back to the hacker unbeknownst to you.
It got worse. Advertisers discovered the value of desktop space on your computer and found ways to put banner ads on your browser. Then they added so-called pop-ups that would mysteriously appear as a window on your computer monitor, often advertising the most embarrassing of services. To make matters worse, advertisers discovered that if they offered free software that did something useful, they could include “spyware” to track your shopping habits and report back to the vendor—who now had your name and e-mail address for a spam mailing list tailored to your interests. Less honest persons could do truly bad things with spyware, and the identity theft industry was born. Thus, too, was born a new software industry to prevent, discover, and remove adware and spyware.
With the Internet so intertwined with our law practices, computer security is not just a recommendation for attorneys; it’s an ethical requirement. Most of us now connect to the web via a high-speed cable or DSL hookup—always on, always available, and always potentially vulnerable. Antivirus software is essential, and it must be updated frequently. Firewalls, which limit the availability of connections to a computer on the Internet, are also a must.Today, security on the Internet is certainly not taken for granted. It requires diligence and attention, as well as a certain amount of technical capability. The threats are there—and as ingenious as only a worldwide community of miscreants could create.
Daniel S. Coolidge, a recovering large-firm lawyer, is now a patent attorney with Coolidge & Graves, PLLC, in Keene, New Hampshire. He can be reached at firstname.lastname@example.org.