A Class on the Net for Librarians with Little or No Net Experience

LESSON 21: SPAMMING AND INTERNET SECURITY

"I am continually fascinated at the difficulty intelligent people have in distinguishing what is controversial from what is merely offensive."

-- Nora Ephron, _Esquire_, 1976


SPAMMING

"Spamming." We know it's a *bad* word on the Internet, but what does it mean?

Actually, the term derives from a Monty Python sketch, set in a restaurant, where everything is served up with spam, whether the diners want it or not -- "egg and spam; bacon and spam; egg, bacon, sausage and spam ..." -- you get the idea.

In cyberspace, spamming means spewing out the same uninvited message to a multitude of listserv lists and USENET newsgroups. What makes spamming even more detestable is that the message is usually completely irrelevant to the on-going discussions and is very often some unwanted piece of communication, such as a chain letter, or a wild-eyed pronouncement from the fringe or, most often, a commercial pitch to sell some product or service.


Commercial use, or exploitation, of the Net has always been discouraged, especially when it shows up in the wrong places. It is not that net-users dislike commerce so much as they detest unsolicited advertising. Experienced net-veterans are quick to point out that there's lots of advertising going on in cyberspace, and most of it is considered quite proper.

This is the advertising that appears in newsgroups on USENET that are clearly labeled as commercial sites, showing extensions like .biz, .forsale, .wanted, .classifieds. When users access these sites, they know just what to expect. Similarly, many companies maintain their own home pages on the World Wide Web where people go to learn about new products and applications. Net-users usually do not raise objections to representatives of commercial interests answering questions about hardware and software applications and technologies as long as their answers are posted as information and not as advertising copy.


Spamming, however, isn't like that. It is more akin to some uninvited stranger showing up unannounced at your dinner table. You don't want him there but he has already taken a seat, and what are you going to do? Of course it costs you extra to feed him, just as it costs USENET news and listserv system administrators extra to store unwanted advertisements on their disk space. And then, you have to put up with this guy during the meal, whether you like him or not. It's enough to ruin your appetite and spoil your disposition!

One of the most highly publicized spams occurred in the spring of 1994, when a husband and wife law firm decided to advertise their services on the Net, spamming their message to thousands of newsgroups and listservs. The reaction was immediate and intense. The offending lawyers were inundated, in return, with thousands of mail-bombs (pieces of junk email); their computer system crashed; their mail was forwarded to strange places; and they were signed up for unwanted memberships and magazine subscriptions, to name only a few of the retaliatory measures. (Note: Unrepentant to the end, they have published a book about their experience entitled _How to Make a Fortune on the Information Superhighway_ by Laurence Canter & Martha Siegel.)


Spamming isn't the only irritating communication on the Net. Recently, Dan Lester warned of a new type of "blitzkrieg marketing" in which enterprising entrepreneurs write programs that "vacuum, suck or hoover" names from discussion group subscriber lists and postings to newsgroups. Says Lester, "If you ever post to a list or newsgroup you can be pretty sure that various databases now contain your email address and name at a minimum. You may receive unsolicited email as a result."

Then, there's the perennial "make money fast" message. According to the _EFF's Guide to the Internet_, "It's your basic chain letter. The USENET version is always about some guy named Dave Rhodes who was on the verge of death, or something, when he discovered a perfectly legal way to make tons of money -- by posting a chain letter on computer systems around the world. Yeah, right."

Finally, there's the "urban legend" message, which often involves a virus. Not long ago, one came to my mailbox, via a cross-post on a listserv to which I subscribe. It warned of the deadly "Good Times" virus that could be contracted simply by reading an email message. I was told that if I received email with the words "good times" anywhere in the subject line, I was not to read it or download it because it was a virus that would erase my hard drive. Fortunately, this wasn't a deadly virus; it was more like a snake-oil salesman's hokey hoax.

Probably the most famous urban legend, and one that simply refuses to die, is the story of Craig Shergold. This is, BTW, a true story and it has been told by Patrick Crispen in his "Roadmaps" workshop. Craig Shergold was a seven-year-old boy who was diagnosed with a seemingly incurable brain tumor. As he lay in bed, he asked only that friends send him postcards. The local newspapers picked up the story and Craig began to receive postcards. Soon, his wish changed and he wanted to get into the _Guinness Book of World Records_ for the largest postcard collection in the world. Word spread and the postcards began coming in -- by the millions! Miraculously, Craig lived, and he did indeed make the _Guinness Book of World Records_. However, the postcards -- like the brooms lugging buckets of water in Disney's _Sorcerer's Apprentice_ -- kept right on coming and Craig's dream turned into a nightmare. The post office in the small town outside London where he lives (he's an adult now) continues to be inundated with millions of cards every year. Just when the flow seems to be slacking off, someone resurrects the story, and it starts all over again.

Witness the email message posted to a library LISTSERV on May 24, 1995: "The Children's Make-A-Wish Foundation is working to make the wish of Craig Sherford come true. Craig is seven years old and is suffering from terminal cancer. It is his wish to be included in the Guiness [sic] Book of World Records for the most business cards ever collected by one person. Craig would be most grateful if you could send one of your business cards to the following address ... Additionally, please forward this letter to least ten (10) individuals who will continue the process." And so it goes, on and on ...

In his home pages, "How to Defeat a Chain Letter" and "Forward Hysteria", Jed Hartman, of Silicon Graphics Developer Publications, has gathered together and posted some common sense observations. He suggests that before you forward anything to a large number of people, ask yourself these questions:

If the answer to either question is 'no', Hartman suggests you reconsider sending it out. However, he says, if you do decide to send it along, be sure to post an expiration date on it in a prominent place. Finally, he cautions, while most forwarded pieces are harmless (cookie recipes, lists of funny signs, etc.), some are copyrighted (such as Dave Barry columns) and might be illegal to forward.

INTERNET SECURITY

"Crackers" is another *bad* word on the Net. Crackers are people who want to break into your account and use it for purposes other than for what it was originally intended.

You wouldn't want somebody obtaining the number of your charge card or telephone calling card, and then using this number to order, reserve and even pay for items and services you didn't know anything about. Well, you don't want anyone misusing your Internet account either.

Your protection against crackers of all kinds is your password. Never give your password to anyone. Don't write it down and leave it lying around where someone could come by and copy it. Never let somebody look over your shoulder while you enter your password. (That's called "shoulder surfing" and it's the most common way that accounts are cracked.) Finally, never email your password to anyone.

Remember the sergeant's daily admonition to the cops on the beat in "Hill Street Blues" - "Be careful; it's a jungle out there!" Well, even though the Internet appears to be a pretty safe place, it can be a jungle, too.

When you use the telnet function, your password is sent over the Net in plain text. If you telnet frequently, be prepared to change your password often. Crackers have been known to hide out on Internet gateways with stealth-like programs that find and steal these passwords.

Don't use the same password for other systems or accounts and don't select a password that relates to you personally, especially your userid. The best passwords contain a mix of letters and numbers, preferably a mix you can remember. Change your password on a regular basis (some systems require you to do this), and if you notice strange things happening to your account, don't assume it's a technical problem with the system; change your password immediately and contact your system administrator.

Finally, speaking of system administrators, Jed Hartman cautions:

If someone sends you email (or calls you) saying 'I'm the system administrator; please change your password to <whatever>,' you should immediately contact your *real* sysadmin and tell them about it ... no real sysadmin would make such a request.

PASSWORD REALITY CHECK

That said, you may discover that the biggest problem you face is not having your password stolen, but being barred from logging on because you have forgotten the password yourself. Even "netvets" occasionally find themselves in this situation. Thomas Forbes, writing in a recent issue of _NetGuide_, says, "Don't go telling the guy who waxes the floors around here, but we've written our passwords down on those low-tech Rolodex cards, which are discreetly placed between the telephone numbers for the parking garage and the periodontist."

Forbes goes on to recommend that you ignore the cautious advice you're likely to receive about avoiding the use of obvious, easy-to-remember passwords like family nicknames and go right ahead and choose them because, he points out, "password coveting is not a Top Ten temptation -- and hackers have bigger ambitions than cracking your Prodigy account." However, Forbes does end on a sobering note: if asked for your password, always refuse. "Never give your password to anyone," he says. "Particularly your mother. No fooling."

How about a compromise: follow the security rules outlined above, but use the initials from an easy-to-remember phrase to make it memorable for you. For example, TEIHTSP: "To err is human, to spam porcine."

LET THE USER BEWARE!

Even given your best efforts, a secure password does not always safeguard your good name on the net. It is possible, indeed fairly easy, for persons to forge your email address into the header of outgoing mail to make it appear that you have sent the message. For example, many newsreaders and web browsers allow the user to plug in an outgoing address, which isn't verified against any system values: people can "assume" any email identity! While sysadmins can usually research any forgeries and identify them as such (by carefully analyzing the complete mail header), it is virtually impossible for them to identify who actually did send the faked mail.
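As an added example (not from the lesson), here is the kind of "careful analysis of the complete mail header" a sysadmin would do, written in Python: the From: line is whatever the sender typed, but each relay along the way prepends a Received: line that records where the message really entered the system. Both messages below are constructed for illustration.

```python
# Added example (not from the lesson): comparing the claimed From: domain
# with the host recorded in the oldest Received: line of a mail header.
import email
import email.utils

# Constructed sample: From: claims librarian@example.edu, but the oldest
# Received: line shows the message entered the system from an ISP dial-up.
FORGED = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
\tby lists.example.org with SMTP; Wed, 24 May 1995 10:02:11 -0400
Received: from dialup-17.isp.example.net ([198.51.100.17])
\tby mail.example.edu with SMTP; Wed, 24 May 1995 10:01:58 -0400
From: librarian@example.edu
Subject: constructed test message

Please confirm your account details by return mail.
"""

# Constructed sample: the same From: address, but the first hop is a
# workstation inside the claimed domain.
GENUINE = """\
Received: from pc12.library.example.edu ([192.0.2.55])
\tby mail.example.edu with SMTP; Wed, 24 May 1995 09:40:03 -0400
From: librarian@example.edu
Subject: constructed test message

New books have arrived.
"""

def received_hops(raw):
    """Received: lines, oldest first (each relay prepends its own line)."""
    return list(reversed(email.message_from_string(raw).get_all("Received", [])))

def originating_host(raw):
    """Host named in the oldest Received: line, as recorded by the first relay."""
    hops = received_hops(raw)
    words = hops[0].split() if hops else []
    return words[1] if len(words) > 1 and words[0].lower() == "from" else None

def from_domain(raw):
    """Domain part of the From: address; anything the sender typed goes here."""
    addr = email.utils.parseaddr(email.message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def forgery_indicators(raw):
    """Reasons to doubt the From: line. Only Received: lines added by relays
    you trust are reliable; a forger can fabricate earlier ones."""
    host, domain = originating_host(raw), from_domain(raw)
    if host is None:
        return ["no Received: trail to check"]
    host = host.lower()
    if host != domain and not host.endswith("." + domain):
        return [f"first hop {host} lies outside the claimed domain {domain}"]
    return []
```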

On an even simpler level, since most email packages don't "freeze" the contents of messages you send, it is very easy for the recipient to forward a message along to someone else, changing or completely replacing the text of the original message! The original headers will still be intact, and there are no tell-tale signs to indicate tampering in the message being forwarded -- no erasures, no white-out, no other clues!

There are also "anonymous remailers" accessible on the net which purposely allow people to send out email while masking their identity. Everybody needs privacy sometimes, right? Well, that is what the purveyors of these services contend. While the intent may be to provide privacy for folks who legitimately need to conceal their identity (for example, when submitting survey responses), you can imagine the opportunities provided for horseplay and worse... And threatening mail sent via an anonymous remailer makes it impossible for sysadmins to track down the guilty party.

Given the security breaches still posed by electronic mail (the oldest tool on the net), we can't reasonably expect any more reliable security in newer Web-based applications. Besides your good name, given the thousands of point-of-sale sites on the Web, lots of parties are in a position to filch your purse as well! Encryption, signature, and security procedures for the Net are a work in progress (check out the Yahoo Security and Encryption pages for a notion of what's in the works). While Netscape and some other browsers attempt to provide security and encryption for transfers of credit card numbers and other sensitive data, no guarantees are possible (don't obsess though: do you give your credit card info over the phone? -- no guarantees there, either!).

What to do? If you suspect foul play, ALWAYS hang on to offending email messages and report them IMMEDIATELY to your system administrator. He or she may just have the savvy (with some assistant sleuthing on your part) and the clout to track down the offender. And, if you're considering making purchases over the net, you first might want to check out the legitimacy of a company. The Better Business Bureau now provides BBBOnLine (http://www.bbbonline.org/) as a stamp of approval for online company services. Other organizations are working to establish services providing accreditation, security audits, and privacy standards for online businesses (see the eTrust homepage: http://www.etrust.org/).

It isn't a perfect world, so you can't expect a perfect "virtual world". You can be expected, however, to be alert to the possibilities open to the devious few. For now, being an informed Net user is your best bet against abuses: let the user beware!


YOUR ASSIGNMENT:

Find out how to change your password whenever you want to, think of a new password, and change it today.

ELECTRONIC WEB RESOURCES

If you have Web access, there's lots of fun places to visit, including:


* "BCK2SKOL" is a free electronic library classroom created by Ellen Chamberlain, Head Librarian, University of South Carolina Beaufort, and Miriam Mitchell, Sr. Systems Analyst, USC Columbia. Additional support is provided by the Division of Libraries & Information Systems, University of South Carolina Columbia.


Your feedback and support for BCK2SKOL are appreciated; please email link updates, suggestions and comments to: eechambe@gwm.sc.edu


Links checked 9 March 1998. See the BCK2SKOL homepage for course update details.
Copyright © 2000, the Board of Trustees of the University of South Carolina.
URL: http://www.sc.edu/bck2skol/fall/lesson21.html