by Michael Finley
Copyright © 1997 by Michael Finley

-- dialogue from A Kaczynski Kind of Christmas

The case of the Unabomber, now nearing trial, gives us shivers. He took something as simple as a letter in the mail, and made it a lethal weapon.

What gives us shivers is the unnegotiability of it. The letter-bomb is like a very slow bullet that plods through postal sorting, handling, and eventual delivery. Then, even if the address was wrong, or the wrong person opens it, the bullet suddenly picks up the pace and explodes in the recipient's hands.

Just as there are snailmail bombs (snailmail is the term the neterati have assigned to the U.S. Postal Service), so are there e-mail bombs. Where snailmail bombs do analog damage, e-mail bombs destroy digitally. Less physical blood is shed from e-mail bombs. But not being snailborn, they occur with more rapidity and can wreck a career or a company in a moment.

We all know about viruses -- applets which hitch a ride on other binary materials and which, unhatched, invade systems and destroy data. This Christmas we are assured of a holiday virus attack, as friends of imprisoned hacker Kevin Mitnick Despite promise to release wee beasties around the world to win his freedom.

While 14,137 viruses are known to exist (http://www.drsolomon.com/vircen/stats.cfm), relatively few of us have personal experience with them. What we are told is a virus on our systems is usually simple file corruption. The only people actually subject to contamination are the fraction who download unchecked files from other systems, which may contain the alien beings, or the truly unlucky few who buy off-the-shelf software whose disks were tampered with by malicious employees or subcontractors. One recent outbreak was traced to a commercial disk-copying service that loaded an especially invidious critter onto every disk sold by its client -- a Fortune 500 software maker -- for over a month.

But that sort of catastrophe was the sort of thing that, until now, happened to the next person, not you. Today we are witnessing the birth of a new generation of e-mail-borne devices, which owe their existence to the new capabilities e-mail packages are offering, such as the ability to read HTML code and run Java applets.

I learned this in an innocent way. A friend sent me a holiday e-mail message. The e-mail began as text, then shifted into HTML (World-Wide-Webbese). This HTML in turn ran a little animation program. It showed Santa's sleigh, ready for action. Rudolph the Red Nosed Reindeer trots up next to the bag, lifts a leg, and urinates on all the children's toys.

It was such a heartfelt expression of end-of-the-millennium holiday sentiment that I laughed. But it occurred to me that I was never given the option to see or not see this animation. It ran itself.

The next day, Hue White of Test System BBS (612-470-9635) posted a message by someone named Tom Brazil on the comp.risks Usenet newsgroup:

I received a spam mail today that was rather sinister. Many spams that I receive request that you click on the hyperlink to go to their site. This one was different. I am running IE4.0, and I simply highlighted the new message in my mailbox, and clicked on the subject to read it. It immediately downloaded and initialized a Java applet that took control of my browser, opened a session to their site as I sat in amazement.

Brazil said he shut down the program immediately, before it could do whatever it was going to do. When he examined the source for the message, it was like my reindeer animation, excerpt that it was a sales spiel.

Brace yourself for the waves of invasion. First will be the horde of spam artists looking for ways to be more invasive. Following after them will be the purveyors of "push" information -- the online magazines and reports that are tossed, at your request, on your electronic doorstep every morning.

But now push has come to shove. The identical technology will inevitably be applied with pure malice. Every single one of the 14,137 extant viruses can be recast as a Java applet, and sent out to a million systems at a shot. An applet that can boot your browser can just as easily perform wholesale delete operations, change your password, or reconfigure your system so that it is unstartable. A merry prankster with a hogshead of e-mail addresses, five minutes of programming time, and an index finger on the send button can knock out the world.

So net users, get those hackles up. Batten the hatches. Switch off those auto-preview toggles on your e-mail programs. If you don't understand an applet's source code, don't run it. That innocuous message in your mail queue may be a Trojan horse. Inside its belly is a stranger who has no desire to be your friend. Starting now, spam kills.

Michael Finley is co-author with Harvey Robbins of THE NEW WHY TEAMS DON'T WORK.Visit Michael Finley at his home page, or e-mail him at mfinley@mfinley.com