Approaching Zero, Paul Mungo [good summer reads TXT] 📗

linked to a printer, it could cause an invoice to be printed out. The money

for the license was to be sent to PC Cyborg Corporation at a post office box in

Panama City, Panama. It was not specified what users would receive for the fee,

apart from a license. But it was assumed that an antidote for the trojan would

be included in the deal.

 

The AIDS information diskette was the largest and most complex trojan Jim had

ever seen. He worked on it eighteen hours a day for seventeen days and later

said that taking the program apart was “like peeling an onion with a paper

clip.” His final disassembly ran to 383 pages, each containing 120 lines of

code. He had managed to produce a quick antidote to the AIDS trojan on the day

he received it, but after he had disassembled the bug, he put together a

program called ClearAid which would restore files and cleanse infected systems.

 

The antidote and ClearAid were offered free to infected computer users by Jim

and PC Business World.

 

Later, when the furor died down, Jim decided that the trojan had been written

“by a young, inexperienced programmer with only scant knowledge of both the

language and the machine capabilities at his disposal.” Its tortuous complexity

had been caused by incompetence rather than design.

 

This was little comfort for those who had suffered damage from the bug. Over

twenty thousand of the AIDS diskettes had been

sent out, using not only the PC Business World mailing list, but the delegate

register to a World Health Organization (WHO) conference on AIDS in Stockholm.

In the first few days, a number of recipients had panicked when they realized

that they had just loaded a potentially destructive trojan onto their systems.

The trojan had caused the loss of data at the U.N. Development Program offices

in Geneva, and in Italy an AIDS research center at the University of Bologna

reported the loss of ten years of research. Like many users, they had not kept

backup copies of their valuable data. The trojan reached hospitals and clinics

throughout Europe, and the Chase Manhattan Bank and International Computers

Limited (ICL) in England both reported unspecified “problems” caused by the

program. In every instance, scientists, researchers, and computer operators

wasted days chasing down and eliminating the bug, even after Jim’s antidote and

ClearAid program became generally available.

 

At New Scotland Yard the Computer Crime Unit under Detective Inspector John

Austen established that all twenty thousand diskettes had been posted from west

and southwest London, between December 7 and I I, 1989, and that they had been

sent to addresses in almost every country of the world, with one glaring

exception: none had been sent to the United States.

 

The Computer Crime Unit does not have an easy job.

 

In many cases it has been frustrated by the unusual nature of computer crime,

and with viruses it has been noticeably unsuccessful in bringing prosecutions.

Most viruses are written abroad, by unknown and certainly untraceable authors,

often in countries such as Bulgaria where the act itself is not a criminal

offense. To prosecute a case against a virus writer, the unit must have a

complaint against the author from a victim in Britain, evidence of criminal

intent, proof of the author’s identity, and finally, his presence in Britain,

or at least in a country from which he can be extradited.

 

The legal problem with viruses, quite simply, is their internationality. They

seep across borders, carried anonymously on diskettes or uploaded via phone

lines to bulletin boards; their provenance is often unknown, their authorship

usually a mystery. But inspector John Austen was determined that the AIDS

diskette incident would be different. He viewed it as the “most serious” case

the unit had faced: not only was it a large-scale attack on computers by a

trojan-horse program, it was blackmail—or something very similar. In this

case, he also had a complaint; indeed, he had a few thousand complaints. It was

clearly time for the unit to throw its resources into tracking down the author

of the trojan.

 

The publishers of PC Business World told the police that they had sold this

particular mailing list for about $2,000 to a Mr. E. Ketema of Ketema &

Associates, who purported to be an African businessman representing a Nigerian

software company. The transaction had been carried out by post; no one had ever

met Ketema.

 

Ketema & Associates operated out of a maildrop address in Bond Street, London.

Company documents revealed that the firm had three other directors, supposedly

Nigerian: Kitian Mekonen, Asrat Wakjiri, and Fantu Mekesse. The staff of the

company that operated the maildrop had never seen the three Nigerians, but they

had met Mr. Ketema. Far from being an African businessman, he was described as

white, bearded, and probably American.

 

Computer Unit detectives then turned their attention to PC Cyborg Corporation

of Panama City. Through inquiries to the Panamanian police, it was discovered

that the company had been registered a year earlier. The Panamanians were also

able to find the company’s local telephone number.

 

Waiting until early evening in London, when it would be ten A.M. in Panama, a

detective put a call through, and was rewarded by the sound of an American

voice when the phone was answered. “Mr. Ketema?” asked the detective

tentatively. “Who?” answered the voice. It turned out to be an American marine.

 

Panama had been invaded on that very day.

 

- Simultaneous inquiries in Nigeria did not turn up evidence of

the three Nigerian businessmen who were registered as directors of the company.

 

Indeed, the Unit discovered that the three names didn’t sound Nigerian at all.

They might have been made up.

 

By then the Computer Unit’s detectives were convinced that they were chasing

one man, probably an American.

 

The arrest happened almost by accident. New Scotland Yard had routinely

circulated details of the case to Interpol, the international police

intelligence agency. Four days before Christmas in 1989, just two weeks after

the diskettes had been posted from London, the Dutch police detained an

American citizen at Schiphol airport in Amsterdam, who had been behaving

strangely.

 

The American was Joseph Lewis Popp. He was en route from Nairobi, where he had

been attending a WHO seminar, to Ohio, where he lived with his parents in the

small town of Willowick, near Cleveland. Popp seemed to think that someone was

trying to kill him: at Schiphol he had written “Dr. Popp has been poisoned” on

the suitcase of another traveler, apparently in an attempt to notify the

police. When he had calmed down, the authorities took a discreet look through

his bags: in one, they found the company seal for PC Cyborg Corporation.

 

The police let Popp continue his journey to Ohio, then notified Austen in

England about the seal. On January 18, 1990, Austen began extradition

proceedings. The charge: “That on December 11, 1989, within the jurisdiction of

the Central Criminal Court, you with a view to gain for another, viz. PC Cyborg

Corporation of Panama, with menaces made unwarranted demands, viz. a payment of

one hundred and eighty nine U.S. dollars or three hundred and seventy eight

U.S. dollars from the victim.” In Ohio the FBI began a surveillance of Popp’s

parents’ home, and finally arrested him on February 3rd.

 

Neighbors in Willowick were said to have been surprised at his arrest. He was

described as “quiet, intelligent, and a real gentleman.” At the time of his

arrest he was thirty-nine, a zoologist and anthropologist who had worked as a

consultant on animal behavior with UNICEF and WHO. He was a soft-spoken man,

darkhaired, with flecks of gray in his beard. He had graduated from Ohio State

University in 1972 and obtained a doctorate in anthropology from Harvard in

1979. In the previous few years he had become passionately interested in AIDS.

 

Austen’s extradition request ground through the American courts for nearly a

year. In September 1990 Jim Bates was flown over to Cleveland for five days to

give evidence at Popp’s extradition hearing. It is unusual to have live

witnesses at such hearings, but Jim brought the AIDS diskette. He was the

principal witness, and it was his task to demonstrate to the court what the

diskette was and what it did.

 

In the hallway outside the small courtroom, Jim sat beside Popp’s parents, a

friendly and courteous pair. “Do you like Cleveland?” Popp’s mother asked. Jim

wasn’t sure; all he had seen by then was the airport, a hotel room, and the

hallway. Inside the courtroom Jim had his first glance at Joseph Popp. His hair

was long and unkempt, his beard had grown out, making the ~ray more emphatic.

He shuffled around the courtroom, wearing a shabby jacket, a sweater, and

faded jeans. He looked, Jim later said, “like a lost soul.”

 

Popp’s mental state was the crux of the defense’s argument in the extradition

hearings: his lawyers argued that he had suffered a nervous breakdown and was

unfit to stand trial. Popp never denied writing the AIDS trojan nor sending out

the diskettes. But at the time, his lawyers said, he was in the grip of mental

illness and was behaving abnormally.

 

The lawyers also argued that the demand for a license fee for the use of the

diskette was not tantamount to blackmail. It was, they agreed, somewhat extreme

to wreck a computer’s hard disk if the user didn’t pay, but operators were

warned not to load the diskette if they didn’t accept the terms and conditions

laid down in the instruction leaflet. And it was quite clearly stated on the

same sheet that if they used the diskette and didn’t pay, the computer “would

stop functioning normally.”

 

There was a basis in law to the argument. Software publishers

have long struggled to stop the unauthorized use and copying of their copyright

programs. Software piracy is said to cost American publishers as much as $5

billion a year, and many markets

Taiwan, Thailand, Hong Kong, Singapore, Brazil, India, and even Japan, among

others—have become what are euphemistically referred to as “single-disk”

countries: in other words, countries where one legitimate copy of a software

program is bought and the rest illegally copied. To combat piracy, publishing

houses have used a number of devices: some programs, for example, contain

deliberate “errors,” which are triggered at set intervals—say, once every

year—and which require a call from the user to the publisher to rectify. The

publisher can then verify that the user is legitimate and has paid his license

fee before telling him how to fix it.

 

Other publishers have resorted to more extreme methods. One celebrated case

involved an American cosmetics conglomerate that had leased a program from a

small software house to handle the distribution of its products. On October 16,

1990, after a disagreement between the two about the lease payments, the software company dialed into the cosmetic giant’s computer and entered a code that

disabled its own program. The cosmetics company’s entire distribution operation

was halted for three days. The software house argued that it was simply

protecting its property and that its action was akin to a disconnection by the

telephone company. The cosmetics company said that it was “commercial

terrorism.”

 

The Cleveland District Court, however, rejected arguments that the AIDS

diskettes simply contained some sort of elaborate copyright-protection device.

It also ruled that Popp was fit to stand trial and ordered his extradition to

Britain to face charges.

 

Popp was the first person ever extradited for a computer crime and the first

ever to be tried in Britain for writing a malicious program. From the welter of

complaints, the police had prepared five counts against him; he faced ten years

in prison on each charge. According to