Skip to Navigation
University of Pittsburgh
Print This Page Print this pages

September 11, 2003

One on One: Michael SPRING

web michael springThe origin of the term “spam” — as in, unwanted and often repetitively sent e-mail messages — is lost in the mists of time (somewhere back in the 1980s), says Michael B. Spring, a Pitt associate professor of information sciences and telecommunications.

It’s definitely not an acronym. According to Spring, the consensus among Internet historians is that e-mail spam was named after two things: its namesake luncheon meat (widely viewed as having little culinary value, just as most e-mail spam is worthless) and the classic Monty Python sketch about obnoxious Vikings who prowl modern London chanting “Spam-Spam-Spam-Spam-Spam…” in a way suggestive of the repetitious nature of junk e-mail.

Wherever its nickname came from, e-mail spam long ago ceased to be a mere nuisance, as the University was reminded last month when the Internet worm Blaster infected most of the computers in Pitt’s residence halls, clogging the network with spam and necessitating a massive clean-up.

When spread in great numbers via worms to unprotected computers, spam can render targeted e-mail sites inaccessible. The worm-spam combination even has the potential to bring down the Internet itself, warns Spring, whose teaching and research specialties include computer privacy and designing secure systems.

University Times assistant editor Bruce Steele interviewed Spring this week.

University Times: Please remind us, what is the difference between a computer virus and a worm?

Spring: Essentially, a virus is a malicious code embedded in a computer program. Typically, it does something bad like destroying files. To actuate it, you have to take some action. It can be as simple as opening an attachment to an e-mail, but you have to do something.

With a worm, no human intervention is required. Worms propagate themselves by infecting unprotected computers.

Actually, the distinction between viruses and worms is disappearing. Both of them can be very vicious or very benign. The most recent phenomenon we’ve seen are worms that search out and infect all unprotected, and therefore vulnerable, computers. And with hundreds of millions of computers, that means that if only 1 percent are vulnerable, we’re talking about a million machines. Anyway, for a period of time, maybe a month, these worms go out and find all vulnerable machines and then at a given point in time, they switch forms and take on a new activity.

So, to use a recent example, imagine a worm that spends a month infecting machines and then at a given time, on a given day, all of those worms are instructed to begin sending e-mail to a given address. Imagine that address is the White House. When the White House gets a million e-mail messages in one hour, what we have is what we call a “distributed denial of service” attack. Because all of these machines are sending these stupid e-mail messages to the White House — or to [British Prime Minister] Tony Blair, which happened last week — important messages can’t get through.

You might imagine that if the White House were aware that this was going to happen — which they were — they could change their e-mail address and instruct all of the carriers of those messages to throw them away — which they did. But even so, the White House network still gets clogged and degraded because until these e-mail messages are thrown away, there are hundreds of thousands of messages on the network preventing other people from getting access.

So, there are a variety of ways that people do damage to the new communications environment that we’re developing over the Internet. They can destroy machines, and we often think of viruses as doing that; early on, they deleted a lot of files. Or, malicious people can cause a targeted e-mail site to become inaccessible by sending it too many e-mail messages. Or, they can clog up a whole network, preventing us from getting any work done. Here at Pitt recently, some 2,000 student machines were infected with a worm that caused them to send many thousands of meaningless e-mail messages. Even if those messages were all thrown away they still, nonetheless, clogged and slowed down the network.

How do worms infect our computers?

What most of us want is a computer that is really smart and makes us very productive. We don’t want to know how it works, we just want to get our jobs done. Modern computers have responded to this demand by doing things to take care of themselves. The way this works is that programs are run when the machine is started that listen for communications from other machines.

On a Microsoft machine, press control alt delete, select the task manager button, and select the process tab. You will see 15 to 40 processes running on your machine — even if you are running no applications yourself. Some of these are simply waiting, listening for messages from other machines. Theoretically, networked machines have more than 64,000 “doors,” technically called ports. Several of these are monitored by the computer for some specific purpose like synchronizing clocks, or getting updates automatically. Now, imagine that one of the programs sitting there listening had a flaw in its design. Some smart person who knew about the flaw could write a program to contact your machine and exploit the flaw to do something bad.

We spend a lot of time talking in our courses about the nature of these flaws and techniques used to make sure you don’t include them in the software you design. But there are billions of lines of code and it only takes one small flaw in a widely used program to create problems. Now, imagine the program that exploited a flaw put itself on your machine and started looking for other machines that were also vulnerable. Thus, one machine starts and checks 100 other machines, finding three that it can take over. Those three start looking for 100 others and collectively find nine. Those nine each look for 100 others and collectively find 27. It doesn’t take long to get to millions.

What should I do to protect my home computer?

There are four things that an individual with a home machine can do. If you’re connected to the Internet, you should install a firewall, particularly if you have a permanent connection like DSL or a cable modem. A firewall allows you to do what you want to do on the Internet but doesn’t allow the hackers to get at your machine. The piece of software that does that is called a firewall. You can buy these at a computer store, and on campus CSSD [Computing Services and Systems Development] makes them available.

Secondly, you should have up-to-date virus software for what does get through, like an e-mail message which might have something bad in it. Anti-virus software also is available from CSSD. The problem is, 90 percent of the people I know install virus software when they buy their machine but, when you open it up, you see that it was last updated maybe 287 days ago. Well, every day somebody invents a new virus, a new way to infect a machine, and virus software that doesn’t know to look for a new virus is of no use to you. After you’ve installed anti-virus software, you need to continue to update it.

Microsoft now offers an automatic update service. Theoretically, at least, they’ve made the commitment to download the fix to your machine free of charge so you’re not vulnerable.

Whether your computer is a Macintosh or UNIX or a Microsoft PC, each of these organizations provides what are called patches, or fixes, when they find a vulnerability in their software. They’re getting very good at providing those in a way that makes it easy for anybody to keep their machine in prime condition.

Okay, here’s the bad news. Even if you do everything correctly, you are still not completely safe. Your e-mail address may be in 100 other people’s address books and so you are dependent on others being diligent.

Millions of very powerful machines are not managed by professionals. Most are not managed at all. Just consider all of the machines in people’s homes — very few of them are managed professionally and many of them are compromised or dirty.

PCs connected to the Internet have become very dangerous machines, in terms of the damage they can cause. We don’t allow people to drive cars on the highway without a license, without knowing what they’re doing, because we recognize that the car could become a lethal weapon. But we allow anybody to run a very powerful machine attached to a very complex network without any kind of qualification whatsoever. As well as I try to maintain my own home machines, I’ve had to fix them a dozen times because my sons are downloading games, which are programs that can have malicious codes in them. But from my sons’ point of view, a computer is a toy.

Most of the viruses and worms that we’ve heard about were designed to attack PCs. Are users of other computers, such as Macintoshes, more or less safe?

Any computer, when it’s attached to the Internet, is vulnerable to intrusion, theft and other bad things. It just happens that there are far more PCs than there are Macs or UNIX machines. So, if I want to be a nuisance to the Internet, the machine that’s best to attack is the most common. It’s not that Macs and UNIX aren’t vulnerable. But PCs are very complex and there are a lot of them. That makes them the best target.



Filed under: Feature,Volume 36 Issue 2

Leave a Reply