Fake E-Mail, Other Abuses Plague 'Net

Last spring Kelly K. Johnson-Arbor '96 was stunned when she read an electronic mail message from her friend Grace S. Lin '96.

"Kelly, I know this is crazy, but I'm actually bisexual. I haven't told any-one, But I think cunnilingus sounds great.--Grace."

The return address showed Lin's account as the message's point of origin. But the e-mail, it turns out, wasn't sent by Grace Lin, who is straight. Eric E. Blom '96, an acquaintance of the women, later admitted to sending the fradulent message as a practical joke.

"I was really shocked that something like this could happen," Lin says," I thought that this was private."

The two women never told College officials about the message. Blom was already in trouble with the Freshman Dean's Office at the time for sending other fake e-mail messages, And after the prank, he sent the women a message--this time, in his own name--begging them to keep quiet lest he be expelled, according to a transcript of the message obtained by The Crimson.

"I know it was a very, very poor joke. I had a poor sense of humor at the time. I was a different person then," Blom says in retrospect. "I really had never paid any attention to register messages [warning against fake e-mail]. When I had the ability to send anonymous mail. I never really thought it was a big deal."

Sending e-mail in the name of another person is just one of the abuses that often occurs over Harvard's link to the Internet, a global data communication network. A two-month Crimson investigation, including interviews with about 100 faculty and staff and nearly 150 students, found that the security of electronic communications is frequently com-promised.

Some Harvard undergraduates secretly monitor each other's movements on the network and read their-e-mail message. Students have even broken into and destroyed personal files that their fellow under graduates keep in personal network accounts.

"The system is too easy to beat," says Whitney D. Pidot '96, a frequent network user and president of the Salient, a conservative magazine. "And the ultimate enforcers, the College administrators, don't know what's going on [or] how to divy out the penalties."

The process of ensuring security is complicated by four factors: the inherent flaws in the network operating system used by Harvard, the presence of students aware of these flaws, the lack of a clear understanding by students of what constitutes proper behavior on the network and Harvard's own vague rules on network etiquette.

University administrators, some users charge have not been able to keep up with the changes caused by the recent increase in undergraduate's use of the network.

Administrators respond that they are doing the best they can to develop rules for an evolving technology. For example, a five-year-old University committee on information security is currently revising its manual to cover problems involving the Internet, according to the manual's editor.

Increased security is an option, administrators say, but the network should not be overregulated.

"You can't have security and convenience," saysWilliam J. Ouchark, network manager for theHarvard Arts and Sciences Computer Service(HASCS). "You just can't have both. Havingservices available outweighs security issues...It's a big problem."

Part of the problem is that students often canbe hurt by abuses such as fake e-mail.

"I totally felt that it was a violation of mye-mail privacy," Johnson-Arbor says. "I wasdefinitely shocked. Grace and I were very closefriends and I knew that if Grace was going to tellme something like that she wouldn't to it in sucha tactless way."

Sending take electronic mail may soundlike a difficult proposition. But for regularusers of the network, it's no harder than placinga prank phone call.

"It's very simple to send fake e-mail toanyone," says Eugene E. Kim '96, president of theHarvard Computer Society. "I would say it's fairlycommon. Most people don't do it maliciously--ittends to be more of a practical joke than anythingelse. It's very easy to do if you know how."

User can send fake e-mail by altering amessage's "header," which usually identifies thesender. Altered messages can appear to be frompresident Clinton or President Neil L. Rudenstine.

Jeff C. Tarr '96, co-president of the newstudent technology group Digitas, says he'sreceived e-mail from both "God" and "The Devil."

A first-year student speaking on the conditionof anonymity says there are "rather easy ways ofsending fake e-mail which are more or lesscompletely untraceable."

Network users can send untraceable fake e-mailthrough port 25--an "open base" or area in thenetwork used to send and receive messages-in orderto avoid detection.

Sending fake "write message"--messages whichare written directly to the screen of alogged-on-user--is also possible.

The first-year student says he sends fake writemessages through port 811, a similar open base.

"I know how to send a write message... from anyreal or imaginary address, the first-year says.

Computer experts say there are ways to detectsome fake e-mail (please see graphic, thispage,) but most students do not know how.

During a Harvard Computer Society seminar lastmonth called" Avoiding Big Brother," PhilCartagena '96, a society members, said that byusing mail reading programs that allow users tosee the whole mail header--such as the "mail" or"elm readers--students can sometimes tell theauthentic-students can sometimes tell theauthentic from the fake. Full headers generallyidentify the computer from which the mail wassent.

In contrast, " pine," the program favored bymany undergraduates, allows users to view most,but not all, of the mail header.

"You have no idea if the person [whose name ison the message] really is the person who sent youmail," says Michael G. Burner, who manages UNIXsystems for HASCS.

Ouchark says HASCS is exploring new methods ofmail identification, such as electronicsignatures.

"But nothing is in widespread use yet," saysOuchark, acknowledging that fake e-mail is aproblem that's here to stay. " Even when somethingis available, it takes a long time for it to beadopted and utilized."

Fraud is only one problem affectingstudents. Users must also face the possibilitythat an unauthorized person may gain access totheir account.

"Every three days we get a mail message fromsomeone saying 'my account was broken into," sayOuchark. "It's normal."

But some network users say break-ins are toonormal. Gene McAfee, an eighth-year graduatestudent at the Divinity School, says he has had aUniversity account linking him to the Internet forfour year. And until this past "Thanksgiving, henever had a problem.

"When I returned [from Thanksgiving] and loggedon, the firs thing that I noticed was an errormessage saying that a new file was being createdfor my name," McAfee says. "I thought this was oddbut I assumed every-thing would be all right."

Almost immediately, McAfee discovered thatpersonal files and the electronic address book hehad stored in his account were missing.

"I had between 45-60 addresses in therebefore--addresses of people all over the countryand world, friends and colleagues in Jerusalem,"he says.

McAfee says HASCS personnel later determinedthat at least four different hackers--based in NewYork City, Los Angeles, St. Louis and WashingtonD.C--had broken into and cleaned out his accountwhile he was away.

HASCS was able to restore much of what he lostby using the University's back-up tapes of filesin his account, McAfee says.

"The main thing that I got out of this is thatI don't leave things in my folder on theUniversity account," McAfee says. "If you've everbeen burglarized you know there's great sense ofhaving been violated and a sense of "Why wouldsomebody do this?'...I'm more aware of thevulnerability of the system than I was before. Idid live in a false sense of security."

While frequent enough to cause alarm, break-inslike the ones on McAfee's account are not the mostcommon form of security violations, Kim, thecomputer society president, says violations oftenoccur after a person has left a computer andforgotten to log out--leaving all personal filesavailable for inspection.

In addition, Kim says that by placing a specialtext file in another person's account, an intrudercan log in whenever he wants.

"People can mess around with other people'saccounts without them knowing," says Rolland W. Ho'97, the business manager of the Harvard ComputerSociety. "If you forget to log out, people canleave hidden files in your account which willredirect your e-mail."

Some computer programs exist which allow formore sophisticated attacks on students' privateaccounts. "Crack," for example, is a freelyavailable program that exits solely to crackpasswords.

"What 'crack' does is to encrypt all the wordsin the dictionary and then match all the words tothe encrypted words. So if people use whole wordsfor passwords then it wouldn't be very had to findthe passwords and then gain access to people'saccounts," says Nina Yuan '94, who wrote herthesis on issues involving electronic security.

Some network users can write their own programsto beat passwords, students say.

"This campus is no different from any other,"says Thomas R. Raich, a newly hired HASCSprogrammer. "Passwords are just a lock on a door.And I bet you have students on this campus makingtheir own keys."

To combat break-in attempts, Harvard hasintroduced a program called "shadow passwords,"which limits access to the file where studentpasswords are stored. Shadow passwords renderprograms like "crack" useless.

HASCS has also implemented a system in whichstudents can no longer use their names or evenreal words as passwords.

Computer experts and administrators suggestthat students use a password that is a combinationof letters and numbers. Many students say theychange their passwords frequently for addedsecurity.

"I make sure to change my password and on myown computer I have a password," says Aaron B.Brown '97. "The longest I've kept my password istwo weeks. Sometimes I alternate betweenpasswords."

Rules vs. Etiquette

Harvard has made some efforts to keep up withsecurity problems associated with network use. Inthe 1992-93 Handbook for students, rules aboutstudent use of computers dealt primarily withconcerns of plagiarism and theft of electronicmaterials.

In contrast, this year's handbook issignificantly more hip to problems of networksecurity, with passages guaranteeing privacy anoutlawing fake e-mail or any other form ofelectronic "harassment."

But many students charge that, despite thesechanges, the University has failed to make adistinction between rules and etiquette.

And HASCS's "Computer Rules and Etiquettee,which was published last December, says Harvard"does not distinguish computer rules from goodetiquette."

"Is this bad manners or will they bring you upbefore the Ad Board?" asks Jol A. Silver-smith'94, the former director of the Civil LibertiesUnion at Harvard.

The lack of distinction is particularlytroubling, critics, say, because the network is anew, unique medium where direct attacks andpersonal criticism are not unusual.

"Sometimes when you write an [e-mail] letter,you intend it to have a sarcastic tone, butthere's no way to detect it from plain text,"Silversmith says. "I'm not sure whether standardsshould be more or less strict, but to apply thesame standards is problematic at best."

But the handbook for students considersharassment over e-mail as if it were harassment inperson or on the telephone." E-mail harassment isnot the same as harassment over the phone orharassment in person, " Silversmith says.

And censorship is possible, given thatHarvard's system administrators have total accessto students' e-mail.

"The system administrators at Harvard can readevery person's e-mail over the [network] and a lotof people don't realize this," Kim says. "That's abig issue that's going to grow a lot bigger asmore and more people sign up and get accounts."

But others say it is not possible to defineclear rules for regulation technology as dynamicas the network. Richard S. Steen, acting directorof HASCS, says a "spirit of etiquette" is all thatis needed to regulate the system, and morestudents agree.

"It's very hard to be explicit and still coverall the things that come up," says James S.Gwertzman '95, the student representative to theFaculty of Arts and Sciences committee oninformation technology. "I feel perfectly happyrelying on Harvard to maintain the spirit offreedom of information."

Other students, however, worry that in theabsence of clear rules, members of the Ad Boardlack the knowledge of the network needed toadjudicate cases involving electronic wrongdoing.

"The biggest problem is the lack of awarenesson the part of Harvard's Ad Board," Kim says. "Ifyou don't understand how the computer works,you're not going to understand a lot of thecontext of the ethical issues."

But Virginia L. Mackay-Smith '78, the Ad Boardsecretary, disputes that claim. She says thedisciplinary body has used members who arecomputer experts to set up an ad-hoc committeewhich reviews cases involving computers.

Mackay-Smith also says the student-facultyjudicial board is likely to see cases in the nearfuture that will help the College refine itspolicy.

"We are seeing more computer-related cases andit concerns up because computer use is deceptivein our culture," says Mackay-Smith, who adds thatfewer than five computer-related cases have madeit all the way to a full Ad Board hearing. "Itseems very familiar-you use words, you send mail,you draft documents, these are all things whichwe've done in other contests. But the mechanism iscompletely new."

But HASCS has more control than the Ad Boardover how to punish student abuses of the network.

HASCS personnel can sanction students withoutconsulting the Ad Board either by shutting offaccounts or limiting students' access to thenetwork whenever they see fit. HASCS usually putsthe account of a student accused of wrongdoing onhold, Steen says.

Mackay-Smith says that "99 percent of the time"it is HASCS that discovers student infractions.And it is up to the network man agers to refercases to the Ad Board.

Some wonder if playing network cop is too bigof a job for HASCS, which has been plagued by twinproblems of overworked employees and inadequateresources. Others worry that the programmersemployed by the computer service have too muchaccess to the system already.

"A lot of wrinkles need to be ironed out of thesystem and HASCS hasn't done it yet," Kim says.

The broad discretion given HASCS, coupled withthe University ambiguous rules has many studentsconcerned.

Says, Ho, the computer society businessmanager: "I don't believe that Harvard really hasany good standardized rules for any of this."

While many students push for greatersecurity, no one is sure just what such securitywould entail. Some functions possible over thenetwork fall in a category that make themdifficult to regulate.

For example, anyone can search the current mailqueue-the list of messages waiting to bedelivered-for a specific undergraduate's name,identify when and to whom that student has sentmail, not the size of the mail message andrecognize the message's delivery status. But asmessage delivery speed increases, messages willspend less time in the queue, making it moredifficult to monitor, them.

Certain commands also make it possible forstudents to check to see when their friends are onthe network. But it also lets undergraduatesmonitor each other in a manner that some sayresembles stalking.

Regulating these kinds of arrangements is oneof the reasons writing rules on network securityis tricky. Harry R. Lewis '68, co-chair of the FAScommittee on information technology, acknowledgedas much during a panel discussion at the LawSchool last October.

Said Lewis: "One of the most difficult thingsto get right in phrasing rules is how to balancethe expectation of privacy in the communicationand storage of information on networked computerswith the need to be able to investigatedestructive behavior."CrimsonJamie W. Billett

"You can't have security and convenience," saysWilliam J. Ouchark, network manager for theHarvard Arts and Sciences Computer Service(HASCS). "You just can't have both. Havingservices available outweighs security issues...It's a big problem."

Part of the problem is that students often canbe hurt by abuses such as fake e-mail.

"I totally felt that it was a violation of mye-mail privacy," Johnson-Arbor says. "I wasdefinitely shocked. Grace and I were very closefriends and I knew that if Grace was going to tellme something like that she wouldn't to it in sucha tactless way."

Sending take electronic mail may soundlike a difficult proposition. But for regularusers of the network, it's no harder than placinga prank phone call.

"It's very simple to send fake e-mail toanyone," says Eugene E. Kim '96, president of theHarvard Computer Society. "I would say it's fairlycommon. Most people don't do it maliciously--ittends to be more of a practical joke than anythingelse. It's very easy to do if you know how."

User can send fake e-mail by altering amessage's "header," which usually identifies thesender. Altered messages can appear to be frompresident Clinton or President Neil L. Rudenstine.

Jeff C. Tarr '96, co-president of the newstudent technology group Digitas, says he'sreceived e-mail from both "God" and "The Devil."

A first-year student speaking on the conditionof anonymity says there are "rather easy ways ofsending fake e-mail which are more or lesscompletely untraceable."

Network users can send untraceable fake e-mailthrough port 25--an "open base" or area in thenetwork used to send and receive messages-in orderto avoid detection.

Sending fake "write message"--messages whichare written directly to the screen of alogged-on-user--is also possible.

The first-year student says he sends fake writemessages through port 811, a similar open base.

"I know how to send a write message... from anyreal or imaginary address, the first-year says.

Computer experts say there are ways to detectsome fake e-mail (please see graphic, thispage,) but most students do not know how.

During a Harvard Computer Society seminar lastmonth called" Avoiding Big Brother," PhilCartagena '96, a society members, said that byusing mail reading programs that allow users tosee the whole mail header--such as the "mail" or"elm readers--students can sometimes tell theauthentic-students can sometimes tell theauthentic from the fake. Full headers generallyidentify the computer from which the mail wassent.

In contrast, " pine," the program favored bymany undergraduates, allows users to view most,but not all, of the mail header.

"You have no idea if the person [whose name ison the message] really is the person who sent youmail," says Michael G. Burner, who manages UNIXsystems for HASCS.

Ouchark says HASCS is exploring new methods ofmail identification, such as electronicsignatures.

"But nothing is in widespread use yet," saysOuchark, acknowledging that fake e-mail is aproblem that's here to stay. " Even when somethingis available, it takes a long time for it to beadopted and utilized."

Fraud is only one problem affectingstudents. Users must also face the possibilitythat an unauthorized person may gain access totheir account.

"Every three days we get a mail message fromsomeone saying 'my account was broken into," sayOuchark. "It's normal."

But some network users say break-ins are toonormal. Gene McAfee, an eighth-year graduatestudent at the Divinity School, says he has had aUniversity account linking him to the Internet forfour year. And until this past "Thanksgiving, henever had a problem.

"When I returned [from Thanksgiving] and loggedon, the firs thing that I noticed was an errormessage saying that a new file was being createdfor my name," McAfee says. "I thought this was oddbut I assumed every-thing would be all right."

Almost immediately, McAfee discovered thatpersonal files and the electronic address book hehad stored in his account were missing.

"I had between 45-60 addresses in therebefore--addresses of people all over the countryand world, friends and colleagues in Jerusalem,"he says.

McAfee says HASCS personnel later determinedthat at least four different hackers--based in NewYork City, Los Angeles, St. Louis and WashingtonD.C--had broken into and cleaned out his accountwhile he was away.

HASCS was able to restore much of what he lostby using the University's back-up tapes of filesin his account, McAfee says.

"The main thing that I got out of this is thatI don't leave things in my folder on theUniversity account," McAfee says. "If you've everbeen burglarized you know there's great sense ofhaving been violated and a sense of "Why wouldsomebody do this?'...I'm more aware of thevulnerability of the system than I was before. Idid live in a false sense of security."

While frequent enough to cause alarm, break-inslike the ones on McAfee's account are not the mostcommon form of security violations, Kim, thecomputer society president, says violations oftenoccur after a person has left a computer andforgotten to log out--leaving all personal filesavailable for inspection.

In addition, Kim says that by placing a specialtext file in another person's account, an intrudercan log in whenever he wants.

"People can mess around with other people'saccounts without them knowing," says Rolland W. Ho'97, the business manager of the Harvard ComputerSociety. "If you forget to log out, people canleave hidden files in your account which willredirect your e-mail."

Some computer programs exist which allow formore sophisticated attacks on students' privateaccounts. "Crack," for example, is a freelyavailable program that exits solely to crackpasswords.

"What 'crack' does is to encrypt all the wordsin the dictionary and then match all the words tothe encrypted words. So if people use whole wordsfor passwords then it wouldn't be very had to findthe passwords and then gain access to people'saccounts," says Nina Yuan '94, who wrote herthesis on issues involving electronic security.

Some network users can write their own programsto beat passwords, students say.

"This campus is no different from any other,"says Thomas R. Raich, a newly hired HASCSprogrammer. "Passwords are just a lock on a door.And I bet you have students on this campus makingtheir own keys."

To combat break-in attempts, Harvard hasintroduced a program called "shadow passwords,"which limits access to the file where studentpasswords are stored. Shadow passwords renderprograms like "crack" useless.

HASCS has also implemented a system in whichstudents can no longer use their names or evenreal words as passwords.

Computer experts and administrators suggestthat students use a password that is a combinationof letters and numbers. Many students say theychange their passwords frequently for addedsecurity.

"I make sure to change my password and on myown computer I have a password," says Aaron B.Brown '97. "The longest I've kept my password istwo weeks. Sometimes I alternate betweenpasswords."

Rules vs. Etiquette

Harvard has made some efforts to keep up withsecurity problems associated with network use. Inthe 1992-93 Handbook for students, rules aboutstudent use of computers dealt primarily withconcerns of plagiarism and theft of electronicmaterials.

In contrast, this year's handbook issignificantly more hip to problems of networksecurity, with passages guaranteeing privacy anoutlawing fake e-mail or any other form ofelectronic "harassment."

But many students charge that, despite thesechanges, the University has failed to make adistinction between rules and etiquette.

And HASCS's "Computer Rules and Etiquettee,which was published last December, says Harvard"does not distinguish computer rules from goodetiquette."

"Is this bad manners or will they bring you upbefore the Ad Board?" asks Jol A. Silver-smith'94, the former director of the Civil LibertiesUnion at Harvard.

The lack of distinction is particularlytroubling, critics, say, because the network is anew, unique medium where direct attacks andpersonal criticism are not unusual.

"Sometimes when you write an [e-mail] letter,you intend it to have a sarcastic tone, butthere's no way to detect it from plain text,"Silversmith says. "I'm not sure whether standardsshould be more or less strict, but to apply thesame standards is problematic at best."

But the handbook for students considersharassment over e-mail as if it were harassment inperson or on the telephone." E-mail harassment isnot the same as harassment over the phone orharassment in person, " Silversmith says.

And censorship is possible, given thatHarvard's system administrators have total accessto students' e-mail.

"The system administrators at Harvard can readevery person's e-mail over the [network] and a lotof people don't realize this," Kim says. "That's abig issue that's going to grow a lot bigger asmore and more people sign up and get accounts."

But others say it is not possible to defineclear rules for regulation technology as dynamicas the network. Richard S. Steen, acting directorof HASCS, says a "spirit of etiquette" is all thatis needed to regulate the system, and morestudents agree.

"It's very hard to be explicit and still coverall the things that come up," says James S.Gwertzman '95, the student representative to theFaculty of Arts and Sciences committee oninformation technology. "I feel perfectly happyrelying on Harvard to maintain the spirit offreedom of information."

Other students, however, worry that in theabsence of clear rules, members of the Ad Boardlack the knowledge of the network needed toadjudicate cases involving electronic wrongdoing.

"The biggest problem is the lack of awarenesson the part of Harvard's Ad Board," Kim says. "Ifyou don't understand how the computer works,you're not going to understand a lot of thecontext of the ethical issues."

But Virginia L. Mackay-Smith '78, the Ad Boardsecretary, disputes that claim. She says thedisciplinary body has used members who arecomputer experts to set up an ad-hoc committeewhich reviews cases involving computers.

Mackay-Smith also says the student-facultyjudicial board is likely to see cases in the nearfuture that will help the College refine itspolicy.

"We are seeing more computer-related cases andit concerns up because computer use is deceptivein our culture," says Mackay-Smith, who adds thatfewer than five computer-related cases have madeit all the way to a full Ad Board hearing. "Itseems very familiar-you use words, you send mail,you draft documents, these are all things whichwe've done in other contests. But the mechanism iscompletely new."

But HASCS has more control than the Ad Boardover how to punish student abuses of the network.

HASCS personnel can sanction students withoutconsulting the Ad Board either by shutting offaccounts or limiting students' access to thenetwork whenever they see fit. HASCS usually putsthe account of a student accused of wrongdoing onhold, Steen says.

Mackay-Smith says that "99 percent of the time"it is HASCS that discovers student infractions.And it is up to the network man agers to refercases to the Ad Board.

Some wonder if playing network cop is too bigof a job for HASCS, which has been plagued by twinproblems of overworked employees and inadequateresources. Others worry that the programmersemployed by the computer service have too muchaccess to the system already.

"A lot of wrinkles need to be ironed out of thesystem and HASCS hasn't done it yet," Kim says.

The broad discretion given HASCS, coupled withthe University ambiguous rules has many studentsconcerned.

Says, Ho, the computer society businessmanager: "I don't believe that Harvard really hasany good standardized rules for any of this."

While many students push for greatersecurity, no one is sure just what such securitywould entail. Some functions possible over thenetwork fall in a category that make themdifficult to regulate.

For example, anyone can search the current mailqueue-the list of messages waiting to bedelivered-for a specific undergraduate's name,identify when and to whom that student has sentmail, not the size of the mail message andrecognize the message's delivery status. But asmessage delivery speed increases, messages willspend less time in the queue, making it moredifficult to monitor, them.

Certain commands also make it possible forstudents to check to see when their friends are onthe network. But it also lets undergraduatesmonitor each other in a manner that some sayresembles stalking.

Regulating these kinds of arrangements is oneof the reasons writing rules on network securityis tricky. Harry R. Lewis '68, co-chair of the FAScommittee on information technology, acknowledgedas much during a panel discussion at the LawSchool last October.

Said Lewis: "One of the most difficult thingsto get right in phrasing rules is how to balancethe expectation of privacy in the communicationand storage of information on networked computerswith the need to be able to investigatedestructive behavior."CrimsonJamie W. Billett