NetBITS#005/23-Oct-97

Spam continues to be a hot topic for NetBITS readers, and this week we bring you updates on a reversal of Netcom's spam policies, ways around relay filters for legitimate users, and the complexities of MIME and QP encoding. Talk of legislative approaches to thwarting spammers raises the question of defining and reacting to crime on the Internet, so in this issue we also bring you Computer Crime 101, discussing just what is and is not illegal online.

Copyright 1997 TidBITS Electronic Publishing. All rights reserved. To subscribe to our weekly list, email <netbits-on@netbits.net>. Thanks to our sponsors for their financial support of NetBITS.


NetBITS Updates/23-Oct-97

Netcom and Spam -- Apparently, when we reported on Netcom's spam policies last week in NetBITS-004, we were more informed than Netcom's senior management. According to CNET's News.com, the excellent procedures Netcom engineers put in place to stop millions of pieces of spam from reaching their users or being relayed through their mail servers have been pulled due to privacy concerns - and because the management of Netcom never knew the system administrators had put this into practice. It's unfortunate; this means an onslaught of additional spam despite the best intentions of Netcom's engineers.

<http://www.news.com/News/Item/0,4,15382,00.html>

Another item of interest is the percolation of spam concerns to a high-level news source - The New York Times. Our friend and colleague Peter H. Lewis (not to be confused with Australian Peter N Lewis who writes Macintosh Internet software) has a column in last Monday's Times on the subject. In it, Cyber Promotions' Sanford Wallace, the self-described spam king, tells how he is in the process of setting up his own backbone network and how this will make it harder to beat him, because he'll be part of the Internet's infrastructure. Fortunately for all of us, this would simplify the process of eliminating all spam originating from his site. As we discussed in last issue's spam article, high-level networks have preassigned blocks of IP addresses that are simple to filter out. We recommended against this, because you'll often filter legitimate traffic; with Cyber Promotions' backbone, however, there would be no risk of this. (Note: you can access the Times Web site for free only in the U.S. and Canada, and even that requires signing up for an account.) [GF]

<http://www.nytimes.com/library/cyber/techcol/102097techcol.html>

XTND XMIT Xplanation -- Several readers reminded us of a solution to a problem Glenn mentioned in his anti-spam article in NetBITS-004. If an ISP prevents relaying to protect its servers against being exploited by spammers, that action also prevents legitimate users from sending mail when not dialed into the ISP's own networks. This might happen, for instance, if an EarthLink user wanted to send mail from his EarthLink account while connected to the Internet via a dedicated connection at work. One solution to this problem is the XTND XMIT extension to POP (Post Office Protocol, which is generally used only for receiving mail). If both your mail server and your email program support XTND XMIT, you can send email via POP as well as receive it. Since POP is authenticated, XTND XMIT works for sending mail no matter how you connect to the mail server in question. Contact the support folks at your ISP if you think you might want to use XTND XMIT. They should be able to tell you if their mail server supports XTND XMIT, and they may know how to turn it on in your email program (it's a somewhat hidden setting in Eudora for both Macintosh and Windows, though I don't know about other email programs). [ACE]


NetBITS sponsored by Point of Presence Company.


Winning the MIME QP Doll

by Will Mayall <mayall@fogcity.com>

[NetBITS reader Donovan Watts <actionman@earthling.net> asked why it is that a number of email messages in Claris Emailer, mostly digest versions of mailing lists, contain equal symbols at the end of some lines. Although this annoyance is by no means limited to Emailer, we turned to Will Mayall of Fog City Software, developers of Emailer and the extremely neat LetterRip mailing list management software, for the answer, which turned out to be rather complex. Take it away, Will. -Adam]

<http://www.fogcity.com/>

The short answer to why you sometimes see equal symbols in your email is that Claris Emailer, like most modern email programs, is MIME (Multipurpose Internet Mail Extensions) compliant. The problem is that sometimes mail is forwarded by servers that strip out some of the information necessary to identify and decode the MIME content properly. This isn't necessarily the fault of any of the programs, but is usually a result of a mixture of old and new standards.

To encode extended ASCII characters (8-bit ASCII), MIME formatted messages generally encode the text using quoted-printable (QP) encoding. QP generally leaves normal ASCII (7-bit) alone and only encodes the extended ASCII. Extended ASCII characters are encoded with an equal symbol followed by the hex value of the character. That's why you sometimes see things like =E3 embedded in the text. QP must also encode = symbols since they are part of the encoding process. (This is a reason to avoid using = symbols as "cosmetic" items in text.)

QP also marks all "soft" line breaks with an = symbol followed by a carriage return. Soft line breaks occur when carriage returns are automatically inserted within paragraphs to keep line lengths less than 76 characters. The = symbols at the ends of lines are generally the most distinctive aspect of a QP-encoded message that has not been decoded.

Incidentally, soft line breaks are one of the most obvious differences between most QP encoded messages and "old style" messages. Messages used to always have hard returns within paragraphs when the lines in paragraphs were longer than 75-80 characters. This was necessary due to limitations in some mail servers. QP maintains the line length restriction, but marks the artificial line breaks. Then, when the message is decoded, the line breaks are removed. Some email programs, most notably Netscape 2.0, improperly display the decoded paragraphs as a single long line of text that never wraps.

Also as an aside, the QP encoding was designed in such a way that even if a message has been encoded but then not decoded, the encoding is not so obnoxious as to make the message unreadable. This was an elegant solution to the problem of backwards compatibility.

There are two reasons why QP encoding might remain visible in a received message. First, if you use a non-MIME compliant email program, it won't decode the QP encoding, so it will remain in the text. Second, if the necessary information that tells your email program to decode QP is missing, your email program won't know how to do the decoding.

In email, information about the message is generally maintained in a header line, and MIME messages insert at least one header to identify that they are MIME messages. It looks like this:

Mime-Version: 1.0

In addition, if the message is QP encoded, there will also be at least the following header, although generally there are several others:

Content-transfer-encoding: quoted-printable

Email programs need to know that a message is a MIME QP encoded message for a message to be properly decoded. If a message lacks the above headers, it won't be decoded.
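
The decoding rules and the header dependence described above, as an added Python example (not part of the original article and not Emailer's code). The sample message, the function names, and the residue-counting heuristic are constructed for illustration; header folding is ignored.

```python
import re

# Constructed sample message: QP-encoded body with both MIME headers present.
SAMPLE = (
    "From: sender@example.com\r\n"
    "Mime-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=iso-8859-1\r\n"
    "Content-transfer-encoding: quoted-printable\r\n"
    "\r\n"
    "The caf=E9 bill was 2+2=3D4 francs, which is a long sentence that the =\r\n"
    "sender's program wrapped with a soft line break.\r\n"
)

# The same message after a gateway or digest builder dropped the MIME headers.
STRIPPED = "\r\n".join(
    line for line in SAMPLE.split("\r\n")
    if not line.lower().startswith(("mime-version", "content-"))
)


def split_message(raw):
    """Return (headers, body); header names are lowercased, folding is ignored."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def qp_decode(body, charset="iso-8859-1"):
    """Undo quoted-printable: drop soft line breaks, then expand =XX escapes."""
    data = body.encode(charset, "replace")
    data = re.sub(rb"=[ \t]*\r?\n", b"", data)            # "=" at end of line
    data = re.sub(rb"=([0-9A-Fa-f]{2})",                  # "=" + two hex digits
                  lambda m: bytes([int(m.group(1), 16)]), data)
    return data.decode(charset, "replace")


def display_text(raw):
    """Decode the body only when the headers declare MIME and QP."""
    headers, body = split_message(raw)
    cte = headers.get("content-transfer-encoding", "").lower()
    if "mime-version" not in headers or cte != "quoted-printable":
        return body                                       # shown as received
    m = re.search(r'charset="?([\w.-]+)', headers.get("content-type", ""), re.I)
    try:
        return qp_decode(body, m.group(1) if m else "us-ascii")
    except LookupError:                                   # unknown charset label
        return qp_decode(body)


def qp_residue(text):
    """Heuristic: count (lines ending in "=", =XX escapes) left in shown text."""
    soft = sum(1 for line in text.splitlines() if line.rstrip(" \t").endswith("="))
    escapes = len(re.findall(r"=[0-9A-F]{2}", text))
    return soft, escapes


if __name__ == "__main__":
    for label, raw in (("with headers", SAMPLE), ("headers stripped", STRIPPED)):
        shown = display_text(raw)
        print(label, qp_residue(shown), repr(shown))
```

A nonzero residue count on displayed text is the symptom the reader asked about: the body was encoded, but the headers that would have triggered decoding never arrived.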

Although mail servers are not supposed to remove headers, there are a few miscreants that monkey with the headers. These are often gateways to local email systems. So, if your organization uses one of these gateway programs, your email program won't know how to decode the QP encoding, even if it is capable of doing so.

Another common source of the problem is mailing list servers. Mailing list servers are not simple mail servers. Not only do they forward messages like other mail servers, they also create digests of multiple messages. The digests are where the problem arises.

Remember that the proper message headers are extremely important. Without the headers, the QP encoding is not decoded. In most digests, most of the headers for each individual message are removed. In particular, MIME headers generally bite the dust.

Since a digest can include both encoded and non-encoded messages, it is sent without QP headers and therefore won't be decoded. Although annoying to some, this technique is in fact the conservative and correct thing to do. There is little that can be done to avoid the problem other than to encourage others not to send QP encoded messages to mailing lists.

A solution to the issue of MIME messages in digests does exist. There is a standard (RFC) for a MIME digest, which retains enough information about each individual message within the digest that each individual message can be decoded. However, there are several problems even with MIME digests:


NetBITS sponsored by Northwest Nexus.


Computer Crime 101: Nothing New Under the Sun

by Brady Johnson <brj@dbug.org>

People began committing crimes with personal computers soon after the machines started rolling off assembly lines. Early crimes, such as those involving hacking into mainframes, viruses, and fraud, haven't disappeared; however, recent computer crimes noted in the media concern issues like sexual predators, credit card theft, child pornography, and scams. In one famous case, a Trojan horse (a malicious program that masquerades as something else) promised free pornography, but instead dialed ruinously expensive international telephone calls.

In this informal article series, I plan to examine what computer crime is, how traditional laws address it, and if and why we need new legislation to deal with it. I plan to explain the principles of criminal law and how they relate to crimes committed via the Internet. I'm primarily discussing United States law and the English common law legal tradition; many areas are similarly legislated worldwide. This week we'll look at what constitutes a computer crime and the requirement for due process.

Regulation and Attempted Regulation -- When the public perceives an increase in crime, it cries out "there oughta be a law," and demands greater protection and stiffer penalties. In response to such concerns, the U.S. Congress enacted the Computer Fraud and Abuse Act (CFAA) in 1984, and in 1988 and 1994 the law was further amended and clarified.

<http://www.digitalcentury.com/encyclo/update/comfraud.html>

Despite Congress's efforts, the CFAA lagged behind public concerns, causing individual states to criminalize actions such as "computer trespass" and "unauthorized access." For example, Florida passed the first computer crimes bill in 1978. Nearly every state has enacted computer crime legislation since then.

In the past few years, the President and Congress have tried to regulate computer use in general and the Internet in particular. One such effort has been the White House's advocacy of software key escrow, which would allow law enforcement - police, FBI, Secret Service, etc. - with the proper subpoena to access escrowed encryption keys, and thus decode encrypted information from any computer using exportable encryption technology.

<http://www.law.miami.edu/~froomkin/articles/planet_clipper.htm>

Another effort was the recent spectacular failure of the so-called Communications Decency Act (CDA), which was thrown out by the Supreme Court for trampling on the First Amendment rights of free speech. Software key escrow, the CDA, and similar efforts to regulate computer use arose in response to the public outcry over computer crime.

<http://www.ciec.org/SC_appeal/decision.shtml>

What is Computer Crime? But does our society require all this legislation? What exactly is computer crime? This simple question is difficult to answer because the wording of a statute must be careful to avoid the convolutions that different interpretations can bring. One's first reaction to the question might be, "It's a crime committed with a computer." Of course, such a loose definition would include picking up a computer and throwing it at someone. Although that is indeed assault, it is of course not the heart of what I mean by computer crime.

"Hmm," one might go on. "What about a crime committed against a computer, such as stealing it?" Although this is a crime against a computer, it is simple theft and requires no new legislation. The recent case of a Seattle-area man shooting his computer in frustration would probably not have qualified as computer crime. To discuss computer crime meaningfully we might consider a crime committed against the data on a computer, or more specifically, on the computer's hard disk. (Crime committed with data, such as transmitting child pornography, is illegal regardless of means.) To understand computer crime, let's look at things people do with computers that are considered criminal.

No New Crimes -- Dialing into a remote computer and moving or deleting files is widely considered a criminal act, and is often part of legislation concerning computer crime. In essence, such hacking involves accessing another person's data via an online connection, then viewing or copying the data, or even deleting it. However, this intrusion has a great deal in common with old-fashioned burglary, where a criminal sneaks into someone else's property and steals valuables. Often such theft is done for profit, but as with burglary, it is also done on dares or "just for fun" by the misguided.

As another example, if you use the Web much, you've probably seen warnings that you are entering a "non-secured area" and that data entered in a form will not be safe from prying eyes. Some data you might not much care about, but other information, such as a credit card number, you don't want to expose to the criminal element. Credit card theft is a serious problem, but whenever you use your card, whether on or off the Internet, you increase the risk of the number being stolen. Credit card fraud predates computer use by years, however, and is already subject to criminal penalties.

Finally, as a third example, selling, viewing, or otherwise handling general pornography on the Internet isn't in itself a crime in the United States or most Western nations, and pornography itself predates the Net by thousands of years. However, specific types of pornography, like that involving children, are highly illegal almost everywhere. Criminal penalties for pornography are enforceable on the Net and off, as well as on private bulletin board systems, though jurisdiction may limit or expand prosecution. Recent test cases by the United States Postal Service and online crackdowns by the FBI - the authority for investigating violations of U.S. federal law - on child pornography have attempted to establish jurisdiction across state lines from where the data was housed and in cyberspace regions like America Online.

What About New Legislation? If there are no new crimes, why do we need new legislation? The answer lies in how the law perceives and defines crime. Criminal law must be extremely specific so that "due process" is served. In short, that means that the citizenry must be able to look up and read the law and understand specifically what actions are prohibited and will be punished. Thus, criminal statutes tend to be quite precise in their wording, and conduct that is not clearly included will not be punished. In the case of computer crimes, cases brought under traditional criminal statutes can end up being dismissed because of the way the crimes were defined.

For example, breaking into a computer through a modem and copying confidential files is theft according to a common sense definition. But most traditional criminal statutes define theft in terms of "carrying away" property "of value." Electrons have no value, and since they also lack substance, they can't be carried away. As a result, criminal charges brought under traditional theft statutes for stealing computer programs have been dismissed.

For instance, in the 1972 California case of Ward vs. Superior Court, the defendant was accused of stealing computer source code from his ex-employer. He had used an access code to gain entry to the employer's computer, where the software was stored. Like many theft statutes, the California statute required that the item be "carried away." The defendant was convicted under the statute because he had printed the source code and carried the printout away. Had he copied it to a floppy disk, the result may have been different - the statute did not include the theft of patterned magnetic oxides on a substrate.

Similarly, common sense says that breaking into a computer is conceptually no different than entering property without permission - it is trespass. But, criminal statutes define trespass as the "physical entry" onto property of another. Connecting to another person's computer does not involve physical entry and does not violate traditional criminal trespass statutes. And further, looking at another person's files - even confidential ones - is not a breach of any traditional criminal law. As a result, most states have passed specific laws dealing with "computer trespass" and "unauthorized access."

Tune in Next Time... I hope it's clear by now that although computer-related criminal conduct is simply a variation on age-old themes, the fact that it is often done almost spectrally, without physical intrusion or taking of material goods, sets it outside traditional criminal law. How have the courts dealt with this problem? In the next segment of this series, I'll expand on this information and introduce the basic principles of criminal law. After that, we'll turn our attention to U.S. federal and state computer laws with a focus on crimes committed via the Internet or other online methods.

[Brady Johnson is a Seattle attorney who focuses his practice on criminal law, plaintiff personal injury, and civil rights. He currently has a civil rights case pending before the U.S. Supreme Court.]


NetBITS sponsored by NeTProfessional Magazine.


FAQtoids 005

Question: What does a local dial-up number do? Richard Wanderman <richard@ldresources.com> writes about accessing Boston-based TIAC (The Internet Access Company) through a local dial-up phone number in Torrington, Connecticut. He notes that he used to use a number in Hartford, Connecticut, and that often the Torrington number is busy and Hartford's isn't. Richard asks: how is this possible?

Answer: When you call a local dial-up number, you're generally calling a secondary physical location (often just a single room) called a "point of presence" (or POP, not to be confused with the email Post Office Protocol, which is also abbreviated POP) where a bunch of modems are linked to devices called "terminal adapters," which in turn link to routers that connect to high-speed digital phone lines back to the main facility.
When you connect to a modem at a POP, the modem answers the call, turns to a terminal adapter for login authentication - usually a matter of consulting a remote database of usernames and passwords - and establishes the necessary protocol, usually PPP. Once those actions have taken place, the connection is set up and you can access Internet resources.
POPs typically rely on high-speed connections ranging from 56 Kbps to T1 (1.544 Mbps) to link to the central ISP facility, where the ISP connects to the rest of the Internet and maintains the bulk of their bandwidth and equipment.
In essence then, each POP is a little network hub in itself - an arm of the Internet - connected to the rest of the Internet via the ISP. Some large ISPs, like PSI, UUNET, SprintLink, and CompuServe, run hundreds of thousands of modems in thousands of POPs across the United States. They lease access to these POPs to other providers (like EarthLink, for instance) so that users can dial in from most locales without incurring long-distance charges.
To answer Richard's specific question, the two POPs might have different numbers of modems, or perhaps more people know about the phone number of the first one. Thus, it would be more likely that all the modems in the first POP would be in use, whereas at least some modems in the second POP would be free. [GF]

[Please send us all Internet questions surrounding topics of current or historical interest at <faqtoids@netbits.net>, and include your full name and email address. Questions may be edited for content and length. We cannot guarantee publication or a reply.]


NetBITS sponsored by Peachpit Press.


NettersLetters/23-Oct-97

Ramping Up Cheaply -- Ole Eichorn <ole@pacbell.net> writes about a nifty device he's found useful to give himself a virtual router without woes.

I've been using a WebRamp ISDN router in my house for six months, and it is wonderful. I have a PC and four Macs on a little 10Base-T Ethernet network, and the WebRamp ties them all in to my ISP (Pacific Bell) with no problems. The WebRamp acts as a DHCP server for my network, and "maps" the requesting IP addresses into the single dynamic IP address assigned by PacBell when I connect (enabling all of my computers to be surfing concurrently). It also allows one or both channels to be used as an analog phone line.

ISDN Purchasing Advice -- Louis Lee <louie@louie.net> offers some advice from his experience as a major ISP network engineer in purchasing ISDN equipment for companies.

Try to obtain demo models of the routers for which you are shopping. You're going to live with this router a long time, so make sure you're comfortable with its configuration interface.
Ask your ISP's support team about which model to buy. Most technical support representatives can be very frank about equipment they've encountered. At the very least, they can tell you what has been known to work well with their equipment.
Consider purchasing the ISDN router with administrative support from your ISP if you are willing to assume a small security risk.

Who's There? Joe Bates <jbates@loop.com> points out an important element to the aggravation that is spam.

Maybe I'm missing some essential point here. In all of the discussions of spamming, the legislative and administrative solutions available or proposed, it seems that it all comes back to one point: all email messages should have a legitimate email return address attached to them. Knowing the true point of origin allows the recipient, the ISPs in the sending chain, and anyone else who cares, to be able to backtrack to find the source of the message sent. The only legislation needed is a regulation or law that makes it illegal to spoof the originating address and specifies a fine for each message sent with a false address.

[Please send letters to the editor to us at <letters@netbits.net>. Please include your full name and email address. Letters may be edited for content, grammar, and length. All letters become the property of TidBITS Electronic Publishing. We cannot guarantee publication or a reply.]


Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies.
