
Automata Non Grata
Joshua Quittner tracks down the person,
or more accurately, the "bot," that is impersonating him
on Internet Relay Chat.
By Joshua Quittner
One day not too long ago, I found myself reading a strange piece of e-mail.
It was a message that appeared to have bounced back to me.
A daemon somewhere returned the e-mail as undeliverable. That wasn't unusual;
happens all the time, of course. What was weird was I had no recollection of
sending this particular message. The header yielded little information. There
was no name in the To: field and the From: field showed one of the e-mail addresses
I was then using - jquit@mindvox.com. Since this was not an account I typically
used for correspondence, I double-checked the body of the message and saw that,
sure enough, someone had committed electronic impersonation. I had never written
the thing; truthfully, I didn't even know what it was.
The body of the message was about 50 lines long and looked like some kind of
executable script; it was certainly some kind of programming language.
The thing was labeled "IRC 'BOT."
Now, I have long known what IRC is - the Internet Relay Chat, a "place" where
anyone with Net access can go to for free, real-time chat, 24 hours a day, year
round. I had been spending a lot of time there over the past year or so - too
much time - interviewing hackers, hacker wannabes, and hacker-crackers for a
book, and hanging out with people with names like Superfly who seemed to be
online whenever they were awake. I understood the allure of "chatting" with
people who always seemed to be there when you wanted them. Of course, these
chats took place in a stark ASCII world and consisted of people typing at each
other, their sentences marching up my monitor like army ants on maneuvers at
a picnic. Still, it was reassuring to know that, any time I wanted, I could
log in to my Internet provider, type irc and, like Dorothy clicking her heels
three times, be transported to a place where life was different.
I also already knew a little about bots. Bots are the bacteria of online life,
simple software agents that perform little tasks like greeting you by name.
Kids build bots from popular scripts and modify the code, adding new and ever-more-sophisticated
functions. For some reason, bots have always had a bad reputation. As I sat
there, peering dimly at the code under my name, I recalled seeing a notice the
last time I logged in to IRC, something along the lines of "NO BOTS ALLOWED
ON THIS SERVER." I had no idea why bots were unwanted, at this point, but clearly,
someone was being bad - and trying to fob it off on me.
Why the fear of bots? Well, bot code always has the potential to be obnoxious
and unwanted. The code could contain some hidden Trojan Horse or weird little
bug that would do something unadvertised, dangerous.
Cool, I thought.
Something interesting has been going on out there in IRC land. I set out to
find out what.
At this point, I should tell those of you who don't know that the Internet
Relay Chat is a federation of Internet-connected computers, aligned in a client-server
relationship. The computers that comprise IRC share specially written software.
That software, or IRC code, permits users to establish "channels," forums where
people go to chat about specific topics, role play, or just hang out. Anyone
can create a channel by typing /join #channel name.
Like everything else on the Internet, you need to know the peculiar argot of
the place (every command is preceded by a "/") to create a channel or nickname,
chat with your pals, send and receive private messages, and generally get by.
And, like everything else on the Internet, a good how-to book, human guide,
or copious use of the ? help command are all you need to figure things out.
In this case, /join is also the command you use to go to existing channels;
if no channel exists by that name, you automatically create one. At any given
time, hundreds of channels are up and running, with something like 8,000 users
(on a slow day), giving IRC the feel of an endless, floating cocktail party.
Internet Relay Chat channels can accommodate dozens of users at a time. But
usually, only a handful of people log in to any given channel: a channel with
too many people is like a rave in a dark tunnel. You never know who's saying
what to whom. Many of the channels are private, too - invitation-only setups,
where people go for intimate chats. Most of the public channels are each devoted
to a single theme, and users float there, as if trapped in an isochronous flavor
of Usenet.
Indeed, the majority of IRC channels are constant fixtures. Take #unix, for
example, where Unix hackers go to ask (or answer) questions about that operating
system. Or #hottub, where the environment is decidedly more groin-based.
(Once, I was visiting #hottub and the participants were engaged in a lively
debate over whether women from one state had bigger breasts than women from
another. On another occasion, I helped a friend find shareware on the Net that
enabled him to read an IRC channel filled with Chinese expatriates, by and large,
who were using the software to communicate in their native ideograms. "What
are they saying?" I asked him, expecting to find lively political discourse
on recent events in Beijing. My friend frowned and translated the current discussion:
"Girls ... from Taiwan ... have bigger breasts," he said, scratching his head.)
As it happened, shortly after I got the IRC bot script in e-mail, another,
similar incident transpired.
My friend Red Sonja called me one night with some disturbing news, and I arranged
to stop by her office the next day. An ex-Air Force computer jockey whose real
name is Eileen Tronolone, Red Sonja is a system administrator at Polytechnic
University of New York, an urban technical school in Farmingdale. She has her
own office there, a tiny command post from which she orchestrates a network
of 250 or so workstations.
The first thing you see when you enter Red Sonja's office is a poster from
the Brigitte Nielsen/Arnie Schwarzenegger movie, Red Sonja. "A woman and a warrior
that became a legend," the poster reads. You look at the poster and you know
why. Tronolone took the name Red Sonja for IRC, where she spends much of her
time: she is a female warrior among geeko-barbarians. Also, she has very red,
long hair.
The second thing you see is a SPARC 10 workstation and the kind of expensively
glowing, movie-joke-sized monitor that usually makes my mouth dry. I want one.
But I had no time for overt monitor lust on that day. Red had some news to deliver.
"Looks like someone has been impersonating you on IRC," she said, wryly. (Red
is a very wry lady. She can say "How are you?" and it sounds vaguely sarcastic,
which is part of the reason I like her so much.)
Red Sonja poked at her keyboard and pulled up a file, which appeared to be
a log from a recent night on an IRC channel called #callahans. There I was.
Or rather, there was someone posing as me.
The channel known as #callahans models itself on a fictional pub called Callahan's
Crosstime Saloon, which was central to the science fiction work of the great
Spider Robinson. The fictional pub held weekly pun nights, during which characters
tried to out-pun each other in beery competition.
People typically meet on #callahans Wednesday and Sunday nights, partly as
an homage to Spider and his legendary creation, but mostly to have good old-fashioned
disembodied net.fun.
Now, with the log called up on her gigundo monitor, Red Sonja explained that
the previous Wednesday, someone had shown up on #callahans, posing as me. She
showed me the log; it was true: someone calling himself "quittner" was all over
the place, wandering around, plangent as an amateur drunk.
"And how are we this evening?" my evil twin wheezed at someone. "Hunky dory?"
(I have never used those words in my life. This was a shocking thing to see,
even coming out of my clone's mouth.)
"All life nominal?" this "quittner" poseur queried, nonsensically.
"N0mbrist," he said to someone on #callahans, using a zero for an "o."
"Translate?" he said to someone else.
"Quintitiate?" he said to no one in particular. "Or simply repaginate."
At another point, my clone said: "1 n33d warezzz." This, as any Net surfer
can tell you, is how a young, "élite dude" on the make might ask for pirated
software on a typical hack/phreak board. (Translation: "I want pirated software.")
Red Sonja, who happens to frequent #callahans, had invited me to the channel
some time ago and initially thought this was me. But, she quickly came to realize,
it wasn't me at all - something that became clearer when she sent "quittner"
private messages he failed to respond to.
I should note that on IRC, visitors can choose any nickname for themselves
so long as the name they want isn't already in use. So, you could go on IRC
right now and type /nick quittner. And, assuming the name "quittner" was free,
you'd get it. That's not what alarmed Red Sonja here. This person had hacked
me deeper. When Red Sonja issued the command /whois quittner, which is how you
find out who's behind a nickname, here is what she saw:
<quittner is jquit@mindvox.com (Mr. Brown) on irc server irc.colorado.edu
(Univ of Colorado Server 2.8)>.
Though I was indeed jquit@mindvox.com, I have never used the handle Mr. Brown;
the only Mr. Brown that comes to my mind is in the movie Reservoir Dogs. Nor
could I find a Mr. Brown on MindVox.
Red Sonja said that Mr. Brown, whoever he is, could have hacked me in one of
two ways. He could have simply hacked my MindVox account. This was certainly
a possibility. MindVox is a Manhattan-based Internet provider that was started
by a couple of guys with deep connections to the hacking underground. Their
system attracts lots of ex-hackers of some repute, including the great Lex Luthor,
a kid who founded the notorious Legion of Doom. I had long heard stories of
different people having root access to the service, and frankly, this didn't
bother me. I rarely changed my password there, since I would never store sensitive
information on that system. In a world with tinsel locks, privacy is a dangerous
illusion.
Still, here was someone who appeared to have hacked my account to go joy riding
around in my online identity. Not car theft - personality theft.
Red Sonja said there was another way, though, that Mr. Brown could have obtained
my name without going to the trouble of hacking my password on MindVox. He could
have hacked me further up on the IRC food chain.
The Internet Relay Chat is kind of a free-floating confederation of servers
and clients in more than 60 countries. Users like me run the IRC client, which
connects to server software running on certain machines around the Net. This
network of computers running IRC code is the backbone of the IRC federation.
The IRC code was written by a Finn named Jarkko Oikarinen in 1988, as a variation
of the popular "talk" program that allows two people to type messages to each
other on the Internet.
Red Sonja said that Mr. Brown could have nabbed my online identity by exploiting
two well-known security holes - dubbed Jupe and Grok - in an older version of
IRC client source code. Through these two holes, called Trojan Horses, any user
could gain access to my account. "This kind of thing is happening all the time
these days," she said. "It's getting to be a real nuisance."
I asked Red Sonja about bots and the script that someone had sent out under
my name. You can store the code for your bot in your shell account, or on your
PC, and launch it just like you'd activate any program. Many bots, once they
appear on a channel, have the terms bot or srv or guard as part of their nicknames.
But often, a bot looks like any other human user, and you might not be able
to tell you're hanging out with software. Sonja said that these days, "bots
are being used to help people keep ops during net splits."
Ops and net splits? Jargon alert! Sometimes, during network outages, the servers
in the IRC federation lose touch with each other, and the integrity of the network
collapses into a mess of disconnected nodes. This is known as a "net split,"
Sonja said. When this happens, it's as if an ant colony has been dispersed by
a thunderstorm. The whole IRC world momentarily crumbles and must rebuild itself.
Most important, all the long-standing channels must be reestablished by users
going out and reclaiming them. The first person to name a channel #unix from
then on controls #unix, at least until the next net split. Within seconds of
the network coming back online, for instance, you'll see #unix back up there
and #hottub, of course, and #callahans. A person who creates a channel is known
as its operator and may have the ability to kick other people off that channel,
or even ban them from getting on. Those privileges can then be passed to others
who oversee the channel. Having those operator privileges is known as having
"ops."
Now, some folks had been writing bots that would help control their own channels,
especially after a net split. Say an intruder from the dark and mysterious world
of System 7.5 decided to wreak havoc on #unix. He could insinuate himself on
#unix by being the first one back on the channel after a net split, get ops,
and be a jerk. But ... some clever hacker could design a bot to guard the channel,
and, without getting into the fine print too much here (See "This Bot's for
You," page TK), exploit the system to kick off the intruder and maintain ops
for a #unix regular.
Red Sonja said that, for instance, groups of Christian fundamentalists attempted
to grab channel ops on various pagan channels, such as #wicca, a group of witches
that Red Sonja frequents. Another place that sees its share of takeover attempts
is #asatru, a channel "for the open exchange of information, ideas and viewpoints
between pagans," according to its original charter, which was written by a guy
called USViking.
"I'm sure most of you, or at least some of you, have had run-ins with rude
and obnoxious people on IRC," wrote USViking, whose real name is John Rumpelein.
"Some are born-again Christians, some are hackers, some are white supremacists."
Rumpelein wrote a complex bot named Mjolnir3, which he referred to as a "fascist
bot," and whose job it was to help maintain order by booting unruly or undesirable
people off his channel as a favor to #wicca. That way, if a born-again, a hacker,
or a neo-Nazi attempted to control #wicca after a net split, he or she would
be summarily booted.
This did not sit well with some live-and-let-live wiccans, and they complained.
So Rumpelein pulled Mjolnir3 back to #asatru: "Some called me a control freak,"
he wrote the day he brought his bot home to roost, "and one notable character
accused me of being a Nazi. I was trying to help people out, and I am not interested
in being insulted. Mjolnir3 ... will not be back."
Now the bot exists as one of the shining examples of intelligent agents on
IRC. Rumpelein told me that Mjolnir3 comprises 1,800 lines of C code, all of
which are copyrighted. It recognizes close to 500 users on IRC, some of whom
are banned from #asatru. It also casts runes, which are to the Viking culture
what the I Ching is to the Chinese.
Red Sonja said that she has heard of cases in which people have written "warbots,"
whose job it is to take over channels immediately after a net split. Could the
bounced e-mail in my mailbox be a wayward warbot, a crusader come home to roost
after some religious war on IRC? A bot that someone launched from my MindVox
account?
Unlikely. Rumpelein believes reports of people using bots to stage attacks
on channels are greatly exaggerated: "Most people who try to hack the channel
do it because it's fun," he wrote me, "or because their parents didn't pay enough
attention to them when they were little. Who knows? One stray 'fundie' caused
problems by interfering with free discussion - raining fire and brimstone on
everyone. But they are usually dispatched very quickly and without a hassle.
Most of them respect #asatru as our place, and in turn, we don't bother #jesus
or #gospel."
This was good to hear, but didn't exactly jibe with what Red Sonja and others
had been telling me about all the reckless bots out there. Besides, I was still
no closer to finding Mr. Brown.
So I decided to find the person who wrote the book on IRC - or, I should say,
what passes for "the book" in the world of the Net: the FAQ. Her name is Helen
Trillian Rose and she, like Red Sonja, is also a system administrator, though
at an admittedly smaller place, Kapor Enterprises, in Boston. Rose has been
a devotee of IRC since her college days, five years ago, when she and her roommate
began using it as a painless way to keep in touch with friends at other schools.
Way back in 1989, however, IRC - like the Internet - was a considerably smaller
place. Rose recalled a dozen or so channels back then, with only about 50 people
chatting at any given time on any of the channels. That began to change during
the Persian Gulf War, she said, when hundreds of people started showing up to
talk about Desert Storm - and get first-hand reports from Israelis as Scuds
rained down.
"I'd like to think that it changed in respectability" as a result of the war
usage, Rose said. "It was no longer thought of as a toy, but as a tool."
Rose is a server administrator on EFNet (Eris Free Net), the largest network
of IRC servers. As the contact person for establishing new server links, she
exercises quite a bit of control over the US portion of the IRC world. When
a new site wants to link its users onto IRC by creating its own server, Rose
must approve the addition. She gets about a dozen requests a week; most of them
are denied because they come from sites with too few users. Every time a new
server is admitted to the federation, the network becomes larger - and slower.
So new servers are added infrequently on EFNet, and only after great deliberation.
She also adjudicates disputes on the 200 servers and helps set rules. One of
the rules on her server is, No bots allowed.
"I ban bots from my servers because there's no way to tell the difference between
malicious bots and benign bots," she said. Plenty of bots fall into that former
category, especially "clone bots," a viruslike example of the species. Clone
bots can reproduce and overload a server, bringing it down faster than three
bulldogs can drop a steer.
She said the problem with my mysterious bot script was not unusual. Never run
a bot given to you by someone else, she warned. "People who run bots from other
people are asking for trouble. They typically have security holes in them. Trojan
horses are very common," she said, noting that these holes, or horses, could
easily be exploited to give an intruder access to a personal account.
Likewise, even benign bots are automata non grata on her server, which can
handle only 500 people at a time. Since a bot takes up as much space as a human,
she bans them. "IRC is a chat network, and I think people should have priority
over automata," Rose said.
Rose told me that one of the problems besetting IRC lately has been the jerk
quotient; it's going up on IRC just as it is elsewhere on the Net. She'd like
to see EFNet's server do more to create a cohesive federation, making administrators
more responsible on their local servers for the actions of their users. "I'd
like to see a measure of accountability," she said - although she has plenty
of faith that users can deal with troublemakers on their own. "Harassment can
be a problem, especially if it's consistent and the system administrator of
the site will do nothing to stop it."
Most of this harassment, Rose decided, comes from 17-year-old boys.
One Friday afternoon, I decided to have a look at how other IRC bots worked,
so I logged in to #jeopardy. Recently revived as #riskeybus, #jeopardy is where
IRC people go to play an endless series of Jeopardy games. A bot once named
alexbot - re-christened RobBot - runs the matches. Anyone can play.
As my client tucked me into IRC, I noticed that there were 774 users listed;
another 964 people showed up as "invisible," which means their names and/or
channels were not available by typing /whois. Including #jeopardy, 895 channels
were formed on 122 servers. This was a relatively small turnout compared with
the middle of the night, when thousands of people would be on. Perhaps a net
split had just occurred. Still, there was plenty of action in the channel known
as #jeopardy; 15 people were playing (or lurking) here.
<alexbot> Current category: The_Beatles. Question Value: 400. Question
27 of 30: The name of Mr. Mustard's sister.
Almost simultaneously, two people - listed as Nathan and Normzart - typed out
their answers. Nathan got there first:
<Nathan> alex: pam
<alexbot> nathan: That is CORRECT! You win 400. Your total is 400. Please
wait while preparing the next The_Beatles question.
And on and on. Each game proceeds to Final Jeopardy, when a winner is declared.
Then a game begins anew. The show never stops, like some kind of floating poker
game in the press room. I could tell, given how quickly many of the "contestants"
responded, that there were some fine minds here. Doubtless, many of them were
flunking out of school, seduced by RobBot (aka alex).
But where was Mr. Brown? On a hunch, I checked into #hack, a channel teeming
with hackers, would-be hackers, crackers, and would-be crackers. This was a
channel I had visited a lot during the past couple of years. Right off, I saw
a former hacker whom I will call Superfly. Superfly was a competent cracker
in his day, I'm told. Now, however, he works for a large Internet provider.
Some people say he likes to narc on pupa hackers he finds on #hack.
As soon as I got onto #hack, Superfly greeted me: "jquit is a punk."
I responded: "Superfly is *my* punk," wondering whether this jail-house display
of alpha-pack-leader dominance was really necessary. But it seemed to shut down
Superfly, at least publicly.
"What are you doing here? What do you want?" he asked me, in a private message.
"Quit hacking my account or I'll break your arms."
I had never met Superfly, but people I know say he is roughly the size of a
hamster, so this was a safe bluff.
"Why would I waste my time hacking your mindvox account? Anyone who wants can
get in there."
Yes. This wasn't definitive proof, but it was good enough. I had never said
anything about MindVox; indeed, I was coming onto IRC on this day from another
Internet provider. Yet here was Superfly copping to a deeper familiarity with
me. I could practically hear him say "Oops."
I'd like to think I won that little episode; my various friends in IRC have
seen neither my clone nor Mr. Brown since that initial appearance.
Of course, my home telephone number was recently hacked, and all my calls were
forwarded to an out-of-state answering machine, where people trying to reach
me heard a male voice say, "Hi! This is Josh Quittner ... I suck balls!" I figure
that was the work of Superfly, too. But that, dear friends, is a different story.
Joshua Quittner (quit@interramp.com) writes about cyberspace for Time magazine
and is co-author, with Michelle Slatalla, of Masters of Deception: The Gang
that Ruled Cyberspace (HarperCollins).