It surprised me too, but it turns out that AT&T wasn't lying in those commercials: This Internet thing is so miraculous that it is indeed possible to exchange e-mail with the dead. Elvis is doing well and complains that if it weren't for the blatant cheating of the team of Jack Benny and George Burns, he and Jimi Hendrix would have swept the All-Afterlife Contract Bridge Tournament this year. Babe Ruth apologizes to Red Sox fans everywhere but adamantly refuses to lift The Curse, and Ben Franklin has been posting on comp.sys.mac.comm almost daily with his problems getting Open Transport to run on his PowerBook 170.
All these private e-mail messages and public Usenet postings are real. See the return addresses: elvis @uu.net, benfrank1776@aol.com, dabab @yankees.com? I hope that eliminates any lingering doubts. Why, I even have copies of each of these messages right here on my hard disk, along with a public posting from George Lucas revealing that the next Star Wars film will follow the plot of The Bridges of Madison County rather closely.
That last one I didn't have the guts to actually post, but I could have, as I did the others -- unfortunately, forging (or "spoofing") e-mail and Usenet postings is trivially easy.
For better or worse, the mainstreaming of e-mail has arrived with a misguided trust in e-mail security. Perhaps that's because there's yet to be a Chernobyl of spoofing -- an incident so hairy and so attention-grabbing that every system administrator is immediately directed to ensure that it never happens again. For the most part, spoofers have seemed content with the odd prank or two or with engaging in cowardly Usenet slander under the name and address of some innocent party.
Nonetheless, the danger is real, and our own innocence about e-mail is what makes us so vulnerable. If you were to receive a letter in the U.S. Mail from the president calling upon you to arm yourself and mass upon the Canadian border awaiting orders to invade, it would probably occur to you that anyone could put down 1600 Pennsylvania Avenue as a return address. But if the message were sent via e-mail, there would be that momentary confusion. I mean, silicon was involved. That stuff ensures that my microwave popcorn is cooked to perfection at the touch of a button, so any message it transmits must be more secure than one sent on a piece of paper, right?
Tampering Techniques
If anything, such a message is far less so. In the far-gone days of my misspent youth, I forged e-mail on occasion (I hasten to point out that this fell under the umbrella of Exploring the Many Wonderful Undocumented Features of RPI's UNIX System). That was nearly a decade ago, but those same simple techniques still work. And if they don't work on a particular system, there are a dozen others that will -- from tampering with UNIX mail software to using standard software to spoof a message's source-routing info to doing a simple Web search for an 18-line program that will return a list of vulnerable mail and news servers. It's a simple crime to commit and a complex one to solve; a clever spoofer can plant forgeries in such a way that only a team of a dozen system administrators poring over reams of activity logs could trace the message.
We do have a couple valuable weapons on our side: rampant paranoia and the stupidity of the unsavory element of society. Before your boss's angry and out-of-the-blue termination notice causes you to reply with a message in which the word orifice is prominently featured, check the message header (which most mail readers hide unless you specifically ask to see it). If your cyber pink slip was transmitted from Boston to New York by way of Delaware, Murmansk, and Kyzyl, you might be looking at a forgery. Your system administrator might be able to spot strange anomalies in the message header that you'd never notice. Check the time stamps to see if they match up with the sender's most likely working hours. Look for oddball characters in the user-name portion of the sender's address (andyi287aa@world.std.com); some spoofing techniques require that the address be unique.
Also, check the "organization" line and trust, for instance, that Bill Gates knows there's only one f in Microsoft. Your only bulletproof protection, unfortunately, is to encrypt all your e-mail with PGP software (slide on over to http://www.eff.org/pub/Net_info/Tools/Crypto/ for your copy) and publish your "public key" -- encourage your circle of pals to do the same. Unlike most other popular encryption schemes, PGP offers two-way security; if the receiver decrypts your message with your public key, then that person can rest assured that only a sender who knows the private key -- you -- could have encrypted it.
Still and all, your second-best defense will always be a healthy and mature skepticism in the face of Truly Suspicious-Sounding E-Mail; your finger should be poised over the panic button whenever people invite you to send them your password or credit-card numbers. The best defense, of course, is to have a tortuous Ellis Island name such as mine. Oh, the nightmares I've dodged thanks to poorly forged letters signed Andy Ikhanko....
