THE BLACK BARON THE SAD TALE OF CHRIS PILE'S 15 SECONDS OF FAME In mid-November 1995, the English trial of virus-writer Chris Pile ended with a bang after months of stops and starts when the 26 year-old Devon man was sent away for 18 months as punishment for spreading and inciting others to distribute the SMEG computer viruses, programs of his design. It was a depressing tale that stretched over a year, from Pile's arrest and the confiscation of his computer by New Scotland Yard's computer crime unit in 1994, to his conviction in Crown Court in mid-1995, to the inevitable sentencing which sent him up for a year and a half stint in an English bighouse the same week when many others in computerland where trotting out shiny new wares at ComDex in Las Vegas. During the case, Pile admitted to five counts of unauthorized access to computers to facilitate crime and five of unauthorized modifications of computer software between 1993 and April 1994. He also confessed to a charge of inciting others to spread viruses. The English newspaper The Independent referred to Pile, known briefly as the Black Baron in the virus underground, as a "'mad and reclusive boffin' who wreaked havoc on computer systems by spreading [viruses] . . . across the world . . ." [Webster's New World Dictionary informs readers "mad boffin" is Brit slang for "mad scientist."] The Times asserted Microprose had been struck by one of Pile's SMEG viruses and estimated that it lost 500,000 pounds in business and wasted 480 man hours checking files for Pile's replicating code. Another company, named Apricot, was claimed to have been closed while clearing a third of its machines from a Pile-written virus infection. In America, Dr. Alan Solomon - developer of the UK-based Solomon Anti-virus Toolkit (S&S International), worked the news of Pile's downfall into a presentation given by his firm at ComDex in Las Vegas, Nevada. The following week, Graham Cluley - a colleague and employee of Solomon at S&S, privately remarked on the Compuserve on-line service that the severity of Pile's sentence surprised him. Treatment of Pile, an unemployed self-taught programmer, by the English press was slightly reminiscent of the US media's portrayal of Kevin Mitnick. For the press, Pile was writ large as a young cyber-madman bent on corrupted programming that resulted in computer data damage escalating into the millions of dollars. Worse, his code was said to be in the hands of shadowy criminal arch-fiends in the US and Europe. Mitnick, of course, had been attributed with cartoonish superhuman malevolence by the US media, a man dangerous enough to bring down the Internet, steal the Christmas card list from your computer and/or break into military computers controlling NORAD. English newspapers repeatedly reprinted the activation message from Pile's SMEG.Pathogen virus. "Your hard disk is being corrupted courtesy of PATHOGEN! Programmed in the U.K. (Yes, NOT Bulgaria!) [C] the Black Baron 1993-94. Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator! 'Smoke me a kipper, I'll be back for breakfast.....' Unfortunately some of your data won't!!!!!" Only superficially baleful and menacing, the message was a mixture of quote from an English TV show named "Red Dwarf" and the stereotypical gloating anti-style of previous virus writers too numerous to count. For The Independent Pile was the "most famous" of virus-writers and the "most dangerous" of a small band of them working in England. The Independent exaggerated when adding further that Pile's viruses, called SMEG.Queeg and SMEG.Pathogen, were "the two most sophisticated ever written." This was probably surprising news even to the anti-virus software developers interviewed for the Black Baron stories. Indeed, Alan Solomon's "Virus Encyclopedia," a compilation of technical notes on computer viruses gives them a page a piece, neither much more nor less than the hundreds of other entries in the book. Pile's viruses, however, had reached "criminal elements" working in Northern Ireland, the US, and Germany, according to the Independent. The demonization and denunciation of Pile was unusually harsh in light of the fact that prosecution witness Jim Bates commented to Crypt Newsletter that UK authorities were uninterested in sending officials overseas to collect evidence on the SMEG viruses in the United States because a guilty verdict had been arrived at by mid-1995. Bates was the prosecution's point man in the case against Pile. He was, perhaps, the most experienced for the job, having played a starring role in another famous U.K. computer crime case - the prosecution of Joe Popp for the AIDS Information diskette extortion scheme - in 1991. In late 1989, Jim Bates was among the first to examine software called the AIDS Information Trojan. The AIDS Info Trojan, as it became known, was used as part of a computer blackmail attempt launched by Popp, an erratic scientist living in Cleveland, Ohio. Popp had concocted a scheme to extort money from PC users in Europe. It involved the programming of a software booby-trap that masqueraded as a database containing information on AIDS and how to assess an individual's risk of contracting the disease. The database, as one might expect, was trivial and contained only the barest information on AIDS. However, when an unwitting user installed the software, the AIDS Information Trojan created hidden directories and files on the computer while hiding a counter in one of the system's start-up files. Once the count reached 90, Popp's creation would encrypt the directory entries, alter the names of files with the intent of making them inaccessible and present the operator with a message to send approximately $200 to a postal drop in Panama City for a cure reversing the effects of the program. The AIDS Information Trojan came with a vaguely menacing warning not to install the software if one didn't intend to pay for it at once. Popp mailed 20,000 sets of the trojan on disk to users in Europe, apparently subscribers to a now defunct magazine called PC Business World. The plan quickly fizzled but Bates was among the first to analyze Popp's AIDS software boobytrap and supplied technical reports on it to English authorities. The disks were eventually traced back to Popp and New Scotland Yard began a lengthy process of extraditing him to England to stand trial for computer blackmail in connection with the disks, a battle which took almost another two years. Bates was flown to Cleveland during this time to present evidence in court which persuaded American authorities to hand over Popp for extradition to London. Bates also analyzed Popp's original AIDS Information Trojan software, source code and a program which was evidently intended to reverse the effects of the logic bomb, thus regenerating a victim's data. However, instead of going smoothly, the Popp trial became a source of controversy. It was claimed the Cleveland man was unfit to stand trial because he began wearing a cardboard box over his head, making it impossible to determine whether he was legitimately non compos mentis or merely shamming. As a result, Bates said to Crypt, Popp was declared a "public disgrace" by the court and ejected from the country. In England, this is an unusual classification which, apparently, allows the case to remain open, the purpose being - on this occasion, according to Bates - to discourage by intimidation the authoring of books or a publicity tour of talk shows in the United States by the defendant. At the time, it was difficult to tell if Bates was being serious or facetious. Chris Pile, unlike Joe Popp, appeared not to be flat crazy. Plus, his computer viruses worked too well. It didn't take much work to scare the uninformed with them. And Pile's legal defense team was unable to muster the kind of sophisticated defense necessary to mitigate Jim Bates' expertise. For Pile's prosecution, Bates furnished collection and evaluation of evidence relating to the spread of the Pile/SMEG viruses and damages attributed to them. Pile, said Bates, had attached a SMEG virus to a computer game and uploaded it to a bulletin board system in the United Kingdom. The virus writer had also targeted the Dutch-made Thunderbyte anti-virus software, initially by infecting one of the company's anti-virus programs distributed via the shareware route. After examining software and source code for Pile's computer virus encryption engine, named the SMEG, Bates also maintained Pile had invested a great deal of time in fine-tuning subsequent editions of it so it specifically generated computer virus samples opaque to the Thunderbyte anti-virus scanning software. This, Bates said, indicated an pro-longed effort and intent aimed at ensuring the spread of the SMEG computer viruses. Although there has been little unusual about this habit of virus writers since 1993, it surely must have seemed remarkable techno-magic to the English Crown Court. The judge treated it so. "I dare say you were looking forward to reading in the computer press about the exploits of the Black Baron," said judge Jeremy Griggs to the defendant. "Those who seek to wreak mindless havoc on one of the vital tools of our age cannot expect lenient treatment," he added before sending Pile over for eighteen months. In the wake of Pile's sentencing, English newspapers continually exaggerated the virus-writer as an international menace. The Times of London echoed The Independent's hyperbole, maintaining Pile had written a "training manual" for virus-writers found "in America and Northern Ireland where it was being used by criminals." By nature, the computer underground distributes its technology quickly, sometimes worldwide in a matter of hours or minutes. And, indeed, so it was with Pile's virus specimens and his "training manuals." However, it must have seemed bitterly ironic that absolutely no one in the computer underground used Pile's technology and advice in their own efforts, despite the opinions of the British press. Rather, they become only a few more easily forgotten electronic curiosities stored on the dark and dusty shelves of virus-writers roaming the Internet. Ali Rafati, as part of Pile's legal defense, said his client was a "sad recluse." The real Pile is difficult to describe in any detail even though an excessively overwrought and lugubrious "Biography of a virus-writer" was written about him by a cyber acquaintance and circulated widely in the computer virus underground in 1994, just days before he was arrested by New Scotland Yard. As bombastic as anything written by The Independent, Black Baron's biography begins: "In 1969 Neil Armstrong stepped onto the moon. It was a momentous year for the world. But no-one [sic] at the time paid much attention to a baby boy being born in a town in southern England. This baby boy was destined to grow into one of the most infamous computer virus writers of all time. In 1969 The Black Baron was born!" Curiously, almost 80 percent of the Black Baron's "biography" is a reprint of material written by Ross M. Greenberg, a semi-retired programmer who wrote the Flu_Shot and VirexPC sets of anti-virus software. The reprint dates from 1988 and contains standard anti-virus rant and rave, calling virus-writers "worms." One supposes it could be called mildly irritating by the thin-skinned. In any case, if the Black Baron's biography is taken at face value, Greenberg's anti-virus-writer spiel was the seed that formed the basis of Pile's desire to write viruses as a means toward impressing people. Black Baron's biography reads (errors reprinted), ". . . when computers stop attracting social inadequates, but whom I am refering to the arrogant members of the anti-virus lobby as well as the nefarious virus authors. But what of the Black Baron? What is he? Is he a malicious criminal? A computer terrorist? A social inadequate trying to reassure himself of his own inadequacies through destroying computer data? I don't [believe] so. I have spoken to Black Baron on a number of occassions. He is happy to discuss his work, and, at my request, he has even released a document detailing the design of SMEG. He doesn't feed on the panic and fear that SMEG viruses such as Pathogen and Queeg cause. Rather he revels in the embarrasement and panic which his software causes the arrogant anti-virus writers." At the time, Pile was unemployed. The "biography" concludes: "After talking with him, I understand the Black Baron. I feel sorry for him as well. He is a highly gifted individual who has not been given a chance by computer society. So he has made his own chance. We all need recognition. Mainly through employment, but we as thinking machines must receive recognition for our abilities. Otherwise we sink into melancholy and paranoida. Black Baron has received his recognition. We, the society are responsible for the creation of Pathogen, Queeg, SMEG and all the other computer viruses. We have no one to blame but ourselves. It is our desire to keep the computer fraternity a closed club which has alienated so many of our colleagues. By rubbing their noses in it, so to speak, we have begged for trouble, and like the inhabitants of Troy, we have received it." English newspapers reported Pile had confessed to police he had written the viruses to "increase his self-esteem" and because England appeared not to have produced any virus writers capable of programming samples capable of spreading in the real world. The legal offices of Rafferty and Woodmansea, Pile's legal team were contacted repeatedly by Crypt Newsletter but could not be reached for opinion. Surprisingly, a secretary on the end of the phone claimed they lacked e-mail addresses. (c) 1996 Crypt Newsletter