M. E. Kabay, PhD, CISSP-ISSMP
Professor of Computer Information Systems
Norwich University, Northfield, VT
This is another in a continuing series
devoted to how ordinary people can protect themselves when using the Internet.
Pranksters have been using e-mail to fool gullible people for years using a
particular sort of incorrect information: deliberate hoaxes. A hoax
is a mischievous trick, especially one based on a made-up story. There are
two major kinds of hoaxes circulating on the Internet: urban myths and false
information about viruses. The archives in the Urban Myths Web site are full
of hilarious hoaxes, some of which have been circulating for years. Before
we get into the details, let's think about the reasons that hoaxes can last
so long on the 'Net? Why don't they die out?
The problem is the distributed nature of the Internet. Information is not distributed
solely from a centrally-controlled site; on the contrary, anyone can broadcast
any kind of data any time. There are neither reliable creation dates nor obligatory
expiry dates on files, so if someone receives a five-year-old document, they
may have no obvious way of recognizing its age and they almost certainly have
no instant way of knowing that its information is obsolete or flatly wrong.
All they see is that the document has been sent to them recently, usually by
someone they know personally.
Here are some notorious examples of the bizarre and sometimes disturbing urban
myths that are thoroughly debunked on the http://www.urbanmyths.com
- Expensive cookies: someone claims that a Nieman-Marcus employee
charged $250 to a credit card for the recipe to some good chocolate chip cookies
(this story has been traced to a false claim dating back to 1948 in which
a store was accused of charging $25 for the recipe to a fudge cake.
- Don't flash your car lights: in a gang-initiation ritual,
hoodlums drive down a highway with their car lights off. Flash your lights
at them and die!
- Watch out for poisoned needles: insane, vengeful druggies
leave needles tipped with HIV+ blood in movie theater seats / gas pump handles
/ telephone change-return slots.
- Lose your kidneys: visit a foreign city, go drinking with
strangers, and wake up in the morning in a bathtub of ice with two neat incisions
where both your kidneys have been removed.
- Poor little guy wants postcards: Craig Shergold is just one
of the many real or imaginary children about whom well-meaning people circulate
chain letters asking for postcards / business cards / prayers and even money.
Shergold was born in 1980; when he was nine, he was diagnosed with brain cancer
and friends started a project to cheer him up – they circulated messages asking
people to send him postcards so he could be listed in the Guiness Book
of World Records. By 1991, he had received 30M cards and an American
philanthropist arranged for brain surgery, which worked: Shergold went into
remission. The postcard deluge didn’t. By 1997, the local post office had
received over 250M postcards for him and he was long since sick of
the whole project.
- Wish you would stop Making a Wish: Around the mid 1990s,
some prankster inserted false information about the Make-A-Wish Foundation
into the outdated chain letters concerning Shergold. The unfortunate organization
was promptly inundated with e-mail and postal mail, none of which is in any
way useful or relevant to their work.
No corporation or charity will pay you for forwarding an e-mail message.
No one is monitoring how many copies of an e-mail message are
sent to your correspondents.
- Key indicators that a message is a hoax:
- use of exclamation marks (no official warning uses them);
- use of lots of UPPERCASE text (typical of youngsters);
- misspellings and bad grammar;
- no date of origination or expiration;
- inclusion of words like “yesterday” when there is no date on the message;
- references to official-sounding sources (e.g., Microsoft, CIAC, CERT)
but no specific document URLs for details (URLs for the general site don't
- no valid digital signature from a known security organization;
- requests to circulate widely (no such request is made in official documents);
- claims that someone is counting the number of e-mail messages containing
copies of the hoax;
- threats about dire consequences if someone “breaks the chain” by refusing
to forward the message;
- claims of monetary rewards that, upon reflection, make no sense (e.g.,
the Disney organization will send you $5,000 – for forwarding an e-mail
- use of complicated technical language such as “n-th dimensional complexity
infinite control loops” that doesn’t make sense;
- claims of damage to computer hardware from viruses or other computer software.
- Before alerting anyone to apprehended threats, check the anti-hoax
pages on the Web, as suggested in the Resources listing below.
Alt.folklore.urban and Urban Legends Archive < http://www.urbanlegends.com >
CIAC Hoaxbusters < http://hoaxbusters.ciac.org/HoaxBustersHome.html
Hoax FAQ < http://chekware.com/hoax/
Urban Legends and Folklore < http://urbanlegends.about.com/science/urbanlegends/
Urban Myths < http://www.urbanmyths.com/
Gullibility on the Net < http://www.cwrl.utexas.edu/~roberts/gullibility.html