Wearing a striped shirt and Matrix-style dark glasses, Onel de Guzman stared at the floor as he made his way through a crowd of photographers into a hastily arranged press conference in Quezon City, a suburb of the Philippines capital Manila.
Skinny, with a mop of black hair falling to his eyebrows, he appeared to barely register the journalists’ shouted questions, his only movement the occasional dabbing of sweat from his face with a white towel. Seated to his right, de Guzman’s lawyer Rolando Quimbo had to lean in close to hear the 23-year-old’s mumbled response, which he then repeated in English for the waiting press.
“He is not really aware that the acts imputed to him were indeed done by him,” the lawyer said. “So if you ask me whether or not he was aware of the consequences I would say that he is not aware.”
It was May 11, 2000, and if de Guzman was feeling shell-shocked, he had good reason to be. He was accused of authoring and releasing the first truly global computer virus that had disrupted the operations of businesses and government agencies the world over, from Ford and Merrill Lynch to the Pentagon and the British Parliament, and was on track to cause an estimated US$10 billion in damages — all in the name of love.
Twenty years on, the ILOVEYOU virus remains one of the farthest reaching ever. Tens of millions of computers around the world were affected. The fight to contain the malware and track down its author was front page news globally, waking up a largely complacent public to the dangers posed by malicious cyber actors. It also exposed vulnerabilities which we are still dealing with to this day, despite two decades of advances in computer security and technology.
This account of the virus is based on interviews with law enforcement and investigators involved in the original case, contemporaneous CNN reporting and reports by the FBI, Philippines police and the Pentagon.
Multiple attempts to reach Onel de Guzman for this article, including through his family and former lawyer, were unsuccessful. De Guzman had not commented publicly since around 2000, until this week when author Geoff White tracked him down to the phone repair shop he now runs in Manila, where he admitted to authoring the virus.
LOVESTRUCK
On the afternoon of May 4, 2000, Michael Gazeley was in his office at Star Computer City, a warren of IT companies and shops selling electronics and gadgets overlooking Hong Kong’s Victoria Harbor.
A few months earlier, Gazeley and his longtime business partner, Mark Webb-Johnson, founded their own information security firm, Network Box, which specialized in protecting customers from online threats. Both men had decades of experience in the industry, and had just finished the grueling (though occasionally lucrative) work of preparing for the new millennium by staving off the Y2K bug that threatened to cause widespread damage to systems worldwide.
Though largely remembered today, much to the chagrin of those involved, as an overreaction — or worse, a hoax — the Y2K bug was real, and the potential costs massive. They were avoided thanks to the diligent efforts of programmers around the world working together. It was a sign of the new connectivity that the internet, still in its relative infancy, was fostering.
That connectivity cut both ways, however, as Gazeley was reminded of that afternoon.
All the phones in his office started ringing at once. First were his clients, then came non-customers, all calling frantically in the hope that Network Box could help stop a virus that was screaming through their systems, destroying and corrupting data as it went.
They all told the same story: Someone in the office had received an email with the subject “ILOVEYOU” and the message, “kindly check the attached LOVELETTER coming from me.” When they opened what appeared to be a text file — actually an executable program masquerading as one — the virus quickly took control, sending copies of itself to everyone in their email address book. Those recipients, thinking the email was either some weird joke or a serious declaration of love, opened the attachment in turn, spreading it even further.
Office email servers were soon clogged as thousands of love letters went back and forth, disseminating the virus to more people. It turned out to be much worse than just a self-propelling chain letter. At the same time as it was replicating itself, the ILOVEYOU virus destroyed much of the victim’s hard drive, renaming and deleting thousands of files.
Many of the increasingly panicked callers Gazeley was fielding inquiries from did not have backups, and he had the awkward job of explaining to them that many of their files — everything from spreadsheets and financial records to photos and mp3s — were likely lost for good.
“This wasn’t something that people were used to as a concept, they didn’t realize that email could be so dangerous,” said Gazeley, recounting the first calls.
The entire concept of the internet was still relatively new in 2000. According to statistics from the International Telecommunications Union (ITU), a United Nations body, just 28% of Hong Kongers had access to the internet at that time, along with 27% of the United Kingdom, and 15% of France. Even in the United States, where the technology was invented, only some 43% of Americans were getting online.
Two years earlier, Hollywood star Meg Ryan asked “is it infidelity if you’re involved with somebody on email?” as the movie “You’ve Got Mail” introduced people to the idea of cyber-romance — and that email could be used for something other than boring office work.
COMPUTER CHAOS
From Hong Kong, where the virus crippled the communications and ravaged file systems of investment banks, public relations firms and the Dow Jones newswire, the love bug spread westward as the May 4 workday started.
Graham Cluley was on stage at a security conference in Stockholm, Sweden, when the virus hit Europe. He had just finished describing an unrelated virus which targeted a now-defunct operating system, hijacking users’ accounts to broadcast messages to their coworkers, including “Friday I’m in LOVE.” This, Cluley cracked, was likely to cause severe embarrassment for most people, but could potentially lead to some office romance.
As the conference broke for coffee, attendees’ mobile phones and pagers began going off wildly. Several guests approached Cluley, asking if the virus he’d described was spread via email. He assured them it wasn’t — and, anyway, it was limited to a niche system that most people didn’t use.
“They said, Well, that’s weird because we’re suddenly getting loads of emails with the subject line ‘I love you,’” Cluley said in an interview from his home in the United Kingdom.
When Cluley turned on his own phone, he was bombarded with notifications of missed calls, voice mails and text messages. Back home, Cluley’s employer, the anti-virus firm Sophos, had been getting “absolutely hammered” with phone calls from clients begging for help and journalists trying to understand what the hell was going on.
Cluley raced to the airport to catch a flight to London, and even traded phone batteries with a generous taxi driver as the constant stream of messages drained his Nokia cellphone of power. When he landed in the United Kingdom, a car was waiting to whisk him to a TV studio to discuss what had by now become one of the biggest tech stories in the world.
In five hours, ILOVEYOU spread across Asia, Europe and North America, some 15 times faster than the Melissa virus did when it struck a year before, infecting over 1 million computers.
Soon after starting business on May 4, the United Kingdom’s House of Commons had to take its overloaded email servers offline, as did the Ford Motor Company and even Microsoft, whose Outlook software was the primary means of spreading the virus.
At the time, Windows controlled more than 95% of the personal computer market, and Outlook came bundled with Microsoft Office, then all-but-required for doing business on a computer. For most people, Outlook was email.
Unlike today, when many email services are run via centralized servers — think Outlook.com or Gmail — companies in 2000 were running email off the same servers on which they hosted their website. This could be janky, slow and startlingly insecure.
Back then, Cluley said, “many companies didn’t have in place filters at their email gateways to try and stop spam, let alone viruses.”
Even though the United States had advance warning, the virus spread just as quickly there — as almost everyone seemed unable to resist opening the “love letter.” Within the Pentagon, there was consternation as the virus hit the United States Army Forces Command (FORSCOM) mailing list, with 50,000 subscribers.
From there, almost every major military base in the country — barring a handful that didn’t use Outlook — watched as their email services were crippled and forced offline for hours as the problem was fixed.
SEARCHING FOR THE CULPRIT
Across the Potomac River, at the FBI’s Washington, DC, headquarters, Michael Vatis was scrambling to get a handle on the crisis.
As director of the National Infrastructure Protection Center (NIPC), a relatively new intergovernmental agency tasked with tackling cyber threats, Vatis was awoken early May 4 with news of the ILOVEYOU virus hitting the United States. The NIPC soon sent out an alert warning of a “new, in-the-wild worm virus identified as LoveLetter or LoveBug [that] is being propagated globally via e-mail,” but it came too late to prevent much of the US government and military, as well as dozens of private companies, from being affected.
As anti-virus companies slowly began rolling out patches, stemming the damage and enabling companies to come back online, attention within the FBI turned to tracking down those responsible. The investigation was led by the New York field office, which soon found evidence pointing back east, beyond Hong Kong, to the Philippines.
“In a very short period of time, we ended up identifying individuals in the Philippines and seeking the assistance of Philippine law enforcement,” said Vatis, now a partner at the New York law firm Steptoe. “And a very short time after that, the Philippine authorities ultimately made an arrest.”
Both the technical fix and first break in the case came so fast because, for all its rapid dissemination around the world, the ILOVEYOU virus was clumsily coded and startlingly unsophisticated. It mashed together several existing pieces of malware and did little to hide its workings.
“Every single victim of the love bug got a copy of the love bug’s code, the actual source code,” said Cluley, the Sophos analyst. “So it was simple to write an antidote. It was no more complex than any of the other thousands and thousands of viruses we’d seen that day. But of course, this one was particularly successful at spreading itself.”
As well as containing the blueprint for defeating it, the code also included some lines pointing to the identity of its author. It contained two email addresses — spyder@super.net.ph and mailme@super.net.ph — both of which were based in the Philippines. There was also a reference to GRAMMERSoft Group, which it said was based in the country’s capital.
While investigators were wary that those clues could be a smokescreen, the virus also communicated with a server hosted by the Manila-based Sky Internet, to which it sent passwords scraped from victims’ computers. Sky quickly took the server offline, which stopped at least part of the virus in its tracks.
Without the servers to send information to — and it appears the virus’s author was never able to access what was sent to the server, or at least act upon it — ILOVEYOU became purely an engine of chaos and destruction. It churned through email inboxes around the world and deleted files, while not actually serving the apparent original purpose of scraping passwords.
A SUSPECT EMERGES
Four days after the virus began spreading, Philippines police searched an apartment in Manila and seized computer magazines, telephones, disks, wires and cassette tapes. They also arrested one of the occupants, Reomel Ramones.
Ramones, a curly-haired 27-year-old who worked at a local bank, seemed like an unlikely computer hacker, and investigators wondered if they had arrested the wrong guy. Attention turned to the apartment’s two other residents: Ramones’ girlfriend, Irene de Guzman, and her brother, Onel.
Onel de Guzman — who was not in the apartment when it was raided, and could not be found — was a student at AMA Computer College. The college was home to a self-described hacking group, the now-defunct GRAMMERSoft, which specialized in helping other students cheat on their homework. While police could not prove initially that de Guzman was a member, officials at the school shared with them a rejected final thesis he had written, which contained the code for a program bearing a startling resemblance to ILOVEYOU.
In the draft thesis, de Guzman wrote that the goal of his proposed program was to “get Windows passwords” and “steal and retrieve internet accounts [from] the victim’s computer.” At the time, dial-up internet access in the Philippines was paid for by the minute, in contrast to the blanket-use fees in much of Europe and the United States. De Guzman’s idea was that users in the developing world could piggyback on the connections of those in richer countries and “spend more time on [the] internet without paying.”
Reading his proposal, de Guzman’s teacher was outraged, and wrote “we don’t produce burglars” and “this is illegal” in the margins. But while the thesis would cost de Guzman his degree, his teacher’s argument about illegality would be proven incorrect.
LEGAL LOOPHOLE
After several days out of the public eye, de Guzman appeared at the press conference in Quezon, flanked by his lawyer and sister. Asked whether he might have been responsible for the virus, he responded through his lawyer: “It is possible.”
“He did not even know that the actions on his part would really come to the results which have been reported,” his lawyer said. To a ripple of laughter from reporters, the lawyer added, after a mumbled consultation with de Guzman: “The internet is supposed to be educational so it should be free.”
Asked what he felt about the damage caused by the virus, de Guzman said “nothing, nothing.”
Nothing would also turn out to be de Guzman’s punishment, despite reams of evidence gathered by police in the Philippines and the agreement of the country’s National Bureau of Investigation (NBI), the FBI and private security investigators, that he was the culprit.
The problem was not a lack of proof, but the lack of an appropriate law to charge him with. The Philippines, like a number of countries at the turn of the millennium, had not legislated against computer crime. And an attempt to prosecute de Guzman on fraud charges was later dropped. While the Philippines did have an extradition treaty with the United States, it only applied to crimes prosecutable in both countries. Once the case was dropped, there was little chance of sending de Guzman abroad.
While Philippines lawmakers did rush through a law criminalizing computer hacking soon after the ILOVEYOU incident, it could not be applied retroactively.
“We were unable to bring to justice a wrongdoer who caused harm to millions of people and companies around the world,” Senator Edgardo J. Angara said years later, echoing the embarrassment felt by many Philippines politicians and law enforcement officers.
For others in the country, de Guzman was a hero. “Here is a Filipino genius who has put the Philippines on the world map,” wrote one newspaper columnist. “[He] has proven that the Filipino has the creativity and ingenuity to turn, for better or for worse, the world upside down.” It even spawned a movie, “Subject: I love you,” which depicted the virus creator as a lovelorn man trying to reconnect “with the only woman he had ever loved.”
At de Guzman’s college, a fellow student told the New York Times, the virus had “made us proud.” Another basked in the ability of a Filipino hacker to “penetrate the Pentagon … even though the Philippines is a third-world country, even though we’re behind in technology, they were able to do that.”
Two decades on, this reaction still annoys Cluley, the Sophos investigator. “It’s the kind of thing that has you thumping your head against a wall in frustration,” he said. “This was when malware was just beginning to get a little nastier and a little more malicious and more financially motivated.”
“This wasn’t the message we wanted to give young people, that this was all right.”
LONG LEGACY
There were admirers of de Guzman’s work outside the Philippines, too. Within hours of ILOVEYOU spreading, remixed copycats had sprung up, with messages such as “very funny,” “joke,” “Mother’s Day,” or, most cynically, “VIRUS ALERT!!!” Amazingly, despite the near wall-to-wall media coverage of the ILOVEYOU virus at the time, this did not stop many people opening suspicious attachments which bore a different message.
The love bug and its variants would cause some $10 billion of damage, the FBI later estimated, before updates to anti-virus software and email clients reined them in. To this day, ILOVEYOU remains one of the farthest reaching viruses, striking millions of machines in countries across the world.
“It had an enormous effect,” said Vatis, the former NIPC director. “It was really worldwide front page news for at least several days in a way that computer attacks had not been in the past.”
While previous attacks had caused more direct damage, and those in the future would be more sophisticated and far more effective in their goal, they were also much more limited in scope. Other viruses have targeted specific locations, businesses or governments. ILOVEYOU could affect just about anyone running Windows Outlook.
“It hit home in a way that other previous attacks did not,” Vatis said. “It made people aware that this is not just something that happens to defense agencies or owners of websites, this is something that can happen to any Joe or Jane sitting at home on the computer or in the office, and it can shut you down and really disrupt your ability to operate.”
And while email clients have gotten better at filtering out malicious-seeming messages, the main weakness that ILOVEYOU exploited remains impossible to fix.
“You can update your operating systems or you can have the best email filters in the world, but you can’t patch the human brain,” said Cluley.
To this day, some of the most successful cyber attacks — whether they be linked to nation-state actors, criminal organizations or lone-wolf hackers — have used social engineering as their primary weapon. The hackers that stole emails from the Democratic National Committee (DNC) in 2016 did so by tricking Hillary Clinton’s campaign chairman John Podesta into handing over the password to his Google account. Those who targeted Google in 2003 went after the company’s employees over instant messaging. And ransomware attacks, an increasingly common form of scam whereby victims’ computers and accounts are frozen until they pay to unlock them, almost always work by getting people to click a dodgy link.
While some hackers use zero-day exploits, previously unrevealed vulnerabilities in key software, or purpose built spying tools to go after their victims, many do not use code much more sophisticated than that seen in the ILOVEYOU attack. They don’t need to.
“Humans are always the weak link,” Vatis said. “It’s almost always easier to exploit a human through some social engineering gambit than it is to crack, you know, some technological defensive measure.”
One thing that has changed somewhat since ILOVEYOU is how prepared most companies are for such an incident. Most at least have some kind of anti-virus protection, and back up their data. But all the experts who tackled ILOVEYOU two decades ago agreed that there remains a startling degree of complacency over potentially devastating cyber attacks.
“What’s frightening is that 20 years after, there are still plenty of organizations who don’t take this seriously until they are hit,” said Gazeley, the Hong Kong cybersecurity expert. “So many people still don’t plan ahead.”
What largely prevents such an attack is that most companies and individuals outsource running email servers to those who know how to do it best — primarily Microsoft and Google — and rely on them to filter incoming messages, cut out spam and warn of potential attacks.
Were a worm like ILOVEYOU to find a way past those filters, and spread fast enough to prevent the companies rolling out a patch, the possibility of it doing major damage remains. There is no reason to expect that the average user has grown any less complacent today. With email providers doing most of the work in spotting dodgy messages, they may actually be more so.
Vatis said that the potential effect on online communications of such a worm could be “devastating,” as could the knock on the global economy as companies go offline or lose business all at once. He compared the situation to people who avoid getting vaccinated for the flu every year.
“That’s not a problem for society as a whole until the vaccination rate drops below a certain percentage,” he said. “And then you have a lot of people getting really sick.”
The federal government is ordering the dissolution of TikTok’s Canadian business after a national security review of the Chinese company behind the social media platform, but stopped short of ordering people to stay off the app.
Industry Minister François-Philippe Champagne announced the government’s “wind up” demand Wednesday, saying it is meant to address “risks” related to ByteDance Ltd.’s establishment of TikTok Technology Canada Inc.
“The decision was based on the information and evidence collected over the course of the review and on the advice of Canada’s security and intelligence community and other government partners,” he said in a statement.
The announcement added that the government is not blocking Canadians’ access to the TikTok application or their ability to create content.
However, it urged people to “adopt good cybersecurity practices and assess the possible risks of using social media platforms and applications, including how their information is likely to be protected, managed, used and shared by foreign actors, as well as to be aware of which country’s laws apply.”
Champagne’s office did not immediately respond to a request for comment seeking details about what evidence led to the government’s dissolution demand, how long ByteDance has to comply and why the app is not being banned.
A TikTok spokesperson said in a statement that the shutdown of its Canadian offices will mean the loss of hundreds of well-paying local jobs.
“We will challenge this order in court,” the spokesperson said.
“The TikTok platform will remain available for creators to find an audience, explore new interests and for businesses to thrive.”
The federal Liberals ordered a national security review of TikTok in September 2023, but it was not public knowledge until The Canadian Press reported in March that it was investigating the company.
At the time, it said the review was based on the expansion of a business, which it said constituted the establishment of a new Canadian entity. It declined to provide any further details about what expansion it was reviewing.
A government database showed a notification of new business from TikTok in June 2023. It said Network Sense Ventures Ltd. in Toronto and Vancouver would engage in “marketing, advertising, and content/creator development activities in relation to the use of the TikTok app in Canada.”
Even before the review, ByteDance and TikTok were a lightning rod for privacy and safety concerns because Chinese national security laws compel organizations in the country to assist with intelligence gathering.
Such concerns led the U.S. House of Representatives to pass a bill in March designed to ban TikTok unless its China-based owner sells its stake in the business.
Champagne’s office has maintained Canada’s review was not related to the U.S. bill, which has yet to pass.
Canada’s review was carried out through the Investment Canada Act, which allows the government to investigate any foreign investment with potential to harm national security.
While cabinet can make investors sell parts of the business or shares, Champagne has said the act doesn’t allow him to disclose details of the review.
Wednesday’s dissolution order was made in accordance with the act.
The federal government banned TikTok from its mobile devices in February 2023 following the launch of an investigation into the company by federal and provincial privacy commissioners.
— With files from Anja Karadeglija in Ottawa
This report by The Canadian Press was first published Nov. 6, 2024.
LONDON (AP) — Most people have accumulated a pile of data — selfies, emails, videos and more — on their social media and digital accounts over their lifetimes. What happens to it when we die?
It’s wise to draft a will spelling out who inherits your physical assets after you’re gone, but don’t forget to take care of your digital estate too. Friends and family might treasure files and posts you’ve left behind, but they could get lost in digital purgatory after you pass away unless you take some simple steps.
Here’s how you can prepare your digital life for your survivors:
Apple
The iPhone maker lets you nominate a “legacy contact” who can access your Apple account’s data after you die. The company says it’s a secure way to give trusted people access to photos, files and messages. To set it up you’ll need an Apple device with a fairly recent operating system — iPhones and iPads need iOS or iPadOS 15.2 and MacBooks need macOS Monterey 12.1.
For iPhones, go to settings, tap Sign-in & Security and then Legacy Contact. You can name one or more people, and they don’t need an Apple ID or device.
You’ll have to share an access key with your contact. It can be a digital version sent electronically, or you can print a copy or save it as a screenshot or PDF.
Take note that there are some types of files you won’t be able to pass on — including digital rights-protected music, movies and passwords stored in Apple’s password manager. Legacy contacts can only access a deceased user’s account for three years before Apple deletes the account.
Google
Google takes a different approach with its Inactive Account Manager, which allows you to share your data with someone if it notices that you’ve stopped using your account.
When setting it up, you need to decide how long Google should wait — from three to 18 months — before considering your account inactive. Once that time is up, Google can notify up to 10 people.
You can write a message informing them you’ve stopped using the account, and, optionally, include a link to download your data. You can choose what types of data they can access — including emails, photos, calendar entries and YouTube videos.
There’s also an option to automatically delete your account after three months of inactivity, so your contacts will have to download any data before that deadline.
Facebook and Instagram
Some social media platforms can preserve accounts for people who have died so that friends and family can honor their memories.
When users of Facebook or Instagram die, parent company Meta says it can memorialize the account if it gets a “valid request” from a friend or family member. Requests can be submitted through an online form.
The social media company strongly recommends Facebook users add a legacy contact to look after their memorial accounts. Legacy contacts can do things like respond to new friend requests and update pinned posts, but they can’t read private messages or remove or alter previous posts. You can only choose one person, who also has to have a Facebook account.
You can also ask Facebook or Instagram to delete a deceased user’s account if you’re a close family member or an executor. You’ll need to send in documents like a death certificate.
TikTok
The video-sharing platform says that if a user has died, people can submit a request to memorialize the account through the settings menu. Go to the Report a Problem section, then Account and profile, then Manage account, where you can report a deceased user.
Once an account has been memorialized, it will be labeled “Remembering.” No one will be able to log into the account, which prevents anyone from editing the profile or using the account to post new content or send messages.
X
It’s not possible to nominate a legacy contact on Elon Musk’s social media site. But family members or an authorized person can submit a request to deactivate a deceased user’s account.
Passwords
Besides the major online services, you’ll probably have dozens if not hundreds of other digital accounts that your survivors might need to access. You could just write all your login credentials down in a notebook and put it somewhere safe. But making a physical copy presents its own vulnerabilities. What if you lose track of it? What if someone finds it?
Instead, consider a password manager that has an emergency access feature. Password managers are digital vaults that you can use to store all your credentials. Some, like Keeper, Bitwarden and NordPass, allow users to nominate one or more trusted contacts who can access their keys in case of an emergency such as a death.
But there are a few catches: Those contacts also need to use the same password manager and you might have to pay for the service.
LONDON (AP) — Britain’s competition watchdog said Thursday it’s opening a formal investigation into Google’s partnership with artificial intelligence startup Anthropic.
The Competition and Markets Authority said it has “sufficient information” to launch an initial probe after it sought input earlier this year on whether the deal would stifle competition.
The CMA has until Dec. 19 to decide whether to approve the deal or escalate its investigation.
“Google is committed to building the most open and innovative AI ecosystem in the world,” the company said. “Anthropic is free to use multiple cloud providers and does, and we don’t demand exclusive tech rights.”
San Francisco-based Anthropic was founded in 2021 by siblings Dario and Daniela Amodei, who previously worked at ChatGPT maker OpenAI. The company has focused on increasing the safety and reliability of AI models. Google reportedly agreed last year to make a multibillion-dollar investment in Anthropic, which has a popular chatbot named Claude.
Anthropic said it’s cooperating with the regulator and will provide “the complete picture about Google’s investment and our commercial collaboration.”
“We are an independent company and none of our strategic partnerships or investor relationships diminish the independence of our corporate governance or our freedom to partner with others,” it said in a statement.
The U.K. regulator has been scrutinizing a raft of AI deals as investment money floods into the industry to capitalize on the artificial intelligence boom. Last month it cleared Anthropic’s $4 billion deal with Amazon and it has also signed off on Microsoft’s deals with two other AI startups, Inflection and Mistral.