‘I Love You’: How a Badly-coded Computer Virus Caused Billions in Damage and Exposed Problems Which Remain 20 Years on

Posted on the 02 May 2020 by Thiruvenkatam Chinnagounder @tipsclear

Skinny, with a mop of black hair falling on his eyebrows, he barely seemed to register the questions shouted by journalists, his only movement being the occasional dab of sweat from his face with a white towel. Sitting on his right, de Guzman's lawyer, Rolando Quimbo, had to bend over to hear the mumbled response from the 23-year-old, which he then repeated in English for the waiting press.

"He does not really know that the acts alleged against him have been attributed to him," said the lawyer. "So if you ask me whether he was aware of the consequences or not, I would say that he is not aware."

Twenty years later, the ILOVEYOU virus remains one of the farthest-reaching ever. Tens of millions of computers worldwide were affected. The fight to contain the malware and find its author hit headlines around the world, waking up a largely complacent public to the dangers posed by malicious cyber actors. It also exposed vulnerabilities that we still face today, despite two decades of advancements in computer security and technology.

This account of the virus is based on interviews with law enforcement and investigators involved in the original case, contemporary CNN reports, and reports from the FBI, Philippine police, and the Pentagon.

Several attempts to reach Onel de Guzman for this article, including through his family and his former lawyer, have failed. De Guzman has not made public comments on the case since 2000 and it is unknown where he is currently.

Lover

In the afternoon of May 4, 2000, Michael Gazeley was in his office in Star Computer City, a maze of computer companies and stores selling electronics and gadgets overlooking the Victoria Harbor in Hong Kong.

However, this connectivity cut both ways, as Gazeley recalled of that afternoon.

All the phones in his office started ringing at the same time. His customers called first, and then non-customers, all of them frantically calling in the hope that Network Box could help stop a virus that was tearing through their systems, destroying and corrupting data as it went.

They all told the same story: someone in the office had received an e-mail with the subject "ILOVEYOU" and the message "please check the attached LOVELETTER from me." When they opened what appeared to be a text file - actually an executable program masquerading as one - the virus quickly took control, sending copies of itself to everyone in their email address book. These recipients, thinking that the email was either a bizarre joke or a serious declaration of love, opened the attachment in turn, spreading it even further.

Office mail servers were quickly clogged as thousands of love letters came and went, spreading the virus to more people. It turned out to be much worse than a simple self-propagating chain letter. At the same time as it reproduced, the ILOVEYOU virus destroyed a large part of the victim's hard drive, renaming and deleting thousands of files.

Many of the increasingly panicked callers whose inquiries Gazeley fielded had no backups, and he had the daunting task of explaining that many of their files - from spreadsheets to financial records to photos and MP3 files - were probably lost for good.

"It was not something people were used to as a concept, they didn't realize that email could be so dangerous," said Gazeley, recounting the first calls.

Two years earlier, Hollywood star Meg Ryan asked "is it unfaithfulness if you're involved with someone via email?" as the movie "You've Got Mail" introduced people to the idea of cyber-romance - and that email could be used for something other than boring office work.

Computer chaos

From Hong Kong, where the virus paralyzed communications and devastated the file systems of investment banks, public relations companies and the Dow Jones news wire, the love bug spread west as the May 4 workday began.

Graham Cluley was on stage at a security conference in Stockholm, Sweden, when the virus hit Europe. He had just finished describing an unrelated virus targeting a now-defunct operating system, which hijacked users' accounts to send messages to their colleagues, including "Friday I'm in LOVE". This, Cluley quipped, was likely to cause serious embarrassment to most people, but could potentially lead to some romance in the office.

As the conference broke for coffee, the participants' cell phones and pagers began to go off. Several guests approached Cluley to ask him if the virus he had described had spread by email. He assured them that it had not - and, anyway, it was limited to a niche system that most people did not use.

"They said, 'Well, it's weird because we suddenly get a lot of emails with the subject "I love you,"'" Cluley said in an interview from his home in the UK.

When Cluley turned on his own phone, he was bombarded with missed call, voicemail and text message notifications. Back home, Cluley's employer, the anti-virus company Sophos, had been "absolutely hammered" with phone calls from customers asking for help and journalists trying to figure out what was going on.

Cluley rushed to the airport to catch a flight to London, and even swapped phone batteries with a generous taxi driver as the constant flow of messages drained his Nokia cell phone. When he landed in the UK, a car was waiting to take him to a TV studio to discuss what had become one of the biggest technology stories in the world.

Unlike today, when many e-mail services are run via centralized servers - think Outlook.com or Gmail - in 2000, companies were running e-mail on the same servers on which they hosted their websites. It could be unhealthy, slow and surprising.

At the time, said Cluley, "many companies had not put filters in place for their email gateways to try to stop spam, let alone viruses."

From there, almost every major military base in the country - with the exception of a handful that did not use Outlook - had their email services paralyzed and forced offline for hours on end while the problem was being resolved.

In search of the culprit

On the other side of the Potomac River, at the FBI headquarters in Washington, DC, Michael Vatis was scrambling to contain the crisis.

As antivirus companies slowly began to deploy patches, stemming the damage and allowing companies to return online, the FBI's attention focused on finding the culprits. The investigation was conducted by the New York field office, which quickly found evidence pointing east, beyond Hong Kong, to the Philippines.

"In a very short time, we ended up identifying individuals in the Philippines and asking for help from the police force in the Philippines," said Vatis, now a partner in the New York law firm Steptoe. "And very soon after that, the Philippine authorities finally arrested."

The technical fix and the first break in the case arrived so quickly because, despite its rapid spread around the world, the ILOVEYOU virus was awkwardly coded and surprisingly unsophisticated. It mixed together several existing pieces of malware and did little to hide it.

"Each love bug victim got a copy of the love bug code, the actual source code," said Cluley, the Sophos analyst. "So it was simple to write an antidote. It was no more complex than the thousands and thousands of viruses that we had seen that day. But of course, this one was particularly successful in spreading."

In addition to containing the blueprint for defeating it, the code also included a few lines pointing to the identity of its author. It contained two email addresses - [email protected] and [email protected] - both based in the Philippines. There was also a reference to the GRAMMERSoft Group, which it said was based in the country's capital.

Without the servers to which to send information - and it seems that the author of the virus could never access what was sent to the server, or at least act on it - ILOVEYOU became purely an engine of chaos and destruction. It churned through email inboxes around the world and deleted files, without ever serving its apparent initial purpose of scraping passwords.

A suspect emerges

Ramones, a 27-year-old curly-haired man who worked at a local bank, appeared to be an unlikely hacker, and investigators wondered if they had arrested the wrong guy. Attention turned to the other two residents of the apartment: Ramones' girlfriend, Irene de Guzman, and her brother, Onel.

Onel de Guzman - who was not in the apartment during the raid and could not be found - was a student at AMA Computer College. The college housed a self-described hacking group, the now-defunct GRAMMERSoft, which specialized in helping other students cheat on their homework. While the police could not initially prove that de Guzman was a member, school officials shared with them a rejected final thesis he had written, which contained the code for a program that looked surprisingly like ILOVEYOU.

In the thesis project, de Guzman wrote that the goal of his proposed program was to "recover Windows passwords" and "steal and recover Internet accounts [from] the victim's computer." At the time, dial-up Internet access in the Philippines was paid by the minute, unlike general user charges in much of Europe and the United States. De Guzman's idea was that users in the developing world could piggyback on connections from those in wealthy countries and "spend more time on [the] Internet without paying."

Reading his proposal, de Guzman's professor was outraged and wrote "we don't make burglars" and "it's illegal" in the margins. But while the thesis would cost de Guzman his diploma, his teacher's argument about illegality would prove to be incorrect.

Legal loophole

After several days out of public view, de Guzman appeared at the press conference in Quezon, accompanied by his lawyer and his sister. When asked if he was possibly responsible for the virus, he replied through his lawyer: "It is possible."

"He did not even know that his actions would really lead to the results that have been reported," said his lawyer. To a laugh from journalists, the lawyer added, after a mumbled consultation with de Guzman: "The Internet is supposed to be educational, so it should be free".

When asked what he thought of the damage caused by the virus, de Guzman replied "nothing, nothing".

Although Filipino lawmakers rushed through a law criminalizing hacking soon after the ILOVEYOU incident, it could not be applied retroactively.

Two decades later, this reaction still annoys Cluley, the Sophos investigator. "It's the kind of thing that makes you rub your head against a wall of frustration," he said. "That's when malware just started to get a little nastier, a little more malicious and more financially motivated."

"It was not the message we wanted to convey to young people, that it was good."

Long heritage

"It had a huge effect," said Vatis, the former director of the NIPC. "It has been in the headlines worldwide for at least several days in such a way that the computer attacks have not been in the past."

While previous attacks had caused more direct damage and those in the future would be more sophisticated and much more effective in their objective, their scope was also much more limited. Other viruses have targeted specific locations, companies, or governments. ILOVEYOU could affect just about anyone running Windows Outlook.

"He struck home in a way that other previous attacks have not done," said Vatis. "It made people realize that it's not just something that happens to defense agencies or website owners, it's something that can happen to any Joe or Jane sitting at home on the computer or in the office, and it can stop you and really interfere with your ability to function."

And although email clients are better able to filter out malicious messages, the main weakness exploited by ILOVEYOU remains impossible to correct.

"You can update your operating systems or have the best email filters in the world, but you can't fix the human brain," said Cluley.

"Humans are still the weak link," said Vatis. "It is almost always easier to exploit a human through a social engineering gambit than to break, you know, a technological defensive measure."

One thing that has changed somewhat since ILOVEYOU is how prepared most companies are for such an incident. Most have at least some sort of virus protection and back up their data. But all the experts who fought ILOVEYOU two decades ago agreed that there is a surprising degree of complacency in the face of potentially devastating cyberattacks.

"The scary thing is that 20 years later there are still a lot of organizations that don't take this seriously until they are affected," said Gazeley, the Hong Kong cybersecurity expert. "So many people are still not planning."

What largely prevents such an attack is that most companies and individuals outsource running mail servers to those who can do it best - mainly Microsoft and Google - and rely on them to filter incoming messages, eliminate spam and warn of possible attacks.

If a worm like ILOVEYOU could find a way to bypass these filters and spread quickly enough to prevent companies from deploying a patch, the possibility of it doing major damage remains. There is no reason to expect the average user to be less complacent today. With email providers doing most of the work to spot questionable messages, users may actually be more so.

Vatis said the potential effect on online communications of such a worm could be "devastating", as could the impact on the global economy as businesses go offline or lose business at the same time. He compared the situation to people who avoid getting the flu shot every year.

"It is not a problem for society as a whole until the vaccination rate drops below a certain percentage," he said. "And then there are a lot of people who get really sick."
