From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Fri May 03 2002 - 08:08:58 MDT
I don't want to re-open the debate about whether KaZaA is a trojan-horse
or not. When I discussed this before on this list, a lot of people
insisted that the only way to get this trojan horse was to knowingly
install it.
Ignoring that issue, however, it still provides an interesting example
of mega-scale hacking or hijacking that might be possible in the
future. This has happened before when hundreds of U.S. military
computers were found to be cracking large encryption keys in the
background and e-mailing the results to a hacker. This is merely a
commercial attempt at a similar thing. This probably will become a new
target goal for hackers in the future to produce larger and more
cooperative world-wide hacks.
Below is a description of what KaZaA is trying to do.
http://www.theage.com.au/articles/2002/04/26/1019441306209.html
Secreted in KaZaA software is Altnet - and it's about to be activated,
warns Nathan Cochrane.
The 20 million users of KaZaA Media Desktop, the world's most popular
file-swapping software,
have little more than a month to decide if they want their computers
hijacked.
That's the time-frame laid down last Wednesday by Sharman Networks chief
executive Nikki
Hemming for the activation of Altnet, an alternative network to the
Internet used to create a
giant virtual supercomputer.
KaZaA Media Desktop is software bought by Sharman in January that lets
computer owners swap
music and other digital content. Technology boffins call it filesharing
or peer-to-peer (P2P)
because users communicate directly with each other.
Hidden inside KaZaA, however, is Altnet - Trojan software that aims to
harness the spare
processing, storage and communications power of the millions of
computers connected to KaZaA's
FastTrack network, a concept known as "distributed computing".
The Altnet software was created by Brilliant Digital Entertainment
(BDE), a California-based
multimedia company founded by former Australian entertainment software
entrepreneur Kevin
Bermeister.
Since March at least, Altnet has been downloaded, often without users'
knowledge, secreted in
the KaZaA software.
It is scheduled to be activated by a signal Sharman will send to users'
PCs, in the next four
to five weeks.
"The world is full of unused computing power," BDE said in a disclosure
to the US Securities
and Exchange Commission at the beginning of the month.
"You pay for this capacity whether you use it or not. Businesses,
meanwhile, buy expensive
facilities at massive . . . supercomputer centres.
"Altnet seeks to bring these two groups together."
Distributed computing has searched for extraterrestrial intelligence
(SETI@Home) and an
understanding of living cells (Folding@Home), although with the user's
explicit consent and not
clandestinely downloaded through a third-party software program.
But the prospect that more than a million PCs could be hijacked en masse
chills information
security specialists.
"Any attacker who can control 100,000 machines is a major force on the
Internet, while someone
with a million or more is currently unstoppable," Berkeley University
computer science academic
Nicholas Weaver wrote this month.
"As for Brilliant Digital, their horribly flawed business plan shows a
grave misunderstanding
of security. Since their proposed business can't possibly work, they
should both protect
themselves from legal liability . . . by producing a program on their
update server which
removes all traces of their trojan."
Australian distributed-computing researcher Rajkumar Buyya is optimistic
that a successful
deployment of Altnet will spur further development.
"It is wonderful to know that the industry is moving towards invisible
distributed computing,"
Buyya says.
"(But) I have concern about their security protocols for activating the
client and running
programs that utilise idle resources . . . If someone finds out that,
anybody can request your
machine to do what they want, which is scary."
KaZaA, like the infamous file-swapping software before it, Napster, has
been vilified by the
recording industry for allegedly aiding and abetting theft.
Last September the chief of the Recording Industry Association of
America (RIAA), Hilary Rosen,
called for crisis talks with the heads of a dozen media groups to head
off the "overwhelming
volume" of piracy on the P2P networks.
Sharman's Nikki Hemming says she will schedule talks with Rosen soon. In
the meantime, Hemming
is eroding Rosen's support base by talking directly to artists' groups
instead of publishers.
KaZaA, more wily than its file-swapping brethren, hired a Washington
lobbyist, lawyer Phil
Corwin, who previously represented the American Bankers' Association.
He is hawking the Intellectual Property Use Fee, an Internet tax, to be
levied by ISPs on their
customers.
"A similar levy . . . applied to a much broader base of parties, could
provide a significant
new revenue stream to copyright owners to compensate them for the
inevitable 'leakage' (theft)
resulting from Internet distribution," Corwin said in an April 8
submission to a US House
judiciary committee on digital copyright.
That revenue would amount to $US2 billion a year in the US if a $US1 tax
was charged on top of
access fees, Corwin said.
"Every party from hardware manufacturers to ISPs to publishers of
ripping software would pay a
royalty . . . and provide a royalty stream to compensate (music
artists)," Hemming said last
week.
"At the end of the day we totally believe that artists, creators and
those who represent them
should be rightfully rewarded for creation of content."
Hemming said she was pursuing the authors, users and sponsors of KaZaA
Lite, software that
removes Altnet and other hidden software in the branded KaZaA software.
"There's a lot of concern in the market around these scam sites because
they release ripped-off
unstable code and it puts users at risk," she said.
-- Harvey Newstrom, CISSP <www.HarveyNewstrom.com> Principal Security Consultant <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:13:47 MST