World Tribune.com


Spyware in your theftware? How did it get there?

By Scott McCollum
SPECIAL TO WORLD TRIBUNE.COM
January 14, 2002

People using Internet peer-to-peer (or “P2P”) file swapping applications like Morpheus, Limewire and Grokster did not install them intent on decreasing their companies’ dependencies on expensive dedicated file servers. No, these individuals are loading these apps on their PCs in order to steal copyrighted music. When the mother of all Internet music theft apps, Napster, was shut down in 2001, the digital thieves migrated to the myriad of Napster knock-off apps previously mentioned. These mostly open source file swapping apps found their way onto millions of PCs around the world in the hopes that digital thieves could stay one step ahead of the authorities. During the first week of January, something really humorous happened to the millions of users of Limewire and Grokster: they found out that their music stealing apps were sending out their personal information by means of programs used to surreptitiously gather information from their PCs (known to IT wonks as “spyware”). This so-called spyware, attached to the theftware of Grokster and Limewire, was linked to marketing firms who bought names and emails of people who don’t want to pay for anything to begin with.

Yes, in their efforts to cheat the big evil corporations out of sales revenue, millions of digital thieves were buried in “Get out of debt and be a gazillionaire while surfing the web!!” and “Lose your unsightly warts in ten days GUARANTEED!!!” emails from big evil corporations who purchased their information from the ones who enabled them to cheat the big evil corporations. Even funnier is the response of the thieves, who publicly criticized the theftware makers of Limewire and Grokster for allowing their personal information to be gathered and sold. Users of Limewire and Grokster were quoted in the tech press as being “bitter” and angered at the use of spyware. Some comments from these users claimed the spyware was planted by the Recording Industry Association of America in an effort to curb music theft via an elaborate conspiracy. Sad, isn’t it?

What exactly was the mechanism used in this alleged spyware conspiracy? According to the antivirus experts at the Symantec Corporation, these file swapping apps contained code similar to an email virus. The viral code, named “W32.DIDer,” was classified as a “Trojan horse virus”, or a piece of code that takes over parts of a person’s computer unseen in order to carry out its own instructions. In this case, the Trojan horse virus would appear as a banner advertisement inside Grokster or Limewire. When thieves installed Grokster or Limewire, the Trojan horse would silently attach itself to the thief’s computer and send any personal information it could find to email marketing servers on the Internet.

One dirty little secret the elite tech media has avoided is the fact that many file swapping apps are open source. Most notably, Limewire and the open source project to which it belongs are open source rip offs of Nullsoft’s MP3 file swapping app called Gnutella (itself a rip off of Napster). MP3 player software maker Nullsoft was acquired by America On-Line in 1999 at the beginning of AOL’s bid to be a media conglomerate. When AOL merged with Time Warner, Nullsoft’s Gnutella MP3 file swapping project was abandoned due to obvious conflicts with Time Warner’s music division. Unfortunately, Nullsoft licensed Gnutella as open source and the project was picked up by open source programmers who knew Napster’s time was short in the face of the mounting legal action against it.

As previously mentioned, many file swapping apps are open source. The basic idea of open source is that because everyone can see this code, it cannot be copyrighted and owned by a company. Because of this, open source apps are “community property” protected by the vast and benevolent group of idealistic open source programmers. Let’s not gloss over the fact that Limewire, protected by the community of benevolent open source programmers, was still infected with viral code. While ducking the blame, the theftware makers were quick to remove the offending code and profusely apologize. Both Limewire and Grokster’s makers claimed to not know about the viral code and proceeded to alienate their promotional partners by putting all the blame on the banner ad companies. Grokster’s PR flacks even blamed the evil advertisers for not sharing their source code with them before Grokster installed their ads.

The most frightening aspect of all this is that P2P file swapping programs are in use by respected corporations like Intel. P2P is not frightening by itself, but the idea that many of these P2P technologies are based on open source technologies is. Analysts say that peer-to-peer technologies will become more prevalent in the next five years, but these technologies must be proprietary. Can you imagine the kind of damage that could be done to Intel’s research and development department if all of their P2P communications were being secretly routed to competitors’ servers? Businesses and government IT departments should be extremely cautious of any P2P technology based on open source technologies because of this fact. Open source, by its very nature, is completely insecure. Remember, anyone can contribute their malicious code to an open source project. Ryan Russell, security expert for Internet security firm SecurityFocus, said open source virus code like the extremely dangerous Linux virus RST.b would be "dead simple" to upload to popular open source download sites like SourceForge and quickly spread amongst the benevolent (and apparently naïve) open source community.

A good example of this flawed thinking was the recent AOL Instant Messenger security issue. AOL's popular chat program AOL Instant Messenger was determined to have a server-side security exploit that allowed hackers to control AOL IM users’ computers. “w00w00”, the group of “information anarchist” hackers (most media outlets referred to them as “a security group”) who found the bug, told AOL to fix it back in late December 2001. In January, because the leftist hackers at w00w00 felt the big faceless corporation AOL was not quick enough in fixing their problem, w00w00 pointed security-minded AOL IM users to download a w00w00-approved fix cobbled together by the open source community. Is this just more proof that big evil corporations need to switch to the open source method?

No, because the "fix" was installing viral code into AOL IM - allowing the "fix" author (a sixteen year-old boy) to redirect users to porn sites and click-through-for-profit websites that the "fix" author actually profits from. The kid notes that his "fix" isn't really a fix but "started out as a little thing to crash my friends" and he "didn't expect people to care," because "only [he] could use [the backdoor functions], and no damage or lost information could come to [people's] computers through using the filter."

Notice that the media-darling security experts in w00w00 look really stupid for endorsing this major back door exploit. Also notice that the teenage kid released his source code for the exploit (a day or so later than he released the fix), but the experts at w00w00 didn't find the viral back door in the source code until a week later. In that week’s time, the damage was done. AOL claims that over 100 million people use AOL IM; how many of those were duped by this "fix"? How much damage did that open source back door cause? Why didn't the security experts catch it sooner? Why didn't the vast and benevolent open source community at large figure out that the fix was a back door exploit before w00w00? I would hope that it’s plain to everyone that the idea of security to the open source crowd is to have everyone in the world take a look at your secrets and have a level playing field. Isn’t this the idiotic attitude that started the Cold War and got the Rosenbergs fried?

Linux/open source shills say that allowing everyone to view the source code of a program is the only way to guarantee security. It's always been a lie, but there's never been a well-publicized incident to bring the lie to the people. Proprietary controls between software developers, vendors and users are the key to security. Don't let anyone tell you differently.

Email your comments to scott@worldtechtribune.com