
Re: None

Sunday, 07/28/2002 9:46:04 PM

Post# of 93827
ot-The Dark Side of Hacking Bill
By Michelle Delio
2:00 a.m. July 27, 2002 PDT


Coming soon to a computer near you -- Hollywood Hackers.

Watch as they rifle through your files, dismantle your network, and delete all those songs and movies you can't prove have a legal right to exist on your hard drive. Hope the special effects don't include the accidental destruction of your data when your computer becomes a stunt double in Hollywood's latest blockbuster attempt to protect its copyrighted material.

California Congressman Howard Berman introduced his "Peer-to-Peer Piracy Prevention" Act in the House of Representatives Thursday. If the bill (PDF) passes, copyright owners could -- at least conceptually -- employ a variety of technological tools to prevent the illegal distribution of their copyrighted works over a P2P network such as Kazaa or LimeWire.

Security experts said the bill's wording is too vague and wonder exactly what sort of "technological tools" will be permitted. They also fear that approval of the bill could result in a multitude of clumsy and ill-conceived "hack" attacks that could have widespread, system-damaging effects on both file traders and those who have never downloaded a single song from a file-trading server.

"Basically, Berman is going to legalize all of the antisocial Internet activities that we have been trying to stamp out for the last decade," said Paul McNabb, chief technical officer of security firm Argus Systems Group.

While not specifically prohibited in the bill, Berman insists that media companies will not be allowed to unleash viruses or other malicious code or destroy personal, non-pirated files.

"Contrary to widespread, if uninformed speculation, our legislation is narrowly crafted, with strict bounds on acceptable behavior by the copyright owner," Berman said in a statement. "It gives copyright creators a very limited safe harbor from liability when they use technological tools for the narrow purpose of thwarting P2P piracy. It does not allow copyright owners to send viruses through P2P networks, destroy files, hack into the personal files of P2P users, or indiscriminately block lawful file-trading."

The tools Berman specifically suggested that companies might use include "interdiction" -- flooding a P2P file server with fake requests in order to slow or stop the system; "spoofing" -- providing slews of corrupt, damaged or incomplete files to P2P servers; and "redirection" -- faking the location of files to force traders to perform many futile system-resource-wasting searches.

But media companies wouldn't be limited to just those options.

"The bill is pretty vaguely worded so it's hard to know what Hollywood might do," security researcher Richard Smith said.

Smith guessed that, at minimum, media companies could overwhelm P2P servers with "ghost files," tying up the servers' resources as people try to download files that don't really exist.

"Another possibility would be to overload someone's computer by repeatedly requesting the same illegal file to be downloaded," Smith added.

Denial-of-service attacks, flooding servers with many requests for nonexistent files in order to crash or dramatically slow network performance, are specifically permitted under the bill. But P2P networks are created on the fly from whatever computers are logged on at any given time, so experts fear that innocent bystanders could also be smacked in a service attack.

"Berman is opening the door to massive denial-of-service attacks against perceived pirates, without the attacker having to get prior authorization to launch the attack," Argus' McNabb said. "This could have devastating effects on computers on the same network or in the line of fire.

"For instance, if everyone on your block has a cable modem, and someone is thought to be a pirate, a denial-of-service attack against that perceived pirate could take the entire neighborhood cable network down."

Security experts also wondered how Hollywood would come up with a battalion of skilled hack attackers. Would the pirate-battling forces be unassuming programmers, now ordered to come up with malicious programs to foil file traders? Or would Hollywood soon be hiring real hackers?

"If you hire average programmers and set them to work coming up with ideas on how to punish a pirate, you'll eventually get into trouble if you don't know what you're doing and don't strictly control them," said George Smith of virus information site Vmyths.

"There is no set definition of a 'virus' in the Internet mind, so it is easy to imagine a corporate programmer convincing his bosses and the legal department that his copy protection scheme is not a virus, only to find that when it gets into distribution and is taken apart by someone in the industry the first time it swats an innocent, it is labeled as something very bad."

Hackers said that very few of their skilled colleagues would consider taking pirate-persecuting jobs.

"I don't think Hollywood has a hell of a lot of support within the hacking community, so finding real talent might be a bit tough," hellNbak, a member of hacker laboratory Nomad Mobile Research Centre, said. "That being said, there are always those who will, if the price is right, offer help and training."

Security experts also agreed that the Berman bill could serve as encouragement to a whole new class of criminals, drawn from the lowest common denominator of the computer underworld.

Under what security consultant and author Richard Forno calls the "Hollywood Hacking law," computer criminals could probably make the case that any malicious programs they wrote and released were actually intended to scour the Net to enforce copyrights.

"What a wonderful cover-your-arse law this will be for script kiddies and other cyber-cretins," Forno said.

Forno also wondered whether network administrators and computer owners would eventually be penalized for running secure systems.

"Will having a firewall -- or implementing strong system security practices or being a good system administrator -- become illegal and prosecuted as circumventing copyright controls under the existing Digital Millennium Copyright Act? If Hollywood can't easily inspect your system in their quest for copyright enforcement and world control, are you now a criminal suspect?"

"Be afraid," Forno added. "Be very afraid."
http://www.wired.com/news/print/0,1294,54153,00.html
culater

