The Turkey that Bites
Jon Lasser, 2003-01-22

With last week's RIAA worm hoax, the scallywags at Gobbles raised security advisories to subversive performance art.

Reading Bugtraq is a lot like reading Nietzsche: there's a difference between what the words on the page mean literally and what the author expects the enlightened reader to understand.

A hoax pulled off by the security group Gobbles last week illustrates precisely this distinction between exoteric and esoteric meaning: while many readers panicked, most security professionals laughed. When the hoax was revealed, the trade press reported the incident in the same humorless voice as the latest recycled press release.

Gobbles unleashed this firestorm with an advisory claiming that the group had gone to work for the RIAA, and written a multi-platform worm that had infected 95% of computers on peer-to-peer file sharing networks.

Although the message included a real (if minor) exploit against the freely available mpg123 player for Linux and Unix systems, most readers paid more attention to the elaborate RIAA story.

This advisory was computer security as performance art: although the claim is obviously outrageous and beyond credibility, it nevertheless raises a number of serious computer security issues both political and technical.

First, there's the attack on the RIAA. The association has pushed for legislation that would legalize exactly the sort of vigilante justice that Gobbles pretended to have meted out. Indeed, mere days after the Gobbles hoax, a supposed whistleblower stepped forward claiming to have poisoned peer-to-peer networks at the behest of the RIAA and its international counterpart, the IFPI.

Second, there's the issue of trusting binary files from elsewhere. Long ago, the distinction between programs and data was sacrosanct: security professionals, myself included, shouted from the rooftops that your computer could not get a virus from downloading data from the Internet, so long as you didn't run any executable files.

Lessons Learned
Word macro viruses proved us wrong, and bugs in Outlook (among other mail clients) showed that you need not actually download or try to run files in order for rogue code to be executed on your system. Although this mixture of code and data is deplorable, dynamic content is incredibly useful and will not be going away anytime soon. This is one battle that the computer security community has already lost, and perhaps we should move on.

Still, peer-to-peer networks are built around trust. Both artists and the RIAA have already undermined trust in the veracity of the other systems on the network via the "poisoning" of networks with garbage files and anti-piracy screeds. Bob Dylan once sang that "it takes an honest man to live outside the law," and the infiltration of latter-day Napsters by the record companies is intended to destroy trust among the media pirates.

But there's also the issue of trust in the client software: peer-to-peer networks themselves have subverted the systems on their networks to install spyware and redirect affiliate program profits, undermining the trust that they need to succeed.

Worse yet, client software quality is abysmal: the stuff is riddled with bugs (like the mpg123 bug Gobbles reported in the advisory) that can cause the execution of arbitrary code.

Improbable, but Possible
Though Gobbles' imaginary RIAA peer-to-peer worm is improbable, the existence of this class of remotely exploitable bugs means that it is not beyond the realm of possibility. Passive OS fingerprinting could be used to decide which platform-specific variant of the worm to aim at a given system on the peer-to-peer network.
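How that platform selection could be driven by a passive fingerprint, as an added illustration that is not from the column, from Gobbles, or from any real tool: the script below parses a raw IPv4/TCP SYN, rounds the observed TTL up to a likely initial value, and looks up (initial TTL, advertised window, MSS option) in a small signature table. The signature values, the packet builder and the port numbers are assumptions made for the example; p0f-class tools use far richer signatures.

```python
import struct

# Illustrative (approximate) signatures for 2003-era stacks, keyed on the
# guessed initial TTL, the advertised TCP window and the MSS option. These
# values are an assumption for the example, not a vetted database.
SIGNATURES = {
    (64, 5840, 1460): "Linux 2.4",
    (128, 16384, 1460): "Windows 2000",
    (128, 65535, 1460): "Windows XP",
    (64, 65535, 1460): "FreeBSD",
}

# Common initial TTL values; an observed TTL is rounded up to the nearest one
# and the difference is the number of hops the packet has travelled.
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(ttl):
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def parse_syn(packet):
    """Parse a raw IPv4+TCP packet; return (ttl, window, mss) for a pure SYN."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or proto != 6 or ihl < 20:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    (_sport, _dport, _seq, _ack, off_flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a pure SYN (SYN set, ACK clear)")
    if doff < 20 or len(tcp) < doff:
        raise ValueError("bad TCP data offset")
    # Walk the TCP options for MSS (kind 2, length 4); tolerate NOP and EOL.
    mss = None
    opts = tcp[20:doff]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break              # malformed option: stop rather than overrun
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return ttl, window, mss


def fingerprint(packet):
    """Return (os_label, estimated_hops) for a SYN; label is 'unknown' on no match."""
    ttl, window, mss = parse_syn(packet)
    initial = guess_initial_ttl(ttl)
    label = SIGNATURES.get((initial, window, mss), "unknown")
    return label, initial - ttl


def build_syn(ttl, window, mss):
    """Construct a minimal IPv4+TCP SYN carrying an MSS option (constructed input)."""
    options = struct.pack("!BBH", 2, 4, mss)             # kind, length, MSS
    doff_words = (20 + len(options)) // 4                # 6 words = 24 bytes
    tcp = struct.pack("!HHIIHHHH", 40000, 6346, 1, 0,
                      (doff_words << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    for ttl, window, mss in ((52, 5840, 1460), (117, 65535, 1460), (60, 1234, 1460)):
        print(ttl, window, mss, "->", fingerprint(build_syn(ttl, window, mss)))
```

The point of the example is the shape of the decision, not the table: a few header fields that every peer volunteers in its first packet are enough to sort hosts into platform buckets, which is all a multi-platform attacker needs before choosing a payload. The option walker stops on a malformed length rather than indexing past the buffer, since the fingerprinter is itself parsing untrusted input.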

Why, then, was it clear that this was a hoax?

In part, it helps to have read Gobbles' previous advisories, and to understand the Gobbles sense of humor. But obvious clues should have tipped off any reader with a reasonable understanding of computer security. Is it likely that the RIAA would have tapped the notorious Gobbles for such a sensitive task? Does anyone believe that such a complex piece of software could be completed in a month, and "another month to bring it up to the standards of excellence that the RIAA demanded of us?" This sort of subtle jab immediately suggests that the surrounding text be taken less than seriously.

I've previously suggested that there should be separate mailing lists for generally relevant security alerts and for alerts of primary interest to the security community. Perhaps we need separate lists for the humor impaired as well.


SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Copyright 2010, SecurityFocus