With last week's RIAA worm hoax, the scallywags at Gobbles raised security advisories to subversive performance art.
Reading Bugtraq is a lot like reading Nietzsche: there's a difference between what the words on the page mean literally and what the author expects the enlightened reader to understand.
Gobbles unleashed this firestorm with an advisory claiming that the group had gone to work for the RIAA, and written a multi-platform worm that had infected 95% of computers on peer-to-peer file sharing networks.
Although the message included a real (if minor) exploit against the freely available
This advisory was computer security as performance art: although the claim is obviously outrageous and beyond credibility, it nevertheless raises a number of serious computer security issues both political and technical.
First, there's the attack on the RIAA. The association has pushed for
Second, there's the issue of trusting binary files from elsewhere. Long ago, the distinction between programs and data was sacrosanct: security professionals, myself included, shouted from the rooftops that your computer could not get a virus from downloading data from the Internet, so long as you didn't run any executable files.
Lessons Learned
Word macro viruses proved us wrong, and bugs in Outlook (among other mail clients) showed that you need not actually download or try to run files in order for rogue code to be executed on your system. Although this mixture of code and data is deplorable, dynamic content is incredibly useful and will not be going away anytime soon. This is one battle that the computer security community has already lost, and perhaps we should move on.
Still, peer-to-peer networks are built around trust. Both artists and the RIAA have already undermined trust in the veracity of the other systems on the network via the "poisoning" of networks with garbage files and anti-piracy screeds. Bob Dylan once sang that "it takes an honest man to live outside the law," and the infiltration of latter-day Napsters by the record companies is intended to destroy trust among the media pirates.
But there's also the issue of trust in the client software: peer-to-peer networks themselves have subverted the systems on their networks to
Worse yet, client software quality is abysmal: the stuff is riddled with bugs (like the mpg123 bug Gobbles reported in the advisory) that can cause the execution of arbitrary code.
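To make the bug class concrete, here is an added example (my own illustration, not code from the column and not the mpg123 bug Gobbles reported): a toy parser for a "title tag" record of the kind a media client reads out of a downloaded file. The record layout is assumed: one length byte, then that many title bytes. The naive parser trusts the length byte and copies whatever the file says; the checked parser bounds it against both the destination buffer and the bytes actually present. The sample records are constructed for the demonstration.

```c
/* Added example, not code from the column or from mpg123: a toy parser for a
 * "title tag" record read out of a downloaded media file. Record layout
 * (assumed): one length byte, then that many title bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TITLE_MAX 16

struct tag {
    char title[TITLE_MAX];   /* NUL-terminated title */
    int play_count;          /* whatever sits after the buffer is what an overflow hits */
};

enum tag_status { TAG_OK = 0, TAG_TRUNCATED = 1, TAG_TOO_LONG = 2 };

/* The bug class: the length comes from the file and drives memcpy directly.
 * A length byte of 200 writes 184 bytes past 'title'. Shown for contrast
 * only; never call this on untrusted input. */
void parse_tag_naive(struct tag *t, const uint8_t *rec)
{
    size_t len = rec[0];
    memcpy(t->title, rec + 1, len);
    t->title[len] = '\0';
}

/* Hardened: bound the length by what the record actually contains and by
 * the destination (leaving room for the terminator) before copying. */
enum tag_status parse_tag_checked(struct tag *t, const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1)
        return TAG_TRUNCATED;
    size_t len = rec[0];
    if (len > rec_len - 1)
        return TAG_TRUNCATED;    /* header promises more bytes than exist */
    if (len >= TITLE_MAX)
        return TAG_TOO_LONG;     /* would overrun title or its NUL */
    memcpy(t->title, rec + 1, len);
    t->title[len] = '\0';
    return TAG_OK;
}

/* Constructed records for the demonstration. */
static const uint8_t good_rec[]  = { 5, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t lying_rec[] = { 200, 'A', 'B', 'C' };   /* claims 200, carries 3 */
static const uint8_t long_rec[]  = { 20, 'A','A','A','A','A','A','A','A','A','A',
                                         'A','A','A','A','A','A','A','A','A','A' };

/* Runs the checked parser over the three records; returns 1 if every
 * verdict is the expected one. */
int demo(void)
{
    struct tag t;
    int ok = 1;
    ok &= parse_tag_checked(&t, good_rec, sizeof good_rec) == TAG_OK
          && strcmp(t.title, "Hello") == 0;
    ok &= parse_tag_checked(&t, lying_rec, sizeof lying_rec) == TAG_TRUNCATED;
    ok &= parse_tag_checked(&t, long_rec, sizeof long_rec) == TAG_TOO_LONG;
    return ok;
}
```

The two checks are independent: the first guards the read side (a header that lies about how much data follows), the second guards the write side (data that is really there but does not fit). A parser that does only one of them is still exploitable, and a bug of the second kind in any client on the network is exactly the "remotely exploitable" foothold the hoax worm would need.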
Improbable, but Possible
Though Gobbles' imaginary RIAA peer-to-peer worm is improbable, the class of remotely exploitable bugs it would rely on is real, so such a worm is not beyond the realm of possibility.
Why, then, was it clear that this was a hoax?
In part, it helps to have read Gobbles' previous advisories, and to understand the Gobbles sense of humor. But obvious clues should have tipped off any reader with a reasonable understanding of computer security. Is it likely that the RIAA would have tapped the notorious Gobbles for such a sensitive task? Does anyone believe that such a complex piece of software could be completed in a month, and "another month to bring it up to the standards of excellence that the RIAA demanded of us?" This sort of subtle jab immediately suggests that the surrounding text be taken less than seriously.
I've