More on Kazaa and Brilliant Digital Spyware

Vertigo01 writes: "There is an interesting article from CNN.com on the current state of the Kazaa controversy, and Brilliant Digital's plans for the future. Interesting quotes from the article include a statement saying that 'Altnet's seeded software [will be] awakened some time in May' and that 'Brilliant is negotiating with music labels and movie studios to market their material as well. The files will be copy-protected in some way, using Microsoft's digital rights management encryption technology.'"

Cancerware Ascendant

[ringbarer]

Imagine the fun the likes of Brilliant Digital could have when the courts force Microsoft to release their full APIs. Whole new ways to sneak their filthy cancerware onto our machines.

Interesting quote...

[GnomeKing]

During the KaZaA client update, users will be able to opt out of the Altnet service, the spokesperson says

So maybe they did listen to everyone after all? I await to see what "warnings" are given and how easy the opt out is...

Thinking of this - I have a question
How does altnet know what is "unused" in bandwidth terms?
as far as I was aware there was no prioritising in the windows tcp/ip stack where by one application does not get any bandwidth while others wish to use it
That would imply to me that they will just use ANY bandwidth they can - not just "un-used bandwidth"...

Spyware is bad, but...

[Anonymous Coward]

considering the fact that most people use kazaa to illegally download music, which does (!) harm musicians, using your spare CPU-cycles and bandwidth to pay these guys isn't even that ridiculous.

Interesting...

[gmanske]

A few weeks after Altnet's launch, Brilliant plans to introduce an Altnet "rewards program," enticing customers to swap PC bandwidth and hard drive space for points that can be redeemed by e-merchant partners, Bermeister says. If you agree to let Altnet's partners download to your hard drive multimedia-rich advertisements for later playback, you can earn points redeemable at e-merchants toward purchases.

I found this interesting, although not surprising... If companies such as Brilliant and Sharman Networks were to release 'clean' versions of their products, and they were totally upfront in an easy to read EULA (who reads those anyway right?), would you use it? Would you swap bandwidth and disk for the privilege?

Furthermore, would the 'average' person? Spyware, what's that? etc...

Why shouldn't they?

[Mattygfunk]

The way I see it their userbase, which is growing at a huge rate, generally know that they have spyware and dont care. Sure now there is two of the spyware programs big deal. They were already giving that information to one, no big deal from the users POV.

They won't realise that their bandwidth and disk space is eaten away slightly, they wont care when they do cos they're still getting free music. It is far too hard for the average user to install a new sharing program let alone find the name and site of one. "It's all too hard and this program works and im confortable with it."

Anyway if they are using Microsoft's digital rights management encryption technology then I look forward to having a look at what they send.

Corporate bandwidth, yum

[upside]

The best targets for Altnet are those corporate PCs left on overnight to suck in those MP3s etc. On that kind of bandwith you won't notice. They prolly couldn't care less about 56kers, though they are the ones that suffer.

Then again, perhaps it only activates when there are no other applications using the network.

XP has QoS enabled by default, though, right? It can be installed on w2k too.

Harm?

[Kindaian]

File sharing doens't mandatorially damages the authors nor anyone.
Don't mix correlation with causation please. I'm as most tired of having that kind of "trues" thrown at my ears.
And you can't prove that all downloads from kazaa are illegal (i could download a music of which i own the cd. under the fair use and format shift resolutions, it is legal for me to do it - at least in US - other countries may have legislative environments to the contrary).
I'm perfectly aware that the majority of the kazaa users use it illegally, but there are legal uses of it as well, they aren't just the "mainstream"
On the other hand, a download isn't mandatory to mean a cd that isn't brougt (even if some would like to make that relation).
Most people will use kazaa to download music to preview it before buying it. It more pratical then go to the disco and preview the cd there. There are more offer for preview.
Those that like the music and that can aford it, will eventually start to buy the new found authors music (another falacy is that everyone that downloads music can afford it and thrus represents a forfeit cd sell).
But i digress... Mayhappen some should go to economic universities and study macro-economy... Mayhappen they start to understand what a market is!

Cheers...

P.S.- And... what on the hell has spyware to do with "harm musicians"?

Infocalypse Now

[ringbarer]

As a generic moderator-on-crack appears to believe wholeheartedly that the juxtaposition of this news article and a previous one is 'Offtopic', I feel it best to explain a potential 'Nightmare Scenario' on the horizon...

Assumption One: Cancerware authors are amoral miscreants. Given the track record of the likes of Brilliant Digital, we can safely say that this is a given.

Assumption Two: One of the biggest advantages of a modularised Windows OS appears to be the ability to switch out the insecure MSHTML renderer as used in Internet Explorer to replace with Gecko and their ilk. Forcing Microsoft to publish the full API would enable a seamless changeover between rendering engines.

Let's follow this closely. The rendering engine runs as locally executed code, which brings with it additional security issues. I imagine, when push comes to shove, there will be plenty of Microsoft oriented warning messages along the lines of "It may be dangerous to change your rendering engine!" should a user want to make the switch.

However, fully expect the AOL / Netscape hegemony to complain loudly to the courts that this is FUD, and that it is PERFECTLY safe to switch to Gecko without notifying the user short of a generic EULA type click-through. Microsoft, having received a battering from all corners, will be forced to comply and take the warning out.

Which brings us back to Assumption One - Cancerware. Cancerware authors are forever looking for increasingly sneaky and devious ways to install their filthy code onto previously stable computers.

So, take one 'killer app', currently a P2P client, but who knows what the next one will be. Add a clause during installation that some vague 'browser enhancement' software will be installed as a requirement of the killer app. Many people will click through without reading, or just think "Enhancement - Cool!" and let it install.

What does this browser enhancement do? It acts as a fully functional replacement for the MSHTML module. Thanks to the efforts of Microsoft's competitors, it will install seamlessly, running code with local privledges.

What can it do? Anything that cancerware does already. Spying, gathering important data like CC numbers, taking control of your machine, uber DDoS, etc. etc. The possibilities rest purely with the devious malevolence of the author. It will, of course, be auto-updating, so even if it's caught out initially as being just another Purple Ape, it can download enhancements to itself to get past most security problems.

Remember that NO-ONE in the hacking community knew about Brilliant Digital's plans until they made their press releases. Sleeper cancerware, ready to awaken when the stars are right. As MSHTML is part of the Operating System now, for good or ill, it will be loaded on startup, even if the user doesn't open a browser.

But won't this be noticed by firewall software? Well, assuming consumer-grade firewalls work like Zonealarm, then no. Zonealarm checks for EXE files attempting to access parts of the net that they shouldn't be. But of course, Internet Explorer, being the most common Internet application, will be allowed through. The .exe itself hasn't changed, just a shared library that the exe uses.

And of course, the only way to uninstall this version of MSHTML would be to delete it, thus breaking anything that wants to use it. Like, err, everything!

Regardless of any non-Microsoft eliteness, the fact remains that Windows is the most popular PC Operating System for now, and shall be for a long time. This scenario outlined above is one of many potential fallabilities. I can assure you that minds far more devious than my own are concocting their own plans.

Cancerware is nothing more than barely-legitimized cracking. It seems that replacing "3133t hax0r sp33k" with the terse pseudo-legalese wording of EULAs makes this all acceptable. It isn't. And the sooner more people realise this, the better.

Of course, any company releasing something like this shall eventually become a target for the authorities. But the arrest of the author of the Melissa Virus didn't magically undo all the damage it caused, right?

Re:Corporate bandwidth, yum

[benjymous]

I'd imagine the worst hit will be those who pay per the megabyte for their bandwidth. I'm guessing that the altnet client will install itself to run in the background all the time even when KaZaA isn't open, meaning if someone leaves their PC on all the time, without KaZaA running, they may suddenly be faced with a big bandwidth bill thanks to altnet using all of their "free" bandwidth

Future apps will have this as standard...

[n4zgl]

remember when you thought the idea of *them* being able to track your every purchase was some Orwellian nightmare that should never see the light of day? Skip forward to 2002, and you will see the majority of society blithely going about their day to day business, blissfully unaware of the implications of cash and credit cards being the tools that map -you- onto any given barcode. Permanent records of your habits and tastes are steadily being built up. Perhaps the spyware people ought to take a look at how history has made the formerly horrific into a tranquil reality.

How is this not terrorism???

[Kombat]

I don't understand this at all. When a university student launches a program out into the net, and that program sneaks onto your machine and mucks with your registry and steals your CPU cycles, it's a "virus." The kid is labeled a hacker and is arrested. And now, thanks to 9/11, the kid has the additional dubious classification of a "terrorist."

However, if this EXACT SAME THING is done by a corporation, in the name of profit, it is viewed completely differently! Why? What's the difference? It's a VIRUS! Software forces itself onto your machine and changes things without your permission. That's a virus. That's illegal. Why are we tolerating it???

So which is worse?

[night_flyer]

The RIAAs claim that people are stealing music...
OR
Another company making a profit off of this supposed theft?

*** DANGER DANGER DANGER WILL ROBINSON ***

[Pig Hogger]

Read the bleepin' article. Neatly buried in the middle, you'll find this gem:

And on the copying and fair use front, Hemming is lobbying Congress for an Intellectual Property Use Fee to settle the quandary of responsibility for distributing copyrighted material. The proposal calls for charging ISPs a fee to compensate copyright holders.

Notice that this says "copyright holder" and not "creative artists"

Microsoft DRM

[Hard_Code]

This wouldn't happen to be the DRM that has already been broken [com.com]?

Re:Infocalypse Now

[Asprin]

Of course, there's the other way it could swing too...with malware-authors using some kind of legal argument against anti-malware programs like Ad-Aware...I wouldn't put it past them to call it a "Circumvention Device" or somesuch under the DMCA, and attempt to have it banned, although I can't see anything short of a huge bribe convincing any reasonable judge of the validity of such an argument.

How close are we, for that matter, to some of these bozos putting a line in their EULA stating "you may not uninstall this software or reformat your HD" and sealing the uninstaller with a DMCA-enforcable mechanism, so that the software can't be uninstalled w/o violating the DMCA?

Violation of ISP's terms of use?

[candover]

It occurs to me that many users could get in trouble with their ISPs for using Altnet's software. Your typical home account, or any educational network, is likely to have terms of service prohibiting the use of their network for commercial purposes. Since Altnet is sharing commercial content off of your computer, will we see users being kicked off?

(This does give ISPs a valid reason to block Altnet at their routers for such customers, though. Tempting!)

Privacy Issues?

[toupsie]

What is to stop Kazaa and Brilliant Digital from using their software to scan the music & movie files on your hard drive, develop a signature and transfer that back to the RIAA and MPAA? Could Kazaa be a trojan horse company set up by music companies to spy on the p2p habits of music lovers? If they now claim that using the bathroom during a commercial break is a technical violation of the copyright laws, this doesn't seem to far fetched.

Some victim company should sue Brilliant

[Animats]

If you find this on a corporate system, sue Brilliant Digital under the Computer Fraud and Abuse Act, for "exceeding authorized access". If they claim their access is "authorized", demand to see a document signed by an officer of the company. Some random employee clicking on a dialog box isn't enough. Only someone with authority to bind the company can authorize access. It's a straight "hacking" case.