Distributed Computing Program Hidden in Kazaa

The_THOMAS writes: "A federal securities filing Monday revealed that the hugely downloaded Kazaa P2P (file sharing) software contains a piggyback program which will create a second, new, network controlled by Brilliant Digital. They plan to awaken the software, already on millions of computers, within the next four weeks. The program will be used to host and distribute other companies' content and may be used for distributed computing. Read the details here."

Better than Spyware...

Which is better...something that reports back your habits, or something that uses spare cycle time for something constructive?

Joe

Re:You forgot two things...

Except (from the EULA displayed when installing the Kazaa software):

(b) You hereby grant BDE the right to access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation. Notwithstanding the above, in the event usage of your computer is initiated by a party other than you, BDE will grant you the ability to deny access.

You hit "I agree" on this thing in order to install the software. Thus, they are not exceeding the rights you have explicitly granted them.

Jouster

Re:The USA PATRIOT Act to the Rescue!

If this software utilized any cycles on my system, it will impact performance causing me expense which will rapidly increase to the $5000 threshold (a cumulative threshold). I granted no access nor privilage to use my systems, to any employee of Brilliant Digital Entertainment Inc. [slashdot.org] so as soon as any command is issued, affecting the behavior of any software installed on my computers, the employees and officers of Brilliant Digital Entertainment will imediately have become guilty of computer crimes under the Computer Fraud and Abuse Act as modified by the USA Patriot act.


Thank god you are helping us all in our noble fight against terrorism.

Let's Roll.

Re:The USA PATRIOT Act to the Rescue!

If you're using Kazaa, you did consent. Read the EULA sometime.

4. Upgrades and Access.
(a) You acknowledge that BDE may from time to time provide future programming fixes, updates and upgrades to you ("b3d Updates"), including automatic updates to KaZaA and other software bundled with KaZaA, through automatic electronic dissemination and other means. You consent to such automatic updates and agree that the terms and conditions of this Agreement will apply to all such b3d Updates.
(b) You hereby grant BDE the right to access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation. Notwithstanding the above, in the event usage of your computer is initiated by a party other than you, BDE will grant you the ability to deny access.

Of course, EULAs have yet to be stress-tested in our court system, but are *you* going to have the money to win the court case?

Erik

Fighting sneakware

I'm currently fed up with what I'll call sneakware, that's pre-installed software on my 2 yr old laptop which has woken up and installed software and changed default settings. I caught Adobe Photo Deluxe changing itself when I went to edit some photos. I can't even figure out how to stop it, short of yanking the phone cord out of the modem when it goes to connect to websites. Bastards.

You might have tried something like this already, but if not download or buy a package that monitors programs that try to access anything through TCP/IP and warns you when a program is trying to do something you haven't authorized over the network. Tiny Personal Firewall [tinysoftware.com] has worked out pretty well for me and is free for home use. It works in most cases, unless the application has a legit reason to use a particular port and also uses it for something you wouldn't expect. Adobe Photo Deluxe doesn't sound like it'd fit into that category, however...

reminds me of an old saying

P2P = good
Distributed computing = good
p2p + distributed computing = bad.

This reminds me of something my dad once told me regarding his school lunch as a boy. Just because kids like spaghetti, and kids like peanut butter, doesn't mean they'll like spaghetti and peanut butter.

Re:reminds me of an old saying

You can pick your friends. And you can pick your nose. But you can't pick your friend's nose.

Applied to P2P this would be:

You can pick your peers. And you can pick your computations. But you can't pick your peer's computations.

Re:reminds me of an old saying

> Just because kids like spaghetti, and kids like peanut butter, doesn't mean they'll like spaghetti and peanut butter.

Well, if they're the kids of typical computer geeks, they'll be very familiar with Thai and Vietnamese food, so peanut butter on spaghetti won't strike them as the least bit odd. But they might complain that you left out the scallions and bean sprouts, and maybe it could use a bit of hot pepper sauce.

Its real, alright.

Unfortunately, the clause to allow kazaa to use your CPU cycles has been around since the day morpheus came out..

Time to switch to giFT!

Re:April Fools?

Given that the supposed quote from the Terms of Service given in the page doesn't actually appear in the Terms of Use [kazaa.com] listed on the KaZaA site, it's probably safe to assume it's a joke.

Firestorm

While ignorance is no excuse, that seems the only one given that Kazaa/Brilliant apparently tip users off to this crazy strategem in the user agreement. That said, I can't understand how this isn't a trojan -- installing an app with no explicit warning on a third-party computer? Shame, shame.

Re:Firestorm

generic-man wrote:

> KaZaA is a program used exclusively to steal music, movies, and
> software.

I wouldn't know about that, having (thankfully) never used it. I get my mp3's off my extensive CD collection (Manilow, Mozart, Mothra, etc. -and that's just the M's ;).

> Windows XP is an operating system. It can be used for legitimate
> purposes.

Juno can be used for legitimate purposes. It started a distributed computing plan that required the user's computer to remain on at all times and connect to Juno regularly (at the user's expense if their access number was a toll number). That created a real storm of controversy.

Google can be used for legitimate purposes. Its toolbar is also a distributed computing application.

And please, do not think for a minute that Microsoft is far behind. Microsoft Research had a project called "Millenium" that called for distributed computing among other things. Millenium's marketing name appears to be ".Net". Ever heard of it?

If you have Windows XP, you have agreed to let Microsoft install any "upgrade" it wants to on your computer. That's all they need to sneak one of these applications on your computer and start harvesting CPU cycles, if they haven't already.

Ultimately, Millenium is to be a global super-cluster of all the Windows computers (if not all the computers period) in the world. Your data and applications will be stored where ever Millenium wants them to be stored (maybe even on one of your competitor's hard drives?!?). Both applications and multimedia content will run on a pay as you use basis (with digital rights management). The file system will be a universal data store based on SQL Server (say bye-bye to your favorite standard file formats). You will boot your new PC with the Millenium disk, and after a process similar to today's product activation, your computer will join (be assimilated by) the Millenium network. About the only thing different between .Net (the reality so far) and Millenium (the research project) is that Java (the Millenium Java VM was called "Borg") has been replaced by C#.

The above post is ***not*** an April Fools joke. It is based in part on documentation available on Microsoft's web site (http://www.research.microsoft.com/research/os/Mil lennium/mgoals.html and http://www.research.microsoft.com/research/sn/). The only "fool" is the person who sits by and lets Microsoft use this to gain control of the entire computing industry on this planet forever (or at least the thousand year kingdom that is what the word "Millenium" means).

What happens when you embrace and extend Godzilla? Nuclear heartburn!
See "Godzilla 2000" (released in Japan as "Godzilla 2000 Millenium") for details.

Trojan horse

If a trojan program is useful, does that make it any less of a trojan? Where do you draw the line? To my mind, people have downloaded a program, expecting it to do one thing, and really it has a payload that con do something completely different... Makes me wonder what else the makers of this 'brilliant' scheme aren't telling us about it :-)

Re:Trojan horse

That's why you should run open source software.

If you agree to terms that permit them
to do this, you don't have much to complain about.

Like this:

Allow me to explain by example.

void main()
{
doDownloadFiles();
doUploadFiles();
doSpyWare();
doDistributedComputing();
}

becomes

void main()
{
doDownloadFiles();
doUploadFiles();
/* doSpyWare();
doDistributedComputing(); */
}

Sure, it takes a high-school CS student to figure out what to comment out, but once its re-compiled and distributed on KaZaa, the modified version will spread like wildfire.

If the license is truly open source, this wouldn't even be illegal (not that KaZaa users really worry about that anyways).

Wait a second...

According to their licensing agreement, they're allowed to use any extra storage space and/or cpu usage. What happens if you run out of space on your HD because of this and delete their files? Could they have the right to say that you aren't allowed to delete these files because it's their intellectual property?

They should pay you

Of course they need your permission to do this; in fact they should pay you when they use your cycles, bandwidth (that you already pay for), disk space, etc. My computers are all at 100%, thank you, I don't have any spare cycles to give away for free. Nor do I have disk space to store some l0ser's pr0n or crappy bootlegs. And don't even ask me about bandwidth.

At the very least, they should let you have a large discount on downloads when you opt-in. For example make them free. Plus a credit based on the bandwidth they steal *cough* use.

what a joke!

Im not sure if this is an april fools joke or not ... I would guess not because unlike the other jokes, this one is liabel. So assuming it is not, the quote "...We're trying to create a secure network based on end-user relationships."

Sneaking software onto peoples computers to create a good relationship with users ? ... or did they mean a good relationship with b3d's clients?

Re:what a joke!

I'm not sure if this is an april fools joke or not

It's in their annual report [yahoo.com] and I don't think the SEC like jokes.

Revenge

Once the client starts receiving and transmitting data it shouldn't be hard to get a rough idea of what's being transmitted and then we can start sending duff data to their servers.
It doesn't matter whether we know what the data is or not, it just going to be a binary chunk with probably a checksum somewhere. Fill their servers with random data and see how long they want to continue using our resources

Re:Revenge

As an alternative to your idea, the article stated that the software will be automatically "updated" to allow new features... once the data starts flowing, I wonder how hard it would be to, ah, "submit a patch". :)

I'll _finally_ have my beowulf cluster. :)

- Jester

Sigh...business as usual

I find it very sad, that companies will trick the user into installing the software without the knowledge. I mean, how many users would mind a spare cycle burner to help the service they like. I mean if they included the abviosly visible message (not hidden inside license agreements) saying something like "We are providing this service free of cost to you, but in return, this service will install software that will use your computer while it is not being actively used by you, and only while kazaa is running. Unfortunately, if you do not wish to run this program you will not be able to run kazaa as our finances depend on it. We promise that no information about you or your files will be used." If such a message came from a company with not a bad reputation (winamp comes to mind), i would install the program, as would many other users, adn both parties gain. When it is done in secret, it only damages the company rep, thus making it even harder for them to make money..

Furthermore, it seems that the wasted cpu tiem is becoming a precious commodity, which I am currently donating to seti, with no financial compension (in other words I am not selling the cpu time). I wonder how long till the government will accept donated cpu time as a real donation, so i can put it on my tax return....hmmm, i am thinking about at least a dollar per unit, and i am now at 780 units, that makes it 780$ deducted from taxes, and if it is a dollar per hour....

that could be a hefty some for stuff donated to a good cause....

maybe someone at seti would give me a receipt...hey, that would mean more people doing units for them...could be beneficial to both sides...

sad but true - it's real AND messy

It's legit, irritatingly enough.

The program hides itself in different locations all over your hard drive, including copies of itself in your OS root and /system32 folders (if you're running Windoze)

It's a bitch and a half to purge. There's no unistaller, and it's got dozens of registry entries to manually erase.

(Search for 'bde' and 'b3d' on your HD and your registry to make sure you get it all.)

I can only imagine the looks on people's faces when a gigantic 3D Cameron Diaz appears on people's computer screens and commandeers their system.

Time to stock up!

• "Everybody will get turned on in more or less a simultaneous fashion ... We're trying to create a secure network based on end-user relationships."
  

Whoa - time to stock up on condoms. I sense a worldwide shortage soon!

Download Kazaa now. Don't be left out!

IBHT, IHAGD

(I have been trolled, but I had a good day)

Looks to me like this is just a new way for marketers to say "spyware".

Let's read the article.

The company plans to wake up the millions of computers that have installed its software in as soon as four weeks. It plans to use the machines--with their owners' permission--to host and distribute other companies' content, such as advertising or music. Alternatively, it might borrow people's unused processing power to help with other companies' complicated computing tasks.

An advertising company plans to use your machine to host and distribute other companies' (not user-selected) content, such as advertising or music [or next week's winning lottery numbers], or it might use the CPU power for something other than advertising.

Color me cynical, but I advertising think I know advertising what type of advertising content will be advertising hosted by this advertising new "network" hosted by an advertising company.

The immediate plans for Altnet, Brilliant and the new peer-to-peer network remain unclear.

Bermeister said the company had been testing the technology along with ad giants DoubleClick as a way to serve ordinary Web ads more quickly. Under this plan, an ad that a person sees on a Web site might be hosted by a nearby computer running Brilliant's Altnet instead of on a central ad server, as now typically happens with DoubleClick.

Gee, not only was I not too cynical, I wasn't cynical enough!

Brilliant's CEO was quick to note that people would be asked before their computers were used for this or other purposes. He said the software would show a pop-up box explaining the network's function and giving people a chance to turn it off.

And of course, we all know that the description of the functionality won't say "we use your computer to serve banner ads!", it'll be "This is part of a new stealth P2P network! Join now!"

(This leaves aside the larger issue - namely, every spyware manufacturer makes similar claims. "It makes your cursor look cool!" "It enhances your web experience!" "It's like a buddy who helps you while you surf on the web!" Need I go on?)

People who allow their computers to be used will be compensated somehow, possibly with gift certificates or free videos, the company's filing said. [...]

However, people who accept "terms of service" already distributed with Brilliant's and Kazaa's software are already agreeing to let their computers be used without any payment at all.

[...]

Anybody who declines this provision is not able to install the Kazaa file-swapping software."

And if you're really lucky, we'll send you some stuff. Sign up today! We don't have to send you anything or compensate you for the use of your bandwidth for our advertising network, but, uh, we might, if you give us all your personal data! Honest, we might!

Moral of the story:
It calls itself a new stealth P2P network that'll "turn on" millions of PCs. But it looks like a spyware duck, quacks like a spyware duck, and leaves runny turds that look an awful lot like duckshit.

I call it a duck.

Here we are, after spending a whole day bitching at the Slashdot editors for an April Fool's Joke about advertorials, and nobody notices an advertorial when it's staring them right in the face.

(Of course, if this is CNET's own version of the "Advertorial April Fool's Joke", I admit it - it's scummy enough to be believable, and the advertorial is from a source I believe to engage in advertorializing. So if it's a joke, I admit it - they got me fair and square. Wotthehell, I thought the idea of Teoma going after Google was an AF joke too ;-)

Re:URL! Always look at the URL!

jeez, april fools day has turned all us slashdotters into a bunch of cranky, trust-no-one cynics.

oh wait..

Fun and games

I see great potential for fun here. Think about it, They rent out your hard drive to someone, who uses it host advertisment, or demoware or music. You, being the wiley Hacker guy, replace the content porno or pirated music/software and let the fun begin. Optionaly you can sue them for using your hardware and bandwidth for morally objectionable purposes.

There's a subtle logic at work here

There's something tricky going on here that is not immediately apparent if all you do is look at and knee-jerk react to this story:

I download Kazaa. I download Kazaa because Napster doesn't work anymore. Napster doesn't work anymore because the music companies say it rips them off. I don't care about ripping off music companies. But that makes me think: I can see how I'm ripping off artists. Gawd I love Kazaa! But I feel bad about ripping off artists.

BDE through Kazaa wants to use my computer cycles? Well geez, I feel bad about getting all this great music for free... I owe somebody something... Oh alright, that's a fair exchange.

The power of guilt.

Mark my words, people will accept this barter, except for one small problem: the artists still aren't getting paid!

BDE is getting away with murder: benefiting off of artists by proxy, and benefiting off of consumers, through guilt.

Re:There's a subtle logic at work here

the artists still aren't getting paid!

With the current cd for cash model, the artist doesn't really get paid either!

EULA

No hoax here, folks:

From the Kazaa EULA, addendum section on BDE:

4(b) You hereby grant BDE the right to access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing. The user acknowledges and authorizes this use without the right of compensation. Notwithstanding the above, in the event usage of your computer is initiated by a party other than you, BDE will grant you the ability to deny access.

Interestingly as well:
5. Term; Termination.
(a) This Agreement will be effective as of the date you accept this Agreement and will remain effective until terminated by either party ("Use Period").
(b) BDE may terminate this Agreement at any time by providing notice to you. You may terminate this Agreement at any time by ceasing use of the Software and Services and destroying or removing from all hard drives, networks, and other storage media all copies of the Software. Upon any termination, all licenses and rights to use the Software and the Services shall terminate and you must remove the Software from your computer equipment and dispose of all originals and copies of the Software in your possession. The following Sections shall survive any termination of this Agreement: 2, 3, 4, 5, 6, 7, 8, 9 and 10.

So you can't terminate once you've accidentally clicked "OK". Although you sort of wonder how they're going to apply section 4 once you've "destroyed or removed from all hard drives, networks, and other storage media all copies of the Software."

Will I be taxed?

So Brilliant Digital is providing me with a service, the Kazaa network, in return for another service, use of my computer's storage and spare CPU cycles... First of all, it's a great idea. But I wonder whether or not users of this service will be legally required to pay taxes on their barter income [irs.gov], and more importantly, whether Brilliant will have to mail out 10,000,000 1099-Bs (along with collecting 10,000,000 social security numbers).

Distributed doubleclick?

Under this plan, an ad that a person sees on a Web site might be hosted by a nearby computer running Brilliant's Altnet instead of on a central ad server, as now typically happens with DoubleClick.

Well, this seems pretty much to be the end of ad blocking through firewall rules... Pretty easy to see why doubleclick would like this scheme.

You'd basically never know what host would be spamming your browser...

*sigh*

Incredible

Am I the only one who thinks these P2P apps are evil?

I used Grokster on my networked Win2K box at home. This box contains my personal files, such as financial info and I also use it to do online banking. So my privacy really matters. I also use this box for work and I have it streamlined and tweaked to run as efficiently as possible. No foolish system tray or startup apps etc...

Well it seems that P2P apps like Kazaa or Grokster work hard to breach my privacy and fudge my system. I've never known software to be so malicious. First, I see that Grokster has web-based ad support. Okay, that's tolerable, they need some form of revenue. But don't think I haven't noticed your "secret" stash of cached ads in my system directory, Mr Grokster. Then I notice the popup ads. Also annoying.. but again I tolerate. I didn't run Grokster for longer than a day and my system can handle twenty browser windows. But then, incredibly, it turns out that the required advert component also sends out information about me, including my browser history. Big no-no, Mr Grokster. Now I have to spend time to counteract this. I found a replacement set of libraries which do not send personal information. From that point on, I figured I was safe. Oh no... this weekend, after a Grokster session, I spotted a strange "extract.exe" on my desktop. Hmmm. How did that get there? I took a look inside and found various executables and libraries. How quaint. I most certainly did not download it. So I searched my system and lo and behold, it seems some ActiveX has automatically downloaded and run this program for me, spreading half a dozen files around my system. Looking through the registry I see that in fact it's installed a browser toolbar. Oh lovely.. just what I wanted. Took me a good half hour to rid my system of it's leeches.

The moral of the story, don't run Grokster. Well fine, I've learnt my lesson and I'm fortunate enough to have another disposable machine to unleash the Grok on. But my concern is the X million people who don't have a clue. The sort who click on "www.yahoo.com.exe". They see Grokster or Kazaa on download.com or whatever, download it and use it blissfully ignorant of what I consider to be a virus. In fact, the only difference I see between Grokster, Kazaa etc.. and viruses is a service. Package your virus as an application and you earn amnesty from antivirus software.

Slashdot articles and anti-spyware sites keep us geeks in the loop, but that doesn't help the masses. Only laws help the masses. There must be some law somewhere that states such practices to be illegal. Tricks used by these programs such as placing independent components in the system directory posing as actual system files, running programs without permission, not informing users of these hidden "features" and so on, are clearly malicious.

I'm for P2P networks, but clients such as these seriously rub me the wrong way and I'll be glad when the RIAA eats them. I just pray for a nicer client to take their place.

criminal trespass

Given that no EULA has the force of contract law anywhere in the U.S., it's rather doubtful that it could be used as 'consent' for utilizing spare cycles in a legal fashion. The company is treading dangerous ground here and just begging to be bitch-slapped with a lawsuit.

While I doubt a serious argument could be made for damages, unless the EULA is upheld by some clueless court then using the spare cpu cycles of personal computers clearly constitutes criminal electronic trespass as outlined in the PATRIOT act. And, as we know, this automatically brands one as a terrorist.

I don't use Kazaa but I can't imagine that very many users will be happy to have their 'spare' cpu cycles appropriated for someone else's gain. Just another reason to dump this software in the electronic crapper.

Max

Some observations

• Bermeister said the company had been testing the technology along with ad giants DoubleClick as a way to serve ordinary Web ads more quickly. Under this plan, an ad that a person sees on a Web site might be hosted by a nearby computer running Brilliant's Altnet instead of on a central ad server, as now typically happens with DoubleClick.

"Quickly" is mendatious. The majority of end users will have port 80 traffic cached by their ISP, and you can bet that cache will be juicy-full of DoubleClick stuff. My ISP routes all traffic via my local access point, even traffic to other people under that access point, and they run a cache at the access point. So even if I were to get ads from the guy next door, it would still be slower than getting them from the cache. All this would do would be to cut down DoubleClick's bills for uncached accesses, and (interestingly) stop me blocking DoubleClick using my hosts file. If this latter reason is actually material, then it's a sad indicator that the ad market has given up any pretence that ads are in any way connected to revenue. If I've gone out of my way to actively block your adverts, and you force them on me anyway, what exactly are your chances of gaining one red cent in revenue from me? Farcical.

• Bermeister said. "This will be an opt-in program..." [...] the software would show a pop-up box explaining the network's function and giving people a chance to turn it off

Hey, opt-in, opt-out, what's the difference, eh? To apply an equally muddled metaphor, they'll probably burn that bridge when they come to it.

• People who allow their computers to be used will be compensated somehow, possibly with gift certificates or free videos, the company's filing said.

Ah. Anybody with a typical residential DSL/cable connection should check their contracts. There will almost certainly be a clause in there that prohibits providing services to third parties, and especially selling services to third parties. Most ISP's have tolerated filesharing up to now because it's (generally) an active use thing. And CETI@home is low bandwidth, fully opt-in from the user side, and non-commercial. But this might be different. It's a commercial company using ISP bandwidth to make profit, and pass some of that (a very, very little) back to residential users, who have only agreed in general to provide services, not on an active case by case basis. This might be where ISP's start to draw the line.

Don't want to bitch at this but...

"we're sorry for the spyware"

they remove it

a month later

"We're sorry for the spyware"

they remove it

goto 10.

As much as I love the P2P concept, if these guys go out of buisness or get the crap sued from them, I just hope EFF won't protect them in the name of P2P, because these guys aren't the Good Guys(tm). They are opportunists that are hiding behind ignorants and people that want to defend P2P to play their dirty scheme instead of being just dead honest.

It doesn't kill a buisness to mention any spyware or whatever, if people skip the warning and download it, well now It's their problem, but running it and acting like if you were transparent is just plain unethical, they did it many times, it simply piss me off. That's why I am using winMX since the first time I saw Kazaa doing crap to their users. It's been at least reported 2 times here if not more.

Again, being honnest about it won't change much, it'll just remove a FEW users like me and most of slashdot readers that want their privacy. Most of the people won't give a damn, so why being so dishonnest!? it could just trigger lawsuits against them for absolutely no gain.

The proof to this? well look at how many times you saw kazaa and spyware, and look at their userbase still growing (which doesn't make sense but again, MOST people just don't care, they'd sell their souls for free stuff).