October 02, 2003
Hackers, Twinkies, Somebody Did It But It Wasn't Me

Entrapment -- Incriminating Peer to Peer Network Users (pdf) by Anonymous (or "have2Banonymous") is a seemingly academic paper that suggests some "twinkie" defenses for those subpoenaed or sued by the RIAA for file sharing. Basically, the idea is that if accused, rather than settling, the accused could say that malicious attackers or hackers tricked the accused into downloading and unknowingly sharing the files, or, the attackers planted, say, 1000 files (around 2 gbs?? How do you slip that past someone?).

New Scientist has an article on the paper, Innocent file-sharers could appear guilty, that suggests the paper's assertions are reasonable. While security experts quoted in their article do say attacks could happen, and technically, it does appear to be possible on some networks under certain circumstances, why would anyone do it? And by manipulating file requests on those networks, how would they get enough files planted on any one user's hard drive to cause problems? I mean, a user would have to be on filesharing networks often, for long periods, and send many file requests, and the hacker would then have to alter each request, and then the user would have to select the files the hacker intended the user to select, for download. Yes, it's possible, but it seems extremely unlikely, and as a defense? What judge would take this seriously?

There was the recent case where a guy, who says he didn't download child porn, used this kind of defense to say that he didn't know he had it and thought it was placed on his system by some spyware Trojan horse he probably surfed/clicked past. That seems more plausible, because porn purveyors have an incentive to get people to come to their sites and to install spyware to watch where users go and what they do there, to try to get more business.

Why would a hacker/spyware/other program put files on your computer? I can see putting a couple of child porn pictures (small k download so it's quick and relatively unnoticeable, and the idea is to entice you to their site to spend money), but 3mg mp3 files would be bigger, inconvenient to hide, and what is the incentive to place them on your system? I can't see a judge buying it other than accepting a general computer ignorance by the user. But if the user's machine has something like KaZaa installed, and had 1000 unauthorized files on their system, and the RIAA downloaded 10 or 20 of those files to verify them as unauthorized files, the accused would have a hard time claiming that they were tricked by attackers into downloading some of the files, or tricked by KaZaa into sharing them. It may be true, but they installed a file sharing program, had some files intentionally, and were still sharing unauthorized files.

This paper has an anonymous author, and though it's written in an academic style, with some code that looks real, it's strange. Why would the author not want anyone to know who they were if they were advancing something reasonable? They might not want the information connected to them, but at that point, it's much harder to take this seriously. For example, at the very end of the paper, the author suggests that someone accused of filesharing copyrighted works could show "the authorities" the paper to claim the files were placed there, and "they probably were." Why would any judge believe a paper with no author that advances a questionable defense? First of all, if you get sued, you don't go "directly to the authorities", because these suits are a civil matter. You get a lawyer or defend yourself, and the only authority in the case if it goes to trial is a judge, not the police. And how does the author know a user's files were placed on the user's system by someone else, as he suggests?

This paper reminds me of those old hoax emails that prey on people's ignorance, in this case about computers, and what is reasonable. I just don't see the motivation for planting mp3s on people's systems, except in rare cases of personal vendetta. Which also seems ridiculous, because I can think of much easier ways to get to someone if you wanted to do it. It just seems farfetched.

Frank also mentions this, and /. discusses.

Update: Fred Von Lohmann, Meditations on Trusted Computing. He talks about being in control of and trusting your own system, as well as having others trust your system. An interesting contrast to the paper mentioned above. And Seth Schoen posts his paper: Trusted Computing: Promise and Risk which, according to Cory, is a "...long-awaited, brilliant white-paper on Trusted Computing. Seth has been briefed as an outside technical analyst by all the companies working on Trusted Computing architecture, and has had his paper vetted by some of the leading security experts in the field. This is the most exhaustive, well-reasoned, balanced analysis of Trusted Computing you can read today. Don't miss it." /. discusses.

Posted by Mary Hodder at October 02, 2003 07:48 AM