Security Hole in Morpheus
Saint Aardvark writes: "The BBC reports that they've been contacted by a group claiming to be able to copy any file off some Morpheus users' hard drives. Apparently a bug allows for a great deal more file-sharing for some users of the software than intended ..." Man this thing got submitted a lot. I've never actually seen Morpheus, but apparently a lot of readers have! There really isn't a lot of information except that if you're running Morpheus, you might as well consider your hard drive world readable ;)
Whoever these "hackers" are, they didn't fully research before they decided to stroke their own egos and create a scare. I just tested this remotely (yes, on some stranger) and on my own local machine. My findings? You have access to EVERYTHING IN THE FOLDER THEY HAVE SPECIFICALLY SHARED OUT! Yes, you can download through your web browser what you could have downloaded already through Morpheus/Kazaa. Not a worthy exploit in my book, calm down everyone.
This story seems a little short on details, and in Kazaa - which runs on the same proprietary engine and, I assume, would be vulnerable to the same worms as Morpheus (of course, closed source => I don't know) - you can just check the box next to your hard drive and share all of its contents. Are they certain that the people they've found didn't do that? That said, maybe Kazaa can't get the worm, if there is one, but when I turn sharing off, my friend can't get any files from my computer (just checked now, he's on the phone) at all; if you're worried, have a friend query your username and see what they can get.
My inner paranoid, who left the fetal position to read the RIAA thread, thinks this is a music industry plot. I want to say that that is totally preposterous, but after they asked for legislation to make it legal for them to hack our hard drives, I can't totally dispel the suspicion.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
"We're not sure what it is that makes some Morpheus members vulnerable to this" Could it be that those users were just stupid enough to tell morpheus to share their entire c: drive? It wouldn't surprise me...
Anyone else getting the feeling that this "story" is in fact disinformation that probably originates with RIAA?
Okay, yeah, that was my first thought, as well. Given all of the flak that MS has gotten over security holes, it is the sort of thing that a dumbshit trying to commit PR sabotage would try and pull off. If you recall that the RIAA let it be known (I don't think the bill was actually submitted) that they want protection against damages they inflict while hacking our hard drives, we can conclude that the RIAA is unscrupulous enough to try something like this.
Now, firstly, all of that is pretty circumstantial. Smoke and mirrors, hearsay.
The reason I don't think it was the RIAA is that it wasn't slick enough. The RIAA may not be smart, but they are smooth. Glossy and convincingly packaged. This story reads like a communication between a reporter and his friend, a second rate hacker in a garage somewhere (Hey, I know both of these people!) Second rate hacker says "Hey, I think I've found a security hole in Morpheus! Probably a worm." Reporter says "Can I print that?" Hacker says "Uh.... don't put my name on it."
Given the tenor of the article, the (frankly obscure) place it shows up, and the lack of exact quotes - an RIAA "agent" would have given smooth reading sound bites - I think that it's simply a screw up, with no malicious or deceptive intent. Never ascribe to malice what can be explained by stupidity.
Now, I know, it is still possible that the RIAA was clever enough to figure this out, and figure the way to make it look convincing. It is also possible that this is some sort of RIAA test to see how much attention this thing attracts, before setting off real hoaxes. That, however, is paranoia.
On the other hand, just because you're paranoid..... doesn't mean that this won't give the RIAA ideas.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
Christ, get a grip. Go into Morpheus, search for a file, right click on the file you want, select "find more of the same=>user" and there you go, every file the user is sharing.
It's the same damn thing as grabbing their IP with netstat -n in DOS (with the port 1214) and plopping it into your browser. Big deal. So instead of using Morpheus, you use your browser and a bit more work to look at the contents a user is sharing.
The person on the other end sharing files, STILL RETAINS CONTROL OF WHAT HE OR SHE **WANTS** TO SHARE. True, some are idiots and share their entire hard drive, but that doesn't matter since you can't upload a damn thing using your browser.
Your post clearly indicates your ignorance of the topic, as well as a shameless plug for some inferior open source p2p network.
A Penny for my thoughts? Here's my two cents. I got ripped off!
I realize this is the same thing that everyone else is saying, but it's just HTTP (a protocol ...) on a different port. Woop-dee-doo. Have any of you watched Morpheus traffic on a firewall, though? It's rather amusing how close they got to being completely oblivious to a casual sys admin like myself. The client appears to change mp3 file names to .jpg, and send them as http requests on a different port. If they had put it on port 80 I probably wouldn't have caught it 'back in the day'.
If you really want to make a 'hidden service', you'd make the client break the files up into smaller packages (much like warez RARs), name them random files from the Internet Cache folder, send them on port 80, include a file that tells the receiving end how to put them back together, and you'd be set. It would just look like someone was browsing the Internet. It would be four megabytes worth of webdata ... but I've been known to pull that much webdata from a website before. And if you really want to get hardcore (for the hardcore content checking firewalls) you could change the header information in the files so that they appeared as jpgs, or html files. Super shneeky.
~LoudMusic
No sig for you. YOU GET NO SIG!
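The mismatch described in the comment above (HTTP on port 1214, MP3 data served under a .jpg name) is what a content-aware inspection rule looks for. An added example, not part of the thread: a Python check run over constructed flow records; the record fields and finding names are assumptions made for illustration.

```python
# Added example. The flow records below are constructed, not captured traffic.
JPEG_MAGIC = b"\xff\xd8\xff"
WEB_PORTS = {80, 8080}          # assumption: ports where HTTP is expected
HTTP_VERBS = (b"GET ", b"HEAD ", b"POST ")

def looks_like_mp3(head: bytes) -> bool:
    """ID3v2 tag, or an MPEG audio frame sync (0xFF followed by 0b111xxxxx)."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0

def inspect_flow(flow: dict) -> list:
    """Return findings for one flow: request line, dest port, first body bytes."""
    findings = []
    request = flow["request"]
    if request.startswith(HTTP_VERBS) and flow["dport"] not in WEB_PORTS:
        findings.append("http-on-nonstandard-port")
    parts = request.split(b" ")
    path = parts[1].split(b"?")[0].lower() if len(parts) > 1 else b""
    body = flow["body_head"]
    # Compare the claimed type (extension) with what the bytes really are.
    if path.endswith((b".jpg", b".jpeg")) and not body.startswith(JPEG_MAGIC):
        findings.append("mp3-named-jpg" if looks_like_mp3(body)
                        else "jpg-extension-magic-mismatch")
    return findings

SAMPLE_FLOWS = [  # constructed sample input
    {"dport": 1214, "request": b"GET /song.jpg HTTP/1.1",
     "body_head": b"ID3\x03\x00\x00"},
    {"dport": 80, "request": b"GET /photo.jpg HTTP/1.1",
     "body_head": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
    {"dport": 1214, "request": b"GET /track.mp3 HTTP/1.1",
     "body_head": b"\xff\xfb\x90\x00"},
    {"dport": 80, "request": b"GET /cache/img.jpg?x=1 HTTP/1.1",
     "body_head": b"\xff\xfb\x90\x64"},
]

def run_samples() -> list:
    return [inspect_flow(f) for f in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, run_samples()):
        print(flow["dport"], flow["request"].decode(), "->", result or "clean")
```

The last sample is the port-80 case the comment says would have gone unnoticed: the port check stays quiet, and only the comparison of file signature against extension flags it.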
Wow it looks like those crackers cited by BBC are really top notch! They've certainly got people-management skillz like Mitnick, if my reading of the BBC article has anything to say..
It should be obvious to anybody reading this thing that the "random list of shared personal filez" and such is a big user booboo. Obviously some people are st00p1d enough to leave personal details n docs in a shared folder..
How much did the RIAA pay to get this posted?
A worm???
Like Code Red? Or NIMDA?
This sounds like some crack addled reporters posing as computer hackers.
Scenario 1: There is a hole and it will be confirmed through trustworthy channels. It is a buffer overflow or http path traversal problem. The reporters or editors got confused when the brainiacs described it to them and attempted to describe it in terms everyone understands, hence a coding mistake from FastTrack or Morpheus being described as a 'worm'.
Scenario 2: There is a worm exploiting Morpheus. Fat chance the first we hear of this is from BBC.
Scenario 3: They discovered that Morpheus uses http over port 1214 as a transport layer and were amazed to find out that some people have shared their entire hard drive. Wanna find everyone that has their entire hard drive shared? Just search for some windows component that shouldn't be shared. Try it, you'll be amazed. Others have covered this in greater detail, including variations that make even more sense.
Scenario 4: Conspiracy. Also more details in other posts.
Bleh!
Read the decision in the Napster case. Nothing in that ruling specifies that file-sharing is illegal. What was illegal was copyright infringement. To prove copyright infringement, the copyright holder has to demonstrate an instance in which his copyright was violated. An instance of pirated software is illegal regardless of whether it is shared over a network. As previously mentioned, MP3 files are not inherently illegal.
Child pornography is illegal regardless of whether you share it over a network. You can email child pornography. For that matter, you can email a copyrighted image or copyrighted text, thus creating an infringing copy of the material. Does that make email illegal?
I realize you're just trolling, but given the opportunity I'm always happy to try to educate or persuade people who may not quite grasp the intricacies of these matters. I can easily gloss over flame bait originating from cowardly pipsqueaks if it gives me the opportunity to do so, or just laugh it off if it doesn't.
So what else ya got??
--------
"No live organism can continue for long to exist sanely under conditions of absolute reality;..."