Slashdot Mirror


Secret Kazaa Documents Revealed in Court

Dan Warne writes "A fascinating range of Kazaa's internal documents were revealed in Federal Court in the ongoing court case against the Australian-based company today. One extraordinary philosophical manifesto by the company's chief technical officer showed that he was aware that Kazaa's activities were a huge legal risk. He also feared being 'out-innovated' by other P2P programs that didn't come bundled with adware. "if consumers can connect to FT (as well as Gnutella 2, eDonkey and Bittorrent) and it has no ads or adware then it would seem a good choice," Philip Morle says in his manifesto. The documents are full of all sorts of other admissions-that-you'd-be-crazy-to-put-on-paper like how Kazaa employees "hate" installing the Kazaa Media Desktop on their machines because all the bundled adware slows your machine down and can hijack your web browser."

14 of 273 comments

  1. It just goes to show... by DaHat · · Score: 5, Insightful

    Never write anything in a letter, e-mail, diary, memo or any other quotable medium that you don't want the other guy's lawyer holding up in court.

  2. Anyone get the feeling... by MosesJones · · Score: 4, Insightful


    That maybe this chap wasn't -entirely- on side with the business strategy of the company.

    To me this sounds like a techy complaining that the business is subverting the idea. In many cases this is because the techy doesn't understand the business model, but here it sounds more as if the business didn't understand the market.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  3. surprising, or is it? by Syini666 · · Score: 5, Insightful

    When your own employees hate installing the very software of their employer you know it's a recipe for disaster. With those kinds of feelings flowing around the office it's surprising the documents weren't 'leaked' earlier. For some odd reason I don't see anybody coming to Kazaa's defense in court now like Napster saw when they were up on the chopping block.

  4. Re:Currently... by Ninjy · · Score: 5, Insightful

    Always be careful, thanks to the language ambiguity, even the simplest statements can be turned around to form the opposite instead.

    Even in saying "Kazaa does not come with spyware bundled", followed by "Kazaa and the bundled software do not collect personal information" still leaves quite a large hole for them to just walk straight through. What if one of the bundled applications reroutes your HTTP traffic through third-party servers? All the application does is re-route your traffic, it doesn't collect any information at all. The information collecting may just as well happen elsewhere.

    Again, always remain on the look-out for these things, however minor they may seem.

  5. Re:VMware! by William_Lee · · Score: 4, Insightful

    At the risk of inflaming passions, ANY OS is only as secure as its user. With a little common sense and attention to detail, it is relatively easy to keep a Windows XP installation spyware/malware/virus free.

    It's even easier in the workplace where XP can be locked down on the security front.

  6. Kazaa _must not_ fail by kahei · · Score: 5, Insightful


    <grumpiness size="extreme" style="curmudgeonly">

    If Kazaa goes down, there could well be a flood of low-quality Britney_Spears_naked111.mpg traders and leeches coming onto the good p2p systems. I don't think I want that.

    It'll be like AOL day all over again.

    Support Kazaa -- or America's highschoolers will be trading on your network!

    </grumpiness>

    --
    Whence? Hence. Whither? Thither.
  7. Re:Shock News Just In... by Bigthecat · · Score: 5, Insightful

    It's one thing for it to have spyware; it's something else for one of the company's head honchos to admit it.

  8. I really don't understand this by elliotj · · Score: 4, Insightful

    1) People install Kazaa because they want to pirate music, pictures, video and software from the Internet
    2) Kazaa puts spyware crap in their product
    3) Users think this is unfair
    4) Kazaa is in court because of what they did

    Am I crazy? Is there someone out there forcing people to install Kazaa? How many people were installing it for legit legal use?

    You don't want spyware crap? Don't install shady programs.

    This is like suing a drug addict because he let you share his needle and you contracted HIV. I really don't get what all the fuss is about.

    1. Re:I really don't understand this by oirtemed · · Score: 5, Insightful

      no, this is like suing a gun dealer because the gun he sold you had a gps device on it and the bullets were faulty. It doesn't matter that you were going to commit a crime with the gun. Kazaa purports to provide a legitimate product and service. If they are lying about it, they should be held responsible. Whether or not P2P is legal or illegal, or more importantly moral or immoral isn't relevant.

  9. It's simple, real by Moraelin · · Score: 4, Insightful

    Some people, simply put, don't give a rat's ass about "correct" or about damage done. They only care about making money. Period.

    If it weren't explicitly illegal, they'd even poison a town's water supply just for some money. Not an exaggeration: companies dumped toxic stuff into rivers right until the law forced them to stop. Or into the air. And even then, every time someone told them to use filters, there was endless moaning and bitching and lobbying about it.

    Spam, tele-marketing, link-spam, spyware, etc, are just a symptom of the same thing: if it makes money and it's not illegal, hell yeah. Let's pollute and destroy another resource.

    There was an interview with a link-spammer on The Register this week. Dunno, I found it surrealistic how the guy basically had _zero_ morals. Not even an "eh, it's wrong, but I need the money" kinda attitude. Nope. The general tone all over was along the lines of "who the damn has time to care about collateral damage? It makes money and it's not illegal. Period. If you have a problem with it, tough shit. Sucks to be you."

    Basically it's the same with spyware. These people don't care, that's all. As long as it makes them a buck and isn't explicitly illegal, they'll clog your computer without thinking twice. If it was possible and made them a buck, they'd even make that computer explode without thinking twice.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  10. So you've done your own audit then, yes? by Sycraft-fu · · Score: 5, Insightful

    You've gone over every line of the source code you use? All of it? The entire kernel, all the drivers, all the utilities, all the apps and so on? You've checked carefully, to ensure that there's no backdoors spread across a number of functions (you can have some things that are innocent and harmless on their own, that work together to do something bad)?

    Are you also sure about your compiler, have you checked it? Not the source I mean, but do you know that the binary is a faithful reproduction of the source? The problem with a compiler, is that you compile it with an old version of itself. What if it has a backdoor that exists only in binary form, never in the source, but propagates on compile (see http://www.acm.org/classics/sep95/)?

    There's nothing about OSS that inherently protects you. This is especially true since I'm guessing indeed you have NOT done the audit I described. Few people have the programming skills necessary to do so in a useful way and even fewer have the mountain of free time it takes. Rather, you are taking it on faith that others have audited the software you use, done a good job when doing so, and have spoken the truth and been heard if a problem was found.

    A more realistic way to check to see if the software is all above board, and one that works equally well on closed source software, is to check the install. By that I mean log everything that is added, modified, or deleted. Then, when running the software, look for anomalous behaviour, like loading modules it shouldn't, trying to establish network connections, spawning other processes, etc. If you do that correctly, it's not hard to tell if something is acting evil or comes with stuff that does. It's also something that you could realistically spend the time to do for all the programs you use.

    Even then, I doubt you'd bother unless you are super paranoid. I'm sure you generally trust that others have looked into it, and you'd have heard about it if there were problems. I personally only check the install and operation of a program that I find suspicious. Retail software, OSS, and 99% of downloads I don't bother since experience shows that there's nothing to worry about. I take on faith that there's nothing bad in there, and if there is one of my cleaner tools will catch it soon enough.

    But my point here isn't to attack OSS, if that's what you are thinking, just to point out that this warm, fuzzy feeling that many people get from the openness is a false sense of security. They think because the code is open, and able to be checked, it means that there's nothing bad in there. Well, that's probably true, but only in the same way it's probably true that if you buy retail software it's also free of malware. Neither is a guarantee of anything, and since 99.999% (or more) of people aren't actually using the openness to do their own audit, it's a false sense of security.

    Basically, when you get down to it, you can never be sure there isn't something lurking there, unknown to the general population. The only way you could feel confident is if you wrote your own assembler from machine code, your own basic OS and compiler from that, audited every line of code in the OS, compiler and apps you were going to run, and then proceeded to build them 100% from source using your own tools. Even then, you still might miss something. Remember: We find holes in software all the time, we call them bugs or exploits, meaning they weren't intended by the developers. This happens even to OSS, even to major pieces of OSS that have been looked at thousands of times over. Sometimes, you just miss things.

    And none of these exploits were trying to be sneaky or hide on purpose.

    I'm not trying to say grab the AFDB and trust no one, that's pretty stupid clearly. I'm just pointing out that you should put the same amount of stock in OSS you haven't audited as in CSS you can't. Consider the source, and if it's suspicious, do a checked install, and have programs set up to watch how it runs. With 30 minutes of work you can generally tell if it's safe or not.
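
The "checked install" described in the comment above (log everything that is added, modified, or deleted), sketched as an added example that is not part of the original thread. It covers only the filesystem half, not the runtime monitoring; the directory contents and the simulated install in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = "<unreadable>"  # locked or vanished file: still record it
            state[rel] = digest
    return state

def diff_snapshots(before, after):
    """Return sorted paths added, modified and deleted between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after
                           if p in before and after[p] != before[p]),
        "deleted": sorted(p for p in before if p not in after),
    }

def demo():
    """Constructed stand-in for an installer run, inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("app/old.dll", b"v1")
        write("app/readme.txt", b"hello")
        before = snapshot(root)
        # The "install" (constructed): adds the program plus a bundled extra,
        # edits the hosts file, and removes an existing library.
        write("app/player.exe", b"main program")
        write("bundled/toolbar.dll", b"extra nobody asked for")
        write("etc/hosts", b"127.0.0.1 localhost\n10.0.0.1 search.example\n")
        os.remove(os.path.join(root, "app/old.dll"))
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real machine, take the first snapshot of the directories an installer can write to, run the installer, then diff; anything listed outside the program's own directory is what deserves a closer look.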

    1. Re:So you've done your own audit then, yes? by peg0cjs · · Score: 5, Insightful
      There's nothing about OSS that inherently protects you. This is especially true since I'm guessing indeed you have NOT done the audit I described. Few people have the programming skills necessary to do so in a useful way and even fewer have the mountain of free time it takes.

      I love this argument. Of course the vast majority of people haven't pored over the source to find every detail. Similarly, few have opened their car engine's manual and pored over the specs to see if the Ford engineers got it right. But guess what, I can go to my mechanic and ask him: "What does this alternator thingy do?" and he can tell me. Not only that, but he can tell me how it does that. Not so with closed source.

      I sincerely doubt many people have even looked at the gcc source (I'm guessing under 1%). But you _CAN_ look at it. That says a lot, both about the people who wrote it and about the people who package it. Writing code that you know people will see is a lot different than writing code that will forever reside in some closet somewhere in the bowels of Redmond...uhh...Sydney.

      Do open-source bugs exist? Sure. Do open-source deliberate exploits exist? Unlikely. For one thing the exploit would have to be as you described, split over multiple calls & deliberately obfuscated to avoid casual detection. This level of complexity reduces the probability that such a thing exists and has avoided detection. It's not impossible, just unlikely. And that's good enough for me, cuz it's more than those closed source derivatives can say.

      --
      Karma: Excellent (Mainly due to Bill & Ted's Karma Adventure)
  11. Re:Sure there ain't no spyware... by B'Trey · · Score: 5, Insightful

    I'm assuming you're trolling but for those who may not recognize the fallacy in your comparison, I'll point it out.

    Kazaa says "Trust me. My software is clean. Please install it on your computer." I say "Ha! Prove that your software is clean and then maybe I'll think about installing it to my machine. If you're clean, you shouldn't have anything to hide by showing me your source code." Kazaa says, "No, I don't want to show you my source code." I say "Cool. You keep your source code secret and I'll keep it off my machine."

    Ashcroft says "We think you might be a terrorist. We want to come in and search through your hard drive for incriminating files." I say "I'm not a terrorist. I don't have to prove anything to you. You may not search my hard drive unless you have evidence and get a warrant." Ashcroft says "If you're not a terrorist, you have nothing to hide. The Unpatriotic Act III says I don't need a warrant. So when my secret agent takes his knee out of your back and lets you get up, please stay out of our way. You might be able to get your hard drive back in a year or two when we're done with it. Have a nice day!"

    Do you see just a tad bit of difference in those two scenarios?

    --

    "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  12. Exaggerating "aware" of the "huge legal risk" by rkischuk · · Score: 4, Insightful
    One extraordinary philosophical manifesto by the company's chief technical officer showed that he was aware that Kazaa's activities were a huge legal risk.
    Why should this be damning evidence? Any sane executive should be aware of any and all legal risks associated with their activities.

    Is your company using Linux? You could be at legal risk to a SCO lawsuit. Collect personal data on your customers? You could be at legal risk if that data gets hacked. Run a bungee jumping business? Legal risk. It doesn't say "he was aware they were performing illegal activities", it says he was aware of a risk. That is simply awareness that a) there was a real chance a lawsuit would be filed against them, and b) there was a non-trivial chance that, if sued, they would lose. Risk awareness does not imply guilt.

    --
    Seen any BadMarketing lately?