I think the Russian police wouldn't be motivated at all to extradite anyone to the USA for any Kazaa-related charge.
Kazaa was a Dutch business, based in Amsterdam. Recently it was sold to Sharman Networks in Australia.
So there's really no point in sending anyone to the USA to stand trial, since there's not a single American citizen or company involved here...
If the security analysts who contacted the BBC are referring to this problem, there isn't much to look at. Being a .com with little money, they needed a protocol to exchange files with, and they chose some form of HTTP.
If you are running Morpheus or Kazaa or whatever client of the FastTrack network, you can try this: open up your browser and type "http://localhost:1214".
You will see an index of all the files you are currently sharing. Just for fun you can also try to download files. If you know of a friend who is running Kazaa or Morpheus, find his IP and put it in place of localhost. See if he has any good pr0n.
I seriously doubt this constitutes a breach of security; it doesn't reveal any information that isn't available already.
that's it. move along.
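The check described in the post above, scripted, as an added example that is not part of the original comment or of any FastTrack client: fetch the share index a client exposes over plain HTTP on TCP 1214 and turn it into a list of paths, so you can run it against your own public IP from outside and see what the rest of the Internet sees. The post does not show the exact HTML a Kazaa or Morpheus client emits, so the parser is an assumption: it simply collects every href on the page, which works for any generic directory listing. The demo helper stands in for a client with Python's own directory-listing server over constructed files.

```python
"""Added example (not from the original post): probe a FastTrack-style
share index served over plain HTTP on port 1214 and list what it exposes.
"""
import functools
import html.parser
import http.client
import http.server
import os
import sys
import tempfile
import threading

FASTTRACK_PORT = 1214  # port named in the post


class _HrefCollector(html.parser.HTMLParser):
    """Collect href targets from anchor tags in a directory index page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def parse_index(page):
    """Return the shared paths listed on an index page, dropping navigation
    links (sort-order queries, anchors, parent/self directory links).
    Assumption: the client's listing is ordinary HTML with <a href> entries."""
    collector = _HrefCollector()
    collector.feed(page)
    return [h for h in collector.hrefs
            if not h.startswith(("?", "#", "../")) and h not in ("/", "./")]


def fetch_index(host, port=FASTTRACK_PORT, timeout=3.0):
    """GET / from host:port the way a browser would.
    Returns (reachable, paths): reachable is False if nothing answered,
    paths is empty if the server answered with anything but 200."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
    except (OSError, http.client.HTTPException):
        return False, []
    finally:
        conn.close()
    if resp.status != 200:
        return True, []
    return True, parse_index(body)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Directory-listing handler that does not log requests to stderr."""
    def log_message(self, *args):
        pass


def demo_against_local_server():
    """Stand in for a sharing client: serve a temp dir holding two
    constructed files on an ephemeral loopback port, probe it exactly as
    fetch_index would probe a peer on 1214, and return what was found.
    The file names are constructed sample data, not real share contents."""
    with tempfile.TemporaryDirectory() as share:
        for name in ("holiday.mp3", "notes.txt"):
            with open(os.path.join(share, name), "w") as fh:
                fh.write("constructed sample\n")
        handler = functools.partial(_QuietHandler, directory=share)
        srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
        thread = threading.Thread(target=srv.serve_forever, daemon=True)
        thread.start()
        try:
            reachable, paths = fetch_index("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return reachable, sorted(paths)


if __name__ == "__main__":
    # Usage: python share_probe.py <host> [port]   (hypothetical file name)
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else FASTTRACK_PORT
    up, found = fetch_index(target, port)
    if not up:
        print(f"{target}:{port} did not answer")
    else:
        print(f"{target}:{port} lists {len(found)} path(s)")
        for p in found:
            print("  " + p)
```

Run it against localhost to see your own listing, then against your public address from a machine outside your network; if the second run returns the same list, the share index is world-readable, which is the "not much to look at" the post describes but is still worth knowing before you leave a client running unattended.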
This is not going to help, by far.
The problem is rooted much deeper than you might think. People are simply not going to upgrade software for security reasons. They don't care about anything as long as the software keeps working.
People should be held accountable for bad security; this is the only way to get them to friggin' secure their internet-connected boxes and thereby dramatically reduce the chance that a worm will ever reach proportions like Code Red II again.
The first thing people tell me when I try to convince them they need to keep up with security patches is that they "don't have anything interesting for a cracker to find"(TM). But they forget that if their servers get cracked into, the first thing the cracker is going to do is crack other boxes from there. So by not securing your internet-connected boxes you are actually helping crackers (or worms) crack more and more boxes without anyone being able to trace them.
Worms like Code Red are just the beginning; I have already made a worm concept that will be far worse than Code Red II. Just add some P2P-like networking between the compromised systems and you can actually make the worm aware of itself, by making it react to large numbers of hosts being disconnected by starting to spread again. Even anonymous communication with the worm is possible through means of something like Freenet, and by communicating with the worm someone could feed it new IP ranges to scan or even upgrade the worm to use new exploits. Someone could have (close to) real-time control of hundreds of thousands of internet-connected boxes. This is just a simple example of what a well-written worm can do, and it will be practically unstoppable.
So instead of being one step behind all the time, maybe it's time for some regulation here. If your box gets cracked using an exploit that was patched, say... six months ago (whether it be done by a worm *or* a cracker), then you *should* be held accountable for the damage your system causes. It's just plain irresponsible to keep an insecure box connected to the internet, and if people won't use their common sense and thereby cause problems for other innocent people, they deserve to get in trouble.
Phew... end rant here...
--
Heisenberg could have been here...