http://www.siliconvalley.com/docs/news/svfront/049987.htm [The Notre Dame scientists might be suprised to know how many parties are using Back Orifice 2000 to make significant gains on their Seti@Home & Distributed.net scores :) - WK] Wednesday, Aug. 29, 2001 SAN JOSE, Calif. (AP) -- Uncovering a new but relatively benign Internet vulnerability, researchers tricked Web servers around the world into solving math problems without permission. Unlike hackers who exploit flaws to gain direct access to machines, the University of Notre Dame computer scientists created a simple virtual computer by relying on the protocols used in everyday Internet communications. Each problem was broken down into smaller components that were evaluated by the unknowing servers located in North America, Europe and Asia. The results from each were used to build a solution. The process works a lot like distributed computing, which draws massive processing power from multiple Internet-connected computers for such tasks as searching for alien life and cracking encryption keys. In parasitic computing, however, the work is performed without the server owner's knowledge or permission. Because parasitic computing traffic masquerades as regular network requests -- and is no more challenging to process -- it is unlikely that any laws were broken. Still, the approach raises some ethical questions, said Vincent Freeh, a Notre Dame computer science professor and study co-author. ``When you're on the road, do you use a McDonald's restroom without buying a hamburger?'' he said. ``That's the ethics of what we're dealing with.'' The research, reported in Thursday's journal Nature, is primarily an academic exercise. For one, sending out data over the Internet requires more work than the simple problems solved by the virtual computer. ``In no case did we say it could be efficiently exploited,'' Freeh said. By more cleverly breaking down complex problems and running remote computations in parallel, it might be possible to improve the efficiency. The Notre Dame team, however, set up their system only as a proof of concept. The attack sends less data to a server than a typical request for a Web page. The researchers did not disclose targeted servers, except to say they were distributed around the world. Nobody noticed their masqueraded data packets, which were insignificant compared to regular Internet traffic. More widespread attempts at the exploit could have the same effect as a denial of service attack -- in which the server is so busy processing bogus data that it cannot perform its intended job. Still, anyone attempting to overload a machine is better off with the usual tactic of useless data, said Scott Blake, director of security strategy at BindView Corp., a network security firm. ``If you're going to flood the machine, you're better off flooding it with dumb data,'' he said. ``Being able to do (computations) depends on getting valid data from the system you're targeting. If you're overloading it, you're not going to get any data.'' Because the attack involves ubiquitous networking components required for the Internet to operate, it would be difficult to stop similar attempts to harness computing power, security experts said. In particular, the exploit uses a calculation called the checksum -- used to confirm that information is not corrupted during transmission -- in what is known as the Transmission Control Protocol. Even though TCP is used in all Internet communication, it is unlikely that the technique will be exploited because the system is simply too inefficient, Blake said. ``We don't think anyone should think their computer is going to be used for nefarious purposes,'' he said. ``This is entirely theoretical. I'm not convinced there is going to be a practical application of it.'' - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 30 2001 - 03:21:50 PDT