杏吧原创

Take a byte

Watch out! Cyberparasites could be sucking the processing power from your PC. Bennett Daviss reports

NEXT TIME you surf the Net, take a close look at the Web pages you open. Appearances can be deceptive. That seemingly innocuous website could be hijacking your computer鈥檚 power to carry out tasks or make money for someone 鈥 without your knowledge or consent.

It鈥檚 all thanks to the latest in a long line of cyberspace invaders. First came the hackers, digital burglars who break into computers to steal data or wreak havoc. Then came viruses and worms, tiny chunks of code that can turn your computer to junk. Now there鈥檚 parasites.

Rather than pilfering your data or trashing your PC, a parasite sets out to subvert the connectivity that the Internet provides, turning the Web鈥檚 billions of computers into one giant calculating machine that it can do with as it pleases.

The idea of harnessing computers across the Net to create one huge number-cruncher has already proved its worth in more legitimate circumstances. For example, when anthrax spores appeared in US mail last year, biologists enlisted a global army of volunteers armed with computers to help find an antidote. They agreed to help sort through 3.5 billion candidates by downloading software that would take control of their computers whenever the processor chips were idle, and set them to work. In only 24 days, this 鈥渄istributed鈥 computer logged 5436 years of computer time, spotting 12,000 likely candidates and another 375,000 hopefuls.

What makes distributed computing so attractive is that it allows anyone to assemble awesome amounts of computing power quickly and cheaply. It is estimated that the anthrax project, for example, cut the search time for a vaccine by up to eight years, yet cost little more than the price of the software.

Such potential hasn鈥檛 gone unnoticed. Distributed computing projects are blossoming across the Web: more than 100 are under way right now. And since the downloaded software runs in the background, often as a screen saver, the volunteers hardly notice it. You could be screening cancer drugs, simulating events inside particle accelerators or sorting through radio signals to look for life beyond Earth 鈥 at the same time as checking your email or writing reports.

The business community has also caught on to the power of distributed computing. According to United Devices, a Texas-based company that makes software which enables a computer network to work as one machine, demand is rising exponentially among oil companies, banks and pharmaceuticals firms keen to analyse complex data, run financial risk analyses or find new drugs.

But while projects to help cure cancer, for example, are deluged with volunteers, it鈥檚 far harder to capture the imagination of the computing community when a project is purely for commercial gain. Here the only way to get volunteers on board seems to be to offer hard cash, or to piggyback distributed computing software on the back of existing products (see 鈥淣ot such a brilliant idea鈥).

Now there could be another way. What if someone with a large problem to crack could enlist vast numbers of computers in distributed networks without having to pay anyone, persuade them to care about the project鈥檚 results, or even let them know they are taking part?

People have been speculating for years that this might be possible, but no one could find a way to prove it. Then last year, two researchers at the University of Notre Dame, Indiana, had an idea. Together, physicist Albert-L谩szl贸 Barab谩si and computer scientist Vincent Freeh realised that the key lay with a component of the Internet鈥檚 own communication system, the Transport Control Protocol.

TCP is an internationally agreed method by which computers pass data back and forth across the Net. To do this, TCP contains instructions and software routines that let computers recognise each other鈥檚 signals and exchange messages. Among these instructions is one called the TCP checksum, which determines whether a digital message has been corrupted in transit (see Diagram).

Take a byte

Just before a message is sent from one computer to another, TCP converts it into a sequence of 16-bit 鈥渨ords鈥. It then adds up the number of bits in the message and the total is attached at the beginning of the message as the checksum. When the recipient computer receives the message, it adds up all the bits again. If its answer matches the checksum assigned by the transmitter, the receiver regards the message as valid and acknowledges receipt. But if the checksums don鈥檛 match, the receiver assumes that the message has been damaged en route and ignores it. Should the sender not hear from the receiver within a certain time, it knows it has to send the message again.

Freeh鈥檚 inspiration was to construct messages in which a valid checksum, and the resulting receipt, would signal a correct solution to a computational problem. He packaged a possible solution in each of several computer messages and crafted the bits in each message so that the checksum wouldn鈥檛 add up for any but the correct answer. If no receipt came back from a particular machine, he鈥檇 know that the potential solution he sent to that machine was incorrect. By matching receipts to the messages they acknowledged, Freeh knew which potential solutions to the problem were right.

Going global

After a successful test at the university, Freeh and Barab谩si recruited colleagues in Asia, Europe, and North America to take part in a larger trial. The scientists agreed to let Barab谩si鈥檚 group dupe their machines into testing solutions to the 鈥渢ravelling salesman problem鈥 (New 杏吧原创, 1 June, p 26), for which answers can be found only by testing solutions rather than running algorithms.

The experiment not only worked, it also left no hint in the participating computers that they鈥檇 been commandeered. 鈥淲e only needed to use a few computers to prove the principle,鈥 Freeh says. 鈥淚n theory, we could have done it with every computer on the Web.鈥

In a letter to Nature last year, the researchers dubbed their technique 鈥減arasitic computing鈥. 鈥淭his isn鈥檛 hacking or cracking,鈥 Barab谩si emphasises. 鈥淲e鈥檙e just using the resources that you make publicly available when you connect to the Internet.鈥

That鈥檚 not as ominous as it sounds, the researchers claim. TCP by itself isn鈥檛 sophisticated enough to carry useful computer programs. 鈥淲hat we can鈥檛 do using TCP is to induce a computer to run loops,鈥 Barab谩si explains. 鈥淭hat makes this method too inefficient to use for serious computational work.鈥 But he doesn鈥檛 discount someone else figuring out a way to do it. 鈥淲e just thought the Internet community should discuss the possibilities before an efficient [technique] emerges,鈥 he says.

According to Phil Frisbie, it already has. A programmer who runs Hawksoft.com, Frisbie began to wonder how he could harness Web pages for distributed computing. Then it hit him: he could use Java and JavaScript, the software that makes Web pages possible.

A Web page is crammed with computer code and data of all kinds, from animations to links to other pages, most of which are created using Java. It would be simple, Frisbie realised, to embed hidden instructions and data that would be loaded into a visitor鈥檚 computer whenever they opened a website鈥檚 home page. After all, it happens already: playing an audio or video clip from a website transfers programs and data to your computer.

Most pages notify you that you鈥檙e about to import some code to your machine. But what if a website didn鈥檛 bother? Merely opening a page could turn your PC into an unwitting servant.

At your command

鈥淵ou鈥檇 be unaware of it, and the code and data could be very large,鈥 Frisbie says. 鈥淚t could all be done without making any changes to the way Java is written now.鈥 Java can tell when a visitor is about to leave a website and could be made to send the results of calculations back to the server before the connection is broken. And every time you revisit the page, your computer could be slipped more data to analyse.

Freeh says he鈥檚 proved that Frisbie鈥檚 idea could work. Late last year, his group established a Web page that, when surfers visited it, harnessed their computers to calculate prime numbers. 鈥淲e鈥檝e proved that it can be made efficient,鈥 Freeh says.

This will tempt the greedy. Anyone with a website could sign up to be part of a distributed computing project for cash. With just a few lines of extra Java code added to the site, anyone visiting it would unknowingly be enslaved, lining the pockets of the site鈥檚 owner.

Frisbie even suggests that visitors鈥 computers could be made to bombard other websites with requests for non-existent pages. 鈥淢aybe your competitor is introducing a new product,鈥 he muses. 鈥淵ou could arrange for every computer visiting your website to bombard the competitor鈥檚 site with requests for non-existent Web pages.鈥 Users wouldn鈥檛 notice anything unusual in their computers鈥 behaviour, but the competitor鈥檚 website would be crippled. 鈥淚t鈥檚 easier than hacking,鈥 Frisbee says. 鈥淎nyone could add a few lines of code, then very quickly erase it whenever they want. It could be very difficult to trace.鈥

When Frisbie revealed his idea on the message board on Slashdot last February, readers asserted that you would be bound to notice that your Web browser was suddenly using 100 per cent of your computer鈥檚 available processing power. Frisbie argues, however, that JavaScript has a function that allows it to stagger the workload and 鈥渢hrottle back鈥 on processor use. He has even heard from a British website designer who created a site that included hidden Java code which loaded a secret file and tricked visiting computers into using their spare processor power to calculate successive digits of 蟺. 鈥淭he designer said that no one ever complained that their computers were running slow or told him that they had found out what he was doing,鈥 Frisbee says.

With the doorway that Java provides now open, some might be tempted to cross the threshold. If they do they will face few technical barriers, and it remains to be seen if they face any serious legal hurdles either.

Lee Tien, a senior attorney at online freedom pressure group the Electronic Frontier Foundation, says that while many US states adopted computer trespass statutes, they鈥檝e now fallen out of favour. And many have been drafted so vaguely that they criminalise routine Internet transactions. For example, an Internet retailer who places a cookie (a packet of data which tracks a user鈥檚 access to the retailer鈥檚 server) on a computer could end up in prison.

It鈥檚 a similar situation in Britain, says David Wall, director of the Cyberlaw Research Unit at the University of Leeds. The Computer Misuse Act 1990, directed against hacking, doesn鈥檛 apply when no 鈥渦nauthorised modification鈥 of files or machines takes place. Just the act of connecting to a network implies you consent to exchanging data, says Wall. Perhaps, he suggests, computer parasites could be charged with 鈥渁bstraction of electricity鈥 鈥 if only you could prove it.

Even if you could, you鈥檙e unlikely to make much money from it. In 2000, the state of Georgia charged David McOwen, a network administrator at DeKalb Technical College, with violating its law against 鈥渃omputer trespass鈥. In 1998, McOwen installed software on the college鈥檚 network that used it to try to crack a complex code as part of a legitimate distributed computing project. When the college found out, it sacked McOwen and demanded he pay for the computer time he had used, at a rate of 59 cents per minute a 鈥 total liability, the college claimed, of $415,951.49. Yet 18 months later, the state dropped its demand to just $2,100. In effect, this put the value of each minute of sneaked computer time at three-thousandths of a cent.

This seems to reflect the going rate for the unused processor time of an average PC 鈥 just under $5 a year, according to some, scarcely enough to pay for the electricity it takes to run the machine. Most lawyers agree that the value of an individual鈥檚 loss isn鈥檛 likely to be enough to induce a prosecution. So publicity is likely to remain the strongest weapon individual Internet users have against parasites.

Most computer users are extremely sensitive to this kind of threat. Reports of Barab谩s鈥檚 test, for example, caused an uproar. 鈥淎fter news reports of our demonstration, we got a lot of angry emails telling us, Don鈥檛 touch my computer鈥,鈥 Barab谩si says.

The exposure of Brilliant Digital Entertainment鈥檚 plans brought a similar response. 鈥淭he prospect of incurring the kind of publicity that Brilliant has had is a powerful deterrent in itself,鈥 says Eugene Schultz, a computer scientist at SANS, a US organisation promoting computer security training. And observers agree that the growing public discussion of parasitic computing is likely to bring a new vigilance in the Internet community. But that may send crafty entrepreneurs and Internet bandits to take a second look through the doorway that Barab谩si鈥檚 group has opened.

鈥淯sing the TCP checksum was brilliant, a conceptual breakthrough,鈥 says Schultz. And ultimately, he believes, it poses a much greater danger than Java because modified TCP would be completely untraceable. 鈥淛ust because it鈥檚 too inefficient to be useful now doesn鈥檛 mean that it couldn鈥檛 become a threat later.鈥 The same thought troubles Barab谩si. 鈥淭his is something we need to begin thinking about right now,鈥 he says.

Some may argue we need to do more than think about the issue, that steps need to be taken now to guard against parasites. But with technical capability riding roughshod over weak legislation, the issue 鈥 as with so many others surrounding the Internet 鈥 may only be resolved when users themselves take a stand.

Not such a brilliant idea

A number of companies have set out to buy spare processor power and sell it on to clients. So far, though, this hasn鈥檛 been much of a commercial success 鈥 one pioneer, Popular Power, has folded and others are struggling. Other businesses hoping to make a buck from distributed computing have decided to try something different.

Earlier this year, Altnet, a joint venture between California-based Brilliant Digital Entertainment and Joltid, began giving away a new version of Kazaa, a program that lets computers swap files across the Internet. Before installing the program, users had to accept its terms of service by clicking a button at the bottom of the small print. But buried in the 2,600-word document lurked a clause granting Brilliant the right to tap unused computing power and storage space on user鈥檚 computers 鈥 with no right to compensation. Altnet鈥檚 backers hoped to turn Kazaa users into a distributed network that could be rented out. In theory, careless computer owners could find their computers enslaved.

It was a controversial plan. Millions agreed to the terms and downloaded Kazaa but it鈥檚 likely that most didn鈥檛 bother to read the contract. When details were made public in March, the Internet community howled in protest. Brilliant pledged to be more open, promising that users would be able to decide how much of their computing power to contribute.

Yet Brilliant wasn鈥檛 the first to try this ruse. In 2001, US Internet service provider Juno set up a similar scheme, offering free Internet access in exchange for subscribers鈥 unused processor power, which it hoped to sell to the biotech industry. Again the details were buried in the small print. Finally this May, after numerous protests, the New York State Attorney-General鈥檚 office ordered Juno to make its terms of service more transparent.

Even worse could be to come. IBM, Toshiba and Sony are working on new software and processors that will go into Sony鈥檚 next PlayStation, for example. Link such machines across the Internet and games players will have a virtual supercomputer, giving them access to the latest generation of graphics-hungry games. The idea seems to be taking the games industry by storm, but with it could come a whole new market for those keen to exploit other people鈥檚 computing power.

  • 鈥淧arasitic computing鈥 by Albert-L谩szl贸 Barab谩si and others, Nature (vol 412, p 894)

More from New 杏吧原创

Explore the latest news, articles and features