NEXT TIME you surf the Net, take a close look at the Web pages you open. Appearances can be deceptive. That seemingly innocuous website could be hijacking your computer’s power to carry out tasks or make money for someone – without your knowledge or consent.
It’s all thanks to the latest in a long line of cyberspace invaders. First came the hackers, digital burglars who break into computers to steal data or wreak havoc. Then came viruses and worms, tiny chunks of code that can turn your computer to junk. Now there’s parasites.
Rather than pilfering your data or trashing your PC, a parasite sets out to subvert the connectivity that the Internet provides, turning the Web’s billions of computers into one giant calculating machine that it can do with as it pleases.
Advertisement
The idea of harnessing computers across the Net to create one huge number-cruncher has already proved its worth in more legitimate circumstances. For example, when anthrax spores appeared in US mail last year, biologists enlisted a global army of volunteers armed with computers to help find an antidote. They agreed to help sort through 3.5 billion candidates by downloading software that would take control of their computers whenever the processor chips were idle, and set them to work. In only 24 days, this “distributed” computer logged 5436 years of computer time, spotting 12,000 likely candidates and another 375,000 hopefuls.
What makes distributed computing so attractive is that it allows anyone to assemble awesome amounts of computing power quickly and cheaply. It is estimated that the anthrax project, for example, cut the search time for a vaccine by up to eight years, yet cost little more than the price of the software.
Such potential hasn’t gone unnoticed. Distributed computing projects are blossoming across the Web: more than 100 are under way right now. And since the downloaded software runs in the background, often as a screen saver, the volunteers hardly notice it. You could be screening cancer drugs, simulating events inside particle accelerators or sorting through radio signals to look for life beyond Earth – at the same time as checking your email or writing reports.
The business community has also caught on to the power of distributed computing. According to United Devices, a Texas-based company that makes software which enables a computer network to work as one machine, demand is rising exponentially among oil companies, banks and pharmaceuticals firms keen to analyse complex data, run financial risk analyses or find new drugs.
But while projects to help cure cancer, for example, are deluged with volunteers, it’s far harder to capture the imagination of the computing community when a project is purely for commercial gain. Here the only way to get volunteers on board seems to be to offer hard cash, or to piggyback distributed computing software on the back of existing products (see “Not such a brilliant idea”).
Now there could be another way. What if someone with a large problem to crack could enlist vast numbers of computers in distributed networks without having to pay anyone, persuade them to care about the project’s results, or even let them know they are taking part?
People have been speculating for years that this might be possible, but no one could find a way to prove it. Then last year, two researchers at the University of Notre Dame, Indiana, had an idea. Together, physicist Albert-László Barabási and computer scientist Vincent Freeh realised that the key lay with a component of the Internet’s own communication system, the Transport Control Protocol.
TCP is an internationally agreed method by which computers pass data back and forth across the Net. To do this, TCP contains instructions and software routines that let computers recognise each other’s signals and exchange messages. Among these instructions is one called the TCP checksum, which determines whether a digital message has been corrupted in transit (see Diagram).
Just before a message is sent from one computer to another, TCP converts it into a sequence of 16-bit “words”. It then adds up the number of bits in the message and the total is attached at the beginning of the message as the checksum. When the recipient computer receives the message, it adds up all the bits again. If its answer matches the checksum assigned by the transmitter, the receiver regards the message as valid and acknowledges receipt. But if the checksums don’t match, the receiver assumes that the message has been damaged en route and ignores it. Should the sender not hear from the receiver within a certain time, it knows it has to send the message again.
Freeh’s inspiration was to construct messages in which a valid checksum, and the resulting receipt, would signal a correct solution to a computational problem. He packaged a possible solution in each of several computer messages and crafted the bits in each message so that the checksum wouldn’t add up for any but the correct answer. If no receipt came back from a particular machine, he’d know that the potential solution he sent to that machine was incorrect. By matching receipts to the messages they acknowledged, Freeh knew which potential solutions to the problem were right.
Going global
After a successful test at the university, Freeh and Barabási recruited colleagues in Asia, Europe, and North America to take part in a larger trial. The scientists agreed to let Barabási’s group dupe their machines into testing solutions to the “travelling salesman problem” (żěè¶ĚĘÓƵ, 1 June, p 26), for which answers can be found only by testing solutions rather than running algorithms.
The experiment not only worked, it also left no hint in the participating computers that they’d been commandeered. “We only needed to use a few computers to prove the principle,” Freeh says. “In theory, we could have done it with every computer on the Web.”
In a letter to Nature last year, the researchers dubbed their technique “parasitic computing”. “This isn’t hacking or cracking,” Barabási emphasises. “We’re just using the resources that you make publicly available when you connect to the Internet.”
That’s not as ominous as it sounds, the researchers claim. TCP by itself isn’t sophisticated enough to carry useful computer programs. “What we can’t do using TCP is to induce a computer to run loops,” Barabási explains. “That makes this method too inefficient to use for serious computational work.” But he doesn’t discount someone else figuring out a way to do it. “We just thought the Internet community should discuss the possibilities before an efficient [technique] emerges,” he says.
According to Phil Frisbie, it already has. A programmer who runs Hawksoft.com, Frisbie began to wonder how he could harness Web pages for distributed computing. Then it hit him: he could use Java and JavaScript, the software that makes Web pages possible.
A Web page is crammed with computer code and data of all kinds, from animations to links to other pages, most of which are created using Java. It would be simple, Frisbie realised, to embed hidden instructions and data that would be loaded into a visitor’s computer whenever they opened a website’s home page. After all, it happens already: playing an audio or video clip from a website transfers programs and data to your computer.
Most pages notify you that you’re about to import some code to your machine. But what if a website didn’t bother? Merely opening a page could turn your PC into an unwitting servant.
At your command
“You’d be unaware of it, and the code and data could be very large,” Frisbie says. “It could all be done without making any changes to the way Java is written now.” Java can tell when a visitor is about to leave a website and could be made to send the results of calculations back to the server before the connection is broken. And every time you revisit the page, your computer could be slipped more data to analyse.
Freeh says he’s proved that Frisbie’s idea could work. Late last year, his group established a Web page that, when surfers visited it, harnessed their computers to calculate prime numbers. “We’ve proved that it can be made efficient,” Freeh says.
This will tempt the greedy. Anyone with a website could sign up to be part of a distributed computing project for cash. With just a few lines of extra Java code added to the site, anyone visiting it would unknowingly be enslaved, lining the pockets of the site’s owner.
Frisbie even suggests that visitors’ computers could be made to bombard other websites with requests for non-existent pages. “Maybe your competitor is introducing a new product,” he muses. “You could arrange for every computer visiting your website to bombard the competitor’s site with requests for non-existent Web pages.” Users wouldn’t notice anything unusual in their computers’ behaviour, but the competitor’s website would be crippled. “It’s easier than hacking,” Frisbee says. “Anyone could add a few lines of code, then very quickly erase it whenever they want. It could be very difficult to trace.”
When Frisbie revealed his idea on the message board on Slashdot last February, readers asserted that you would be bound to notice that your Web browser was suddenly using 100 per cent of your computer’s available processing power. Frisbie argues, however, that JavaScript has a function that allows it to stagger the workload and “throttle back” on processor use. He has even heard from a British website designer who created a site that included hidden Java code which loaded a secret file and tricked visiting computers into using their spare processor power to calculate successive digits of π. “The designer said that no one ever complained that their computers were running slow or told him that they had found out what he was doing,” Frisbee says.
With the doorway that Java provides now open, some might be tempted to cross the threshold. If they do they will face few technical barriers, and it remains to be seen if they face any serious legal hurdles either.
Lee Tien, a senior attorney at online freedom pressure group the Electronic Frontier Foundation, says that while many US states adopted computer trespass statutes, they’ve now fallen out of favour. And many have been drafted so vaguely that they criminalise routine Internet transactions. For example, an Internet retailer who places a cookie (a packet of data which tracks a user’s access to the retailer’s server) on a computer could end up in prison.
It’s a similar situation in Britain, says David Wall, director of the Cyberlaw Research Unit at the University of Leeds. The Computer Misuse Act 1990, directed against hacking, doesn’t apply when no “unauthorised modification” of files or machines takes place. Just the act of connecting to a network implies you consent to exchanging data, says Wall. Perhaps, he suggests, computer parasites could be charged with “abstraction of electricity” – if only you could prove it.
Even if you could, you’re unlikely to make much money from it. In 2000, the state of Georgia charged David McOwen, a network administrator at DeKalb Technical College, with violating its law against “computer trespass”. In 1998, McOwen installed software on the college’s network that used it to try to crack a complex code as part of a legitimate distributed computing project. When the college found out, it sacked McOwen and demanded he pay for the computer time he had used, at a rate of 59 cents per minute a – total liability, the college claimed, of $415,951.49. Yet 18 months later, the state dropped its demand to just $2,100. In effect, this put the value of each minute of sneaked computer time at three-thousandths of a cent.
This seems to reflect the going rate for the unused processor time of an average PC – just under $5 a year, according to some, scarcely enough to pay for the electricity it takes to run the machine. Most lawyers agree that the value of an individual’s loss isn’t likely to be enough to induce a prosecution. So publicity is likely to remain the strongest weapon individual Internet users have against parasites.
Most computer users are extremely sensitive to this kind of threat. Reports of Barabás’s test, for example, caused an uproar. “After news reports of our demonstration, we got a lot of angry emails telling us, Don’t touch my computer’,” Barabási says.
The exposure of Brilliant Digital Entertainment’s plans brought a similar response. “The prospect of incurring the kind of publicity that Brilliant has had is a powerful deterrent in itself,” says Eugene Schultz, a computer scientist at SANS, a US organisation promoting computer security training. And observers agree that the growing public discussion of parasitic computing is likely to bring a new vigilance in the Internet community. But that may send crafty entrepreneurs and Internet bandits to take a second look through the doorway that Barabási’s group has opened.
“Using the TCP checksum was brilliant, a conceptual breakthrough,” says Schultz. And ultimately, he believes, it poses a much greater danger than Java because modified TCP would be completely untraceable. “Just because it’s too inefficient to be useful now doesn’t mean that it couldn’t become a threat later.” The same thought troubles Barabási. “This is something we need to begin thinking about right now,” he says.
Some may argue we need to do more than think about the issue, that steps need to be taken now to guard against parasites. But with technical capability riding roughshod over weak legislation, the issue – as with so many others surrounding the Internet – may only be resolved when users themselves take a stand.
Not such a brilliant idea
A number of companies have set out to buy spare processor power and sell it on to clients. So far, though, this hasn’t been much of a commercial success – one pioneer, Popular Power, has folded and others are struggling. Other businesses hoping to make a buck from distributed computing have decided to try something different.
Earlier this year, Altnet, a joint venture between California-based Brilliant Digital Entertainment and Joltid, began giving away a new version of Kazaa, a program that lets computers swap files across the Internet. Before installing the program, users had to accept its terms of service by clicking a button at the bottom of the small print. But buried in the 2,600-word document lurked a clause granting Brilliant the right to tap unused computing power and storage space on user’s computers – with no right to compensation. Altnet’s backers hoped to turn Kazaa users into a distributed network that could be rented out. In theory, careless computer owners could find their computers enslaved.
It was a controversial plan. Millions agreed to the terms and downloaded Kazaa but it’s likely that most didn’t bother to read the contract. When details were made public in March, the Internet community howled in protest. Brilliant pledged to be more open, promising that users would be able to decide how much of their computing power to contribute.
Yet Brilliant wasn’t the first to try this ruse. In 2001, US Internet service provider Juno set up a similar scheme, offering free Internet access in exchange for subscribers’ unused processor power, which it hoped to sell to the biotech industry. Again the details were buried in the small print. Finally this May, after numerous protests, the New York State Attorney-General’s office ordered Juno to make its terms of service more transparent.
Even worse could be to come. IBM, Toshiba and Sony are working on new software and processors that will go into Sony’s next PlayStation, for example. Link such machines across the Internet and games players will have a virtual supercomputer, giving them access to the latest generation of graphics-hungry games. The idea seems to be taking the games industry by storm, but with it could come a whole new market for those keen to exploit other people’s computing power.
- “Parasitic computing” by Albert-László Barabási and others, Nature (vol 412, p 894)