Will You Install a Bot for Money?

SETI@home (http://setiathome.berkeley.edu/) and Folding@home (http://folding.stanford.edu/) are interesting, if not cool uses of technology, but they do bear a striking resemblance to a nefarious threat called a botnet. Now with Sony contemplating a commercial "PS3 Grid"  (http://blogs.pcworld.com/digitalworld/archives/2007/04/sony_looking_to.html) one wonders where the lines will blur.

There are similarities between a botnets, SETI, Folding@home. The term botnet is used to describe a collection of PCs that are remotely controlled without the knowledge and/or consent of the owner. Purpose, awareness, and consent are the primary differentiators between botnets and SETI or Folding@home. Botnets and the proposed PS3 grids would bot involve the use of remotely controlled distributed networks of home computing equipment to make money. The fact that the user is able to make a choice to participate is a significant differentiator but this does not eliminate risk. In the botnet world it is not uncommon to find botnets stolen from bad guys by bad guys.

In a commercial context, control of a network of computers is a concern. If a hacker can break into the network, then the functionality of the client software and the operating system will determine the amount of control a remote hacker would have over the end user PS3's. If Sony is successful then the marketing scheme will obviously jump to Windows, Linux, and Macs.

Ignoring the security risks of relinquishing your computer to a third party, future “Grids” will almost certainly include the following components.

• Corporations will be allowed to install and execute software on the users computing device.
• Corporations will be allowed to update said software without user intervention.
• Corporations will be allowed to collect information from user systems.
• Nefarious and cryptic end user license agreements (EULAs) will allow corporations to sell data collected from user’s computers.
• Many, if not most, users will be unaware of the extent of the information collected and sold.
• EULAs aimed at maximum legal corporate protection and minimum understandability will accompany such enterprises.

The threat of the abuse of trust is not without precedence: https://www.cnet.com/news/microsoft-draws-fire-for-stealth-test-program/  

Microsoft went to great length to convince consumers to enable "Automatic Update" to keep their computers up-to-date with critical security patches. Microsoft then installed Windows Genuine Advantage (WGA) via automatic update. An early version of WGA that was installed was arguably spyware and in no way was it a security update. For users with legally licensed software there was, and is, no security benefit to WGA. WGA is an ongoing source of problems for legitimate users. Data was collected by Microsoft. This was arguably an example of horrendous stupidity rather than nefarious intent but it is not hard to imagine other companies pulling a viler bait and switch.

"Grid" may well be tomorrow's euphemism for commercial botnet. Users should beware. Somehow it is difficult to think of Sony without immediately thinking “rootkit” and Sony's flippant attitude of "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

There is plenty of reason to care about how much access a corporate entity has to your private property. Should the GridNet become popular I believe we will see eventual government involvement to regulate abuses. Early adopters may well become early litigants.

Randy Abrams
Director of Technical Education