Tuesday, December 05, 2006

MySpace debacle: virtual weapon or virtual parasite?

This is why evolved (vs. designed, i.e. bioweapons) organisms don't kill their hosts immediately:
MySpace worm uses QuickTime for exploit:

... The social networking site MySpace.com is under what one computer security analyst called an 'amazingly virulent' attack caused by a worm that steals log-in credentials and spreads spam that promotes adware sites.

The worm is infecting MySpace profiles with such efficiency that an informal scan of 150 found that close to a third were infected, said Christopher Boyd, security research manager at FaceTime Communications Inc.

MySpace, owned by News Corp., is estimated to have at least 73 million registered users.

The worm works by using a cross-scripting weakness found about two weeks ago in MySpace and a feature within Apple Computer Inc.'s QuickTime multimedia player....

....MySpace's "seemingly random tendency" to expire user sessions or log out users makes it less noticeable to victims that an attack is under way, according to a Nov. 16 advisory by the Computer Academic Underground....

...spam messages contain a file that appears to be a movie but instead is a link to a pornographic site that also hosts adware from Zango Inc., Boyd said. Zango, formerly 180 Solutions Inc., settled last month with the U.S. Federal Trade Commission for $3 million over complaints that it didn't properly ask the consent of users before its adware was installed...
So, is this a (virtual) bioweapon aimed at Zango, with MySpace as an incidental casualty, a weapon aimed at MySpace with Zango as a red herring, or a very, very badly designed Zango-funded phishing scam?

If the latter, it's a great way to teach biology. Evolved parasites don't kill their hosts outright -- what's the point?

BTW, this is also technically interesting. The bug appears to be in MySpace, but there's a more subtle problem as well. QuickTime has a lot of embedded scripting power -- which can be used for good or ill. Flash does the same sort of thing. There's a tricky problem here with functional boundaries; features required for market success may become a part of emergent exploits. There must be biological equivalents; we should learn from how evolution manages compartmentalization. In the meantime, the advantages of adding functionality to software should be increasingly balanced against the likelihood of creating new exploits. One of the 2-3 buzzwords for the next 20 years will be 'complexity management'.
