June 23, 2003
By HIAWATHA BRAY, Globe Staff
Senator Orrin Hatch, Republican of Utah, made a rather spectacular fool of himself last week during a hearing on electronic data piracy. Too bad for Hatch, but good clean fun for any technology writer who enjoys asking the question: Can they do that?
Do what? Why, destroy millions of computers by remote control, like the villainous Blofeld killing incompetent underlings in an old James Bond movie. Hatch is interested in the deployment of just such a technology, to punish people who swap illegal music, video, and software over the Internet.
''If we can find some way to do this without destroying their machines, we'd be interested in hearing about that,'' Hatch said during last week's hearing of the Senate Judiciary Committee, which he chairs. But then he added: ''If that's the only way, then I'm all for destroying their machines.''
Hatch went on to say that if a few hundred thousand people saw their computers ruined, maybe the millions of other file-swappers would get the idea and stop downloading digital entertainment without paying for it.
Some have laughed at the gargantuan absurdity of the idea, while others have trembled to think of such an arrogant intrusion into our lives. Still others note that, under existing law, such a tactic would be flagrantly illegal. But the humble technologist returns to the simple question: Can they do that?
Chris Wysopal, research scientist at the Cambridge computer security firm At Stake Inc., replied with a definite maybe. The challenge, said Wysopal, is the same one every computer vandal faces. It's the art of ''getting root'' - gaining administrative control over every aspect of the computer.
''If you can run code on the machine with administrative access, or root access,'' said Wysopal, ''you can pretty much do anything.''
For instance, an intrusion program that managed to get root could merely delete all the MP3 music files from the computer. Or it could wipe the operating system, rendering the machine unbootable until the software is laboriously reinstalled.
But there are worse fates.
''The more interesting things are things where you can actually render the machine inoperable,'' said Wysopal. That is, permanently inoperable - so utterly wasted that you'll need major repairs to get going again.
Wysopal's favorite target for such malice is the computer's Basic Input-Output System, or BIOS. These are the simple instructions that let a machine boot up and load its operating system. The BIOS is stored on a chip attached to the motherboard.
Nowadays, most such chips are designed to be reprogrammable. Slip a malicious program on board a machine, and it could simply overwrite the chip. Try to reboot, and absolutely nothing happens. The only fix is a new BIOS chip - or, more likely, a whole new motherboard.
OK, so how would you get such a nasty piece of software onto the file-swappers' machines? Wysopal figures you could hide it in some Trojan Horse files, purporting to be hot new porn videos or something. But even then, the system would only work if it could exploit some security bug in the video player to seize control of the computer. Such flaws have been discovered in the past, and there may be more.
But here's where the idea comes apart. First, even if you could inject such a nasty bit of code into a file-swapping network, it would only work against people with buggy video players. All others would be safe.
Next, remember that file pirates watch each other's backs. As soon as any sizable number of them are infected, they'd put the word out to all others - don't download the defective file, and get an updated version of your video software so future attacks won't work. After a day or two, the news has spread worldwide, nobody downloads the attack program any more, and video piracy continues unabated.
In short, you could manage to shut down a relative handful of machines this way, but not enough to matter. For real disruption, you'd need to embed your self-destruct system right in the computer's hardware.
Remember last year's proposal by Senator Fritz Hollings, Democrat of South Carolina? He wanted to force computer makers to build in devices that would simply prevent privacy. It seems Hatch wants to go further - perhaps a dollop of plastic explosive glued to the motherboard?
Wysopal says that such a computer, connected to the Internet, could indeed be remotely wrecked.
''The thing is, you'd have to make a law that would force people to buy that machine,'' he said. ''No one in his right mind would buy a computer that someone could disable remotely over the Internet.''
And no legislator in his right mind would try to compel the sale of booby-trapped PCs. Never mind that the voters would want his guts for garters. The plan would also make our computers radically less secure. Every tech-savvy maniac from Cambridge to Karachi will seek ways to hack the self-destruct system - and they might well succeed.
Would a nuclear power plant buy machines that might be blown up some day by a team of Al Qaeda hackers? Would the Defense Department buy them? How about you, Senator Hatch?
So in answer to our question - yes, you can do that. Next question: Why?
Hiawatha Bray can be reached at bray@globe.com.
This story ran on page C2 of the Boston Globe on 6/23/2003.
© Copyright 2003 Globe Newspaper Company.