Grad Student Project Uses Wikis To Stash Data, Miffs Admins

Anonymous writes "Two graduate students at the Ivy League's Brown University built a P2P system to use abandoned wiki sites to store data. The students were stealing bandwidth from open MediaWiki sites to send data between users as an alternative to BitTorrent. There was immediate backlash as site operators quickly complained to the University. The project appears to be shutdown, but many of the pages still remain on the web. The project homepage was also taken down and the students posted an apology this afternoon." The same submitter links to two different forum discussions on the project.

Re:Theft?

[Jurily]

The fact that some "admin" abandoned a site, with open privileges to post on it, does not constitute theft.

It's clearly abuse though, and if the site has any terms of use, this one's in there.

It may not be theft...

[erayd]

...but it's far from ethical.

Most open wikis are left that way to encourage collaberation, and usually have a TOS somewhere that prohibits spamming. And even if the TOS doesn't prohibit this, it's bloody obvious that whoever runs the target site doesn't want a pile of meaningless content that isn't relevant and they can't use.

I say good on the university for pulling this project down, and whichever ethics committee approved this project should be replaced - they clearly haven't done their job properly!

Re:Theft?

[caffeinemessiah]

My response: cry me a river, and congrats to the grad students for their innovative work in the field of distributed communications.

I'd pause before calling this innovative. It doesn't really take much to encrypt data, chop it up and stash it on MediaWiki sites -- either in theory or in practice. If you want something "innovative" in the same vein, I'd vote for the guy who wrote the device driver that lets you use GMail as a drive (spawning many copies [sizlopedia.com]). Sure it isn't "distributed", but you could set up multiple GMail accounts to handle the contents of your drive. Clogging up other people's wikis is d**k at worst (and possibly a violation of the CFAA), and really not too much of a security threat at best ("oh? my disk is full? hmm...just dump this spammy user account, or restore the last backup, and password protect the whole business.").

What these grad students have done is demonstrate that open mediawiki setups can be spammed. Whee.

This Isn't Thinking Outside The Box

[Anonymous Coward]

It's just stupid. "Hey, we noticed that three quarters of that privately owned parking garage over there isn't being used at any given time. Why don't we open up a car salvage business and store all the derelict junkers that we're parting out in their unused parking spaces?"

These are graduate students?!?

Re:Theft?

[palegray.net]

I deal with this stuff all day long, predominantly from IP connections far outside U.S. jurisdiction. These students were, in my rather experienced and measured opinion, doing the community a favor by pointing out exactly how easy this sort of feat is to pull off.

Their note about using reCAPTCHA is sound advice. Admins who depend on TOS policies and their nation's legal framework to defend against networked threats are negligent in their duties. I don't waste my time worrying about chasing people around for violations of my sites' terms of service. Instead, I focus my efforts on deploying technical solutions that fix the issue.

Re:It may not be theft...

[palegray.net]

Ethical or not, if these students hadn't done it someone else would have, perhaps someone with far less respect for others. Reference my earlier reply [slashdot.org] in this thread for my opinion on the TOS angle.

Re:SlashdotFS

[adavies42]

this is terrifyingly plausible

Re:Why????

[Cyberax]

You're abusing TOR network, it was NOT meant to be used for high-bandwidth applications.

Please, stop doing it. Exit nodes do not have unlimited bandwidth.

Re:Theft?

[Jurily]

Admins who depend on TOS policies and their nation's legal framework to defend against networked threats are negligent in their duties.

True. But if I don't lock my front door, that doesn't mean it's ok for you to take my stuff.

Re:It may not be theft...

[Volante3192]

Except being "unethical" doesn't get you put in jail. Only being "illegal."

Re:Theft?

[palegray.net]

That depends entirely on your jurisdictional ability to prosecute me. By my personal code of ethics, I'd never engage in such behavior for commercial gain. Others aren't so picky (reference spammers, phishers, botnet operators, etc).

Add in the fact that wikis are specifically designed to allow open posting of content, and you've got yourself a problem if you're not competent enough to properly secure your site against even the most basic of threats.

Let me put it another way: if I own a gun and leave it on my front porch with a full magazine of ammo in it, I can't bitch when my weapon gets lifted and someone gets killed with it.

Re:Theft?

[palegray.net]

I agree with your points in principle, and would like to offer an alternative means by which the students could have demonstrated their methodology.

These days, $300 will buy you a whitebox computer (assembled yourself, of course) that is capable of running 20 virtual machines. By analyzing the version numbers of common target platforms in the wild, you could conceivably build a virtual network of "real world class" servers with which to demonstrate your technique. Scale this to three or four servers running various wiki platforms, and you've got yourself a virtualized software ecosystem that you can do whatever you want to without fear of repercussions.

Hey, that's what I would have done, but I only have a GED and 15 years of network administration and programming experience ;).

Why go external to begin with?

[tinkertim]

This could be demonstrated just as well on sites that they own / control. For instance, with a single domain name, 100 pastebin clones, 100 wikis could be set up and configured differently (i.e. subdomains).

Some of them could have active SPAM policing, captchas, etc .. others could behave as though they had a lazy / dead admin. Others could just mysteriously vanish (i.e. domain expired, no longer hosted, etc).

The results are the same, either way. I wonder why they bothered going for external sites to begin with? All they needed was a cheap p4 and some scripts to automate mediawiki installs.

Why didn't they just stay in the sandbox?

Re:Theft?

[aliquis]

Don't ask me how you're supposed to know this...

Common sense? Works for most of us ..

Theft!

[Anonymous Coward]

The fact is that not all of the wiki sites they spammed were abandoned. Does that change your answer?

Apologize?

[Talisman]

"...the students posted an apology this afternoon."

In the words of Vince Vaughn, "Apologize for what, baby? Being awesome?"

Re:Theft?

[shentino]

It's not quite an invitation...

In real life, you can also REVOKE your invitation by

1) telling your guest they are no longer welcome
2) order them to leave, and tell them they are not to return
3) have the police escort them away and give them a trespass warning.
4) have them arrested if they refuse to leave, or return in spite of an official trespass warning
5) Watch them get clapped in irons if they come back again.
6) Repeat step 5 as needed

With spam, it's more like your guest

1) Found your hide-a-key (harvested your address, possibly by decrypting an image)
2) Barged in through an unlocked door (that they unlocked thmselves)
3) Increasingly, disable your security system (aka getting past your filters)
4) Threw a messy party
5) (the possible worst part) Bribed the police so they don't get escorted away (aka signed a pink contract)
6) Has an extensive collection of disguises that protects them from being dinged twice in the same face (botnets and address forgeries)
7) Possibly got tipped off to your address through the slip of the tongue of one of your buddies through the grapevine (sleazy companies that leak your address or sell it)

So anyone who calls spam the natural result of negligence on the part of the account holder is either high and doesn't have a clue what's going on, or is a woefully apathetic approver of the "survival of the fittest" arms race between spammers, providers, and subscribers.

Re:Theft?

[andy.ruddock]

Ah, but trespass is a tort, not a criminal offence (which is why all "trespassers will be prosecuted" signs can safely be ignored).
OTOH "Trespassers will be shot and fed to the dogs" signs should ALWAYS be heeded.

Re:Theft?

[palegray.net]

I guess I should have secured that outlet to prevent unauthorized access. My property, my responsibility. There's an old saying that your freedoms are only valid to the extent that you're able to defend them.

Re:Theft?

[Anonymous Coward]

So, unless someone has multiple Medeco locks on all doors, bars on the windows, and TS/SCI level of security for any computers, it is OK to steal from them?

Re:It may not be theft...

[nyctopterus]

"If I didn't do it, somebody else would" is one of the lamest defenses invented by man.

Originality could get you anything...from A to F

[ciderVisor]

He experimented further. In one class he had everyone write all hour about the back of his thumb. Everyone gave him funny looks at the beginning of the hour, but everyone did it, and there wasn't a single complaint about "nothing to say."

In another class he changed the subject from the thumb to a coin, and got a full hour's writing from every student. In other classes it was the same. Some asked, "Do you have to write about both sides?" Once they got into the idea of seeing directly for themselves they also saw there was no limit to the amount they could say. It was a confidence-building assignment too, because what they wrote, even though seemingly trivial, was nevertheless their own thing, not a mimicking of someone else's. Classes where he used that coin exercise were always less balky and more interested.

As a result of his experiments he concluded that imitation was a real evil that had to be broken before real rhetoric teaching could begin. This imitation seemed to be an external compulsion. Little children didn't have it. It seemed to come later on, possibly as a result of school itself.

That sounded right, and the more he thought about it the more right it sounded. Schools teach you to imitate. If you don't imitate what the teacher wants you get a bad grade. Here, in college, it was more sophisticated, of course; you were supposed to imitate the teacher in such a way as to convince the teacher you were not imitating, but taking the essence of the instruction and going ahead with it on your own. That got you A's. Originality on the other hand could get you anything...from A to F. The whole grading system cautioned against it.

He discussed this with a professor of psychology who lived next door to him, an extremely imaginative teacher, who said, "Right. Eliminate the whole degree-and-grading system and then you'll get real education."

From Zen and the Art of Motorcycle Maintenance [virtualschool.edu] by Robert M. Pirsig

Re:It may not be theft...

[palegray.net]

You couldn't be more wrong. When it comes to proof-of-concept research that illustrates a vulnerability, "If I didn't do it, somebody else would" is one of the noblest defenses known to man.

Re:Theft?

[palegray.net]

Since you referenced TS/SCI I'm going to assume you have a military or defense contracting background. In light of that, if you'd read the entire thread, you really should know better than this. The first sentence of my GP reply was mostly in jest. The second and third sentences were serious.

This entire story stinks of a distinct lack of personal responsiblity. As far as analogies go, think of it as someone who abandons a property for months on end, allowing the grass to grow high, paint to begin peeling off the siding, and animals to take up residence in the living room. The owner returns to said derelict property and is shocked to find a family of raccoons nesting in his lounger.

This is why we actively maintain property, according to the very real tenet that you only own property to the extent that you can defend it against assault.

Re:Theft?

[Angostura]

>That depends entirely on your jurisdictional ability to prosecute me.

Not at all. Whether it is OK or not does not depend on jurisdictional reach. It depends on whether you believe its OK to go and burgle someone's house simply because their house is unlocked. Whether the cops see you is neither here nor there.

That depends entirely

[wiredog]

So it's only unethical if you get caught?

Or worse

[TheLink]

Next, using viruses to spread and stash data in humans.

Imagine when the relevant technologies involved get affordable and some kid thinks it would be cool/neat to do that.

Many people think that scientific progress requires allowing everyone to research whatever they want. To me certain research paths shouldn't be done _yet_, and left till later till humans and human societies are more ready to cope with the long term consequences and potential effects.

We are getting a bit close to the time when creating "The Big Red Button (That Kills Everyone)" becomes cheap enough to be some grad student's project.

Re:Theft?

[Chris Mattern]

On the contrary, societies live and die by their internalized code of ethics. Law cleans up the small minority that refuse to follow that code, and helps tidy up the corner cases where there is dispute as to the correct path, but it cannot revise or create that code of ethics by fiat.

Re:Theft?

[mea37]

What I find the most amazing about this thread, is that each participant seems to assume that one, but not both, of the following statements are true:

1) It is wrong to take what isn't yours even if it is easy (i.e. because nobody has put security mesaures in place that can stop you).

2) It is foolish not to have decent security measures in place.

Now, I agree that the use of the term "stealing" in TFS was a stretch; but that has everything to do with the fact that the offense was one completely different from theft and nothing to do with whether the sites' security was as it should be.

The thing is, what constitutes "decent security" depends on the society and the situation. There are many places in the world where even today it is considered normal not to lock the doors of your home. This does not magically mean those places don't have property rights.

When 3rd party harm is a concern (securing a gun, etc.), the standards are different -- but even then the guy who takes the unsecured gun and abuses it is not blameless even if the gun owner also isn't blameless. With the world of botnets, etc., networked computers belong in a category somewhere more sensitive than an electrical outlet on your porch but less sensitive than a gun.

"There's an old saying that your freedoms are only valid to the extent that you're able to defend them"

One of the principle means by which we defend our freedoms is by organizing into a society of laws.

Re:Theft?

[Duradin]

Yup, A-OK since they probably neglected to construct their walls out of reinforced concrete (and of a sufficient thickness).

The "you only have the rights you can defend -- and I defend mine very well crowd" tend to talk big about personal responsibility and rights until a superior force decides to pay attention to them and proves that no, they really couldn't defend those rights.

Don't get me wrong, I support individual rights. I just don't have the delusion that I alone can defend them. I could devote all my resources to creating a fortified enclave for myself and it would easily all come to naught. The best defense for individual rights and property is being part of a society that accepts, embraces and defends those concepts. Unfortunately that in itself requires a high degree of personal responsibility and restraint which is why we're slowly sliding towards little points of light hidden in a vast sea of darkness.

Re:Theft?

[quickOnTheUptake]

No argument can say that that is true from the axioms of logic.

Have you taken a course in logic? You can never get content from the axioms of logic alone. It doesn't just apply to ethics. Try proving any of rules of physics from the axioms of logic.

Any social code of ethics is most likely derived from a leap of faith, and so should not be respected

This is such sweeping generalization I don't know where to start. Do you really deny that we have a sort of native sense of wrong? Is a five year old's sense of being wronged when a bully pushes him around, calls him names, and takes his lunch money based on a "leap of faith"?