Intelligence, Society and Technology


Thursday, 05 Feb 2009

CNN Video Installs P2P On Viewers' Computers

People who watched CNN's Inaugural coverage on its website unknowingly allowed the network to install peer-to-peer software on their computers. The Octoshape Grid Delivery service uses viewers' computers and their upstream bandwidth to relay the stream to other viewers, which saves CNN a good deal of money by shifting significant costs onto end users and their ISPs.

Brian Livingston of Windows Secrets writes:

The Internet Storm Center, an Internet security organization, reported that traffic on Jan. 20 had jumped to a level thousands of times higher than usual on port 8247, which is used for UDP, the User Datagram Protocol. The center quickly identified the source as legitimate - CNN - but security consultant Raul Siles warned in his report, “It would be easy for an attacker to hide his actions on this port if we simply ignore it.” In a telephone interview, Octoshape’s P2P nature was confirmed by Mike Wise, group technical advisor for platform R&D at Turner Broadcasting System, the parent of CNN.

Livingston accuses CNN of "deceptive marketing, cost-shifting to ISPs, cost to end users, and ludicrous license terms," among other things. CNN has used the same software for other streaming video on its site. Livingston also explains how to remove the software.
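The Internet Storm Center noticed the Octoshape traffic because it watches per-port volumes and the UDP/8247 figure jumped by orders of magnitude. The following is an added example, not code from the page or from the ISC, of that kind of baseline check over flow summaries; the line format, the byte counts and the dates are all constructed here, and the attribution table is a hypothetical analyst's note, not ISC data.

```python
# Added example, not from the page or the Internet Storm Center: a per-port
# volume baseline of the kind that made the Jan. 20 UDP/8247 jump visible.
# The flow-summary format and every sample line below are constructed.
from collections import defaultdict

# Constructed daily flow summaries: "date proto dst_port bytes" (not real data).
SAMPLE_FLOWS = """\
2009-01-19 udp 8247 1200
2009-01-19 udp 53 900000
2009-01-19 udp 8247 800
2009-01-20 udp 8247 45000000
2009-01-20 udp 53 950000
2009-01-20 udp 8247 30000000
2009-01-20 tcp 4444 5000
"""

# Ports whose traffic has been attributed to a known service (hypothetical
# analyst note). Attribution is a label for the analyst, not a reason to
# stop looking at the port.
KNOWN = {("udp", 8247): "Octoshape (CNN streaming), confirmed by ISC"}


def daily_port_bytes(text):
    """Sum bytes per (proto, dst_port) for each day in the flow summaries."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, proto, port, nbytes = line.split()
        totals[day][(proto, int(port))] += int(nbytes)
    return totals


def spikes(totals, baseline_day, target_day, factor=100):
    """Return (proto, port) -> growth ratio for ports whose byte count grew by
    at least `factor` over the baseline day, or that had no baseline at all."""
    base, cur = totals[baseline_day], totals[target_day]
    flagged = {}
    for key, nbytes in cur.items():
        prior = base.get(key, 0)
        ratio = nbytes / prior if prior else float("inf")
        if ratio >= factor:
            flagged[key] = ratio
    return flagged


def triage(flagged):
    """Pair each spike with its attribution. Unattributed spikes need a look;
    attributed ones are still reported so nobody can hide behind a 'known' port."""
    return sorted(
        (proto, port, ratio, KNOWN.get((proto, port), "unattributed: investigate"))
        for (proto, port), ratio in flagged.items()
    )


if __name__ == "__main__":
    flagged = spikes(daily_port_bytes(SAMPLE_FLOWS), "2009-01-19", "2009-01-20")
    for row in triage(flagged):
        print(row)
```

The point of keeping attributed ports in the report rather than dropping them is the one Raul Siles makes in the quote above: once a port is written off as "that's just CNN," anything else riding on it goes unexamined.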


Tuesday, 30 Dec 2008

Insecurity of the MD5 Hash

A digitally signed certificate is what assures you that you are really on the website you think you are. But what if the certificate can be forged? That is the scenario demonstrated by a team of researchers from UC Berkeley and several European institutions, who exploited collisions in MD5, the hash function some certificate authorities still used when signing certificates, to produce a rogue CA certificate that browsers would trust…


The researchers say they implemented an attack laid out theoretically in a paper published the previous year (the chosen-prefix collision method for MD5). To pull off their substitution, they had to generate two certificates, a harmless website certificate that a real CA would sign and a rogue CA certificate, whose signed contents produced the same MD5 hash; otherwise the CA's signature, copied from the legitimate certificate onto the rogue one, would not verify. The effort was complicated by two fields in the signed certificate that they could not control: the serial number and the validity period. Both come before the colliding data in what the CA signs, so both had to be predicted in advance (the CA issued sequential serial numbers and set the validity period from the time of issuance, which the team timed). To do the actual math of finding the MD5 collision, they used the "PlayStation Lab," a research cluster of about 200 PlayStation 3s wired together at EPFL in Lausanne, Switzerland. Using those processors, they were able to crunch out the collision in about three days.


They recommend that certificate authorities drop MD5 in favor of a stronger hash function for their signatures (such as SHA-1 or, better, SHA-2), but such changes take time to roll out worldwide. Most certificate authorities had already abandoned MD5, but some continued to use it. Note that a CA changing its own signing algorithm does not revoke a rogue certificate that has already been forged; browsers and other relying parties also need to stop accepting MD5-based signatures.
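To make the mechanism concrete, here is an added example that is not code from the page or from the researchers. It uses the publicly known Wang et al. MD5 collision pair (two 128-byte messages that differ in six bytes) to show how a signature a "CA" makes over one document verifies unchanged over the other, and how the same signature fails once the hash is SHA-256. Two simplifications, both assumptions of this example: the colliding pair is an identical-prefix collision, so only random-looking bytes differ, whereas the real attack needed a far more expensive chosen-prefix collision so that the two certificates could carry different meaningful fields; and the CA is a toy textbook-RSA signer with hardcoded Mersenne primes and no padding, used only so the block runs offline.

```python
# Added example, not from the page or the researchers: why an MD5 collision
# lets a signature made over one document verify over another.
# COLLISION_A/COLLISION_B are the well-known Wang et al. MD5 collision pair.
# The "CA" is a toy textbook-RSA signer (assumption: Mersenne primes
# 2**61-1 and 2**89-1, e = 65537, no padding); a real CA uses PKCS#1.
import hashlib

COLLISION_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
COLLISION_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Toy RSA key (assumed values, far too small and unpadded for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def md5_collides():
    """True if the two messages differ yet share one MD5 digest."""
    return (COLLISION_A != COLLISION_B
            and hashlib.md5(COLLISION_A).digest() == hashlib.md5(COLLISION_B).digest())


def sign(data, hash_name):
    """CA signs H(data): s = H(data)^d mod N (textbook RSA, no padding)."""
    digest = int.from_bytes(hashlib.new(hash_name, data).digest(), "big")
    return pow(digest % N, D, N)


def verify(data, sig, hash_name):
    """Relying party recomputes H(data) and checks s^e mod N against it."""
    digest = int.from_bytes(hashlib.new(hash_name, data).digest(), "big")
    return pow(sig, E, N) == digest % N


def cert_pair(suffix):
    """Two stand-in 'certificates': the colliding blocks followed by a common
    suffix. MD5 is iterated over 64-byte blocks, so two equal-length inputs
    that reach the same internal state keep colliding after any shared suffix.
    (In the real attack the predicted serial number and validity period sat
    BEFORE the collision blocks, which is why they had to be guessed.)"""
    return COLLISION_A + suffix, COLLISION_B + suffix


def signature_transfers(hash_name):
    """Sign cert A only; report whether the CA's signature also verifies on B."""
    cert_a, cert_b = cert_pair(b"; CN=www.example.com; serial=42; notAfter=2010")
    sig = sign(cert_a, hash_name)
    assert verify(cert_a, sig, hash_name)          # legitimate cert always verifies
    return cert_a != cert_b and verify(cert_b, sig, hash_name)


if __name__ == "__main__":
    print("MD5 collision pair valid:", md5_collides())
    print("signature transfers with MD5:   ", signature_transfers("md5"))
    print("signature transfers with SHA-256:", signature_transfers("sha256"))
```

With MD5 the signature over the first document is accepted for the second one, because the verifier never sees the document, only its digest; with SHA-256 the digests differ and the forgery is rejected. This is also why the recommendation above targets the hash inside the signature rather than the RSA key: the key was never the weak link.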