The number of file-swapping, or peer-to-peer, Web sites, has grown more than five-fold in the past year, a study said on Monday, despite legal efforts by Hollywood, music companies and software firms to shut them down.
Peer-to-peer sites, including Kazaa and Morpheus Music City, have attracted millions of global users who trade all manner of files, primarily copyright-protected songs, films, software and computer games.
The record labels and Hollywood studios have made unsuccessful attempts to clamp down on the sites, which they claim are enabling a wave of mass consumer piracy that is eating into sales.
According to a new survey by U.S. technology firm Websense Inc., the number of peer-to-peer (P2P) sites totals nearly 38,000, up 535 percent in the past year.
Nearly one in three of the most popular applications downloaded off CNet's Download.com are for P2P services, the survey said.
The surge in P2P usage is impacting the workplace as employees increasingly use speedy corporate Internet connections to download songs and software, a potentially unlawful activity, Websense warned.
"Companies that look the other way may have copyright violations occurring in the workplace, and lawsuits are a potential outcome of such activity," Jennifer Kearns, an employment attorney at UK law firm Brobeck, Phleger and Harrison, said in a statement issued by Websense.
News source: Reuters - File-Swapping Sites Multiply Despite Legal Tangles
Peer-to-peer sites, including Kazaa and Morpheus Music City, have attracted millions of global users who trade all manner of files, primarily copyright-protected songs, films, software and computer games.
The record labels and Hollywood studios have made unsuccessful attempts to clamp down on the sites, which they claim are enabling a wave of mass consumer piracy that is eating into sales.
According to a new survey by U.S. technology firm Websense Inc., the number of peer-to-peer (P2P) sites totals nearly 38,000, up 535 percent in the past year.
Nearly one in three of the most popular applications downloaded off CNet's Download.com are for P2P services, the survey said.
The surge in P2P usage is impacting the workplace as employees increasingly use speedy corporate Internet connections to download songs and software, a potentially unlawful activity, Websense warned.
"Companies that look the other way may have copyright violations occurring in the workplace, and lawsuits are a potential outcome of such activity," Jennifer Kearns, an employment attorney at UK law firm Brobeck, Phleger and Harrison, said in a statement issued by Websense.
News source: Reuters - File-Swapping Sites Multiply Despite Legal Tangles
unlike previous exploits that went unanswered this one saw a prompt response:
Vendor response:
Finjan Malicious Code Research Center had an interesting discussion with Microsoft Security Response Center. This is their response:
Hi, Thanks very much for your note and for sending this on. We really appreciate it. To understand the issue fully, it would be good to expand this somewhat. There really are two issues here: One related to the ability to mount an attack successfully, and one related to how data is stored on a system and what could happen to that in light of a successful attack. To be clear, none of the attack scenarios that you've described are mounted through MBSA itself. Also, the attack you've described does not exploit a vulnerability in any product: in a default system this attack fails. It's only when a user chooses to run code from an untrusted source and proceed despite the security warnings provided that this attack could succeed. Protecting systems against untrusted code is vitally important, and we call this out in our 10 Immutable Laws of Security as Law #1 ( http://www.microsoft.com/technet/columns/security/10imlaws.asp ), to underscore its importance. If an attacker were able to convince a user to run their code, that code would then be able to take any actions on the system that the user can take. While it is true that MBSA stores its information in a known location, storing it in an unpredictable location would not measurably change the situation. An attacker's code could just as easily search the local system for the file. Likewise, it is true that MBSA's information can be read by the user (or code running as the user). However, even if the MBSA information were not present on the system, code running as the user would be able to determine the presence or absence of patches, simply by consulting the time/date information contained in the publicly available MSSecure XML database. Again, it is a question of degree rather than feasibility. The larger issue in both cases is the presence of code running with the user's privileges. If the attacker cannot run code, it does not matter how the MBSA data is stored, because the attacker cannot access it. If the attacker can run code, he or she does not need the MBSA data, as they already have all the privileges needed to duplicate the MBSA processing. (For that matter, the attacker could simply run MBSA itself and do a "screen scrape"). That said, we are always looking to make improvements and we appreciate concerns and feedback like this. Our MBSA team is looking at these suggestions along with others that we have received and consider them as they design future versions of this tool.
Thanks again for sending this on, we really appreciate it.
Regards,
secure@microsoft.com
Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!
Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.