If the RIAA can't keep its site up, who can?

For one reason or another your business or organization has raised the ire of some very tech savvy individuals and you can't seem to keep your Web site up and running. What do you do?

That may just be what the Recording Industry Association of America Inc. (RIAA) is asking itself, given that its site came under attack yet again on Friday.

The recent downing is just the latest in a string of assaults on the music industry group's site, apparently stemming from the RIAA's recent crackdown on illegal peer-to-peer (P-to-P) file swapping.

The takeoff of P-to-P sites, beginning with the advent of Napster Inc. -- pushed out of business by an RIAA lawsuit -- and continuing with players such as Kazaa and Morpheus, has been considered a serious threat to record labels' business. The RIAA has expressed growing concern as more and more Net users opt to trade music for free rather than buy CDs. Hence, the group's problems.

The group, which represents the Big Five record labels, has had its site felled repeatedly, and for longer periods of time, over the last several months. Hackers have even gone as far as modifying the RIAA site by adding links to illegal music downloads. The latest attack came last month, and IDG News Service staffers noted that they were not able to access the site for at least three days.

At that time, the RIAA announced that the U.S. Federal Bureau of Investigation (FBI) and the Secret Service were investigating.

But because the RIAA has been reticent in commenting on the subject, and issued a standard statement Friday that it is "investigating the latest attack," it is unclear why the deep-pocketed group has not been able to more adequately defend itself.

Records posted on Netcraft Ltd.'s Web site, which offers reports on networks connected to the Internet, show that the group has switched hosting providers twice in the last two months, moving from UUNET Technologies Inc. to Digex Inc. in December and then from Digex to Tomorrow's Solutions Today Inc. (TST) on Jan. 29.

TST, a small company, owns a block of IP addresses hosted by Savvis Communications. Alif Terranson, lead operations security network engineer at Savvis, confirmed that his company replaced Digex as the RIAA's hosting provider. He also added that the RIAA had been bombarded by hackers and "script-kiddies" for some time now.

"It's part of the problem of attracting so much attention," Terranson said. "These kids have so much time to spare."

The RIAA's move to Savvis would seem like a logical choice, given that the hosting company is offering a high-technology criminal investigation program to federal, state and local law enforcement agencies, according to a press release posted on the company's Web site earlier this week. Coincidently the release was pulled from Savvis' site shortly after posting because the program was not supposed to be officially launched until next week.

But the downing of the RIAA site again on Friday raises the question of why a hosting provider that is planning to train law enforcement officials and the FBI and Secret Service cannot keep the site up.

"The federal government is going out to see if they can get the private industry to help for areas where they are lacking expertise," Terranson said, discussing efforts to collaborate on Internet security. "They don't have the background or expertise necessary to track attacks on a moment to moment basis."

He added that traditional law enforcement training does not always prepare investigators to conduct efficient investigations of security-related crime.

A pair of security experts also voiced their concerns about how much ground the federal government will ever be able to cover in cyberspace due to the challenging nature of Internet security.

"It's an arms race," said Steve Bellovin, a security researcher at AT&T Labs.

As a high-profile site, the RIAA faces an army of hackers and, like any business, must deal with bad software code. "Most security problems are due to buggy code, and all the security in the world does not solve that problem," Bellovin said. "We can make progress, but there are no answers."

Revelations that the security industry and federal government have a long way to go in filling online security holes come at an uneasy time when the U.S. has been forced to shore up its Internet security amid increased terrorist threats.

A reorganization of the FBI following the Sept. 11, 2001 terrorist attacks has put an emphasis on securing cyberspace, yet it is still unclear how the agency will sharpen its skills and knowledge in the field.

Avi Rubin, associate professor of computer science at Johns Hopkins University, in Baltimore, said problems with Internet security are only exacerbated by the government's use of secrecy in its investigations.

"The government is paying a lot of lip service right now to cybersecurity and making a big deal out of it," Rubin said. "It is not uncommon for politicians to go after whatever they think is important. The government by their very nature does a lot of research that is classified and that may work for some things, but in security nothing works better than sharing information with peers."

When asked this week about the probe into the RIAA site hackings, an FBI representative said the agency does not comment on ongoing investigations. However, with its appeal to private companies such as Savvis for help, it seems clear the agency is taking cyber crime issues seriously.

Meanwhile, the challenges of Net security seem to change and grow with the advent of new technologies and even more savvy hackers, leaving both the security industry and the government struggling to keep up, Bellovin said.

How authorities respond to these challenges remains to be seen. Considering reports Friday that President George W. Bush has directed the government to develop a policy on waging cyber-warfare, the issue most likely will continue to garner attention.

However, Bellovin said there is only so much that can be done to help a site under attack.

"There are no magic answers to this problem," he said.

For the RIAA, and other Web site owners who have become the target of hackers, that fact may be cold comfort.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ADVENTAT&TDigexFBIFederal Bureau of InvestigationKaZaALogicalMorpheusNapsterNetcraftRecording Industry Association of AmericaSavvisSavvis CommunicationsUunetUUNET Technologies

Show Comments