Slashdot Mirror


Reflections on Brilliant Digital: Single Points of 0wnership

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.

10 of 278 comments

  1. subject by Anonymous Coward · · Score: 0, Informative
    "Any program which downloads automatic updates should be scrutinized..."

    Mozilla does this now...
  2. Re:Any comments? by DCram · · Score: 5, Informative

    From the article the other day on root DNS servers.
    Story
    For the "internet" to be greatly affected multiple root servers must be brought down.

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
  3. Re:Doesn't XP already do this? by Anonymous Coward · · Score: 3, Informative

    That's certainly a security risk with XP; basically they've extended RDP (which was available in W2K Server) onto the desktop. From an administration point of view this is a god-send. Additionally, I would note that by default RDP is not enabled on systems, and by default when you enable it, it's to allow someone you know to access your system, to whom you send an e-mail with a special link/key and then give them a password through a separate (we hope secure... but that's the end user's own issue) method. So far I haven't seen any proof-of-concepts for a server compromise via RDP, and realistically speaking, this is a lot like SSH is to *nix... it gives you access to the 'command line' of windows... the gui... Certainly RDP is a security risk for everyone running it, but so is connecting to the Internet - from what I've seen there are many more, much larger vulnerabilities in m$ products than this one poses.

  4. Re:what nonsense by FrostyWheaton · · Score: 3, Informative

    How does it affect me, when I haven't installed the program?

    The answer to this question is painfully simple: You are connected to and attempting to use the same network. Internet users, slashdot readers especially, should appreciate the effect that (tens/hundreds of) thousands of "other people" can have on such a network.

    " You're telling me that if they get hacked, the entire Internet is at the mercy of the hackers. Why is that?"

    Because the actions of millions of compromised machines have the ability to bring Internet traffic to a standstill. Millions of boxes, spread throughout the world, all participating in a coordinated DoS attack, would be, as the article states, "unstoppable".

    --
    Comments should be like skirts. Short enough to keep your attention, but long enough to cover the subject
  5. Re:Any comments? by Slash+Veteran · · Score: 2, Informative
    The other good thing about an attack like that is that the root servers don't rebuild their zone files and push that often.

    no, no, no. You're missing the point.

    If I compromise and poison D.ROOT-SERVERS.NET, it remains poisoned until the next push (twice daily). Anyone who does a DNS lookup, on average, refers to D.ROOT-SERVERS.NET once out of every 13 lookups, and therefore is subject to poisoning 1 out of 13 lookups. You'd never know, except when goatse shows up on your screen instead of microsoft.com ;)

    There is no system in place (at least, publicly known) whereby the root servers (or other major internet sites) compare the root servers' databases. They are simply trusted as "correct."

    Poisoning the master (A.ROOT-SERVERS.NET) would be even more disastrous, since, on the next push, it would corrupt the remaining 12.

    Similar end games exist for poisoning the trusted certifying authorities (root CAs) for RSA certificates. In the end, you have to trust something, and that something needs to be secure.

  6. This all applies to Grokster as well by markh1967 · · Score: 3, Informative

    Just to make people aware that the trojan is also distributed with other FastTrack browsers such as Grokster. It is not just confined to KaZaa. I've never downloaded or installed KaZaa but I am running Grokster (with the spyware removed and dummy cydoor dll in place) and I was infected as well. If you're running Grokster, check out your Windows directory. If there's a folder in there called BDE and you aren't running the Borland Database Engine then you're infected as well.

    --
    Input error. Replace user and press any key to continue.
  7. Re:Already Exists by cscx · · Score: 4, Informative

    No, see, Windows Update has security signatures on all of its packages. Plus, you are discounting that the auto-update feature is only available on Windows ME and XP, and even so, it doesn't automatically install updates unless you explicitly set it to. That really narrows down the population. Don't forget all the corporate users who are subject to Windows Update corporate edition, where the admin decides which updates to install.

    On the other hand, how many people are running Kazaa in comparison (on Win95, for example)? A lot more. What is worrisome is the corporate user running Kazaa behind an improperly set firewall. If he is on a large pipe, that can spell trouble. Imagine that problem multiplied by the number of users running Kazaa. Can you say "imagine a Beowulf cluster of DoS zombies?"
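
    The difference between the update service the story describes and the signed packages cscx mentions in comment 7 is where the trust sits: if the client only trusts whatever the update server hands it, the server is the single point of 0wnership; if the client pins the publisher's signing key and checks every manifest against it, an attacker who owns the server still cannot push code without the private key. The following is an added example written for this page, not code from Brilliant Digital, Microsoft, or any of the commenters. It uses a deliberately tiny textbook RSA (no padding, 512-bit keys, generated from a fixed seed so the run is repeatable) as a stand-in for a real signature scheme; the manifest layout, the `check_update` rules and the sample payloads are all constructed for the demo. It walks through the three things an attacker who controls only the update server can try (swap the package, re-sign with their own key, replay an old signed manifest) and shows each one being rejected.

```python
"""Toy signed-update client: trust a pinned publisher key, not the server.
The RSA below is textbook and unpadded -- illustration only, never production."""
import hashlib
import json
import math
import random


# ---- toy textbook RSA (constructed for the demo) ---------------------------
def _probable_prime(n, rng, rounds=25):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=None):
    """Return (public, private) = ((e, n), (d, n)). `seed` is only for repeatable demos."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(data):
    # SHA-256 is 256 bits, well below the 512-bit modulus, so it fits unpadded.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    d, n = private_key
    return pow(_digest_int(data), d, n)


def signature_valid(data, sig, public_key):
    e, n = public_key
    return pow(sig, e, n) == _digest_int(data)


# ---- the update client ----------------------------------------------------
def canonical(manifest):
    """Deterministic bytes so signer and verifier hash exactly the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def check_update(manifest_bytes, sig, package, pinned_key, installed_version):
    """Decide whether an update fetched from the (untrusted) server may be applied.
    Returns 'ok' or a rejection reason; the caller applies nothing unless 'ok'."""
    if not signature_valid(manifest_bytes, sig, pinned_key):
        return "reject: manifest not signed by pinned publisher key"
    manifest = json.loads(manifest_bytes)
    if manifest.get("version", 0) <= installed_version:
        return "reject: rollback/replay of an older signed manifest"
    if hashlib.sha256(package).hexdigest() != manifest.get("sha256"):
        return "reject: package does not match the hash in the signed manifest"
    return "ok"


def demo():
    """Constructed scenarios: one legitimate update, then three attempts by an
    attacker who owns the update server but not the publisher's private key."""
    publisher_pub, publisher_priv = generate_keypair(seed=1)
    _, attacker_priv = generate_keypair(seed=2)
    good_pkg = b"constructed update payload v2"
    evil_pkg = b"constructed payload that would join a DDoS"
    old_pkg = b"constructed update payload v1"
    m2 = canonical({"version": 2, "sha256": hashlib.sha256(good_pkg).hexdigest()})
    s2 = sign(m2, publisher_priv)
    m1 = canonical({"version": 1, "sha256": hashlib.sha256(old_pkg).hexdigest()})
    s1 = sign(m1, publisher_priv)  # genuinely signed in the past, now stale
    evil_m = canonical({"version": 3, "sha256": hashlib.sha256(evil_pkg).hexdigest()})
    return {
        "legit": check_update(m2, s2, good_pkg, publisher_pub, 1),
        "swap_package": check_update(m2, s2, evil_pkg, publisher_pub, 1),
        "resign_with_own_key": check_update(evil_m, sign(evil_m, attacker_priv), evil_pkg, publisher_pub, 1),
        "replay_old": check_update(m1, s1, old_pkg, publisher_pub, 1),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

    The version check matters as much as the signature: a server that can only serve what the publisher once signed can still hand out an old, vulnerable build unless the client refuses to go backwards. What this does not fix is the remaining single point, the publisher's signing key itself, which is why it belongs offline or in an HSM rather than on the machine the clients talk to.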

  8. Re:Any comments? by Slash+Veteran · · Score: 2, Informative
    No, yes, and very carefully :)

    The A.ROOT is the master of them all. That's the one that they _really_ worry about, and the one referred to in that article (with all the security, etc.)

    If it gets corrupted, even accidentally, the results would be disastrous. Although, I'm sure as soon as they realized it's been hosed, they'd cancel the next push (to the other root servers, keeping them "sane") and take the A.ROOT offline.

    The A.ROOT is updated manually by Verisign engineers, after (I'm sure) meticulously checking the new database for errors. There's no room for a cronjob here. The database is generated on several other computers housed in that secure facility, compiling the changes from the various ICANN registrars around the world. Each registrar's changes are checked for consistency and compliance (the .au registrar can't change .com entries, etc.)

    cheers.

  9. Re:Bah - hack Windows Update by evilquaker · · Score: 3, Informative
    MS-bashing aside, I am certain that Microsoft has taken all reasonable precautions...

    Why would you expect that? Recall that Windows Update got infected with Code Red, even though a security fix was available a month earlier...

    --
    To within half a percent, pi seconds is a nanocentury. -- Tom Duff
  10. Yesterday's Ad-Aware update 5.71 uninstalls this by Mushy · · Score: 1, Informative

    Just an FYI.