Slashdot Mirror


Reflections on Brilliant Digital: Single Points of 0wnership

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.


  1. Dumb..Very Dumb by DCram · · Score: 4, Insightful

    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. Their response, you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occur elsewhere? I thought I worked with some bright people, but they seem to think of their machines as black boxes, and if they work, great.

    sigh.

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
    1. Re:Dumb..Very Dumb by Anonymous Coward · · Score: 3, Insightful

      This thinking happens everywhere. People don't give a damn until something bad happens -- until they get owned. Everything is perfect until the day the world actually falls apart - even though it has been happening for a matter of years - everything is fine until the day it happens. That's the kind of thinking.


    2. Re:Dumb..Very Dumb by erroneus · · Score: 4, Insightful

      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term effects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!

    3. Re:Dumb..Very Dumb by Broccolist · · Score: 5, Insightful

      I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

      An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

      People aren't really getting more ignorant: we're more educated than at any time in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

    4. Re:Dumb..Very Dumb by clone304 · · Score: 2, Insightful

      I had composed a very long and detailed rebuttal to your post, but either it was too long or it took me too long to compose it. I almost said, "Fuck it." But, then I read your post again.

      I just had to say a few things:

      Referencing a warning that predicts the death of a culture/civilization/way of life that is dead as proof that people who predict such things are wrong is rather unconvincing.

      It's just that kind of "disaster never actually happens" attitude that causes more disasters to actually occur. Don't just stick your head in the sand. That's half-assed. Go ahead and stick it up your ass.

      You claim that we're more educated than ever before. How so? Because more people have basic reading skills? More people can count? More people know the latest celebrity gossip? Bullshit. People today, as in the past, are "educated" with respect to the things that they need to know to survive. By contrast, if you take away the conveniences of our pampered modern society, how many people would be qualified to survive? Very few, IMO. Yet, the "uneducated" people of ancient cultures managed to learn many complex skills that allowed them to survive despite challenges that would easily best most people that I know. So, who's educated? It seems to me that rather than more educated, today's people have become more dependent on experts to provide them with the tools to survive. In the past, practical knowledge was passed down directly from people who knew to people who would HAVE to know. How many people do you know that know how to build a microwave from scratch? How many people do you know that can even cook a good meal? Forget about actually acquiring food stuff from the wild. Compare our people with the people of past generations and you'll find that they are invariably less capable human beings on the whole. And further, they don't even learn anything from the inadequate "education" they do receive. And, do most of them learn anything from their parents? Likely not, since their parents are away working overtime at mindless corporate jobs all day. Instead, children learn that their parents are suckers (which is not far from the truth) by contrast with the cool, glamorous people that populate the lessons taught to them by their teacher: television.

      I had to quote you on this one:
      "Do you think those textile workers were curious to know how the sewing machines really worked?"

      I'm really not sure what you're referencing here. Which textile workers? Are we talking ancient times textile workers? I don't think they had sewing machines. Looms, maybe. How much do you know about looms, smarty pants? Today's textile workers? You mean the sweatshop laborers that provide us with cheap designer knockoffs at K-Mart? I'd venture a guess. I think they know more about how a sewing machine works than YOU do. Who do you think makes sure that that machine keeps knockin out cheap crap? They may not be curious, but they damn well do know how to keep that sewing machine running. That sewing machine is their livelihood. Have you EVER met a starving motherfucker who didn't make it his business to know what he needs to know to keep getting fed?

      Things ARE getting worse, or at least more dangerous. We "may" not have more ignorant people on a percentage basis than in the past, though this is extremely debatable, but every single one of our current ignorant bastards has a billion times more destructive power.

      Shit, all you have to do is be an unrepentant American consumer and you're already wasting a completely unsustainable amount of natural resources. Ignorance, apathy, complacency, and greed will make sure that this destruction continues.

      So, say it and keep saying it. All you're really saying is that you are yet another one of the ignorant fools who are unwilling to see the writing on the wall until you drive into it at 60 miles per hour. Ignorance is bliss, right? Does it feel good?


  2. Come on by Slash+Veteran · · Score: 1, Insightful

    If you use KaZaA, with all of its spyware, worm-like auto-updating, and history of escalating privacy invasion, you don't have a clue. You deserve to be 0wn3d d00d.

  3. Already Exists by nuggz · · Score: 4, Insightful

    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.

  4. Re:Any comments? by Slash+Veteran · · Score: 5, Insightful

    I mean, if I were to attack the Internet root dns servers couldn't that cause all sorts of problems

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owners of KaZaA don't have the same track record.

  5. Distributed Computing on Kazaa by Kargan · · Score: 2, Insightful

    Ok, from what I understand, Kazaa is going to be attempting to get their users to give up their spare CPU cycles to help drive advertisements and other income-based projects for Kazaa?

    Ok, not only would this concept be likely considered unwelcome even by casual Kazaa users, but think of all the other possibilities for an already heavily established (as those things go) P2P app like Kazaa...

    In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give (or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?

    That way they could make money, a name for themselves, and generally the rest of humanity a bit happier.

    --
    Palaces, barricades, threats, meet promises
  6. Re:Any comments? by Anonymous Coward · · Score: 1, Insightful

    That's a good point - but still, you can trust someone to keep a system secure but things still happen - right? Sure the chances are cut, but it doesn't rule anything out. The safest way to design a system is to make it safe *by design* in addition to maintaining the safety. Wouldn't a valid argument be made for the Internet root DNS servers or am I totally off-base?


  7. Cooperation is key by jmulvey · · Score: 2, Insightful

    Interesting article. I think it effectively shows that Brilliant Digital -- along with just about 95% of our industry -- needs to learn that they can't just shove software down people's throats. Most interesting to these companies should be the legal liability questions raised.

    I'd expect these companies to start adding stuff into their installation legalese with something to the effect of, "You agree not to reverse-engineer anything we might be doing with your computer. You agree to sit back and relax while we adjust the horizontal and vertical"..

  8. preview misleading... by kritikal · · Score: 4, Insightful

    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.

    1. Re:preview misleading... by JetScootr · · Score: 3, Insightful

      With rapid changes in technology, Security is a matter of timing, not an absolute. Make it as secure as technology allows today, and it's just a matter of time - weeks or months, seldom years - until the security is easily cracked or is completely broken.
      Because of this, and the logistics inherent in updating the security on 20+ million PCs, you get the MSIE / Outlook Express situation.
      The author's comment about "single point of ownership" is valid no matter what security is used on this.

      --
      Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
  9. Not on this scale... by FaithAndReason · · Score: 2, Insightful

    Need for Speed isn't installed on 10 million PCs. And, unlike Kazaa (I refuse to type that #$%@ capitalization), it's probably not running more or less 24/7 on a good percentage of those boxes.

    True, windowsupdate.microsoft.com is a big fat target too, but at least that was designed primarily with security in mind, and AFAIK it hasn't been hacked yet in the 4 years since it was introduced. Also, Windows Update will NOT install anything without your explicit consent. (Now, as for Windows Media... it says right in the EULA that MS reserves the right to update your codecs without your permission, at the very least...)

  10. Expect more of this! by MavEtJu · · Score: 5, Insightful

    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.

    --
    bash$ :(){ :|:&};:
  11. Anti-Virus Programs by Reknamorken · · Score: 2, Insightful
    I would guess that nearly 100% of /. readers have an Anti-Virus scanner of some sort loaded on their desktop/laptop. These all have systems that are designed to automatically d/l updates, including core functionality/engines.

    I have seen TrendMicro's PC-Cillin d/l executables before.

    So, while Brilliant Digital is out of line and while Weaver makes good points, the reality is that this threat has been around for a very long time.

    For that matter, have you considered what might happen if someone 0wns the Akamai system?

    --
    Linux is UNIX.
  12. Re:what nonsense by RovingSlug · · Score: 2, Insightful

    How does it affect me, when I haven't installed the program?

    The answer to this question is painfully simple: You are connected to and attempting to use the same network. Internet users, slashdot readers especially, should appreciate the effect that (tens/hundreds of) thousands of "other people" can have on such a network.

    You are blatantly ignoring the context of "How does it affect me". The intended context is: Does it directly compromise my system and my data? The context you address is: Does it affect remote resources that I'm accustomed to having access to?

    The article summary implies the former: direct compromise of a system. ("Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service.") If it's actually implying the latter remote resource issue, then it's irresponsible reporting.

    And, I agree with the first poster. There's no evidence to suggest that assuming control of Kazaa machines gives access to non-Kazaa machines.

  13. Re:The post is a rant! by JDizzy · · Score: 3, Insightful

    Well, the guy is most certainly smarter than me. I do respect him. However, rant is rant, despite the velvet on the emperor's robe. The whole text is nothing more than a rant, and conjecture. I hope his thesis papers are not written this way. It is sad when people, with good intentions, discredit themselves in this way. People don't know what they don't know. And nobody knows anything about Brilliant's sneak-ware. For him to create a thought-experiment of what he believes to be true (or false), and rant about it, doesn't afford him any credibility. So until he actually disassembles the Kazaa sneakware, there is nothing to write about. The only good part of the text is his questions to ask about Kazaa. The rest is hot air.

    --
    It isn't a lie if you believe it.
  14. Re:Dumb..Very Dumb (mod parent up!) by erroneus · · Score: 3, Insightful

    ....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.

    We do tend to idealize the past beyond its reality. Still... apathy harms.

  15. Information overload by HiThere · · Score: 4, Insightful

    The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

    Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

    Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

    All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

    One of the critical flaws in the process is:

    How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
    1. Re:Information overload by alcmena · · Score: 3, Insightful

      How does one choose trustworthy authorities?

      I like the idea of political duty. Think of it like jury duty, only longer. It basically states that random people will be picked to serve as politicians (house members, senate members, etc.) for a period of time. They are then released and a new crop is picked. There are many problems with this, but there are many problems with the way things are done now.

      If the political duty was truly random, the views of the population are more likely to be represented. Though it would take a lot of effort to ensure the process is random and is not corrupted.

  16. Solution to the Kazaa problem by tempest303 · · Score: 3, Insightful

    Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:

    DON'T INSTALL IT TO BEGIN WITH. ;P

    tempest303, continuing his crusade to troll people that think fair use means never paying for media.

  17. The guy is right. It's serious. by Animats · · Score: 5, Insightful

    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing..) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brilliant-based attack, it might contaminate most of the clients in a very short period of time. And most of them wouldn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.
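The mitigation that removes the update service (and any peer) as a single point of ownership is for clients to accept only updates signed by a key whose private half never sits on the distribution path. The following is an added example, not code from Brilliant Digital or from the original thread; the Manifest format, the VerifyUpdate and Scenario functions and the sample payloads are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor as a client might receive it
// from the update service or from a peer; only the signature decides trust.
type Manifest struct {
	Version       int    `json:"version"`
	PayloadSHA256 string `json:"payload_sha256"`
}

// VerifyUpdate checks a manifest and payload against a public key pinned at
// install time. The private half stays offline, so taking over the update
// service (or a peer) does not by itself allow pushing code to clients.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte, installed int) error {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return errors.New("manifest signature invalid: update rejected")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return err
	}
	if m.Version <= installed {
		return errors.New("replayed or downgraded manifest: update rejected")
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.PayloadSHA256 {
		return errors.New("payload does not match signed manifest: update rejected")
	}
	return nil
}

// SignManifest is the offline signing step, used only to build the sample.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte) {
	b, _ := json.Marshal(m)
	return b, ed25519.Sign(priv, b)
}

// Scenario reports whether a genuine update, an update whose payload was
// swapped after signing, and a replay of an old manifest are accepted.
func Scenario() (genuine, swapped, replay bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("constructed sample update payload")
	sum := sha256.Sum256(good)
	mj, sig := SignManifest(priv, Manifest{Version: 2, PayloadSHA256: hex.EncodeToString(sum[:])})
	genuine = VerifyUpdate(pub, mj, sig, good, 1) == nil
	// A compromised service can substitute bytes but cannot re-sign the manifest.
	swapped = VerifyUpdate(pub, mj, sig, []byte("substituted payload"), 1) == nil
	// A validly signed but older manifest must not roll the client back.
	replay = VerifyUpdate(pub, mj, sig, good, 2) == nil
	return genuine, swapped, replay
}

func main() {
	g, s, r := Scenario()
	fmt.Printf("genuine=%v swapped=%v replay=%v\n", g, s, r)
}
```

The version check matters as much as the signature: without it, a compromised distribution point can still replay an old, validly signed release that carries a known hole.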