Reflections on Brilliant Digital: Single Points of 0wnership
nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if succesfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?".Updated by HeUnique: use these instructions to remove the Brilliant part.
Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. There response you might ask?
As long as I can get good download speed and have a large mp3 base what do I care?
Does this type of thinking occure elsewhere? I thought I worked with some bright people but they seem to think of their machines as black boxes and if they work great.
sigh.
If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
MS has been doing this for years, many tools check for updates and install them.
I noticed Need for Speed Porsche did this too.
These friendly autopatchers could all be hacked.
This is a serious risk with new subscription based services too.
The difference is: we TRUST the owners of the root servers to keep their systems secure. The owner's of KaZaA don't have the same track record.
perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.
Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.
Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.
Be afraid, be very afraid.
bash$
Well, the guy is most certainly smarter than me. I do respect him. However, rant is rant, despite the velvet on the emperor's robe. The whole text is nothing more than a rant, and conjecture. I hope his thesis papers are not written this way. It is sad when people, with good intentions, discredit themselves in this way. People don't know what they don't know. and nobody knows anything about Brilliant's sneak-ware. For him to create a thought-experiment of what he believes to be true(or false), and rant about it, doesn't afford him any credibility. So until he actually disassembles the Kazza sneakware, there is nothing to write about. The only good part of the text is his questions to ask about Kazza. The rest is hot air.
It isn't a lie if you belive it.
....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.
We do tend to idealize the past beyond its reality. Still... apathy harms.
Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???
Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.
All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.
One of the critical flaws in the process is:
How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])
I think we've pushed this "anyone can grow up to be president" thing too far.
Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:
;P
DON'T INSTALL IT TO BEGIN WITH.
tempest303, continuing his crusade to troll people that think fair use means never paying for media.
The Free desktop that Just Works
There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.
If someone writes an effective Brillant-based attack, it might contaminate most of the clients in a very short period of time. And most of them woudn't even notice, until it was too late.
Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.
If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.
It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.
Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.