Slashdot Mirror


Reflections on Brilliant Digital: Single Points of 0wnership

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.

15 of 278 comments

  1. Dumb..Very Dumb by DCram · · Score: 4, Insightful

    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. Their response, you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occur elsewhere? I thought I worked with some bright people, but they seem to think of their machines as black boxes, and if they work, great.

    sigh.

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
    1. Re:Dumb..Very Dumb by Anonymous Coward · · Score: 3, Insightful

      This thinking happens everywhere. People don't give a damn until something bad happens -- until they get owned. Everything is perfect until the day the world actually falls apart - even though it has been happening for a matter of years - everything is fine until the day it happens. That's the kind of thinking.

      _
      WINDOWS USERS CLICK HERE!

    2. Re:Dumb..Very Dumb by erroneus · · Score: 4, Insightful

      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term effects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!

    3. Re:Dumb..Very Dumb by Broccolist · · Score: 5, Insightful

      I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

      An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

      People aren't really getting more ignorant: we're more educated than at any time in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

  2. Already Exists by nuggz · · Score: 4, Insightful

    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.

  3. Re:Any comments? by Slash+Veteran · · Score: 5, Insightful

    I mean, if I were to attack the Internet root dns servers couldn't that cause all sorts of problems

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owners of KaZaA don't have the same track record.

  4. preview misleading... by kritikal · · Score: 4, Insightful

    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.

    1. Re:preview misleading... by JetScootr · · Score: 3, Insightful

      With rapid changes in technology, security is a matter of timing, not an absolute. Make it as secure as technology allows today, and it's just a matter of time - weeks or months, seldom years - until the security is easily cracked or is completely broken.
      Because of this, and the logistics inherent in updating the security on 20+ million PCs, you get the MSIE / Outlook Express situation.
      The author's comment about "single point of ownership" is valid no matter what security is used on this.

      --
      Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.

  5. Expect more of this! by MavEtJu · · Score: 5, Insightful

    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.

    --
    bash$ :(){ :|:&};:

  6. Re:The post is a rant! by JDizzy · · Score: 3, Insightful

    Well, the guy is most certainly smarter than me. I do respect him. However, a rant is a rant, despite the velvet on the emperor's robe. The whole text is nothing more than a rant, and conjecture. I hope his thesis papers are not written this way. It is sad when people, with good intentions, discredit themselves in this way. People don't know what they don't know. And nobody knows anything about Brilliant's sneak-ware. For him to create a thought-experiment of what he believes to be true (or false), and rant about it, doesn't afford him any credibility. So until he actually disassembles the Kazaa sneakware, there is nothing to write about. The only good part of the text is his questions to ask about Kazaa. The rest is hot air.

    --
    It isn't a lie if you believe it.

  7. Re:Dumb..Very Dumb (mod parent up!) by erroneus · · Score: 3, Insightful

    ....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.

    We do tend to idealize the past beyond its reality. Still... apathy harms.

  8. Information overload by HiThere · · Score: 4, Insightful

    The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

    Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

    Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

    All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

    One of the critical flaws in the process is:

    How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

    1. Re:Information overload by alcmena · · Score: 3, Insightful

      How does one choose trustworthy authorities?

      I like the idea of political duty. Think of it like jury duty, only longer. It basically states that random people will be picked to serve as politicians (house members, senate members, etc.) for a period of time. They are then released and a new crop is picked. There are many problems with this, but there are many problems with the way things are done now.

      If the political duty was truly random, the views of the population are more likely to be represented. Though it would take a lot of effort to ensure the process is random and is not corrupted.

  9. Solution to the Kazaa problem by tempest303 · · Score: 3, Insightful

    Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:

    DON'T INSTALL IT TO BEGIN WITH. ;P

    tempest303, continuing his crusade to troll people that think fair use means never paying for media.

  10. The guy is right. It's serious. by Animats · · Score: 5, Insightful

    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing.) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brilliant-based attack, it might contaminate most of the clients in a very short period of time. And most of them wouldn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.
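As an added illustration of the push-versus-pull propagation argument in the comment above (my own example, not code from the post, from Slashdot or from Brilliant Digital), the following Python model spreads a payload from one client across a constructed peer topology under both delivery modes and reports how many rounds a defender has before a given share of the fleet holds it; the topology, client count and per-round request rate are assumptions.

```python
import random


def make_peer_graph(n, extra_peers, seed):
    """Constructed sample topology: clients sit on a ring (so the graph is always
    connected) and each additionally knows `extra_peers` random clients; links are
    symmetric, as in a peer-to-peer client that remembers who it has talked to."""
    rng = random.Random(seed)
    peers = {i: {(i - 1) % n, (i + 1) % n} for i in range(n)}
    for i in range(n):
        for j in rng.sample(range(n), extra_peers):
            if j != i:
                peers[i].add(j)
                peers[j].add(i)
    return peers


def propagation_curve(peers, mode, request_rate=0.05, seed=0, max_rounds=1000):
    """Spread a payload from client 0 and return the per-round count of clients
    holding it, stopping when every client has it or max_rounds is reached.
    "push": every client holding the payload forwards it to all its peers each round
            (the auto-update model described in the comment).
    "pull": a client only asks its peers for content when its user happens to request
            something (probability request_rate per round) and receives the payload
            only if one of those peers already holds it (Gnutella/Freenet style)."""
    rng = random.Random(seed)
    have = {0}
    curve = [len(have)]
    while len(have) < len(peers) and len(curve) <= max_rounds:
        if mode == "push":
            new = set().union(*(peers[c] for c in have))
        elif mode == "pull":
            new = {c for c in peers if c not in have
                   and rng.random() < request_rate and peers[c] & have}
        else:
            raise ValueError(f"unknown mode {mode!r}")
        have |= new
        curve.append(len(have))
    return curve


def rounds_until(curve, fraction, n):
    """Rounds a defender has before `fraction` of the n clients hold the payload
    (None if that share is never reached within the simulated rounds)."""
    for r, count in enumerate(curve):
        if count >= fraction * n:
            return r
    return None


if __name__ == "__main__":
    graph = make_peer_graph(200, 2, seed=1)
    for mode in ("push", "pull"):
        curve = propagation_curve(graph, mode)
        print(f"{mode}: {curve[-1]}/200 clients after {len(curve) - 1} rounds; "
              f"half the fleet reached at round {rounds_until(curve, 0.5, 200)}")
```

Because the pull model can only ever deliver to a subset of the clients the push model reaches in the same round, its coverage curve never exceeds the push curve, whatever seed or request rate is used.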