Reflections on Brilliant Digital: Single Points of 0wnership
nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.
So, basically, they inadvertently created a cluster that can be hit and effectively screw everybody over.
/. points to this report and hypes the reward for the attack.
Then this guy announces that he's found the cluster and that the reward for hitting these servers is beyond that previously imagined by HaX0rs.
The
Are we just begging for the |33 to attack? Please! Please! Please cripple and disseminate viruses! Things have gotten kinda boring?
This is about as bad as the AP publishing Daniel Pearl's kidnapper's email address.
With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.
libertarianswag.com
You know, EULA or not... what Kazaa did is slimy. VERY slimy. They deceived people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.
I'm realistic... most people do not know or care of the difference, but they should.
So my question is...
What can we realistically do in order to force a bit more honesty in software providers?
In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give ( or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?
:) would be a great idea, IMO.
They could stick it in there with all the extra third-party partner software that the installer prompts you for. Combine that (the UD client) with Kazaa's user base, and that's something worthwhile.
Not trying to stray offtopic, but United Devices does something like this with cancer research.
Then again, _you_ download the client, and they don't sell the results to anyone; as I understand it they collaborate with the Dept. of Chemistry @ the University of Oxford.
Kazaa using this technology (with the consent of the user, of course
Number of aliens contacted by SETI@Home: 0
If I were part of Brilliant Digital, I would be bracing myself for lawsuits. The first DoS attack that comes from someone taking control of their trojans will open them up for big legal liability.
No matter how many "We will not be held responsible" statements they have in their license agreement, they won't be held harmless from the damage done to a third party.
When you think about it, any program that automatically goes out and updates itself could be a problem if a blackhat is able to fool the client into installing the blackhat's update.
The race isn't always to the swift... but that's the way to bet!
I'd say you would pretty much have to be insane to use any P2P client on your main PC. That's the reason I keep my Win2K partition around - I do nothing but file-sharing on it, it's chock-full of various types of spam (something even installed that GAIN nonsense), oodles of all sorts of spyware and trojans and any other crap that came with these things. So what? I use it twice a week, and it doesn't even know my email address. If things get too cumbersome, a good reinstall every few months fixes that... just like running Windows in the good old days, come to think of it ;)
sic transit gloria mundi
Actually, I would hope this does happen. Why? Because it would put the frighteners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.
It would kill EVERY SPYWARE ON THE PLANET.
----- Whats wrong with this picture? http://www.revoh.org:1234/whatswrong
The first wave of codered got a few boxes in the windowsupdate cluster. Of course, being an automated attack, it didn't use the servers for anything other than more scanning/propagation.
Of course, I would hope that the windowsupdate boxes would not have MS's private signing key on it. Both a compromise of MS's key (see: verisign stupidity), and a compromise of the windowsupdate servers have occurred, just not at the same time.
What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.
(Who'd use RHN over a modem line!?!?)
Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Well, I'm in the UK and I can't say things are much better. There was a big hoo-hah last year with the elections. Apparently turnout was somewhat low due to voter apathy.
Another problem we have is the sheep mentality. The Liberal Democrats got far fewer seats than they should have because many 'supporters' voted Labour because "we have to make sure the Tories don't get back in power". Did the fact that Labour still have a huge majority escape them? They could have safely voted Lib Dem and Labour would still have won easily. However, they wouldn't have such a powerful majority.
You're absolutely on-target with that assertion.
I tend to look at our internet and our computing power on the level of 'health.'
Software designers should understand that they aren't just writing programs any more. We're not building new calculators with cool new functions. We're writing a great deal of software that interacts with a public network that affects the lives of everyone either directly or via the health of business and information exchange.
Business and commerce are now more tightly bound to our ability to exchange, gather and disburse information as a commodity.
I'll use Microsoft as an example but it's not limited to Microsoft... Cisco could easily be used as an example of a "responsible player" but I'm illustrating an "irresponsible player" at the moment.
Microsoft in putting out unstable software on the server side (and putting out clients that include servers to unaware owners) has severely affected the health of our public internet and I believe they should be held liable and responsible for their negligence on the matter. There is no law that says "you're a criminal if you write bad software" but there is law that says you are criminally responsible if, through negligence, you have endangered public security. And in that respect, Microsoft should be held as criminally responsible for their negligence. And no amount of EULA protection should be allowed on this matter.
I suggest that Cisco wears a white hat in this simply because of reputation. They are not known for their security problems. They are not known for having 'viruses' or being vulnerable to attacks. Of course they are vulnerable. Of course they have bugs and weaknesses. But the fact that they are both huge and still manage to remain 'untargeted' is some indication that they are taking their public responsibility seriously and are successful at it.
If Microsoft behaved more like Cisco in that respect, I think the world would still be in love with Microsoft today, though not nearly as appreciated because it's not in our nature to appreciate, but to find fault and hate.
Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.
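The safer pattern behind the comment above (download to a file, check it against a digest pinned in the client, and only then execute, instead of piping "lynx -source URL | sh" straight into a root shell) as an added example; this is not code from the thread or from Ximian/Red Carpet. The installer files are constructed stand-ins for a download, and the pinned digest is computed from the known-good file here only to keep the example self-contained; in real use it would ship with the client or be published out of band.

```shell
#!/bin/sh
# Added example: verify-before-run instead of pipe-to-sh. Because the digest
# is pinned, a typo-squatted domain, a poisoned DNS answer or a swapped file
# on the mirror all produce a mismatch rather than root running the result.

# Pick a SHA-256 tool (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verified_install FILE PINNED_DIGEST
# Runs FILE and returns 0 only if its SHA-256 equals PINNED_DIGEST; otherwise
# returns 1 without executing anything. FILE stands in for the fetched
# installer (fetch to a temp file first, never straight into sh).
verified_install() {
    file=$1
    pinned=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $file: digest $actual does not match pinned $pinned" >&2
        return 1
    fi
    sh "$file"
}

# Constructed stand-ins: a known-good installer and a tampered copy that a
# typo domain (go-gnom.org in the comment above) might have served instead.
WORK=$(mktemp -d)
GOOD="$WORK/go-gnome.sh"
TAMPERED="$WORK/go-gnom.sh"
printf '%s\n' '#!/bin/sh' 'echo "installing desktop packages"' > "$GOOD"
printf '%s\n' '#!/bin/sh' 'echo "installing desktop packages"' \
    'echo "plus something the user did not ask for"' > "$TAMPERED"
# Pinned digest (assumption: taken from the known-good file for this example).
PINNED=$(sha256_of "$GOOD")

verified_install "$GOOD" "$PINNED"                 # runs the installer
verified_install "$TAMPERED" "$PINNED" || echo "tampered copy rejected"
```

The same shape applies to a signed manifest: replace the digest comparison with a signature check against a public key compiled into the client, so the trust does not rest on the DNS answer at all.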
Automagic updates are all well and good, as long as there's good authentication, preferably good encryption, and at least some amount of "Hey, User, you want to install this?" with the default being [Yes], not no, and of course a pointer to more information.
Brilliant here has (apparently?) done away with all three. They just do it (like Nike), and from the sound of the article, they are not even very secure about the way they do it.
The reassuring thing (for the moment) is that so far these tactics of behind-the-scenes trojans have been confined to leaf nodes - to my knowledge, no routers etc. have had this kind of shit happen to them. As long as the major routing backbones of the internet never become 0wned, there's a modicum of hope for restoring order to the network (banning IPs at the fringes of the backbones until they shape up?) should an emergency occur (banning IPs always scared me, so I don't necessarily like that solution, but it's the easiest and the one that jumped to mind first. I'm sure people more clever than I can think of better ones).
OTOH, 1M fringe nodes can, as the article says, be unstoppable. If somebody were truly evil and wrote a decentralized worm (never called home, only talked with other copies of itself), it would be incredibly hard to stop such a beast, and the DDOS commands could be given in an anonymous, untrackable way (can anybody imagine the worms playing Dining Cryptographers? ^_^) [Dining Cryptographers would be anonymous as long as the line wasn't tapped. And I'm sure with some good encryption over the links, it'd be anonymous for all practical purposes anyway.]
Y'know, as bad as it'd be, I'd want to see such a worm (just its source, I *swear* - I'm not about to go risking the internet's well-being - you have to admit it'd be an interesting read). Maybe the vx community has something similar as a proof of concept?
-Knots
Anarchy$ dd if=/dev/random of=~/.signature bs=120 count=1
The quote from the tablet to which you were referring:
"The Earth is degenerating these days. Bribery and corruption abound. Children no longer mind their parents, every man wants to write a book, and it is evident that the end of the world is fast approaching." - Assyrian stone tablet, c.2800bc
- j
That was an excellent comment. The idea of wisdom and vision you mentioned seems to me most easily summarized, however, in the concept of independence or autonomous living, which requires both wisdom and will.
Early in American history, Jefferson praised the independent spirit, especially as found in the character of American farmers who provided for themselves with initiative and spirit; these same sort of men fought for independence during the American revolution. Horkheimer, Adorno, Marcuse, and others in twentieth century America lamented the common man's decline of interest in autonomous life as administered existence began to provide a higher standard of living -- people in general would rather be taken care of and have comfort than have to think and act for themselves.
As another poster pointed out, we always tend to idealize the past; in this case, however, we see a clear regression. The average Joe is becoming less and less autonomous, more and more childlike, in response to the increased allure of a higher standard of living.
To be specific (and to avoid that offtopic mod), man once made music for himself -- he sang, he played instruments, he created. Then came written musical notation, which allowed him to copy others' inventions by playing or singing songs he may never have heard; still he was making the sounds himself. Next, recorded music allowed him to spin a record/pop in a cassette/play a CD or .mp3 without any act of creation or imagination. Kazaa (and Napster before it) made procuring these mass-produced commodities, no longer created by artisans per se but produced by a recording/culture industry, even easier -- he didn't have to pay for them or even leave the comfort of his desk.
In return, he has sacrificed various freedoms, by which I mean his power over the music. First, he gave up the power of creativity; now, he gives up the power over his own computer's spare CPU cycles. Our user gets easier downloading, but he surrenders control over part of his computer and (possibly) renders himself open to attack by hackers. Taken collectively as a society of freeloaders, we may be risking a chunk of the internet for easy .mp3 pirating.
This is not wisdom, and it is not independence. Those who read Slashdot are likely not covered here -- Slashdot readers tend to be the ones who build their own boxen, who write their own code, who value privacy and who see the importance of doing for oneself. Slashdotters tend to be autonomous. The majority, however, are heteronomous: willing to surrender their independence and unwisely to make unknown risks for the sake of allegedly "better" living through false needs, such as 100-gigabyte hoards of Britney Spears and NSYNC .mp3's.
Meanwhile, the recording industry attempts to take from us the right to fair use of what we have bought legally. Between our own childishness and their greed, we risk our computers and whatever increased standard of living mass-produced music has brought us. Beautiful.
This is the progress of Jefferson's America: from our forefathers' earning with their blood the right of liberty, to surrendering freedoms so we can steal the latest Backstreet Boys hit. It almost makes me want to cheer for the RIAA -- hoping that if they win, they'll shoot themselves in the foot by forcing cheapskates like myself, and many others, to go make music instead of consuming it.
Not that ranting here is going to help things a bit -- the unwashed and .mp3-hoarding masses won't listen anyway, and most don't read Slashdot. I'm done venting now.
I say hit 'em, and hit 'em hard...let them know what we think.
To paraphrase Malcolm X,
We didn't land on your advertising, you crammed your advertising down our throats without asking, bitches
Beer, now there's a temporary solution -- Homer Jay S.
They got a very bad press from the lemmings, and the lemmings clearly just thought they were another bunch of lemmings with their own cliff. Since most people get their data from the Lemming Press (TM), they assumed that they might as well follow the blind man in front of them, rather than another, probably blind, man somewhere else. This is not surprising. America was founded by a bunch of rebels, and let's face it, they are mainstream lemmings now!
The main difference between now and "the good old days" is that there is no longer anywhere you can go that is out of reach of lemming based civilisation. Even the Taliban's rather foolish attempt failed, and let's face it, they were armed and dangerous. You won't get far with a VW bus and some magic mushrooms today - but at least you can download "The Grateful Dead" with Kazaa.
Anybody know if "The Furry Freak Brothers" and "Fat Freddy's Cat" comics are available online?
Sent from my ASR33 using ASCII