Slashdot Mirror


Reflections on Brilliant Digital: Single Points of 0wnership

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.

10 of 278 comments

  1. Doesn't XP already do this? by bc90021 · · Score: 4, Interesting

    With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.

  2. Sleeze. by mindstrm · · Score: 4, Interesting

    You know, EULA or not... what Kazaa did is slimy. VERY slimy. They deceived people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.

    I'm realistic... most people do not know or care of the difference, but they should.

    So my question is...

    What can we realistically do in order to force a bit more honesty in software providers?

  3. Re:Idiocy upon Idiocy by Hektor_Troy · · Score: 3, Interesting

    So you want security through obscurity?

    If this guy figured it out, don't you think there's at least a moderate chance, that some |33 h@x0r figured it out as well?

    By going public, and as a neat bonus having /. place the story on the front page, Nicholas Weaver is essentially forcing the people behind Brilliant Digital to fix their security problems ASAP.

    If they choose not to do anything, Brilliant can't claim that they didn't know about it if/when some |33 h@x0r hijacks 2 million computers and wreaks havoc on every single US government site just for fun, and they will (at the very least should) be held accountable as aiding and abetting terrorist activities, by not fixing the problems when they had the chance.

    Security through obscurity is like not telling the world about AIDS. There's no cure for AIDS, so there's no need to tell people to be careful, because that would not cure AIDS.

    --
    We do not live in the 21st century. We live in the 20 second century.
  4. Re:Dumb..Very Dumb by glwtta · · Score: 3, Interesting

    I'd say you would pretty much have to be insane to use any P2P client on your main PC. That's the reason I keep my Win2K partition around - I do nothing but file-sharing on it, it's chock-full of various types of spam (something even installed that GAIN nonsense), oodles of all sorts of spyware and trojans and any other crap that came with these things. So what? I use it twice a week, and it doesn't even know my email address. If things get too cumbersome, a good reinstall every few months fixes that... just like running Windows in the good old days, come to think of it ;)

    --
    sic transit gloria mundi
  5. Hmmm.. by ZaneMcAuley · · Score: 3, Interesting

    Actually, I would hope this does happen. Why? Because it would put the frighteners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.

    It would kill EVERY SPYWARE ON THE PLANET.

    --
    ----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
  6. Not just KaZaA! by mcrbids · · Score: 3, Interesting

    What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.

    (Who'd use RHN over a modem line!?!?)

    Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  7. Re:Cooperation is key by erroneus · · Score: 3, Interesting

    You're absolutely on-target with that assertion.

    I tend to look at our internet and our computing power on the level of 'health.'

    Software designers should understand that they aren't just writing programs any more. We're not building new calculators with cool new functions. We're writing a great deal of software that interacts with a public network that affects the lives of everyone either directly or via the health of business and information exchange.

    Business and commerce are now more tightly bound to our ability to exchange, gather and disburse information as a commodity.

    I'll use Microsoft as an example but it's not limited to Microsoft... Cisco could easily be used as an example of a "responsible player" but I'm illustrating an "irresponsible player" at the moment.

    Microsoft, in putting out unstable software on the server side (and putting out clients that include servers to unaware owners), has severely affected the health of our public internet, and I believe they should be held liable and responsible for their negligence on the matter. There is no law that says "you're a criminal if you write bad software", but there is law that says you are criminally responsible if, through negligence, you have endangered public security. And in that respect, Microsoft should be held as criminally responsible for their negligence. And no amount of EULA protection should be allowed on this matter.

    I suggest that Cisco wears a white hat in this simply because of reputation. They are not known for their security problems. They are not known for having 'viruses' or being vulnerable to attacks. Of course they are vulnerable. Of course they have bugs and weaknesses. But the fact that they are both huge and still manage to remain 'untargeted' is some indication that they are taking their public responsibility seriously and are successful at it.

    If Microsoft behaved more like Cisco in that respect, I think the world would still be in love with Microsoft today, though not nearly as appreciated, because it's not in our nature to appreciate, but to find fault and hate.

  8. Ximian Install and RedCarpet are the same by psychosis · · Score: 4, Interesting

    Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
    Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
    Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
    Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.
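The two checks the comment above reaches for (is the update really coming from the host I meant, and is the content what the publisher shipped) can be made explicit in the updater instead of left to the person at the keyboard. The following is an added example for this discussion, not code from Ximian, RedCarpet or any other project named in the thread: an update is accepted only if its origin is on a pinned host allow-list and its SHA-256 matches a digest obtained out of band. The host name, the sample script and the pinned digest are all constructed for illustration; a real deployment would ship the pinned value with the installer or verify it under a signing key.

```python
"""Pinned-origin and pinned-digest checks before an update may execute.

Added example for this thread, not a project's own code. The allow-list,
the sample payload and the "pinned" digest are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Hosts the updater is allowed to fetch from. Constructed allow-list; a typo
# domain of the kind the poster worries about is simply not on it, so the
# check fails closed rather than trusting whoever registered the lookalike.
ALLOWED_HOSTS = frozenset({"updates.example.org"})


def origin_is_allowed(url: str) -> bool:
    """Reject any URL whose scheme is not https or whose host is not pinned."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "") in ALLOWED_HOSTS


def digest_matches(payload: bytes, pinned_hex: str) -> bool:
    """Compare the payload's SHA-256 against a digest pinned out of band.

    The pinned value must come from somewhere other than the download server.
    A digest fetched from the same server as the payload only shows that the
    server is consistent with itself, which is exactly the property that fails
    when that server is the single point of compromise the article describes.
    """
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; both sides are ASCII hex strings.
    return hmac.compare_digest(actual, pinned_hex.lower())


def verify_update(url: str, payload: bytes, pinned_hex: str) -> bool:
    """True only when both the origin check and the content check pass.

    Only a payload that passes this gate should be handed to the shell;
    this replaces the `fetch | sh` pattern with fetch, verify, then run.
    """
    return origin_is_allowed(url) and digest_matches(payload, pinned_hex)


# --- constructed sample data -------------------------------------------------
# A harmless stand-in for an installer script.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installing example package'\n"
# Stands in for a digest the administrator obtained out of band (e.g. from
# release notes); computed here only so the example is self-contained.
SAMPLE_PINNED = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()

if __name__ == "__main__":
    good_url = "https://updates.example.org/install.sh"
    typo_url = "https://updates.exmaple.org/install.sh"   # constructed lookalike
    print("genuine   :", verify_update(good_url, SAMPLE_SCRIPT, SAMPLE_PINNED))
    print("tampered  :", verify_update(good_url, SAMPLE_SCRIPT + b"echo extra\n", SAMPLE_PINNED))
    print("typo host :", verify_update(typo_url, SAMPLE_SCRIPT, SAMPLE_PINNED))
    print("plain http:", verify_update(good_url.replace("https", "http", 1), SAMPLE_SCRIPT, SAMPLE_PINNED))
```

The origin check addresses the DNS-verification the poster did by hand; the digest check is the part that still holds when the real server is serving a substituted file, provided the pinned digest did not come from that same server.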

  9. Re:Dumb..Very Dumb by iso · · Score: 3, Interesting

    The quote from the tablet to which you were referring:

    "The Earth is degenerating these days. Bribery and corruption abound. Children no longer mind their parents, every man wants to write a book, and it is evident that the end of the world is fast approaching." - Assyrian stone tablet, c. 2800 BC

    - j

  10. Re:Dumb..Very Dumb by Telemakhos · · Score: 3, Interesting

    That was an excellent comment. The idea of wisdom and vision you mentioned seems to me most easily summarized, however, in the concept of independence or autonomous living, which requires both wisdom and will.

    Early in American history, Jefferson praised the independent spirit, especially as found in the character of American farmers who provided for themselves with initiative and spirit; these same sort of men fought for independence during the American revolution. Horkheimer, Adorno, Marcuse, and others in twentieth century America lamented the common man's decline of interest in autonomous life as administered existence began to provide a higher standard of living -- people in general would rather be taken care of and have comfort than have to think and act for themselves.

    As another poster pointed out, we always tend to idealize the past; in this case, however, we see a clear regression. The average Joe is becoming less and less autonomous, more and more childlike, in response to the increased allure of a higher standard of living.

    To be specific (and to avoid that offtopic mod), man once made music for himself -- he sang, he played instruments, he created. Then came written musical notation, which allowed him to copy others' inventions by playing or singing songs he may never have heard; still he was making the sounds himself. Next, recorded music allowed him to spin a record/pop in a cassette/play a CD or .mp3 without any act of creation or imagination. Kazaa (and Napster before it) made procuring these mass-produced commodities, no longer created by artisans per se but produced by a recording/culture industry, even easier -- he didn't have to pay for them or even leave the comfort of his desk.

    In return, he has sacrificed various freedoms, by which I mean his power over the music. First, he gave up the power of creativity; now, he gives up the power over his own computer's spare CPU cycles. Our user gets easier downloading, but he surrenders control over part of his computer and (possibly) renders himself open to attack by hackers. Taken collectively as a society of freeloaders, we may be risking a chunk of the internet for easy .mp3 pirating.

    This is not wisdom, and it is not independence. Those who read Slashdot are likely not covered here -- Slashdot readers tend to be the ones who build their own boxen, who write their own code, who value privacy and who see the importance of doing for oneself. Slashdotters tend to be autonomous. The majority, however, are heteronomous: willing to surrender their independence and unwisely to make unknown risks for the sake of allegedly "better" living through false needs, such as 100-gigabyte hoards of Britney Spears and NSYNC .mp3's.

    Meanwhile, the recording industry attempts to take from us the right to fair use of what we have bought legally. Between our own childishness and their greed, we risk our computers and whatever increased standard of living mass-produced music has brought us. Beautiful.

    This is the progress of Jefferson's America: from our forefathers' earning with their blood the right of liberty, to surrendering freedoms so we can steal the latest Backstreet Boys hit. It almost makes me want to cheer for the RIAA -- hoping that if they win, they'll shoot themselves in the foot by forcing cheapskates like myself, and many others, to go make music instead of consuming it.

    Not that ranting here is going to help things a bit -- the unwashed and .mp3-hoarding masses won't listen anyway, and most don't read Slashdot. I'm done venting now.