Slashdot Mirror


Reflections on Brilliant Digital: Single Points of 0wnership

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.

37 of 278 comments

  1. Dumb..Very Dumb by DCram · · Score: 4, Insightful

    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. Their response, you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occur elsewhere? I thought I worked with some bright people, but they seem to think of their machines as black boxes, and if they work, great.

    sigh.

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
    1. Re:Dumb..Very Dumb by Anonymous Coward · · Score: 3, Insightful

      This thinking happens everywhere. People don't give a damn until something bad happens -- until they get owned. Everything is perfect until the day the world actually falls apart - even though it has been happening for a matter of years - everything is fine until the day it happens. That's the kind of thinking.

      _
      WINDOWS USERS CLICK HERE!

    2. Re:Dumb..Very Dumb by glwtta · · Score: 3, Interesting

      I'd say you would pretty much have to be insane to use any P2P client on your main PC. That's the reason I keep my Win2K partition around - I do nothing but file-sharing on it, it's chock-full of various types of spam (something even installed that GAIN nonsense), oodles of all sorts of spyware and trojans and any other crap that came with these things. So what? I use it twice a week, and it doesn't even know my email address. If things get too cumbersome, a good reinstall every few months fixes that... just like running Windows in the good old days, come to think of it ;)

      --
      sic transit gloria mundi
    3. Re:Dumb..Very Dumb by erroneus · · Score: 4, Insightful

      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term effects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!

    4. Re:Dumb..Very Dumb by Broccolist · · Score: 5, Insightful
      I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

      An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

      People aren't really getting more ignorant: we're more educated than at anytime in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

    5. Re:Dumb..Very Dumb by iso · · Score: 3, Interesting

      The quote from the tablet to which you were referring:

      "The Earth is degenerating these days. Bribery and corruption abound. Children no longer mind their parents, every man wants to write a book, and it is evident that the end of the world is fast approaching." - Assyrian stone tablet, c.2800bc

      - j

    6. Re:Dumb..Very Dumb by Telemakhos · · Score: 3, Interesting

      That was an excellent comment. The idea of wisdom and vision you mentioned seems to me most easily summarized, however, in the concept of independence or autonomous living, which requires both wisdom and will.

      Early in American history, Jefferson praised the independent spirit, especially as found in the character of American farmers who provided for themselves with initiative and spirit; these same sort of men fought for independence during the American revolution. Horkheimer, Adorno, Marcuse, and others in twentieth century America lamented the common man's decline of interest in autonomous life as administered existence began to provide a higher standard of living -- people in general would rather be taken care of and have comfort than have to think and act for themselves.

      As another poster pointed out, we always tend to idealize the past; in this case, however, we see a clear regression. The average Joe is becoming less and less autonomous, more and more childlike, in response to the increased allure of a higher standard of living.

      To be specific (and to avoid that offtopic mod), man once made music for himself -- he sang, he played instruments, he created. Then came written musical notation, which allowed him to copy others' inventions by playing or singing songs he may never have heard; still he was making the sounds himself. Next, recorded music allowed him to spin a record/pop in a cassette/play a CD or .mp3 without any act of creation or imagination. Kazaa (and Napster before it) made procuring these mass-produced commodities, no longer created by artisans per se but produced by a recording/culture industry, even easier -- he didn't have to pay for them or even leave the comfort of his desk.

      In return, he has sacrificed various freedoms, by which I mean his power over the music. First, he gave up the power of creativity; now, he gives up the power over his own computer's spare CPU cycles. Our user gets easier downloading, but he surrenders control over part of his computer and (possibly) renders himself open to attack by hackers. Taken collectively as a society of freeloaders, we may be risking a chunk of the internet for easy .mp3 pirating.

      This is not wisdom, and it is not independence. Those who read Slashdot are likely not covered here -- Slashdot readers tend to be the ones who build their own boxen, who write their own code, who value privacy and who see the importance of doing for oneself. Slashdotters tend to be autonomous. The majority, however, are heteronomous: willing to surrender their independence and unwisely to make unknown risks for the sake of allegedly "better" living through false needs, such as 100-gigabyte hoards of Britney Spears and NSYNC .mp3's.

      Meanwhile, the recording industry attempts to take from us the right to fair use of what we have bought legally. Between our own childishness and their greed, we risk our computers and whatever increased standard of living mass-produced music has brought us. Beautiful.

      This is the progress of Jefferson's America: from our forefathers' earning with their blood the right of liberty, to surrendering freedoms so we can steal the latest Backstreet Boys hit. It almost makes me want to cheer for the RIAA -- hoping that if they win, they'll shoot themselves in the foot by forcing cheapskates like myself, and many others, to go make music instead of consuming it.

      Not that ranting here is going to help things a bit -- the unwashed and .mp3-hoarding masses won't listen anyway, and most don't read Slashdot. I'm done venting now.

  2. Already Exists by nuggz · · Score: 4, Insightful

    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.

    1. Re:Already Exists by cscx · · Score: 4, Informative

      No, see, Windows Update has security signatures on all of its packages. Plus, you are discounting that the auto-update feature is only available on Windows ME and XP, and even so, it doesn't automatically install updates unless you explicitly set it to. That really narrows down the population. Don't forget all the corporate users who are subject to Windows Update corporate edition, where the admin decides which updates to install.

      On the other hand, how many people are running Kazaa in comparison (on Win95, for example)? A lot more. What is worrisome is the corporate user running Kazaa behind an improperly set firewall. If he is on a large pipe, that can spell trouble. Imagine that problem multiplied by the number of users running Kazaa. Can you say "imagine a Beowulf cluster of DoS zombies?"

  3. The good side by InsaneCreator · · Score: 4, Funny

    Maybe we could "attack" everyone with Outlook Express/IE patches, so we finally stop receiving all those self-forwarding worms in our e-mail.

  4. Re:Any comments? by Slash+Veteran · · Score: 5, Insightful
    I mean, if I were to attack the Internet root dns servers couldn't that cause all sorts of problems

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owners of KaZaA don't have the same track record.

  5. Re:Any comments? by DCram · · Score: 5, Informative

    From the article the other day on root DNS servers.
    Story
    For the "internet" to be greatly affected multiple root servers must be brought down.

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
  6. Good for them by knuu · · Score: 5, Funny

    I think I understand their plan now:

    1. Plant stupid spamware on a gazillion computers worldwide

    2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.

    3. Profit!

    Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*

    1. Re:Good for them by screwballicus · · Score: 5, Funny

      Dr. Evil: Gentlemen, it's come to my attention that a malicious distributed computing scheme called Brilliant Digital will be setting into motion their trojan in a few days. Here's the plan. We R00T their server, and we hold the world ransom...
      (dramatic pause)
      Dr. Evil: ...FOR ONE MILLION DOLLARS!

      Number Two: Don't you think we should ask for more than a million dollars? A million dollars isn't that much money these days.

      Dr. Evil: All right then...
      (dramatic pause)
      Dr. Evil: ...FIVE MILLION DOLLARS!

      (uncomfortable pause)

      Number Two: Jon Katz alone makes over nine billion dollars a year.

      Dr. Evil: Oh, really?
      Dr. Evil: One-hundred billion dollars.
      (pause)
      Dr. Evil: OK, make it happen. Anything else?

    2. Re:Good for them by s20451 · · Score: 4, Funny

      start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!"

      Or, in the immortal words of Jeff K., "HAHAHHAHHAHAHHAHHAHAHAHAHAH HOW DO YUO LIEK THEM APPALS FELLOWS?!? GRABUALsA!!!!"

      --
      Toronto-area transit rider? Rate your ride.
  7. preview misleading... by kritikal · · Score: 4, Insightful

    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.

    1. Re:preview misleading... by JetScootr · · Score: 3, Insightful

      With rapid changes in technology, Security is a matter of timing, not an absolute. Make it as secure as technology allows today, and it's just a matter of time - weeks or months, seldom years - until the security is easily cracked or is completely broken.
      Combine this with the logistics inherent in updating the security on 20+ million PCs, and you get the MSIE / Outlook Express situation.
      The author's comment about "single point of ownership" is valid no matter what security is used on this.

      --
      Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
  8. Doesn't XP already do this? by bc90021 · · Score: 4, Interesting

    With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.

    1. Re:Doesn't XP already do this? by Anonymous Coward · · Score: 3, Informative

      That's certainly a security risk with XP; basically they've extended RDP (which was available in W2K Server) onto the desktop. From an administration point of view this is a god-send. Additionally, I would note that by default RDP is not enabled on systems, and by default when you enable it, it's to allow someone you know to access your system, to whom you send an e-mail with a special link/key and then give them a password through a separate (we hope secure... but that's the end user's own issue) method. So far I haven't seen any proof-of-concepts for a server compromise via RDP, and realistically speaking, this is a lot like SSH is to *nix... it gives you access to the 'command line' of Windows... the GUI... Certainly RDP is a security risk for everyone running it, but so is connecting to the Internet - from what I've seen there are many more, much larger vulnerabilities in M$ products than this one poses.

  9. Sleeze. by mindstrm · · Score: 4, Interesting

    You know, EULA or not... what Kazaa did is slimy. VERY slimy. They deceived people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.

    I'm realistic... most people do not know or care of the difference, but they should.

    So my question is...

    What can we realistically do in order to force a bit more honesty in software providers?

  10. Re:MS Windows isn't installed on millions of PCs? by CrackerJackz · · Score: 5, Funny

    True (and believe me, this is hard for me to say this next sentence...), I put more trust in Microsoft's updater than Brilliant's... ick, I can't believe I just said that :)

  11. What can we conclude? by sam_handelman · · Score: 5, Funny

    As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.

    This is all too true. Therefore, given Brilliant Digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.

    They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.

    Basically, we can divide the possible real evil plans into three categories:
    1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

    2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.

    3) Astronomical. I know that if I had the computing power of fifteen million consumer-level CPUs at my disposal, I'd use it to pull the moon into the earth. 'nuff said.

    Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  12. Re:Idiocy upon Idiocy by Hektor_Troy · · Score: 3, Interesting

    So you want security through obscurity?

    If this guy figured it out, don't you think there's at least a moderate chance, that some |33 h@x0r figured it out as well?

    By going public, and as a neat bonus having /. place the story on the front page, Nicholas Weaver is essentially forcing the people behind Brilliant Digital to fix their security problems ASAP.

    If they choose not to do anything, Brilliant can't claim that they didn't know about it if/when some |33 h@x0r hijacks 2 million computers and wreaks havoc on every single US government site just for fun, and they will (or at the very least should) be held accountable as aiding and abetting terrorist activities, by not fixing the problems when they had the chance.

    Security through obscurity is like not telling the world about AIDS. There's no cure for AIDS, so there's no need to tell people to be careful, because that would not cure AIDS.

    --
    We do not live in the 21st century. We live in the 20 second century.
  13. Re:what nonsense by FrostyWheaton · · Score: 3, Informative

    How does it affect me, when I haven't installed the program?

    The answer to this question is painfully simple: You are connected to and attempting to use the same network. Internet users, Slashdot readers especially, should appreciate the effect that (tens/hundreds of) thousands of "other people" can have on such a network.

    " You're telling me that if they get hacked, the entire Internet is at the mercy of the hackers. Why is that?"

    Because the actions of millions of compromised machines have the ability to bring Internet traffic to a standstill. Millions of boxes, spread throughout the world, all participating in a coordinated DoS attack, would be, as the article states, "unstoppable".

    --
    Comments should be like skirts. Short enough to keep your attention, but long enough to cover the subject
  14. Hmmm.. by ZaneMcAuley · · Score: 3, Interesting

    Actually, I would hope this does happen. Why? Because it would put the frighteners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.

    It would kill EVERY SPYWARE ON THE PLANET.

    --
    ----- What's wrong with this picture? http://www.revoh.org:1234/whatswrong
  15. This all applies to Grokster as well by markh1967 · · Score: 3, Informative

    Just to make people aware that the trojan is also distributed with other FastTrack browsers such as Grokster. It is not just confined to KaZaa. I've never downloaded or installed KaZaa but I am running Grokster (with the spyware removed and a dummy Cydoor DLL in place) and I was infected as well. If you're running Grokster, check out your Windows directory. If there's a folder in there called BDE and you aren't running the Borland Database Engine, then you're infected as well.

    --
    Input error. Replace user and press any key to continue.
  16. Not just KaZaA! by mcrbids · · Score: 3, Interesting

    What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.

    (Who'd use RHN over a modem line!?!?)

    Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  17. Re:Cooperation is key by erroneus · · Score: 3, Interesting

    You're absolutely on-target with that assertion.

    I tend to look at our internet and our computing power on the level of 'health.'

    Software designers should understand that they aren't just writing programs any more. We're not building new calculators with cool new functions. We're writing a great deal of software that interacts with a public network that affects the lives of everyone either directly or via the health of business and information exchange.

    Business and commerce are now more tightly bound to our ability to exchange, gather and disburse information as a commodity.

    I'll use Microsoft as an example but it's not limited to Microsoft... Cisco could easily be used as an example of a "responsible player" but I'm illustrating an "irresponsible player" at the moment.

    Microsoft, in putting out unstable software on the server side (and putting out clients that include servers to unaware owners), has severely affected the health of our public Internet, and I believe they should be held liable and responsible for their negligence on the matter. There is no law that says "you're a criminal if you write bad software", but there is law that says you are criminally responsible if, through negligence, you have endangered public security. And in that respect, Microsoft should be held as criminally responsible for their negligence. And no amount of EULA protection should be allowed on this matter.

    I suggest that Cisco wears a white hat in this simply because of reputation. They are not known for their security problems. They are not known for having 'viruses' or being vulnerable to attacks. Of course they are vulnerable. Of course they have bugs and weaknesses. But the fact that they are huge and still manage to remain 'untargeted' is some indication that they are taking their public responsibility seriously and are successful at it.

    If Microsoft behaved more like Cisco in that respect, I think the world would still be in love with Microsoft today, though not nearly as appreciated, because it's not in our nature to appreciate, but to find fault and hate.

  18. Expect more of this! by MavEtJu · · Score: 5, Insightful

    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.

    --
    bash$ :(){ :|:&};:
  19. Re:Bah - hack Windows Update by evilquaker · · Score: 3, Informative
    MS-bashing aside, I am certain that Microsoft has taken all reasonable precautions...

    Why would you expect that? Recall that Windows Update got infected with Code Red, even though a security fix was available a month earlier...

    --
    To within half a percent, pi seconds is a nanocentury. -- Tom Duff
  20. Ximian Install and RedCarpet are the same by psychosis · · Score: 4, Interesting

    Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
    Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
    Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
    Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.

  21. Re:The post is a rant! by JDizzy · · Score: 3, Insightful

    Well, the guy is most certainly smarter than me. I do respect him. However, rant is rant, despite the velvet on the emperor's robe. The whole text is nothing more than a rant, and conjecture. I hope his thesis papers are not written this way. It is sad when people, with good intentions, discredit themselves in this way. People don't know what they don't know. And nobody knows anything about Brilliant's sneak-ware. For him to create a thought-experiment of what he believes to be true (or false), and rant about it, doesn't afford him any credibility. So until he actually disassembles the Kazaa sneakware, there is nothing to write about. The only good part of the text is his questions to ask about Kazaa. The rest is hot air.

    --
    It isn't a lie if you believe it.
  22. Re:Dumb..Very Dumb (mod parent up!) by erroneus · · Score: 3, Insightful

    ....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.

    We do tend to idealize the past beyond its reality. Still... apathy harms.

  23. Information overload by HiThere · · Score: 4, Insightful
    The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

    Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

    Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

    All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

    One of the critical flaws in the process is:

    How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
    1. Re:Information overload by alcmena · · Score: 3, Insightful

      How does one choose trustworthy authorities?

      I like the idea of political duty. Think of it like jury duty, only longer. It basically states that random people will be picked to serve as politicians (house members, senate members, etc.) for a period of time. They are then released and a new crop is picked. There are many problems with this, but there are many problems with the way things are done now.

      If the political duty was truly random, the views of the population are more likely to be represented. Though it would take a lot of effort to ensure the process is random and is not corrupted.

  24. Solution to the Kazaa problem by tempest303 · · Score: 3, Insightful

    Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:

    DON'T INSTALL IT TO BEGIN WITH. ;P

    tempest303, continuing his crusade to troll people that think fair use means never paying for media.

  25. The guy is right. It's serious. by Animats · · Score: 5, Insightful
    He's right. Brilliant is a push-type peer-to-peer auto-update system. (See page 11 of the Brilliant SEC filing.) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brilliant-based attack, it might contaminate most of the clients in a very short period of time. And most of them wouldn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.
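The question psychosis raises in comment 20 (what are the update signatures checked against?) and the push-update failure mode Animats describes in comment 25 come down to one design decision: where the client's trust anchor lives, and what the client refuses to do until that anchor has vouched for the update. The following Go program is an added example and is not code from the original thread, from Brilliant Digital, Ximian or Microsoft. It models an update client with a publisher public key pinned at install time and shows that a swapped payload, a manifest signed by a key the client never pinned, and a replayed older manifest are each rejected before anything is installed. The names (`Manifest`, `Client`, `Scenario`) and the sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small record an update publisher signs. Signing the
// manifest rather than the raw payload binds three things at once: who
// published it (signature), what it is (digest) and how new it is
// (version, used for anti-rollback). Constructed for this example.
type Manifest struct {
	Version    uint64
	PayloadSHA [32]byte
}

// bytes is the canonical encoding that is signed and verified.
func (m Manifest) bytes() []byte {
	b := make([]byte, 8, 8+len(m.PayloadSHA))
	binary.BigEndian.PutUint64(b, m.Version)
	return append(b, m.PayloadSHA[:]...)
}

// Client holds the trust anchor. PinnedKey ships with the client at install
// time and is never fetched from the update server, so a compromised server
// cannot hand the client a new key to trust.
type Client struct {
	PinnedKey        ed25519.PublicKey
	InstalledVersion uint64
}

var (
	ErrBadSignature = errors.New("manifest not signed by the pinned publisher key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrDigest       = errors.New("payload digest does not match the signed manifest")
)

// Verify checks an untrusted manifest, signature and payload. Order matters:
// nothing in the manifest is believed until its signature checks out.
func (c *Client) Verify(m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(c.PinnedKey, m.bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= c.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrDigest
	}
	return nil
}

// Apply installs only after Verify passes; here "install" is just recording
// the version, which is what makes the rollback check effective next time.
func (c *Client) Apply(m Manifest, sig, payload []byte) error {
	if err := c.Verify(m, sig, payload); err != nil {
		return err
	}
	c.InstalledVersion = m.Version
	return nil
}

// SignManifest is the publisher side; in practice it runs offline with the
// private key, which never needs to be on the update server at all.
func SignManifest(priv ed25519.PrivateKey, version uint64, payload []byte) (Manifest, []byte) {
	m := Manifest{Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(priv, m.bytes())
}

// Scenario exercises the client against one genuine update and the three
// things a compromised update server could serve instead. Keys and payloads
// are generated here (constructed data); nothing touches the network.
func Scenario() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, unpinned, _ := ed25519.GenerateKey(rand.Reader) // a key no client has pinned
	c := &Client{PinnedKey: pub, InstalledVersion: 1}
	genuine := []byte("constructed update payload, version 2")
	m2, sig2 := SignManifest(priv, 2, genuine)

	results := map[string]error{}
	// Real manifest, different payload: digest mismatch.
	results["swapped_payload"] = c.Verify(m2, sig2, []byte("not the signed payload"))
	// The genuine update is accepted and the installed version becomes 2.
	results["genuine"] = c.Apply(m2, sig2, genuine)
	// A newer manifest signed with a key the client never pinned is refused.
	m3, sig3 := SignManifest(unpinned, 3, genuine)
	results["unpinned_key"] = c.Verify(m3, sig3, genuine)
	// Replaying the validly signed version-2 manifest after install is refused.
	results["replayed_old"] = c.Verify(m2, sig2, genuine)
	return results
}

func main() {
	r := Scenario()
	for _, name := range []string{"swapped_payload", "genuine", "unpinned_key", "replayed_old"} {
		fmt.Printf("%-16s -> %v\n", name, r[name])
	}
}
```

The point for both comments is that the key the signatures are "checked against" must be part of the client, not something the client asks the server for; once it is, a compromised update server (or a typo-squatted download host) can only serve what the publisher has already signed, and the version check stops it from serving that indefinitely.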