Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reflections on Brilliant Digital: Single Points of 0wnership

Posted by michael on from the zombie-hordes dept.

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if succesfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?".Updated by HeUnique: use these instructions to remove the Brilliant part.

20 of 278 comments (clear)

  1. Dumb..Very Dumb by DCram · · Score: 4, Insightful

    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. There response you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occure elsewhere? I thought I worked with some bright people but they seem to think of their machines as black boxes and if they work great.

    sigh.

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
    1. Re:Dumb..Very Dumb by erroneus · · Score: 4, Insightful

      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term affects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!

    2. Re:Dumb..Very Dumb by Broccolist · · Score: 5, Insightful
      I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

      An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

      People aren't really getting more ignorant: we're more educated than at anytime in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

  2. Already Exists by nuggz · · Score: 4, Insightful

    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.

    1. Re:Already Exists by cscx · · Score: 4, Informative

      No, see, Windows Update has security signatures on all of its packages. Plus, you are discounting that the auto-update feature is only available Windows ME and XP, and even so, it doesn't automatically install updates unless you explicitly set it to. That really narrows down the population. Don't forget all the corporate users who are subject to Windows Update corporate edition, where the admin decides which updates to install.

      On the other hand, how many people are running Kazaa in comparison (on Win95, for example)? A lot more. What is worrysome is the corporate user running Kazaa behind an improperly set firewall. If he is on a large pipe, that can spell trouble. Imagine that problem multiplied by the number of users running Kazaa. Can you say "imagine a Beowulf cluster of DoS zombies?"

  3. The good side by InsaneCreator · · Score: 4, Funny

    Maybe we could "attack" everyone with outlook express/IE patches, so we finally stop recieving all those self forwarding worms in our e-mail.

  4. Re:Any comments? by Slash+Veteran · · Score: 5, Insightful
    I mean, if I were to attack the Internet root dns servers couldn't that cause all sorts of problems

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owner's of KaZaA don't have the same track record.

  5. Re:Any comments? by DCram · · Score: 5, Informative

    From the article the other day on root DNS servers.
    Story
    For the "internet" to be greatly affected multiple root servers must be brought down.

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
  6. Good for them by knuu · · Score: 5, Funny

    I think I understand their plan now:

    1. Plant studip spamware on a gazillion computers worldwide

    2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.

    3. Profit!

    Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*

    1. Re:Good for them by screwballicus · · Score: 5, Funny

      Dr. Evil: Gentlemen, it's come to my attention that a malicious distributed computing scheme called Brilliant Digital will be setting into motion their trojan in a few days. Here's the plan. We R00T their server, and we hold the world ransom...
      (dramatic pause)
      Dr. Evil: ...FOR ONE MILLION DOLLARS!

      Number Two: Don't you think we should ask for more than a million dollars? A million dollars isn't that much money these days.

      Dr. Evil: All right then...
      (dramatic pause)
      Dr. Evil: ...FIVE MILLION DOLLARS!

      (uncomfortable pause)

      Number Two: Jon Katz alone makes over nine billion dollars a year.

      Dr. Evil: Oh, really?
      Dr. Evil: One-hundred billion dollars.
      (pause)
      Dr. Evil: OK, make it happen. Anything else?

    2. Re:Good for them by s20451 · · Score: 4, Funny

      start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!"

      Or, in the immortal words of Jeff K., "HAHAHHAHHAHAHHAHHAHAHAHAHAH HOW DO YUO LIEK THEM APPALS FELLOWS?!? GRABUALsA!!!!"

      --
      Toronto-area transit rider? Rate your ride.
  7. preview misleading... by kritikal · · Score: 4, Insightful

    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.

  8. Doesn't XP already do this? by bc90021 · · Score: 4, Interesting

    With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.

    --
    libertarianswag.com
  9. Sleeze. by mindstrm · · Score: 4, Interesting

    You know, EULA or not... what Kazaa did is slimy. VERY slimy. They decieved people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.

    I'm realistic... most people do not know or care of the difference, but they should.

    So my question is...

    What can we realistically do in order to force a bit more honesty in software providers?

  10. Re:MS Windows isn't installed on millions of PCs? by CrackerJackz · · Score: 5, Funny

    True, (and belive me this is hard for me to say this next sentence...) I put more trust in Microsofts updater than Brilliants ... ick I cant belive I just said that :)

  11. What can we conclude? by sam_handelman · · Score: 5, Funny

    As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.

    This is all to true. Therefore, given Brilliant digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.

    They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.

    Basically, we can divide the possible real evil plans into three categories:
    1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

    2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.

    3) Astrononomical. I know that if I had the computing power of fiteen million consumer level CPU's at my disposal, I'd use it to pull the moon into the earth. 'nuff said.

    Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  12. Expect more of this! by MavEtJu · · Score: 5, Insightful

    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.

    --
    bash$ :(){ :|:&};:
  13. Ximian Install and RedCarpet are the same by psychosis · · Score: 4, Interesting

    Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
    Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
    Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
    Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.

  14. Information overload by HiThere · · Score: 4, Insightful
    The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

    Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

    Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

    All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

    One of the critical flaws in the process is:

    How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  15. The guy is right. It's serious. by Animats · · Score: 5, Insightful
    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing..) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brillant-based attack, it might contaminate most of the clients in a very short period of time. And most of them woudn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.