Slashdot Mirror

← Back to Stories (view on slashdot.org)

Reflections on Brilliant Digital: Single Points of 0wnership

Posted by michael on from the zombie-hordes dept.

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if succesfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?".Updated by HeUnique: use these instructions to remove the Brilliant part.

9 of 278 comments (clear)

  1. Re:Any comments? by Slash+Veteran · · Score: 5, Insightful
    I mean, if I were to attack the Internet root dns servers couldn't that cause all sorts of problems

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owner's of KaZaA don't have the same track record.

  2. Re:Any comments? by DCram · · Score: 5, Informative

    From the article the other day on root DNS servers.
    Story
    For the "internet" to be greatly affected multiple root servers must be brought down.

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."

    --
    If I were only smart enough to accomplish the things I dream about.. Or maybe too dumb to care.
  3. Good for them by knuu · · Score: 5, Funny

    I think I understand their plan now:

    1. Plant studip spamware on a gazillion computers worldwide

    2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.

    3. Profit!

    Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*

    1. Re:Good for them by screwballicus · · Score: 5, Funny

      Dr. Evil: Gentlemen, it's come to my attention that a malicious distributed computing scheme called Brilliant Digital will be setting into motion their trojan in a few days. Here's the plan. We R00T their server, and we hold the world ransom...
      (dramatic pause)
      Dr. Evil: ...FOR ONE MILLION DOLLARS!

      Number Two: Don't you think we should ask for more than a million dollars? A million dollars isn't that much money these days.

      Dr. Evil: All right then...
      (dramatic pause)
      Dr. Evil: ...FIVE MILLION DOLLARS!

      (uncomfortable pause)

      Number Two: Jon Katz alone makes over nine billion dollars a year.

      Dr. Evil: Oh, really?
      Dr. Evil: One-hundred billion dollars.
      (pause)
      Dr. Evil: OK, make it happen. Anything else?

  4. Re:MS Windows isn't installed on millions of PCs? by CrackerJackz · · Score: 5, Funny

    True, (and belive me this is hard for me to say this next sentence...) I put more trust in Microsofts updater than Brilliants ... ick I cant belive I just said that :)

  5. What can we conclude? by sam_handelman · · Score: 5, Funny

    As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.

    This is all to true. Therefore, given Brilliant digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.

    They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.

    Basically, we can divide the possible real evil plans into three categories:
    1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

    2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.

    3) Astrononomical. I know that if I had the computing power of fiteen million consumer level CPU's at my disposal, I'd use it to pull the moon into the earth. 'nuff said.

    Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.

    --
    The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
  6. Expect more of this! by MavEtJu · · Score: 5, Insightful

    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.

    --
    bash$ :(){ :|:&};:
  7. Re:Dumb..Very Dumb by Broccolist · · Score: 5, Insightful
    I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

    An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

    People aren't really getting more ignorant: we're more educated than at anytime in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

  8. The guy is right. It's serious. by Animats · · Score: 5, Insightful
    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing..) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brillant-based attack, it might contaminate most of the clients in a very short period of time. And most of them woudn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing.) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.