Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Reflections on Brilliant Digital: Single Points of 0wnership 278

nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if succesfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?".Updated by HeUnique: use these instructions to remove the Brilliant part.
This discussion has been archived. No new comments can be posted.

Reflections on Brilliant Digital: Single Points of 0wnership

Comments Filter:
  • Dumb..Very Dumb (Score:4, Insightful)

    by DCram ( 459805 ) on Sunday April 07, 2002 @04:35PM (#3300468)
    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. There response you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occure elsewhere? I thought I worked with some bright people but they seem to think of their machines as black boxes and if they work great.

    sigh.
    • Re:Dumb..Very Dumb (Score:3, Insightful)

      by Anonymous Coward
      This thinking happens everywhere. People don't give a damn until something bad happens -- until they get owned. Everything is perfect until the day the world actually falls apart - even though it has been happening for a matter of years - everything is fine until the day it happens. That's the kind of thinking.

      _
      WINDOWS USERS CLICK HERE! [paware.com]
    • Re:Dumb..Very Dumb (Score:3, Interesting)

      by glwtta ( 532858 )
      I'd say you would pretty much have to be insane to use any P2P client on your main PC. That's the reason I keep my Win2K partition around - I do nothing but file-sharing on it, it's chock-full of various types of spam (something even insalled that GAIN nonsense), oodles of all sorts of spyware and trojans and any other crap that came with these things. So what? I use it twice a week, and it doesn't even know my email address. If things get too cumbersome, and good reinstall every few months fixes that... just like running Windows in the good old day, come to think of it ;)
    • Re:Dumb..Very Dumb (Score:4, Insightful)

      by erroneus ( 253617 ) on Sunday April 07, 2002 @05:33PM (#3300721) Homepage
      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term affects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!
      • Well, I'm in the UK and I can't say things are much better. There was a big hoo-hah last year with the elections. Apparently turnout was somewhat low due to voter apathy.

        Another problem we have is the sheep mentality. The Liberal Democrats got far less seats than they should have because many 'supporters' voted Labour because "we have to make sure the Tories don't get back in power" did the fact that Labour still have a huge majority escape them? They could have safely voted Lib Dem and Labour would still have won easily. However, they wouldn't have such a powerful majority.
      • Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!

        This idea came from the government, because it doesn't want the people able to defend themselves.
      • Re:Dumb..Very Dumb (Score:5, Insightful)

        by Broccolist ( 52333 ) on Sunday April 07, 2002 @07:09PM (#3301077)
        I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

        An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

        People aren't really getting more ignorant: we're more educated than at anytime in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

        • ....too bad I can't mark this one as insightful... 'cause you're right. I hadn't really looked at it that way.

          We do tend to idealize the past beyond its reality. Still... apathy harms.
        • Re:Dumb..Very Dumb (Score:3, Interesting)

          by iso ( 87585 )
          The quote from the tablet to which you were referring:

          "The Earth is degenerating these days. Bribery and corruption abound. Children no longer mind their parents, every man wants to write a book, and it is evident that the end of the world is fast approaching." - Assyrian stone tablet, c.2800bc

          - j
        • "The world is passing through troublous times. Young people of today think of nothing but themselves. They have no reverence for parents or old age. They are impatient of all restraint. They talk as if they alone know everything. As for girls, they are forward, immodest, and unwomanly in speech, behavior, and dress." -Written by someone in 1274 A.D.

          My grandad, viewing Earth's worn cogs,
          said things were going to the dogs;
          His grandad in the Flemish bogs
          said things were going to the dogs;
          His grandad in his old skin togs
          said things were going to the dogs;
          There's one thing that I have to state-
          The dogs have had a good long wait!

          -Anonymous
      • by HiThere ( 15173 ) <charleshixsn.earthlink@net> on Sunday April 07, 2002 @09:01PM (#3301368)
        The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

        Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

        Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

        All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

        One of the critical flaws in the process is:

        How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

        • How does one choose trustworthy authorities?

          I like the idea of political duty. Think of it like jury duty, only longer. It basically states that random people will be picked to server as politicians (house menbers, senate members, etc.) for a period of time. They are then released and a new crop is picked. There are many problems with this, but there are many problems with the way things are done now.

          If the policitial duty was truly random, the views of the population are more likely to be represented. Though it would take a lot of effort to ensure the process is random and is not corrupted.
      • Re:Dumb..Very Dumb (Score:3, Interesting)

        by Telemakhos ( 548307 )

        That was an excellent comment. The idea of wisdom and vision you mentioned seems to me most easily summarized, however, in the concept of independence or autonomous living, which requires both wisdom and will.

        Early in American history, Jefferson praised the independent spirit, especially as found in the character of American farmers who provided for themselves with inititative and spirit; these same sort of men fought for independence during the American revolution. Horkheimer, Adorno, Marcuse, and others in twentieth century America lamented the common man's decline of interest in autonomous life as administered existence began to provide a higher standard of living -- people in general would rather be taken care of and have comfort than have to think and act for themselves.

        As another poster pointed out, we always tend to idealize the past; in this case, however, we see a clear regression. The average Joe is becoming less and less autonomous, more and more childlike, in response to the increased allure of a higher standard of living.

        To be specific (and to avoid that offtopic mod), man once made music for himself -- he sang, he played instruments, he created. Then came written musical notation, which allowed him to copy others' inventions by playing or singing songs he may never have heard; still he was making the sounds himself. Next, recorded music allowed him to spin a record/pop in a cassette/play a CD or .mp3 without any act of creation or imagination. Kazaa (and Napster before it) made procuring these mass-produced commodities, no longer created artisans per se but produced by a recording/culture industry, even easier -- he didn't have to pay for them or even leave the comfort of his desk.

        In return, he has sacrificed various freedoms, by which I mean his power over the music. First, he gave up the power of creativity; now, he gives up the power over his own computer's spare CPU cycles. Our user gets easier downloading, but he surrenders control over part of his computer and (possibly) renders himself open to attack by hackers. Taken collectively as a society of freeloaders, we may be risking a chunk of the internet for easy .mp3 pirating.

        This is not wisdom, and it is not independence. Those who read Slashdot are likely not covered here -- Slashdot readers tend to be the ones who build their own boxen, who write their own code, who value privacy and who see the importance of doing for oneself. Slashdotters tend to be autonomous. The majority, however, are heteronomous: willing to surrender their independence and unwisely to make unknown risks for the sake of allegedly "better" living through false needs, such as 100-gigabyte hoards of Britney Spears and NSYNC .mp3's.

        Meanwhile, the recording industry attempts to take from us the right to fair use of what we have bought legally. Between our own childishness and their greed, we risk our computers and whatever increased standard of living mass-produced music has brought us. Beautiful.

        This is the progress of Jefferson's America: from our forefathers' earning with their blood the right of liberty, to surrendering freedoms so we can steal the latest Backstreet Boys hit. It almost makes me want to cheer for the RIAA -- hoping that if they win, they'll shoot themselves in the foot by forcing cheapskates like myself, and many others, to go make music instead of consuming it.

        Not that ranting here is going to help things a bit -- the unwashed and .mp3-hoarding masses won't listen anyway, and most don't read Slashdot. I'm done venting now.

    • Happens all the time. "well i've got nothing to hide so they can hack me".

      Then I explain what can be done with an owned box, they nod, uninstall kazaa, and merrily doubleclick the next .exe in their outlook inbox. Oh well.
  • Already Exists (Score:4, Insightful)

    by nuggz ( 69912 ) on Sunday April 07, 2002 @04:36PM (#3300474) Homepage
    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.
    • Need for Speed isn't installed on 10 million PCs. And, unlike Kazaa (I refuse to type that #$%@ capitalization), it's probably not running more or less 24/7 on a good percentage of those boxes.

      True, windowsupdate.microsoft.com is a big fat target too, but at least that was designed primarily with security in mind, and AFAIK it hasn't been hacked yet in the 4 years since it was introduced. Also, Windows Update will NOT install anything without your explicit consent. (Now, as for Windows Media... it says right in the EULA that MS reserves the right to update your codecs without your permission, at the very least...)
    • Re:Already Exists (Score:4, Informative)

      by cscx ( 541332 ) on Sunday April 07, 2002 @05:37PM (#3300736) Homepage
      No, see, Windows Update has security signatures on all of its packages. Plus, you are discounting that the auto-update feature is only available Windows ME and XP, and even so, it doesn't automatically install updates unless you explicitly set it to. That really narrows down the population. Don't forget all the corporate users who are subject to Windows Update corporate edition, where the admin decides which updates to install.

      On the other hand, how many people are running Kazaa in comparison (on Win95, for example)? A lot more. What is worrysome is the corporate user running Kazaa behind an improperly set firewall. If he is on a large pipe, that can spell trouble. Imagine that problem multiplied by the number of users running Kazaa. Can you say "imagine a Beowulf cluster of DoS zombies?"
      • I'm running Win95b with IE 5.5, IE does check for updates every time I start it
        • I'm running Win95b with IE 5.5, IE does check for updates every time I start it

          Then change your home page and or options. Assuming you don't want it to. And, evidently, it doesn't auto install the updates or you'd presumably be running IE6.

    • Not only MS. Debian and Red Hat have been doing the same. They don't install automatic tools (at least Debian), but nobody checks anything before upgrading so that's basicly the same.
  • by InsaneCreator ( 209742 ) on Sunday April 07, 2002 @04:38PM (#3300482)
    Maybe we could "attack" everyone with outlook express/IE patches, so we finally stop recieving all those self forwarding worms in our e-mail.
  • Ok, from what I understand, Kazaa is going to be attempting to get their users to give up their spare CPU cycles to help drive advertisements and other income-based projects for Kazaa?

    Ok, not only would this concept be likely considered unwelcome even by casual Kazaa users, but think of all the other possibilities for an already heavily established (as those things go) P2P app like Kazaa...

    In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give ( or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?

    That way they could make money, a name for themselves, and generally the rest of humanity a bit happier.
    • In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give ( or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?

      Not trying to stray offtopic, but United Devices [ud.com] does something like this with cancer research.

      Then again, _you_ download the client, and they don't sell the results to anyone; as i understand it they collaborate with the Dept. of Chemistry @ the University of Oxford.

      Kazaa using this technology (with the consent of the user, of course :) would be a great idea, IMO. They could stick it in there with all the extra third-party partner software that the installer prompts you for. Combine that (the UD client) with Kazaa's user base, and that's something worthwhile.

      Number of aliens contacted by SETI@Home: 0
  • by knuu ( 449167 ) on Sunday April 07, 2002 @04:43PM (#3300511)
    I think I understand their plan now:

    1. Plant studip spamware on a gazillion computers worldwide

    2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.

    3. Profit!

    Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*
    • by screwballicus ( 313964 ) on Sunday April 07, 2002 @05:51PM (#3300788)
      Dr. Evil: Gentlemen, it's come to my attention that a malicious distributed computing scheme called Brilliant Digital will be setting into motion their trojan in a few days. Here's the plan. We R00T their server, and we hold the world ransom...
      (dramatic pause)
      Dr. Evil: ...FOR ONE MILLION DOLLARS!

      Number Two: Don't you think we should ask for more than a million dollars? A million dollars isn't that much money these days.

      Dr. Evil: All right then...
      (dramatic pause)
      Dr. Evil: ...FIVE MILLION DOLLARS!

      (uncomfortable pause)

      Number Two: Jon Katz alone makes over nine billion dollars a year.

      Dr. Evil: Oh, really?
      Dr. Evil: One-hundred billion dollars.
      (pause)
      Dr. Evil: OK, make it happen. Anything else?
    • by s20451 ( 410424 ) on Sunday April 07, 2002 @07:03PM (#3301056) Journal

      start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!"

      Or, in the immortal words of Jeff K. [somethingawful.com], "HAHAHHAHHAHAHHAHHAHAHAHAHAH HOW DO YUO LIEK THEM APPALS FELLOWS?!? GRABUALsA!!!!"

    • I think I understand their plan now:
      This is actually a huge improvement over their original plan:
      Phase One: Collect underpants.


      Phase Three: Profit!
      --
      Damn the Emperor!
  • Cooperation is key (Score:2, Insightful)

    by jmulvey ( 233344 )
    Interesting article. I think it effectively shows that Brilliant Digital -- along with just about 95% of our industry -- needs to learn that they can't just shove software down people's throats. Most interesting to these companies should be the legal liability questions raised.

    I'd expect these companies to start adding stuff into their installation legalese with something to the effect of, "You agree not to reverse-engineer anything we might be doing with your computer. You agree to sit back and relax while we adjust the horizontal and vertical"..
    • by erroneus ( 253617 )
      You're absolutely on-target with that assertion.

      I tend to look at our internet and our computing power on the level of 'health.'

      Software designers should understand that they aren't just writing programs any more. We're not building new calculators with cool new functions. We're writing a great deal of software that interacts with a public network that affects the lives of everyone either directly or via the health of business and information exchange.

      Business and commerce are now more tightly bound to our ability to exchange, gather and disburse information as a commodity.

      I'll use Microsoft as an example but it's not limited to Microsoft... Cisco could easily be used as an example of a "responsible player" but I'm illustrating an "irresponsible player" at the moment.

      Microsoft in putting out unstable software on the server side (and putting out clients that include servers to unaware owners) has severely affected the health of our public internet and I believe they should be held liable and responsible for their negligence on the matter. There is no law that says "you're a criminal if you write bad software" but there is law that says you are criminally responsible if, through negligence, have endangered public security. And in that respect, Microsoft should be held as criminally responsible for their negligence. And no amount of EULA protection should be allowed on this matter.

      I suggest that Cisco wears a white hat in this simply because of reputation. They are not known for their security problems. They are not known for having 'viruses' or being vulnerable to attacks. Of course they are vulnerable. Of course they have bugs and weaknesses. But due to the fact that they are both huge and still manage to remain 'untargetted' is some indication that they are taking their public responsibility seriously and are successful at it.

      If Microsoft behaved more like Cisco in that respect, I think the world would still be in love with Microsoft today though not nearly as appreciated because it's not in out nature to appreciate, but to find fault and hate.
  • by kritikal ( 247499 ) on Sunday April 07, 2002 @04:48PM (#3300529)
    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.
    • With rapid changes in technology, Security is a matter of timing, not an absolute. Make it as secure as technology allows today, and it's just a matter of time - weeks or months, seldom years - until the security is easily cracked or is completely broken.
      Because of this, and the logistics inherent in updating the security on 20+ million PCs, and you get the MSIE / Outlook express situation.
      The author's comment about "single point of ownership" is valid no matter what security is used on this.
  • by bc90021 ( 43730 ) <bc90021NO@SPAMbc90021.net> on Sunday April 07, 2002 @04:48PM (#3300531) Homepage
    With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.
    • by Anonymous Coward
      That's certainly a security risk with XP, basically they've extended RDP (which was available in W2K Server) onto the desktop. From an administration point of view this is a god-send. Additionally, I would note that by default RDP is not enabled on systems, and by default when you enable it, it's to allow someone you know to access your system, to whom you send an e-mail with a special link/key and then give them a password through a separate (we hope secure... but that's the end user's own issue) method. So far I haven't seen any proof-of-concepts for a sever compromise via RDP, and realistically speaking, this is a lot like SSH is to *nix... it gives you access to the 'command line' of windows... the gui... Certainly RDP is a security risk for everyone running it, but so is connecting to the Internet - from what I've seen there are many more, much larger vulnerabilities in m$ products than this one poses.
    • Shortly after the XP release, a Microsoft representative came to campus to preach the virtues of XP. When we asked him about the security of the Remote Access feature, he refused to give us a straight answer. He neither assured us it is secure nor did he admit he didn't know if it is secure or not. Makes me suspicious.
  • Sleeze. (Score:4, Interesting)

    by mindstrm ( 20013 ) on Sunday April 07, 2002 @04:53PM (#3300550)
    You know, EULA or not... what Kazaa did is slimy. VERY slimy. They decieved people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.

    I'm realistic... most people do not know or care of the difference, but they should.

    So my question is...

    What can we realistically do in order to force a bit more honesty in software providers?

    • Not use their friggin software, when we don't like what the do? What a concept!
      • The problem is, that doesn't work until you have already started using their software. How can we have checks on vendors honesty before everyone and his brother starts using their software?

        I use free software almost exclusively, and use almost no zero cost commercial software, which seems to help, but is there anything people who need/want to use commercial software can do about this?
  • Lawyer's heaven (Score:2, Interesting)

    by Eric Damron ( 553630 )
    If I were part of Brilliant Digital, I would be bracing myself for lawsuits. The first DoS attack that comes from someone taking control of their trojans will open them up for big legal liability.

    No matter how many "We will not be held responsible" statements they have in their license agreement, they won't be held harmless from the damage done to a third party.

    When you think about it, any program that automatically goes out and updates itself could be a problem if a blackhat is able to fool the client into installing the blackhat's update.
    • What do you want to bet that Doofus Digital is somewhere that UCITA has passed. (I.E. Virginia, and one other state...)

      That basically exempts the manufacturer from liability in situations just like this.

      UCITA - just the start of scummy legislation that screwes us all over. The saving grace with UCITA is that it hass to pass through all the states. This makes lots more hands to grease, and thus the corps that would love to see us screwed, have a much harder time of it.

      Cheers!
  • As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.

    This is all to true. Therefore, given Brilliant digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.

    They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.

    Basically, we can divide the possible real evil plans into three categories:
    1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

    2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.

    3) Astrononomical. I know that if I had the computing power of fiteen million consumer level CPU's at my disposal, I'd use it to pull the moon into the earth. 'nuff said.

    Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.
    • 1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

      Unfortunately, you're failing to account for the four star CO who decided he must have his e-mail access to his wife from inside the mountain, and ordered his IT officers to install it against their recommendation...

      (Don't laugh too much; there are documented cases of serious military security breaches due to exactly this combination of rank and technical naivety.)

  • ...for slashdotting his own site
  • Hmmm.. (Score:3, Interesting)

    by ZaneMcAuley ( 266747 ) on Sunday April 07, 2002 @05:20PM (#3300661) Homepage Journal
    Actually, I would hope this does happen. Why? Because it would put the frightners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.

    It would kill EVERY SPYWARE ON THE PLANET.

    • Right. Just like every previous Outlook virus killed all other outlook viruses that worked on the same principles, and just like every worm making use of long-known IIS vulnerabilities killed all other worms that made use of other well-known IIS vulnerabilities.

      The only thing this happening would cause is make some people commit suicide because they wouldn't be able to play Everquest anymore ;-) - and perhaps if trouble lasted long enough it might make other people start to read a good book for a change. :-)
      • Well, if they had a few million zombies ready to take out some BIG host or essential service. More oomph and publicity and something might be done. Im not talking about some lame worm or virus here. I mean complete outtage. Think bigger.
  • c|net has an article [com.com] on removing this stuff, and kazaa will still work afterwords. Not much info besides goto add/remove programs and remove b3d, but at least they list what files should be removed.
  • by markh1967 ( 315861 ) on Sunday April 07, 2002 @05:26PM (#3300690)
    Just to make people aware that the trojan is also distributed with other FastTrack browsers such as Grokster. It is not just confined to KaZaa. I've never downloaded or installed KaZaa but I am running Grokster (with the spyware removed and dummy cydoor dll in place) and I was infected as well. If you're running Grokster check out your Windows directory. If there's a folder in there called BDE and you aren't running the Borland Databse Engine then you're infected as well.
    • If there's a folder in there called BDE and you aren't running the Borland Databse Engine then you're infected as well.

      This Brilliant tempest is giving Borland/Inprise/Borland a lot of press. I haven't heart of the BDE in years, but in the past week I've seen mention of it at least a dozen times.

      What's really cool is the extent to which the instructions go to make sure you aren't deleting something useful.

  • Not just KaZaA! (Score:3, Interesting)

    by mcrbids ( 148650 ) on Sunday April 07, 2002 @05:34PM (#3300725) Journal
    What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.

    (Who'd use RHN over a modem line!?!?)

    Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?
    • What about the Red Hat Network? ... Seems like this also might be an excellent point from which to launch a big DDOS attack, no?

      <SARCASM>
      Actually, what you are proposing is impossible. Everyone knows that all hackers and virus writers prefer to code in Visual Basic. They would have too much trouble trying to get Wine to run their virus so they could take over RHN, and they'd just give up.

      Does that make you feel any better? I didn't think so. Hey, it was worth a try.
      </SARCASM>
    • What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.

      As I understand it, it won't be easy to sneak a trojan into RHN, just by cracking RH's RHN servers, since all the RPMS are gpg /pgp signed (+md5sum). So an altered rpm-file, will fail the Up2date agents gpg check against RH's public key, and AFAIK therefore not be automatically installed.

      So installing Red Hat rpm's, even from "untrusted" mirrors, should be safe, provided that RH can keep their private key secret, and you actually verify the gpg signing (easy to do).

      Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?

      I do think that RH actually monitors their servers (and bandwith), but perhaps much more important, I am quite sure, that they will respond quickly, if people reported a DDoS attack from their IP-range.

      IMHO a big part of the DDoS /SPAM /skript-kiddie problem is, that so many boxes, are running totally unattended and / or administrated by less than entirely competent people, who may not even read mail adressed to eg. postmaster@example.com, or without the skills to comprehend the described problem.

      A 2 hour DoS is nuisance, a 10 day DoS a disaster.

    • Reading his rant you would know that yes, any auto-updater has these potential risks but why Kazaa?

      1: Shitload of users (lots more then RHN and WinUpdate, etc.)
      2: Likelyhood that there is no security authentication (dig sigs, etc).
      • 3) Less educated users (RHN is mostly tech-oriented people whereas Kazaa is typically teenagers and college students) 4) Many leave it on whether or not they are actually using it, not realizing the ramifications of this.
  • by MavEtJu ( 241979 ) <<gro.ujtevam> <ta> <todhsals>> on Sunday April 07, 2002 @05:55PM (#3300812) Homepage
    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.
    • Here's my take on it...people either have been warned, or have been too careless to find out exactly what they've installed on their system. Let them suffer for their mistakes. Sometimes a little hardship is the only thing that will teach them.
      • Until one day all the DDoS attacks shut down all your root name servers and a good chunk of the backend routers. I guess you should suffer also [through the lack of a usuable internet] because you didn't do anything about this before it happend.

        Not to run around and shout the sky is falling or anything. This is potentially a major problem. When a company's business plan focuses on tricking the user to install their application, you know they care relatively little about security or the damage that they can do.
  • The internet has been relatively insecure since day one. It's no one particular company's fault or one particular person's fault. The internet protocols weren't originally designed to prevent massive DDoS attacks. It wasn't designed to be particularly secure on the individual machines because when it was originally created, the network was secure by the fact that every computer on it was known. The number of computers didn't extend into the thousands, probably until the 90s, and even then, it was about 98% educational institutes, DOD, and companies.

    Any competent programmer, familiar with several TCP/IP protocols, and TCP/IP programming, could easily bring the internet to a grinding halt. The fact that it hasn't happened in years (1988 with Robert Morris' infamous internet worm) is what astounds me.
  • I would guess that nearly 100% of /. readers have an Anti-Virus scanner of some sort loaded on their desktop/laptop. These all have systems that are designed to automatically d/l updates, including core functionality/engines.

    I have seen TrendMicro's PC-Cillin d/l executables before.

    So, while Brilliant Digital is out of line and while Weaver makes good points, the reality is that this threat has been around for a very long time.

    For that matter, have you considered what might happen if someone 0wns the Akamai system?

    • I would guess that nearly 100% of /. readers have an Anti-Virus scanner of some sort loaded on their desktop/laptop. These all have systems that are designed to automatically d/l updates, including core functionality/engines.

      Huh? What's an Anti-Virus scanner? Oh, a virus is that thing that can damage your computer if you are stupid and run everything as root or run an operating system that lacks any security mechanisms.

      I guess I'm part of the 0% of /. readers who use a real operating system [linux.com] and therefore do not need Anti-Virus scanners.

      All I know is that if someone hijacks one of these networks, my computer and all my data will be fine.
    • I certainly don't have a virus scanner running, and I'm even on Windows.

      You just have to be careful about what executables you run and don't do stupid shit like use outlook express, and you don't get Viruses / Adware.

      Tim
  • by psychosis ( 2579 ) on Sunday April 07, 2002 @06:12PM (#3300890)
    Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
    Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
    Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
    Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.
    • Make sure your /etc/apt/sources.list is accurate and up to date. If you do this, than you can't go wrong -

      The one you should be using for red carpet is
      http://red-carpet.ximian.com/debian
      as in: line in sources.list
      deb http://red-carpet.ximian.com/debian stable main

      apt-get update
      apt-get install task-helix-core
      apt-get install task-helix-gnome
      apt-get install task-ximian-gnome
      ...depending on what you're after and what you have.

      If you misspell the commands, nothing will happen except that it will tell you incorrect syntax (or that you're not root, you bastard). Just make sure the master list is correct.

      Here, i'll even write you a shell script:

      #!/bin/csh

      set sources=`grep http://red-carpet.ximian.com/debian /etc/apt/sourc es.list` | wc -l

      if ("$sources"=0) then
      echo "deb http://red-carpet.ximian.com/debian stable main" >> /etc/apt/sources.list
      endif

      echo `apt-get update`
      echo `apt-get install task-ximian-gnome`
      echo "all done"
      exit
      ###end of file

  • Far be it from me to do anything of the sort, but some of these "hacker" groups should make themselves useful and attack Brilliant's systems, instead of Yahoo or something *beneficial* to the Internet.

    I say hit 'em, and hit 'em hard...let them know what we think.

    To paraphrase Malcolm X,

    We didnt land on your advertising, you crammed your advertising down our throats without asking, bitches

  • by tempest303 ( 259600 ) <jensknutson AT yahoo DOT com> on Sunday April 07, 2002 @10:05PM (#3301514) Homepage
    Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:

    DON'T INSTALL IT TO BEGIN WITH. ;P

    tempest303, continuing his crusade to troll people that think fair use means never paying for media.
  • by Animats ( 122034 ) on Sunday April 07, 2002 @10:29PM (#3301562) Homepage
    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing. [sec.gov].) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brillant-based attack, it might contaminate most of the clients in a very short period of time. And most of them woudn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing. [sec.gov]) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.

  • All I can figure is what they're *really* planning is the world's best porn-harvesting tool.

    Genius.

The first 90% of a project takes 90% of the time, the last 10% takes the other 90% of the time.

Working...