Reflections on Brilliant Digital: Single Points of 0wnership

Posted by michael on Sun Apr 07, 2002 04:30 PM
from the zombie-hordes dept.
nweaver writes "Some reflection on Brilliant Digital's plans shows that they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if successfully attacked, can be used to gain effective control of the Internet. The implications are rather scary: Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service. Who needs a Warhol Worm?" Updated by HeUnique: use these instructions to remove the Brilliant part.
  • Dumb..Very Dumb (Score:4, Insightful)

    by DCram (459805) on Sunday April 07 2002, @04:35PM (#3300468)
    Here at work I pointed a couple of coworkers toward the previous articles on Kazaa. Their response, you might ask?

    As long as I can get good download speed and have a large mp3 base what do I care?

    Does this type of thinking occur elsewhere? I thought I worked with some bright people, but they seem to think of their machines as black boxes, and if they work, great.

    sigh.
    • Re:Dumb..Very Dumb by Anonymous Coward (Score:3) Sunday April 07 2002, @04:40PM
    • Re:Dumb..Very Dumb by glwtta (Score:3) Sunday April 07 2002, @05:19PM
    • Re:Dumb..Very Dumb (Score:4, Insightful)

      by erroneus (253617) on Sunday April 07 2002, @05:33PM (#3300721) Homepage
      Well, it's unfortunate but that view is pervasively the norm. It doesn't apply to the technology arena alone. It's everywhere. People have convinced themselves that they don't want to know. They don't want to understand. They don't want to 'get it.' They only want the results and are not concerned about side-effects.

      This is true in the food and drug arena. This is true in war and politics. This is true in biotech. This is true with trends in child-rearing. Somehow and somewhere, we have lost the notion of "wisdom." Not only have we forgotten how to become more wise, we are also underestimating (and ignoring) the value of the wisdom of others.

      Socially, we're losing a lot of ground because we don't want to think any more. It's disturbing not only to watch, but also because I feel those trends infecting me as well.

      "I don't care how we get it, just give me what I want." That's the growing mentality. "Rights!? I don't care about rights, just fight the evil demons in our midst!"

      Okay... I'm going a bit too deep, but as a nation (I can't really say much about Europe or other places... I'm ignorant because I lack direct observational experience in the area) we're really getting too apathetic. It has been a long time in developing but our nation-wide apathy and our lack of long-term vision is affecting a lot.

      I truly doubt that the RIAA and the MPAA are considering the long-term effects of their actions. Are they really so arrogant to think that their children will be any less affected than our children? Or is it that they aren't considering children at all... only themselves? Apathy. Lack of long-term vision.

      Hehehe... what does this have to do with Brilliant Digital's Single Point of Ownership? Clearly, they have a lack of wisdom and long-term vision. If you want to own or control a large body from a single point, that single point bears the responsibility of DEFENDING it.

      Defense is a responsibility that people tend to think is something they should pass off to government and law enforcement. Where did that moronic notion come from?!
      • Re:Dumb..Very Dumb by Darren Winsper (Score:2) Sunday April 07 2002, @05:43PM
      • Re:Dumb..Very Dumb by G-funk (Score:2) Sunday April 07 2002, @06:02PM
      • Re:Dumb..Very Dumb (Score:5, Insightful)

        by Broccolist (52333) on Sunday April 07 2002, @07:09PM (#3301077)
        I've said it before and I'll say it again: things aren't getting worse. I agree that there's a sheep mentality, but it's been with us since the beginning of time. It's a well-known aspect of human psychology that we always tend to think the world is going down the drain and it was better before.

        An Assyrian tablet from ~2000BC was found with words to that effect (e.g. kids aren't worshipping our pagan gods as much as they used to, the air is getting rotten, etc). The same thing has been said and re-said millions of times since. But it's just not true.

        People aren't really getting more ignorant: we're more educated than at anytime in the past. If you think it's bad now, imagine how it was last century. Do you think those textile workers were curious to know how the sewing machines really worked? No, we should try to fight our innate tendency to think everything is getting worse, because in fact by most measures the state of humanity is getting better and better.

      • Information overload (Score:4, Insightful)

        by HiThere (15173) <charleshixsn AT earthlink DOT net> on Sunday April 07 2002, @09:01PM (#3301368)
        The root cause of this problem is information overload. It used to be that most people couldn't know everything, but it wasn't really impossible if you didn't do anything else. Those days are centuries past.

        Today everyone, no matter how smart, is submerged in a tide of information. The only way to survive and get anything out of it is to filter it. But how should one construct the filters???

        Don't pat yourself on the back too hard, just because you understand computers. There's a lot more to this civilization than computers. And the rest is just as important.

        All I've been able to do is demarcate a small area that I try to understand, and try to find other people that I trust to understand other areas for me. I don't know of a better method, even though that one is clearly flawed. Note that this is the same technique that almost all people adopt.

        One of the critical flaws in the process is:

        How does one choose trustworthy authorities? I sure don't have an answer. The best I can do is pick people that I don't know to be wrong for reasons that are unknown or unacceptable to me. This isn't great, but it's something. One of the good points about this system is that it distributes authority (I see centralized authority as inherently evil: consider that the central authority will have the same limitations [mentioned above] as anyone else, and the people that the central authority chooses to trust will have every motivation to give self-serving advice [as long as they aren't caught at it.])

      • Re:Dumb..Very Dumb by Telemakhos (Score:3) Sunday April 07 2002, @09:14PM
      • Re:Dumb..Very Dumb by mvdwege (Score:2) Monday April 08 2002, @03:37AM
    • Re:Dumb..Very Dumb by halo8 (Score:1) Sunday April 07 2002, @06:27PM
    • Re:Dumb..Very Dumb by snake_dad (Score:2) Sunday April 07 2002, @06:29PM
  • Come on (Score:1, Insightful)

    by Slash Veteran (561542) <slashvet@hotmail.com> on Sunday April 07 2002, @04:36PM (#3300472)
    If you use KaZaA, with all of its spyware, worm-like auto-updating, and history of escalating privacy invasion, you don't have a clue. You deserve to be 0wn3d d00d.
    • No you don't. by haeger (Score:1) Monday April 08 2002, @02:08AM
  • Already Exists (Score:4, Insightful)

    by nuggz (69912) on Sunday April 07 2002, @04:36PM (#3300474) Homepage
    MS has been doing this for years, many tools check for updates and install them.
    I noticed Need for Speed Porsche did this too.

    These friendly autopatchers could all be hacked.

    This is a serious risk with new subscription based services too.
  • The good side (Score:4, Funny)

    by InsaneCreator (209742) on Sunday April 07 2002, @04:38PM (#3300482)
    Maybe we could "attack" everyone with Outlook Express/IE patches, so we finally stop receiving all those self-forwarding worms in our e-mail.
  • Distributed Computing on Kazaa (Score:2, Insightful)

    by Kargan (250092) on Sunday April 07 2002, @04:42PM (#3300504) Homepage
    Ok, from what I understand, Kazaa is going to be attempting to get their users to give up their spare CPU cycles to help drive advertisements and other income-based projects for Kazaa?

    Ok, not only would this concept be likely considered unwelcome even by casual Kazaa users, but think of all the other possibilities for an already heavily established (as those things go) P2P app like Kazaa...

    In other words, they could try to get their users to share a distributed computing project working towards, say, the cure of a deadly disease or other medical project, then give ( or sell, which would be more likely) the results to whatever foundation would actually be able to use the data?

    That way they could make money, a name for themselves, and generally the rest of humanity a bit happier.
  • Good for them (Score:5, Funny)

    by knuu (449167) on Sunday April 07 2002, @04:43PM (#3300511)
    I think I understand their plan now:

    1. Plant stupid spamware on a gazillion computers worldwide

    2. Head for a small island state somewhere in the middle of the Pacific Ocean and start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!". A gazillion children addicted to warez, pr0n and AIM complain to their respective parents, who demand action from their governments. Governments pay up.

    3. Profit!

    Then again, governments do have armies with guns and ships and stuff so things might get messy in the process. *shrug*
    • Re:Good for them by taniwha (Score:1) Sunday April 07 2002, @04:51PM
    • Re:Good for them by FrostyWheaton (Score:1) Sunday April 07 2002, @05:24PM
    • Re:Good for them (Score:5, Funny)

      by screwballicus (313964) on Sunday April 07 2002, @05:51PM (#3300788)
      Dr. Evil: Gentlemen, it's come to my attention that a malicious distributed computing scheme called Brilliant Digital will be setting into motion their trojan in a few days. Here's the plan. We R00T their server, and we hold the world ransom...
      (dramatic pause)
      Dr. Evil: ...FOR ONE MILLION DOLLARS!

      Number Two: Don't you think we should ask for more than a million dollars? A million dollars isn't that much money these days.

      Dr. Evil: All right then...
      (dramatic pause)
      Dr. Evil: ...FIVE MILLION DOLLARS!

      (uncomfortable pause)

      Number Two: Jon Katz alone makes over nine billion dollars a year.

      Dr. Evil: Oh, really?
      Dr. Evil: One-hundred billion dollars.
      (pause)
      Dr. Evil: OK, make it happen. Anything else?
    • Re:Good for them (Score:4, Funny)

      by s20451 (410424) on Sunday April 07 2002, @07:03PM (#3301056) Journal

      start blackmailing governments the world over by claiming to "0wn j00r 1nt4rw3b!"

      Or, in the immortal words of Jeff K. [somethingawful.com], "HAHAHHAHHAHAHHAHHAHAHAHAHAH HOW DO YUO LIEK THEM APPALS FELLOWS?!? GRABUALsA!!!!"

    • Re:Good for them by Skirwan (Score:2) Sunday April 07 2002, @07:15PM
  • Idiocy upon Idiocy (Score:1, Interesting)

    by Anonymous Coward on Sunday April 07 2002, @04:45PM (#3300518)
    So, basically, they inadvertently created a cluster that can be hit and effectively screw everybody over.

    Then this guy announces that he's found the cluster and that the reward for hitting these servers is beyond that previously imagined by HaX0rs.

    The /. points to this report and hypes the reward for the attack.

    Are we just begging for the l33t to attack? Please! Please! Please cripple and disseminate viruses! Things have gotten kinda boring?

    This is about as bad as the AP publishing Daniel Pearl's kidnapper's email address.
  • Cooperation is key (Score:2, Insightful)

    by jmulvey (233344) on Sunday April 07 2002, @04:45PM (#3300519)
    Interesting article. I think it effectively shows that Brilliant Digital -- along with just about 95% of our industry -- needs to learn that they can't just shove software down people's throats. Most interesting to these companies should be the legal liability questions raised.

    I'd expect these companies to start adding stuff into their installation legalese with something to the effect of, "You agree not to reverse-engineer anything we might be doing with your computer. You agree to sit back and relax while we adjust the horizontal and vertical"..
  • preview misleading... (Score:4, Insightful)

    by kritikal (247499) on Sunday April 07 2002, @04:48PM (#3300529) Homepage
    perhaps the whole situation isn't as bad as it seems. having read the article, one would realize that the author only hypothesizes on whether or not the network is secure. brilliant could have implemented all the things that he questioned as insecure. this is not a review of their technology, but rather a blatant guess at how their technology will work.
  • Doesn't XP already do this? (Score:4, Interesting)

    by bc90021 (43730) <bc90021 AT bc90021 DOT net> on Sunday April 07 2002, @04:48PM (#3300531) Homepage
    With the ability to remotely control a user's computer built into Windows XP in order to provide "tech support", isn't a good portion of the world already vulnerable to a well-written worm? See "Remote Assistance" at http://www.microsoft.com/windowsxp/home/evaluation / eatures.asp.
  • what nonsense (Score:1, Redundant)

    by Artifex (18308) on Sunday April 07 2002, @04:49PM (#3300537) Journal
    Even if you never touched KaZaA, your systems may be affected if someone manages to attack Brilliant Digital's update service.


    How? If I never touch Kazaa (that means, never install it), this article doesn't tell me how it can affect me. In fact, the article doesn't seem to say anything we haven't already heard in Slashdot before, about attacks through the use of DNS redirects or man-in-the-middle, etc. But how does it affect me, when I haven't installed the program?

    they have inadvertently created a Single Point of 0wnership: a single machine or small group of machines which, if succesfully attacked, can be used to gain effective control of the Internet.


    Okay, now this is total FUD. You're telling me that if they get hacked, the entire Internet is at the mercy of the hackers. Why is that?
  • by redelm (54142) on Sunday April 07 2002, @04:52PM (#3300548) Homepage
    OK. So KaZaa is a Trojan that could be hijacked by Black[er]Hats. So they can do DDoS against some sites. Why should I get my shorts in a knot?


    Some domains will get banned, and some sites will go down. The Internet carries on. Packets still get through.


    Yes, Trojans are bad. Hijackable Trojans are worse. Enough good reason to avoid them without hysteria.

  • Sleeze. (Score:4, Interesting)

    by mindstrm (20013) on Sunday April 07 2002, @04:53PM (#3300550)
    You know, EULA or not... what Kazaa did is slimy. VERY slimy. They deceived people into installing something and giving up something they know people will not realize they are giving up. It is deception, whether it fits the legal definition or not.

    I'm realistic... most people do not know or care of the difference, but they should.

    So my question is...

    What can we realistically do in order to force a bit more honesty in software providers?

    • Re:Sleeze. by glwtta (Score:2) Sunday April 07 2002, @05:04PM
      • Re:Sleeze. by norton_I (Score:2) Sunday April 07 2002, @05:16PM
    • Re:Sleeze. by asobala (Score:1) Sunday April 07 2002, @05:21PM
      • Re:Sleeze. by SuiteSisterMary (Score:2) Sunday April 07 2002, @06:44PM
    • Re:Sleeze. by VasilyPupkin (Score:1) Sunday April 07 2002, @06:48PM
    • Re:Sleeze. by Niten (Score:1) Sunday April 07 2002, @10:32PM
    • Re:Sleeze. by Anne Thwacks (Score:1) Monday April 08 2002, @03:44AM
    • Re:Sleeze. by Rogerborg (Score:2) Monday April 08 2002, @08:07AM
  • by sfrenchie (524076) on Sunday April 07 2002, @04:54PM (#3300556) Homepage
    This is great, I've never witnessed a prominent university's server get slashdotted so fast!

    Looks like those cs students will have to go back to the old drawing board!

  • Lawyer's heaven (Score:2, Interesting)

    by Eric Damron (553630) on Sunday April 07 2002, @05:04PM (#3300608)
    If I were part of Brilliant Digital, I would be bracing myself for lawsuits. The first DoS attack that comes from someone taking control of their trojans will open them up for big legal liability.

    No matter how many "We will not be held responsible" statements they have in their license agreement, they won't be held harmless from the damage done to a third party.

    When you think about it, any program that automatically goes out and updates itself could be a problem if a blackhat is able to fool the client into installing the blackhat's update.
  • What can we conclude? (Score:5, Funny)

    As such, all three proposed usages: Secure and secret storage, secure and secret computation, and secure content delivery, are all inherently flawed.

    This is all too true. Therefore, given Brilliant Digital's wicked corporate pedigree, we conclude that they must have a secret, sinister master plan that they're not telling us about.

    They've been clever enough to use evil plans as a smokescreen - the plans they've described are just wicked enough that you might believe that they really are brilliant digital's brilliant evil plan. This means that the real evil plan must be extra... brilliant.

    Basically, we can divide the possible real evil plans into three categories:
    1) Defense related. They're going to hack into NORAD, and hold the world hostage from skull island. The fact that this is physically impossible (because NORAD isn't connected to the public 'net, and so on) never stops Dr. Evil, so it shouldn't be a hindrance for Brilliant Digital.

    2) Biblical. Enumerate the billion secret names of god, conjure forth their lord and master, Satan himself. You all saw Warlock, right? Like that.

    3) Astronomical. I know that if I had the computing power of fifteen million consumer-level CPUs at my disposal, I'd use it to pull the moon into the earth. 'nuff said.

    Either way, we're talking countdown to doomsday, here, and only one man can stop them. I hope Brilliant Digital CEO Kevin Bermeister's mistress is played by Zhang Ziyi; she is so hot.
  • is the posting.... (Score:1)

    by C_nemo (520601) on Sunday April 07 2002, @05:13PM (#3300635)
    ...saying "Ownership" or "0wnership"?

  • 0, not O (Score:1)

    by *xpenguin* (306001) on Sunday April 07 2002, @05:13PM (#3300638)
    anyone else notice how the article title has a zero instead of an 'O'?
    • Re:0, not O by Anonymous Brave Guy (Score:2) Sunday April 07 2002, @06:15PM
      • Re:0, not O by supermoose (Score:1) Monday April 08 2002, @03:08AM
  • by Cally (10873) on Sunday April 07 2002, @05:15PM (#3300642) Homepage
    ...for slashdotting his own site
  • The post is a rant! (Score:1, Flamebait)

    by JDizzy (85499) on Sunday April 07 2002, @05:16PM (#3300644) Homepage Journal
    I took the time to read the linkage, but was very disappointed at the substance..... This was nothing more than a rant from a disgruntled college student. Obviously he is more emotional and passionate than he was logical and compelling. The arguments he raises have little weight, or simply state the obvious. There was zero information about anything practical, just conjecture, theory, and a bunch of what-ifs. The person who wrote the rant is nothing more than a teacher's aide at Berkeley... he is not anybody worth listening to, at least not until he gets his degree, and a few more years of wisdom.

    I think everyone can agree that Brilliant's sleeper software is dubious at best, a straight-up violation of law at the worst. However, this person's rant doesn't help anybody.
  • Hmmm.. (Score:3, Interesting)

    by ZaneMcAuley (266747) on Sunday April 07 2002, @05:20PM (#3300661) Homepage Journal
    Actually, I would hope this does happen. Why? Because it would put the frightners on FUTURE SPYWARE being installed and FORCE a GOOD SELF-DISCLOSURE POLICY STANDARD.

    It would kill EVERY SPYWARE ON THE PLANET.

    • Re:Hmmm.. by Aanallein (Score:2) Sunday April 07 2002, @05:56PM
      • Re:Hmmm.. by ZaneMcAuley (Score:2) Sunday April 07 2002, @05:58PM
  • by RadioheadKid (461411) on Sunday April 07 2002, @05:21PM (#3300664)
    c|net has an article [com.com] on removing this stuff, and kazaa will still work afterwords. Not much info besides goto add/remove programs and remove b3d, but at least they list what files should be removed.
  • D'you reckon someone should do some DNS hijacking and send code out via Brilliant Digital's 'Singularity' to wipe Kazaa user's hard disks? It would be better than a ten million user DDOS attack against who knows where, sent by a cracker with less ethical aspirations. And on the plus side, the Kazaa users would learn a lesson and remember it because it hurts to lose all your precious mp3, and maybe (IANAL) they would get to sue Brilliant Digital for negligence. Thus, three birds killed with one stone. (Bird 1 = Security Risk, Bird 2 = Ignorant Kazaa Users, Bird 3 = Brilliant Digital itself.)
  • This all applies to Grokster as well (Score:3, Informative)

    by markh1967 (315861) on Sunday April 07 2002, @05:26PM (#3300690)
    Just to make people aware that the trojan is also distributed with other FastTrack browsers such as Grokster. It is not just confined to KaZaA. I've never downloaded or installed KaZaA but I am running Grokster (with the spyware removed and dummy Cydoor DLL in place) and I was infected as well. If you're running Grokster, check out your Windows directory. If there's a folder in there called BDE and you aren't running the Borland Database Engine, then you're infected as well.
  • by TimFreeman (466789) <tim@fungible.com> on Sunday April 07 2002, @05:28PM (#3300698) Homepage
    The next evolutionary step after the Warhol Worm [berkeley.edu] is the Flash Worm [silicondefense.com] and the Extortion Worm [fungible.com].
  • Not just KaZaA! (Score:3, Interesting)

    by mcrbids (148650) on Sunday April 07 2002, @05:34PM (#3300725) Homepage Journal
    What about the Red Hat Network? I subscribe 'cause it makes my job as admin SOOOO much easier - but the RHN largely consists of servers with BIG, FAT PIPES.

    (Who'd use RHN over a modem line!?!?)

    Seems like this also might be an excellent point from which to launch a big DDOS attack, no? How closely does RH watch their servers?
  • Where do i sign up (Score:1)

    by bpb213 (561569) <bpbyrne@@@gmail...com> on Sunday April 07 2002, @05:40PM (#3300744)
    There is nothing which prevents a misbehaving client from only serving banner advertisements which say "Brilliant Digital and Doubleclick Can Bite My Shiny Metal Ass".

    Please, where do i sign up? :)
  • by nazgul000 (545727) on Sunday April 07 2002, @05:48PM (#3300774) Journal
    Seems to me that the most obvious "single point of attack" on the Internet is anything having to do with the Windows Update mechanism hardwired into Windows XP and, one would assume, all future versions of the OS... MS-bashing aside, I am certain that Microsoft has taken all reasonable precautions to prevent the co-option or subversion of this channel into millions of computers, but the fact remains that Windows Update is proprietary "security through obscurity..."

    on a related note, does anyone have any insight as to HOW the MS Windows Update mechanism works, and how it is secured? Seems as though it must run on a massive server installation, given how much traffic it has to handle...
  • by infonography (566403) on Sunday April 07 2002, @05:54PM (#3300808) Homepage

    It's too easy for the script kiddies to hijack. Any distributed system that has more than one single purpose (i.e. SETI) is going to be used by someone else.

    Download the app

    fire it up

    watch the port activity. Get the code.

    Seti's FAQ

    "The data server doesn't download any executable code to your computer. "

    Can we trust Brilliant Digital to build in such safeguards? I trust Seti mostly for pure motivation.

    I have thrown a lot of time and effort into securing my systems. I am not going to drop my pants for some lame deal like this. Just say NO to distributed DOS...

    --

    Just say No to Religion.

  • Expect more of this! (Score:5, Insightful)

    by MavEtJu (241979) <`gro.ujtevam' `ta' `niwde'> on Sunday April 07 2002, @05:55PM (#3300812) Homepage
    Early 90's, the (usenet) world was shocked by the fact that somebody abused the network to send spam.

    Early 00's, the (slashdot) world is shocked by the fact that people don't care about installing spyware / trojaned software.

    Be afraid, be very afraid.
  • by Pedrito (94783) on Sunday April 07 2002, @05:57PM (#3300831) Homepage
    The internet has been relatively insecure since day one. It's no one particular company's fault or one particular person's fault. The internet protocols weren't originally designed to prevent massive DDoS attacks. It wasn't designed to be particularly secure on the individual machines because when it was originally created, the network was secure by the fact that every computer on it was known. The number of computers didn't extend into the thousands, probably until the 90s, and even then, it was about 98% educational institutes, DOD, and companies.

    Any competent programmer, familiar with several TCP/IP protocols, and TCP/IP programming, could easily bring the internet to a grinding halt. The fact that it hasn't happened in years (1988 with Robert Morris' infamous internet worm) is what astounds me.
  • Anti-Virus Programs (Score:2, Insightful)

    by Reknamorken (526925) on Sunday April 07 2002, @05:58PM (#3300835) Homepage Journal
    I would guess that nearly 100% of /. readers have an Anti-Virus scanner of some sort loaded on their desktop/laptop. These all have systems that are designed to automatically d/l updates, including core functionality/engines.

    I have seen TrendMicro's PC-Cillin d/l executables before.

    So, while Brilliant Digital is out of line and while Weaver makes good points, the reality is that this threat has been around for a very long time.

    For that matter, have you considered what might happen if someone 0wns the Akamai system?

  • by psychosis (2579) on Sunday April 07 2002, @06:12PM (#3300890)
    Since installing Ximian is "conveniently" performed by running "lynx -source http://go-gnome.org | sh" (as root, of course), what happens when someone registers go-gnom.org or similar typos? (Credit to my brother for thinking of that one.)
    Now I did issue the above command, but ensured that the DNS records were compliant and my local DNS server reported the same distant end IP as the authoritative one for the domain, but I doubt many folks do the same.
    Also, when installing packages via RedCarpet (again, has to be done as root), what are the cryptographic signatures checked against? (Note: I haven't even researched this. Just typing off the top of my head...) I would hope that the proper response from GPG is hard-coded in the red-carpet binary...
    Basically, I think that a lot of new update technologies are vulnerable to this - from windowsupdate.microsoft.com as mentioned in the article to more trusted (by this community, anyway) sites. Semi-automatic updating is great, but it still takes people at the keyboard to think before they do something. Not likely to see a widespread change in that mentality for some time to come.
  • by Mushy (143625) on Sunday April 07 2002, @07:23PM (#3301126)
    Just an FYI.
  • by shird (566377) on Sunday April 07 2002, @08:10PM (#3301247) Homepage Journal
    If this 'Brilliant' software presents a serious threat to the security of your system, (ie a trojan), AV vendors will add a signature to their database which should detect and remove the trojan. They do afterall detect and remove rogue distributed.net clients which are distributed maliciously, so why not this?

    The only difference - this is being spread by a known company, and is likely to retaliate with lawsuits etc if the AV vendors do add it to their database. I personally have had some of my programs marked and detected as trojans by AV vendors (password revelation software, and clearly marked and distributed as such), but I can see these guys getting away with it though.
  • by DebianGeek (92502) on Sunday April 07 2002, @08:54PM (#3301345)
    All Brilliant Digital has to do now is read your hidden log files to find out where you've been, what you've seen, etc. Check out http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml
  • by drik00 (526104) on Sunday April 07 2002, @09:48PM (#3301475) Homepage
    Far be it from me to do anything of the sort, but some of these "hacker" groups should make themselves useful and attack Brilliant's systems, instead of Yahoo or something *beneficial* to the Internet.

    I say hit 'em, and hit 'em hard...let them know what we think.

    To paraphrase Malcolm X,

    We didnt land on your advertising, you crammed your advertising down our throats without asking, bitches

  • Solution to the Kazaa problem (Score:3, Insightful)

    Instead of following HeUnique's instructions to get rid of Kazaa's spyware, try this:

    DON'T INSTALL IT TO BEGIN WITH. ;P

    tempest303, continuing his crusade to troll people that think fair use means never paying for media.
  • The guy is right. It's serious. (Score:5, Insightful)

    by Animats (122034) on Sunday April 07 2002, @10:29PM (#3301562) Homepage
    He's right. Brilliant is a push-type peer to peer auto update system. (See page 11 of the Brilliant SEC filing. [sec.gov].) This allows an attack to hit a huge number of clients in a short period of time, with no user intervention and no user visibility. Worse, because it's a peer-to-peer system, clients know where to find other clients and can talk to them, so propagation would be far more effective than for most viruses. That's much more powerful than sending "I send this to you to get your advice" to everybody in the Outlook address book.

    There's no need to take over the Brilliant servers. An attacker should be able to do it all from any suitably modified Brilliant client.

    If someone writes an effective Brilliant-based attack, it might contaminate most of the clients in a very short period of time. And most of them wouldn't even notice, until it was too late.

    Brilliant isn't exactly a tech-savvy company, either. Their previous business was producing hip-hop videos. They have 18 employees. Plus one software consultant. (Read their SEC filing. [sec.gov]) They have no track record of producing secure systems. They make no claim that their product is secure against external takeover. And they don't have enough assets that if they screw up, they'll be able to pay for the damage.

    If you have responsibility for any computers that do anything important, scan them all for this program immediately, remove it, and block it at your firewall.

    It's possible that the Brilliant "projector" is so secure that it can't be used as a pathway for an attack. But without independent verification of its security, it has to be viewed as highly dangerous. All it takes is a buffer overflow and some carefully crafted "ad content" to use this as a virus distribution system.

    Some of the same potential vulnerabilities apply to other peer-to-peer systems. Netnews/NNTP, for example. But Netnews is typically run on UNIX machines under its own userid, so even if an exploit in it exists, it can be contained within the Netnews world. And it's a mature system; the obvious holes were plugged long ago. Most of the other peer-to-peer systems, like Gnutella and Freenet, are pull-type systems; they only bring in content when the client asks for it in response to a user request. That slows down propagation and associates it with specific content, like an ordinary virus. But Brilliant, from their description of what they do, pushes automatically and peer to peer. That's much more dangerous.

  • When it wakes does it Yell "THE SLEEPER HAS AWAKEN!" ?

    Lame? Yes, but I couldn't resist :)
  • Porn (Score:2)

    by NineNine (235196) on Monday April 08 2002, @02:07AM (#3302003) Homepage
    All I can figure is what they're *really* planning is the world's best porn-harvesting tool.

    Genius.
  • From the article: And yes, this problem has existed for a considerable period of time, with Microsoft automatic updates (starting with ME and continuing in XP) being the most widespread possibility. But this is the first time we have had a company with such willful ignorance of security (based on their business plan) distributing an autoupdating piece of code.

    Er, uhm. Is he talking about Microsoft here, or the Kazaa people??

  • by pod (1103) on Monday April 08 2002, @02:26AM (#3302035) Homepage
    Any attacker who can control 100,000 machines is a major force on the internet, while someone with a million or more is currently unstoppable: able to launch massively diffuse DDOS attacks, perform needle in a hayfield searches, and commit all sorts of other mayhem...

    Doesn't take an attacker to bring about mayhem. I think we can safely trust BD to screw up their very first release (if it ever gets that far). I bet their little P2P scheme will DDoS SOMETHING purely unintentionally through incompetence (of which they've shown plenty so far).

  • by sergeaux (173747) on Monday April 08 2002, @06:46AM (#3302363)
    The problem is that P2P really impacts sales of recording monopolies a lot. So, the confounded spyware hype is created to divert people from using P2P tools.

    It is the recording companies who make those who develop P2P networks include spyware into their client software, and not for the sake of the information this software can collect (though it is quite useful too), but TO MAKE PEOPLE AFRAID OF INSTALLING P2P BECAUSE OF SPYWARE.

    Sic
  • by jacquesm (154384) on Monday April 08 2002, @07:59AM (#3302514) Homepage
    Every worm has a payload; you can make a signature of the payload packets, then you could instruct several backbone routers to drop packets that match that signature. This would move the response to virii from the end user to the maintainers of the backbone, and it would slow down the propagation of a worm or virus once detected.

    Of course such a system could also be hacked :)
  • by Bastiaan (153444) on Monday April 08 2002, @08:51AM (#3302673)
    It just occurred to me that there's one party that's very interested in getting access to the machines of all those "KaZaa pirating bastards".
    Rather than playing out Dr. Evil scenarios to attack NORAD, Brilliant simply sells its assets to the RIAA, so they can finally finish that distributed processing run of 'format C:'
  • I wonder... (Score:1)

    by iwrigley (78138) on Monday April 08 2002, @10:34AM (#3303238)
    ...what Brilliant's response would be if anti-virus companies added definitions to their software that would seek and destroy the client. Or if Microsoft created a 'security patch' that disabled/removed the software.
  • by Animats (122034) on Monday April 08 2002, @10:09PM (#3307535) Homepage
    See this alert [ucdavis.edu]. They view the Brilliant system as unauthorized commercial use of University of California resources.
    • You may receive offers for gift certificates and free videos in exchange from Brilliant Digital, or a subsidiary, for permission to use your computer and network connection for use of your computer and network resources. Please be aware that commercial use of university computing and network resources that has not been authorized by the University of California is a violation of the campus acceptable use policy. In addition, granting an external organization permission to use your computer could jeopardize the integrity and availability of your computer and data as well as impose risks to your personal privacy.

      If you permit your computer and a UC Davis network connection to be used for unauthorized commercial use, such use will be a violation of the campus acceptable use policy (PPM 310-16, Exhibit A). We advise you to respond negatively to a Kazaa, or Kazaa affiliate request to use your computer and UC Davis network connection for commercial use that has not been authorized by the University of California.

      A violation of the campus acceptable use policy could result in the temporary or permanent loss of access privileges or the modification of those privileges. Violators may be subject to disciplinary action up to and including dismissal or expulsion under applicable University policies and collective bargaining agreements. Violators may be referred to their sponsoring advisor, supervisor, manager, dean, vice chancellor, Student Judicial Affairs, or the Misuse of University Resources Coordinating Committee or other appropriate authority for further action.

  • Re:Any comments? (Score:5, Insightful)

    by Slash Veteran (561542) <slashvet@hotmail.com> on Sunday April 07 2002, @04:39PM (#3300488)
    I mean, if I were to attack the Internet root DNS servers, couldn't that cause all sorts of problems?

    The difference is: we TRUST the owners of the root servers to keep their systems secure. The owners of KaZaA don't have the same track record.

  • Re:Any comments? (Score:5, Informative)

    by DCram (459805) on Sunday April 07 2002, @04:43PM (#3300510)
    From the article the other day on root DNS servers.
    Story [slashdot.org]
    For the "internet" to be greatly affected multiple root servers must be brought down.

    "The DNS is built so that eight or more of the world's 13 master root servers would have to fail before ordinary Internet users started to see slowdowns, according to John Crain, manager of technical operations for the Internet Corporation for Assigned Names and Numbers (ICANN)."

  • by MillionthMonkey (240664) on Sunday April 07 2002, @05:57PM (#3300832) Journal
    Come on. Look at the page. There are no banner ads or images. It's all handwritten HTML, totaling up to less than 8K of static content! The guy probably designed the page to withstand a slashdotting. Control-V posts are helpful in some cases. Like when the site requires "free registration", or when people are actually bitching they can't read it and you have it in your cache. If this particular Control-V gets modded up, it's proof that the moderator hasn't even tried to read the article.
  • Re:subject (Score:2, Interesting)

    by _Knots (165356) on Sunday April 07 2002, @08:31PM (#3301286)
    Automagic updates are all well and good, as long as there's good authentication, preferably good encryption, and at least some amount of "Hey, User, you want to install this?" with the default being [Yes], not no, and of course a pointer to more information.

    Brilliant here has (apparently?) done away with all three. They just do it (like Nike), and from the sound of the article, they are not even very secure about the way they do it.

    The reassuring thing (for the moment) is that so far these tactics of behind-the-scenes trojans have been confined to leaf nodes - to my knowledge, no routers etc. have had this kind of shit happen to them. As long as the major routing backbones of the internet never become 0wned, there's a modicum of hope for restoring order to the network (banning IPs at the fringes of the backbones until they shape up?) should an emergency occur (banning IPs always scared me, so I don't necessarily like that solution, but it's the easiest and the one that jumped to mind first. I'm sure people more clever than I can think of better ones).

    OTOH, 1M fringe nodes can, as the article says, be unstoppable. If somebody were truly evil and wrote a decentralized worm (never called home, only talked with other copies of itself), it would be incredibly hard to stop such a beast, and the DDOS commands could be given in an anonymous, untrackable way (can anybody imagine the worms playing Dining Cryptographers? ^_^) [Dining Cryptographers would be anonymous as long as the line wasn't tapped. And I'm sure with some good encryption over the links, it'd be anonymous for all practical purposes anyway.]

    Y'know, as bad as it'd be, I'd want to see such a worm (just its source, I *swear* - I'm not about to go risking the internet's well-being - you have to admit it'd be an interesting read). Maybe the vx community has something similar as a proof of concept?

    -Knots
  • Re:How? (Score:2)

    by Todd Knarr (15451) on Sunday April 07 2002, @09:01PM (#3301369) Homepage

    The Brilliant client gets executable code downloaded from the Brilliant servers and download of the code is under the control of the servers, not the client. If someone got control of the Brilliant servers they could download code to your machine that either used your access or exploited a security hole to gain admin access and completely compromise your machine. It could then set up a server like Back Orifice and wait for orders.

    Scenarios like that are one reason I refuse to install software that does things under the control of someone else's servers. I can control my machine and what I do, I can't control their servers and what they do, and if I don't have control I have no way of ensuring that nothing happens that breaks security.

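As an added illustration of the "good authentication" that _Knots asks for and the server-controlled code download Todd Knarr describes above (example code written for this page, not Brilliant's or any project's own; the Manifest layout, the function names and the key pairs are constructed assumptions): a client runs pushed code only if the vendor's pinned offline key signed its manifest and the payload matches the signed hash, so neither a compromised server nor a "suitably modified" peer can inject its own payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update; only the vendor's offline key can sign it.
type Manifest struct {
	Version     uint32
	PayloadHash [32]byte
	Signature   []byte
}

// signedBytes serialises the part of the manifest the signature covers.
func signedBytes(m Manifest) []byte {
	buf := binary.BigEndian.AppendUint32(nil, m.Version)
	return append(buf, m.PayloadHash[:]...)
}

// SignManifest is the vendor-side step (hypothetical name; done offline).
func SignManifest(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	m := Manifest{Version: version, PayloadHash: sha256.Sum256(payload)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate is the client-side gate, whatever server or peer delivered the update:
// the payload may run only with a valid vendor signature and a matching payload hash.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(vendorPub, signedBytes(m), m.Signature) {
		return errors.New("manifest not signed by the pinned vendor key")
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return errors.New("payload does not match the signed hash")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)  // key of a compromised peer
	payload := []byte("constructed sample update payload")
	fmt.Println("genuine:", VerifyUpdate(pub, SignManifest(priv, 2, payload), payload))
	fmt.Println("rogue peer:", VerifyUpdate(pub, SignManifest(rogue, 3, payload), payload))
}
```

The private key never leaves the vendor; clients carry only the public key, so relaying manifests peer to peer costs nothing in trust as long as the client refuses to execute anything VerifyUpdate rejects.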