Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the enitre IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."

So this is what?

[Anonymous Coward]

267 months in federal prison?

Re:So this is what?

[Hatta]

The FBI only cares if you embarass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

BitTorrent

[kramer2718]

The FBI only cares if you embarass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

Or if you use BitTorrent for completely lawful purposes.

Re:

[Byrel]

Downloading copyrighted material? You mean, like everything? This post is copyrighted under US law! It's actually a matter of licensing.

Re:

[Farmer Pete]

I agree that it's better to watch 9 guilty men go free than convict one single man who is innocent, but that argument is flawed. Given the opportunity, I would come up with a new system to convict the 9 guilty men and let the one innocent go free. Or in this case, if BitTorrent is 95% used for illegal activity, there is no reason that bittorrent can't be made illegal, as long as a suitable replacement for the 5% legal use of Bittorrent.

Re:

[spire3661]

What is flawed is thinking you can develop a perfect justice system. When you wield life and death, it will ALWAYS be better to let 9 guilty go free vs imposing your tyranny on one. Why on earth would we outlaw an extremely well thought out tech to prop up THE ARTS?????? Seriously, fuck off you luddite.

Re:

[spire3661]

You really should stop talking about governance and law, you are in WAY over your head. Do not understand that bittorrent has SUBSTANTIAL non-commercial uses? Even on the commercial side, Blizzard Entertainment uses Bittorrent to distribute its (very large) patches and has for years. Most linux distros are available via bitorrent. These are not insignificant use-cases. Further, HTTP is used to facilitate a vast amount of piracy as does FTP, IRC, email etc so on and so forth. Should we ban them too?

Re:BitTorrent

[viperidaenz]

No one is refusing to prosecute illegal activity on peer to peer networks. There is a 3 strikes law in my country with the specific purpose of doing exactly this.

What is wrong is making the mechanism illegal because it can be used for illegal purposes. It's like banning teaspoons and lighters because people use them to take drugs.

Should it be illegal to buy steak knives, because people use them to commit murder?

Re:

[Stalks]

Bittorrent is an easily replaceable protocol. Going after it isn't going to stop any piracy. Its like outlawing a model of car because they're being used to traffic drugs.

Bittorrent is just a vehicle, of which there are 100's of different types to choose from that will replace it.

Re:

[viperidaenz]

It was perfectly just to burn a woman at the stake because they voiced an opinion the church didn't agree with. They must have been a witch.

Wait a minute...

Re:

[viperidaenz]

and 3 days later, that replacement will be 95% used for illegal purposes.
Please describe a network that can't be used for illegal purposes, yet removes the burden of bandwidth from a central source.
I just downloaded 8GB via Bittorrent from Blizzard. If every one who bought Heart of the Swarm downloaded it at the same time from a small number of user, the internet would fall apart. Or at least the international links will slow down considerably. (the installer insisted on downloading it all, even though the

Re:

[AaronLS]

This is the same principle for a good spam filter.

Re:

[moeinvt]

"The FBI only cares if you embarass a major campaign contributor..."

Unauthorized access to a government computer is a crime, even if you don't do any damage. The degree to which they will go after you and any resulting penalty will depend on whether or not the government likes you.

Re:

[Spiridios]

"The FBI only cares if you embarass a major campaign contributor..."

Unauthorized access to a government computer is a crime, even if you don't do any damage. The degree to which they will go after you and any resulting penalty will depend on whether or not the government likes you.

J-walking is a crime. Just because it's illegal doesn't mean you will be prosecuted for it.

Re:

[bhlowe]

AT&T Is not the largest campaign contributor.. Act Blue, Nation Educational Association, and American Fedn employees unions all spend more. AT&T is the biggest "non-partisan" campaign contributor. Source: http://www.opensecrets.org/orgs/list.php [opensecrets.org] The Republican's complain of union money... the Democrats complain of the Koch brothers and the NRA..

Re:So this is what?

[juancn]

He did 420000 intrusions, it's probably a lot more than that. In NY it would be up to 420000 years just for unauthorized computer use I believe.

Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumman probe [wikipedia.org].

correction

[slashmydots]

All data gathered during our research is released into the public domain for further study

More like: All data gathered during our research is released into the public domain for further getting the researchers arrested for unauthorized access and usage of computers systems. It adds up to almost 1 million years in prison if it's under current US law (I used that high school teacher who loaded a folding @ home calculating screen saver onto all school computers as a rough basis for the math. He was on the hook for like 300 years in prison).

Re:correction

[ls671]

So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
Mar 19 14:08:24 myhost sshd[15473]: Failed password for root from 58.247.50.59 port 59984 ssh2
Mar 19 14:08:22 myhost sshd[15471]: Failed password for root from 58.247.50.59 port 59254 ssh2
Mar 19 14:08:19 myhost sshd[15469]: Failed password for root from 58.247.50.59 port 58527 ssh2
Mar 19 14:08:17 myhost sshd[15465]: Failed password for root from 58.247.50.59 port 57790 ssh2
Mar 19 14:08:16 myhost sshd[15463]: Failed password for root from 58.247.50.59 port 57082 ssh2
Mar 19 14:08:13 myhost sshd[15461]: Failed password for root from 58.247.50.59 port 56363 ssh2
Mar 19 14:08:11 myhost sshd[15459]: Failed password for root from 58.247.50.59 port 55647 ssh2
Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 58.247.50.59 port 54922 ssh2
Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 58.247.50.59 port 54195 ssh2
Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 58.247.50.59 port 53487 ssh2
Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 58.247.50.59 port 52734 ssh2
Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 58.247.50.59 port 52018 ssh2
Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

Re:correction

[butalearner]

Why no fail2ban [fail2ban.org] or DenyHosts [sourceforge.net]? I suppose my sshd doesn't allow root login so stuff like that showing up on my logs is not a big concern anyway.

Re:correction

[Lumpy]

After 1 attempt for ROOT I blackhole the ip address for 90 days Nobody should ever try to log in as root, so any login attempt should black hole that IP forever. 3 minutes of script writing is all it takes to do that.

Re:

[Lost Race]

99.9% of the time those are (1) someone goofing around, not a real threat, or (2) drive-by from a botnet, never going to hit from that address again. So you're adding complexity and extra points of potential failure to your router with no real benefit.

Obviously I pulled that "99.9%" figure out of my ass, but seriously, whom do you think you're protecting yourself from with this script?

Re:

[michelcolman]

Lots of people use dynamic IP addresses. The address you are blocking now, may well belong to a perfectly innocent user tomorrow. You're blocking the wrong people.

Re:

[jimwelch]

Sounds like a good way for someone to shutdown your internet. Fake a root login attempt from every IP. You will lose all incoming internet for 90 days.

Re:

[Menkhaf]

Yeah, good luck trying to guess the sequence number needed to establish a TCP connection. This hasn't been an issue since, I don't know, the 90s?

Re:correction

[viperidaenz]

Just take a root login attempt from slashdots hosts. Then we won't have to hear from him for 90 days.

Ahahahaha (horrormirth)

[inode_buddha]

I don't know if it's hilarious or frightening that they did this with default words. I *do* wonder if they;re going to get into some trouble for doing this tho. You could make some serious money off a botnet like that.

I can see where this is going

[Daetrin]

Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.

They're so going to jail. [slashdot.org]

Re:

[Virtucon]

That's what I was thinking, if the CFAA doesn't apply in this case, it needs to be retooled or scrapped altogether. They've now made their findings public, which strangely enough is just the kind of case the DOJ has been going after.

Re:I can see where this is going

[Anubis IV]

If you're an ethical researcher wanting to run a distributed scan of the 'net, the proper way to do it is to use something like PlanetLab [planet-lab.org], which has been designed for uses like that and is freely available for research use. It's what everyone else uses, and it works great. Either that, or go and use your grant money to provision yourself appropriately for a job like this, which is what we did when I was in grad school. Commandeering routers and other devices for personal use is inexcusable.

Honestly, my first thought was, "What research ethics committee gave him the go-ahead?" My guess: the researcher didn't ask, because none of them would ever let him do it. Besides consuming bandwidth for tens or hundreds of thousands of Internet users without their consent (some of whom were likely capped), he's also loaded code onto their machines: code which they have no guarantee will work as expected in all circumstances. In fact, for all they know, they may have bricked tens of thousands of devices without realizing they did so, then taken their lack of response later as a simple incompatibility with his code.

When I was in grad school, we were doing web crawler and search engine research that was considered to be a bit on the edge of what was permissible (and our work resulted in serious threats of lawsuits aimed at our university), but we would never consider doing something like what they did. No credible conference or journal would publish this sort of work either, which is as it should be. Researchers have a responsibility to act responsible, and this anonymous one didn't.

Also, you've said it was useful research, but it really wasn't. These vulnerabilities are widely documented, and those researchers were not only able to publish earlier, they were also able to do so without engaging in gross ethical violations.

Re:

[Anonymous Coward]

Beauty of the internet: you don't need the cooperation of a responsible conference or journal to get published.

Re:I can see where this is going

[ThatsNotPudding]

Honestly, my first thought was, "What research ethics committee gave him the go-ahead?"

The Google Street View ethics commitee?

Re:I can see where this is going

[Baloroth]

Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed. They're so going to jail. [slashdot.org]

Of course. They used broke into others computers, uploaded and executed binary files on them, without their permission, for their own purposes. That is both illegal and unethical. They should be punished for that.

The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime). The ends do not justify the means. Breaking the door of a house down to tell the owners their door is easily broken down is still breaking and entering.

Re:

[DarkOx]

I would be willing to entrain the argument if your device is set the the manufacturers default published password with no banner making it clear the service is supposed to be publicly accessible; its not very analogue to breaking and entering.

Its much more like you have locks on your house but don't use them; and someone lets themselves in, has a look around does no harm and does not remove anything. No its still not allowed, you can't just march around someones private property with no expectation you wou

Re:I can see where this is going

[mcgrew]

No, they left binaries on the devices and took data. That's more analogous to someone going into your unlocked house and trading your copy of LOTR with a candy bar wrapper left on the floor. Much more than simple trespass, it's trespassing, littering, vandalism, and theft.

Re:

[fuzzywig]

They left the binaries in RAM, so just a reboot would remove them. They also left a text file with contact info and an explanation in, and they didn't take data from the affected systems, they used the systems to probe other IPs.

There's not really a physical analogy that fits here but the only damage they did to each individual device would be to slightly raise it's power consumption and bandwidth usage. Insignificant to any individual, although it might well have added up to quite a lot.

Re:

[Lazere]

The internet's a bad neighborhood. If you're in a bad neighborhood and don't lock your doors, then you do deserve some of the blame. Yes, the people that actually did it are horrible and should never have done it, but you knew where you were, and you knew the potential consequences for leaving your door unlocked.

Re:

[Hentes]

They deployed a botnet using other people's machines for their research. While I find it cool at some level, it's also definitely illegal.

Re:

[jeffmeden]

It was included in the very interesting report... 400 million or so that replied to pings (about 15% of all the possible valid addresses). That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter). Many huge blocks are allocated to groups that couldn't possibly use them, such as developing nations or specific institutions with a relatively small number of users/servers.

Re:

[0123456]

That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter).

I believe you'll find that Windows 7 defaults to blocking pings now. None of our Windows 7 machines respond to them.

Re:

[wolrahnaes]

That depends on what you answer when asked what type of a network you're on. Public puts the firewall in to lockdown mode, Home and Work are pretty much identical and allow normal local network traffic.

If they're directly internet connected and answered correctly they should be blocking most traffic, but directly connecting a machine to the internet these days is rare due to the general demand for wireless and multiple devices.

Blocking ping outright is pretty dumb overall, IMO. It removes a useful diagnos

Re:

[Beardo the Bearded]

My router drops all ping requests.

Re:I can see where this is going

[Flea of Pain]

Oh ya? My router drops ALL requests...

It may be time for a new router.

Re:

[nullchar]

But do you have any open ports on your router?

From the paper:

420 Million pingable IPs + 36 Million more that had one or more ports open

Your router may be counted in the 36 million non-pingable but still had an open port.

Good tester , A+++++

[alphatel]

Thanks for your test of the internet devices. Although I do not know what this means we have been able to determine that you have committed several criminal acts, and should expect at least a few years of jail time. Don't worry though, it's all for the greater good.

enitre

[1u3hr]

"scan the enitre IPv4 address space."

Slashdot "editors".

Otherwise, this seems even more blatant than the case a few days ago: 41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses [slashdot.org]. And these guys actually cracked passwords, despite them being trivial defaults, that still crossed over a legal line.

Re:

[SJHillman]

If they scanned the entire (or enitre) IPv4 space, I wonder if they found an unsecured router at 192.168.1.1. That's where I usually find one.

Re:

[Nadaka]

ha, mine is at 192.168.1.2, good luck cracking that one open!

Re:

[NatasRevol]

Mine's on the SUPER secret 172 address space. No way I'm giving out the rest of the octets!

Re:

[SJHillman]

You must be a moron for it to go so far over your head. And you forgot 172.16.x.x-172.31.x.x and 169.254.x.x

Even if it's non-routable, it'd still be part of IPv4

Re:

[Anonymous Coward]

Yeah, but what about the all the people who actually *chose* those passwords?

As a tax payer, don't waste my money

[Anonymous Coward]

If no actual harm was done then chasing after the researchers for prosecution is a waste of public money in my opinion, speaking as a tax payer.

And I mean actual harm, not the made-up harm of "unlawful use of computer equipment" or similar ones which are just infringements in principle, without actual harm done.

There are so many really bad guys out there to chase that this researcher should be way down on the priority list for enforcement, or using a bit of commonsense, not on it at all. And if he is ide

Re:

[TheSkepticalOptimist]

Oh buddy, if you only new how much of your taxes were wasted you would die several hundred deaths from apoplexy. This would be a drop is a very very large bucket.

Re:

[Farmer Pete]

I would say that about 50% of your tax money could be literally burnt in a fire and no one would notice a change in the services provided. Of the remaining 50%, I would guess that half of that is used for programs the government has no business dealing with. So I'd guess that only about 25% of the total you pay in taxes is really necessary. The number would be incredibly less if you aren't considering SS.

Re:

[RandomFactor]

If s/he was truly careful enough that no systems showed issues and noone noticed, it is entirely possible law enforcement won't pay much attention (no complaints, bigger fish). Just needs to be careful not to fall into their laps.

Still, I wouldn't be surprised if some of the security research community doesn't take at least a passing look at things to see if they can track back to the author.

Re:

[moeinvt]

As long as you pay the taxes in full and on time, the government doesn't give a damn about what you think.

Comment removed

[account_deleted]

Comment removed based on user account deletion

re: not about the technical situation

[King_TJ]

I have to disagree with you on this....

First of all, I'm not sure there's really that much useful gained from such a project? An Internet Census for 2012 made with questionable code loaded onto all sorts of devices in unknown states without anyone's permission? How much validity can I put into those results? (How many devices didn't perform as intended while doing the port scans due to all sorts of possibilities outside the control of the people doing this research? Anything from people having firewalls b

Re:

[malakai]

Only new technical implementation is via the Torrent link, you can download his database which has the responses for different Ports. With a simple query of his DB, you can tell the vulnerability of an IP address...

Takes the guess work out of it really... That's something new, in the sense that the every day script kiddie didn't have this prior to this research release.

After a reboot ...original state

[Dareth]

"After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore."

How do you calculate damages for lost uptime?

Re:After a reboot ...original state

[malakai]

They didn't force the reboot. So they don't need to calculate for lost uptime.
But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.

What they really got 'lucky' on, is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in distributed DOS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky, because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.

That said, your test environment is rarely a perfect simulacrum for the real world.

It's a very scary grey hat project. I thought this finding was interesting though:

So, how big is the Internet?
That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

Based in their rather thorough analysis, only about half the IPV4 address space is being actively used.

I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...

Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....

Inoculation can kill though...

Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

Re:

[melikamp]

It's a very scary grey hat project.

This is a black hat project because computers and resources were used without owners' knowledge or consent. They said they reverted them to the pre-hack state, but they can't even begin to justify this claim, since they have not a slightest idea about the respective OS configurations. The motive had a selfish component: fame. I would call it a grey-hat hack if it provided significant benefit to people whose computers got hacked, but this is not the case here.

Guy deserves any jail time he gets

[byeley]

While I personally support this kind of research,

The author is presumably an academic or industry professional (based on the formatting). As such, he knew what he was doing was illegal and had a significantly detrimental effect on low-resource systems. Furthermore, he can't blame a conviction on over-zealous prosecution or recent anti-hacker sentiment because he's obviously emulating Robert Morris (who received three years jail time for the Morris worm - convicted in 1990).

I also question how useful his sci

Which is why

[Overzeetop]

Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)

Expand this into survey research

[coldsalmon]

Have a team go door-to-door during working hours, when most people are not home. If they find an empty house with an unlocked door, go inside and use the phone to call a bunch of people and conduct your research. As long as you publish the addresses of all of the houses for academic purposes, nobody should mind.

Why are there no counter attacks?

[TheSkepticalOptimist]

I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

Re:

[Stuarticus]

I have a program that will do all this and make the hackers computer explode, email me $500 to buy it.

Re:Why are there no counter attacks?

[Jah-Wren Ryel]

I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

Because it is a terrible, terrible idea. If automated counter-attacks were to become the norm, then all it would take to start a "war" between two groups is for someone to compromise just one system at the first group and set it to attacking the second group. Think mutual assured destruction except Anonymous has their finger on the button and it's labeled "lulz."

Re:Why are there no counter attacks?

[Cassini2]

This used to be done, back in the early dails of email and usenet. If someone was sending spam, someone else would send their server 10,000 email messages and knock if off line.

It doesn't really work anymore:
a) Users are dumb - they don't even know their account/computer has been compromised, and might not care even if it has.
b) One mail server serves millions of users. That means millions of people pay the price for the actions of one bozo.
c) Revenge mails look like spam. It gets the sender blacklisted.

Re:

[GameboyRMH]

The hacker's system has to be vulnerable to the "counter measure." So for a telnet connection for example, there would have to be a vulnerability in the telnet client. There is such a thing as an offensive strike but it's not like IRL kinetic warfare where you can just hurl a thing at another thing.

Re:

[bbartlog]

I think the technical difficulties are greater than you are making them out to be. You're talking about trying to automatically pwn some unknown box that just contacted yours. Unless the hacker is really stupid, he's not going to have the kinds of open ports, services, and other associated vulnerabilities that many internet machines would have. The utmost you could plausibly do is DDoS the attacker, if you happen to have your own botnet handy. Furthermore, the odds that the attacker is using some third part

Fiction

[Lost Race]

I'm pretty sure this story is a very elaborate piece of fiction. That makes way more sense than somebody clearly so smart going to so much trouble to earn themselves a life sentence in prison.

Maybe last year we could expect someone to do this for real, but not this post-1/11 world.

Announced a free DDOS engine

[mattr]

The only result I can see from this guy's "research" is to announce to the world the existence of a low barrier to entry DDOS platform.
What could possibly go wrong...
I'm tired of seeing people jailed who are curious about security. But he needs a clue. Guys like this are why I expect Bill Joy wrote his treatise. One man's Epic h4ck is another man's Epic FAIL.
Of course his ethics are canted at an angle to reality, but if he had just gone a bit farther off the deep end and actually fixed all the password vuln

Where is the manufacturer's responsibility?

[sl4shd0rk]

I see a lot of people complaining about the actions of the researcher, but what about the actions of the manufacturer? If Medeco made a lock that had the equivalent of "admin/admin telnet" on it, they'd be strung up. I'm not saying the researcher is not responsible for his actions, however putting all the blame on him isn't reasonable either.

Re:"researcher"? Hardly.

[plover]

If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

And how do you know he didn't conduct these scans from his underground lair? For all we know, he may even own a Persian cat!

Re:

[tqk]

If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world) ...

What "infection" did this researcher transmit to his "victims"? Isn't this more like someone offering free susceptability tests? They're on the net, meaning they're open to the offer. The net's always a potentially dangerous place if you're connected to it. Researcher tests to see if they're in any way vulnerable. Shazam, they are. Where's the story?

Re:

[malakai]

He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.

This isn't just checking ports and default logins and reporting back.

Re:

[tqk]

He uploaded a binary to 'insecure' devices ...

Ah. I'll take a slap to the back of the head for not RTFA or understanding the summary. /. SOP bites again. Thx.

Re:Door

[NeutronCowboy]

Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.

But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.

Re:

[berashith]

They did slightly more than look to see what was open. This is more like, "you had 2 open windows and one unlocked door, so I left some yogurt in your fridge and took pictures of your wife while she was sleeping. I will be posting the pictures to the world as proof, you are welcome for the yogurt. Enjoy!"

Re:Door

[NeutronCowboy]

Except he did not activate any webcams or gathered any data beyond what ports were available and whether he was able to install his rootkit. Why didn't you extend the analogy even further to raping my daughters and defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem? Does your post also mean that you would shoot the writer of this study, if you found out who he was?

And I feel again confirmed that the US doesn't have a gun problem, but a response problem: you conflate one thing with something vastly different, then determine response based on the emotional reaction you have to the vastly different thing.

Re:

[Beardo the Bearded]

Why didn't you extend the analogy even further to cyber-raping my daughters and cyber-defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem?

FTFY

Re:Door

[malakai]

This wasn't a simple port scan. I RTFA, so let me help you out.

He ( there is no They or We, read the end of the article ) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work ( like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network ).

For the vast majority of the IP's he just NMAP/ICMP sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.

Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list IP's that run a version/flavor that I have a 0day on. No more need to scan the net myself.

This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.

Re:

[NeutronCowboy]

The end-result was a list of ports that I may have open on my router/computers. Yes, the process used was illegal. Big fucking deal, so are a lot of things that are ok among civilized people. See for example betting on sports. But there was zero impact while his scan was on-going, and there was zero footprint left behind.

As for your comment that know a script kiddie has a list of unsecured IPs: that's my problem if my IP is on that list. He did a trivial scan, and if I take my security seriously, I should n

Re:

[mjr167]

Since testing doors and windows requires trespassing... Besides, I am allowed to leave my door unlocked and still have the expectation of random people not opening it.

Re:

[NeutronCowboy]

But should you shoot anybody who opens your door? Every time? Think carefully about it.

Re:

[mjr167]

If you did it in the dead of night... then yes. I might shoot you. the OP did not say you would get shot every time, but that you run the risk of getting shot.

Re:

[mjr167]

Oddly there are plenty of houses with no front garden... Not to mention people are generally allowed (and expected) to walk up to a door and then politely knock. Just not actually turn the handle.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[tqk]

I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked.

Ah, the ostrich plan. Don't run away; don't protect yourself; just stick your head in the sand, or put on the Beeblebrox safety glasses.

If he can do this, *please* imagine what a true black hat could do with it. FFS!!!111

BTW, seeing if a doorknob turns != opening the door.

Re:Door

[mark-t]

Ostriches do not stick their heads in sand or ever try to simply ignore danger.

Ostriches are not cowardly, they will definitely put up a fight when they believe they have a good chance of winning. If you have ever seen an ostrich close up, you probably realize that they are big-ass birds that could easily wipe the floor with a good percentage of other creatures in the animal kingdom. If they encounter a situation that they cannot mitigate, however, then they will run away... being exceptionally good at it (they are the fastest running creature on two legs).

If, and only if, they have nowhere to run to, and they cannot mitigate the danger themselves, then they will lie very still, presumably in the hope that they will be ignored. They do not pretend that the danger is not there, however... and will generally resort to fleeing at the first opportunity. Their practice of lying still is where the myth that they stick their head in the sand comes from, and it's ironic that what is actually a very atypical behavior for that type of bird ever got to be somehow associated as something that they generally practice.

Re:

[tqk]

Ostriches do not stick their heads in sand or ever try to simply ignore danger.

Actually, I knew all of that, but the concept is what I was trying to use. Blame the Brits for not understanding what they were seeing. Perhaps that's akin to racism or stereotyping of some kind. I applaud your eloquent defence of that mighty bird (or dinosaur remnant, whatever :-).

Re:

[SJHillman]

If all he did was see if the doorknob turned, then how is it he turned it into a botnet?

Re:

[tqk]

BTW, seeing if a doorknob turns != opening the door.

Note, I've since been educated to the fact that he UL'd a binary. I missed that.

If all he did was see if the doorknob turned, then how is it he turned it into a botnet?

Interesting question.

For example (no cars, sorry), if I embed a URL in my /. .sig that goes to a malicious iframe (or whatever), did I do anything wrong? I didn't ask anyone to click on it. If that URL adds them to a botnet, was that really my fault? They chose to click on it. I just stuck it out there offering it to them, and *everyone knows* that clicking on that sort of thing is anathema, right? Who's more guilty: the f

Re:

[tqk]

Doesn't the ostrich plan involve leaving your rear end out in the open while keeping your eyes unawares of who's raping you from behind?

And you're already bent over presenting. Enjoy. Hum God Save The Queen if it helps.

Re:

[Byrel]

Better than second-world countries, where they forbid possession of weapons.

Re:

[characterZer0]

Windows machines compromised via remote exploits in Windows: Windows sucks!
Windows machines compromised via stupid users who install anything? Windows users suck!
Linux machines compromised via default passwords: Administrators suck!

Re:

[characterZer0]

What should the punishment be? A fine? Prison? Banned from the Internet?

He should be punished. Jail time is expensive for the taxpayers and harsh for somebody who, however misguided, was trying not to hurt anybody. I would suggest lots of community service.

Re:

[Score Whore]

He should have to, at his own expense, visit each individual whose equipment he access and apologize as well as explain to whatever technical detail they desire exactly what he did with their equipment. Plus he should have to pay any incurred costs from his access. And he should have to do this beginning now and engage in continuous effort and not do anything else -- beyond the fundamental tasks of living (eat/sleep/crap) -- until he is done.

Fundamentally accessing someone's property without their consent i

Re:

[GameboyRMH]

But but but, he BROKE the RULES!

Re:

[Rob the Bold]

Home routers with factory defaults (linksys, netgear, etc)? Something else? Like single board computers in the desert collecting rainfall data?

TFA:

The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on. We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks.

As I (cursorily) read it, they're targeting MIPS-based devices for the botnet.