Slashdot Mirror


Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."

222 comments

  1. So this is what? by Anonymous Coward · · Score: 3, Interesting

    267 months in federal prison?

    1. Re:So this is what? by Hatta · · Score: 5, Insightful

      The FBI only cares if you embarrass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

      --
      Give me Classic Slashdot or give me death!
    2. Re:So this is what? by Anonymous Coward · · Score: 0

      more like "until the sun goes cold"

    3. Re:So this is what? by bobthesungeek76036 · · Score: 1

      They pretty much have to go after this just so others can't use it as a defense. Otherwise, every other hack will cite this case.

      --
      Karma: Bad
    4. Re:So this is what? by juancn · · Score: 4, Interesting

      He did 420000 intrusions, it's probably a lot more than that. In NY it would be up to 420000 years just for unauthorized computer use I believe.

      Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumann probe.

    5. Re:So this is what? by moeinvt · · Score: 2

      "The FBI only cares if you embarass a major campaign contributor..."

      Unauthorized access to a government computer is a crime, even if you don't do any damage. The degree to which they will go after you and any resulting penalty will depend on whether or not the government likes you.

    6. Re:So this is what? by bhlowe · · Score: 1

      AT&T is not the largest campaign contributor. ActBlue, National Education Association, and American Fedn employees unions all spend more. AT&T is the biggest "non-partisan" campaign contributor. Source: http://www.opensecrets.org/orgs/list.php The Republicans complain of union money... the Democrats complain of the Koch brothers and the NRA...

    7. Re:So this is what? by Spiridios · · Score: 2

      "The FBI only cares if you embarass a major campaign contributor..."

      Unauthorized access to a government computer is a crime, even if you don't do any damage. The degree to which they will go after you and any resulting penalty will depend on whether or not the government likes you.

      Jaywalking is a crime. Just because it's illegal doesn't mean you will be prosecuted for it.

    8. Re:So this is what? by Anonymous Coward · · Score: 0

      Technically, it's an infraction and not a criminal offense.

    9. Re:So this is what? by Anonymous Coward · · Score: 0

      Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumann probe [wikipedia.org].

      If you think this is a "cool hack", you don't know your computing history. It's the same incredibly stupid idea that got Robert Morris in deep shit 25 years ago.

    10. Re:So this is what? by viperidaenz · · Score: 1

      I would like to say the FBI doesn't care if you're not in their jurisdiction.

    11. Re:So this is what? by Anonymous Coward · · Score: 0

      You've just qualified for a "grumpy old man"-card! Collect it on the way out, where you can also hand in your geek card. Your new card qualifies you to such delightful activities as being angry and dismissive about new technology and hacks. I'm sure you'll find it much more useful than all that boring technical wonder and curiosity the old card involved.

  2. correction by slashmydots · · Score: 1

    All data gathered during our research is released into the public domain for further study

    More like: All data gathered during our research is released into the public domain for further getting the researchers arrested for unauthorized access and usage of computer systems. It adds up to almost 1 million years in prison if it's under current US law (I used that high school teacher who loaded a Folding@home calculating screen saver onto all school computers as a rough basis for the math. He was on the hook for like 300 years in prison).

    1. Re:correction by ls671 · · Score: 4, Funny

      So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

      Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
      Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
      Mar 19 14:08:24 myhost sshd[15473]: Failed password for root from 58.247.50.59 port 59984 ssh2
      Mar 19 14:08:22 myhost sshd[15471]: Failed password for root from 58.247.50.59 port 59254 ssh2
      Mar 19 14:08:19 myhost sshd[15469]: Failed password for root from 58.247.50.59 port 58527 ssh2
      Mar 19 14:08:17 myhost sshd[15465]: Failed password for root from 58.247.50.59 port 57790 ssh2
      Mar 19 14:08:16 myhost sshd[15463]: Failed password for root from 58.247.50.59 port 57082 ssh2
      Mar 19 14:08:13 myhost sshd[15461]: Failed password for root from 58.247.50.59 port 56363 ssh2
      Mar 19 14:08:11 myhost sshd[15459]: Failed password for root from 58.247.50.59 port 55647 ssh2
      Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 58.247.50.59 port 54922 ssh2
      Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 58.247.50.59 port 54195 ssh2
      Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 58.247.50.59 port 53487 ssh2
      Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 58.247.50.59 port 52734 ssh2
      Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 58.247.50.59 port 52018 ssh2
      Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
      Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
      Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
      Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

      --
      Everything I write is lies, read between the lines.
    2. Re:correction by butalearner · · Score: 3, Informative

      Why no fail2ban or DenyHosts? I suppose my sshd doesn't allow root login so stuff like that showing up on my logs is not a big concern anyway.

    3. Re:correction by Lumpy · · Score: 5, Interesting

      After 1 attempt for ROOT I blackhole the IP address for 90 days. Nobody should ever try to log in as root, so any login attempt should black hole that IP forever. 3 minutes of script writing is all it takes to do that.

      --
      Do not look at laser with remaining good eye.
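
Lumpy's rule above (one root attempt, then a long blackhole) applied to sshd lines in the format ls671 posted, as an added example; this is not code either of them posted. The sample log, its addresses (RFC 5737 documentation ranges) and the year are constructed for the example, and the entry gets an expiry rather than a permanent block for the reason raised further down the thread: a dynamic address ends up with someone else. One detail worth having in mind for the spoofing argument below: sshd only writes a "Failed password" line after the TCP handshake and the SSH key exchange have completed, so this trigger, unlike a counter on raw SYNs such as the kernel CONNECT LIMIT lines, is not fired by a forged source address.

```python
"""Triage sshd authentication-failure lines and build an IP block list
with an expiry.

Added example, not code posted in the thread. It parses lines in the
"Failed password for <user> from <ip> port <port> ssh2" format and
implements the rule of blocking a source on its first attempt to log in as
root, with a time-to-live instead of a permanent entry. The sample log is
constructed for this example; the year is an assumption, since syslog
timestamps omit it.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LOG_YEAR = 2013  # assumption: syslog lines carry no year

# One sshd failure line as written through syslog. "invalid user" appears
# when the account does not exist on the host at all.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: two root attempts from one scanner, a guess at a
# non-existent account, one typo by a real user, and a successful key login.
SAMPLE_LOG = """\
Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 203.0.113.5 port 49218 ssh2
Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 203.0.113.5 port 52018 ssh2
Mar 19 14:08:40 myhost sshd[15490]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Mar 19 14:09:05 myhost sshd[15492]: Failed password for alice from 198.51.100.7 port 40002 ssh2
Mar 19 14:09:07 myhost sshd[15494]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
"""


def syslog_time(stamp):
    """Turn a syslog timestamp such as 'Mar 19 14:07:57' into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for every failed-password line; skip the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m is None:
            continue
        yield syslog_time(m["ts"]), m["user"], m["ip"]


def failures_per_ip(log_text):
    """Count failed logins per source address, regardless of user."""
    return Counter(ip for _, _, ip in parse_failures(log_text))


def build_blocklist(log_text, ttl_days=90):
    """Return {ip: expiry} for every source that tried to log in as root.

    The first root attempt sets the expiry; later attempts from the same
    address do not extend it, so the source is re-evaluated when the entry
    lapses instead of being blocked forever.
    """
    blocklist = {}
    for ts, user, ip in parse_failures(log_text):
        if user == "root" and ip not in blocklist:
            blocklist[ip] = ts + timedelta(days=ttl_days)
    return blocklist


def is_blocked(blocklist, ip, now):
    """True while the entry for ip exists and has not yet expired."""
    expiry = blocklist.get(ip)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_LOG)
    for ip, until in sorted(bl.items()):
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
    print("failures per ip:", dict(failures_per_ip(SAMPLE_LOG)))
```

Feeding the resulting addresses into a firewall set with a timeout (an ipset or nftables set with per-element expiry) keeps the expiry logic in the kernel instead of a cron job; the script only decides what goes in and for how long.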
    4. Re:correction by ShaunC · · Score: 1

      I doubt it. Most of these are automated scanning from compromised machines in general, not this guy's one project, and from what I gather, the "census" was more polite about the number of login attempts. I've been getting random scans for years and I don't foresee them stopping anytime soon.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    5. Re:correction by Anonymous Coward · · Score: 0

      So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

      Unless you set up your sshd to listen on port 23 and added support for plaintext authentication, the answer is "no, it was not this guy". On the other hand, if you did all that, you re-invented telnetd.

    6. Re:correction by Anonymous Coward · · Score: 0

      blacklisting an IP forever is not a good idea as someone usually doesn't keep an IP forever....

    7. Re:correction by Lost+Race · · Score: 2

      99.9% of the time those are (1) someone goofing around, not a real threat, or (2) drive-by from a botnet, never going to hit from that address again. So you're adding complexity and extra points of potential failure to your router with no real benefit.

      Obviously I pulled that "99.9%" figure out of my ass, but seriously, whom do you think you're protecting yourself from with this script?

    8. Re:correction by michelcolman · · Score: 2

      Lots of people use dynamic IP addresses. The address you are blocking now, may well belong to a perfectly innocent user tomorrow. You're blocking the wrong people.

    9. Re:correction by jimwelch · · Score: 1

      Sounds like a good way for someone to shutdown your internet. Fake a root login attempt from every IP. You will lose all incoming internet for 90 days.

      --
      Never trust a man wearing a coat and tie!
    10. Re:correction by Menkhaf · · Score: 1

      Yeah, good luck trying to guess the sequence number needed to establish a TCP connection. This hasn't been an issue since, I don't know, the 90s?

      --
      A proud member of the Onion-in-Hand alliance
    11. Re:correction by Anonymous Coward · · Score: 0

      That's actually a lot more trivial than you might think.

    12. Re:correction by viperidaenz · · Score: 4, Funny

      Just take a root login attempt from Slashdot's hosts. Then we won't have to hear from him for 90 days.

    13. Re:correction by ls671 · · Score: 1

      look at the last lines in my OP:

      I use iptable to achieve the same...

      Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

      --
      Everything I write is lies, read between the lines.
    14. Re:correction by Anonymous Coward · · Score: 0

      Yeah, I noticed the traffic on our firewall too. It was a whole ton of it, man, they were really hammering me.

    15. Re:correction by Anonymous Coward · · Score: 0

      good luck trying to guess the sequence number needed to establish a TCP connection

      Ever troubleshoot a network with windowing issues? It only takes a handful of connections to get the range of likely window sizes. It is simple math to get the likely sequence number range for a connection of your own creation. After that, just replay the range for every IP. It's messy, easily detected, would take forever, and would add two or three zeroes to the number of attempts required for every IP you want borked.

      It gets real interesting if you traceroute through from several proxies/locations and only masquerade as the last couple of hops. POOF! You just got the target to blacklist their own ISP and IDR.

      I reckon a small script could lock Lumpy's network to their own backyard in less time than it took to write.

    16. Re:correction by melikamp · · Score: 1

      And when you get snail spam, you blacklist the area code for 6 months? Feels like an overreaction to me.

    17. Re:correction by Anonymous Coward · · Score: 0

      It will stop about 95% of the hackers out there. so he is highly effective. Do you even know anything about internet security?

    18. Re:correction by Lumpy · · Score: 1

      feel free to try.

      you can pick any address in the 11.*.*.* address pool to attempt this on.

      --
      Do not look at laser with remaining good eye.
    19. Re:correction by Anonymous Coward · · Score: 0

      Snail spam..... Area Code.....

      I think you need to learn your terminology there kiddo.

      Area Codes are for telephones.

      Just because you are not clever enough to do something you have to whine about it?

    20. Re:correction by Anonymous Coward · · Score: 0

      Knowing how to blackhole via iptables doesn't guarantee that you know shit about security. Or networking, come to think of it.

    21. Re:correction by hobarrera · · Score: 1

      Disabling password logins has always been the best solution when it comes to SSH.
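
To make the two settings recommended in this subthread (no root login, no password logins) something you can check rather than eyeball, here is an added example that audits the global section of an sshd_config; it is not code from the thread. The two configs, the keyword defaults table and the assumption that the older ChallengeResponseAuthentication keyword name is in use are all constructed for the example and marked as such in the code.

```python
"""Audit the global section of an sshd_config for PermitRootLogin no and
PasswordAuthentication no.

Added example, not code from the thread. It applies three sshd_config rules
that hand-edited hardening often gets wrong: keywords are case-insensitive;
for each keyword sshd uses the FIRST value it reads, so a later duplicate is
silently ignored; and everything after a Match line is conditional and must
not be taken as the global setting. It also checks
ChallengeResponseAuthentication, because with UsePAM a password prompt can
still arrive via keyboard-interactive auth after PasswordAuthentication is
off. Both configs below are constructed for this example.
"""
import re

WEAK_CONFIG = """\
# looks fixed at a glance, but the second PasswordAuthentication line is
# ignored by sshd because the first value wins
Port 22
UsePAM yes
PasswordAuthentication yes
passwordauthentication no
"""

HARDENED_CONFIG = """\
Port 22
UsePAM yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# conditional exception for one account; it does not change the global value
Match User backup
    PasswordAuthentication yes
"""

# keyword -> (value required for hardening, value sshd assumes when absent).
# Password and challenge-response auth default to on. PermitRootLogin's
# default has changed across OpenSSH releases, so an absent keyword is
# flagged (None) rather than assumed safe. Newer OpenSSH spells the
# challenge-response keyword KbdInteractiveAuthentication; assumption here:
# the older name is the one used in the files being audited.
RULES = {
    "permitrootlogin": ("no", None),
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
KEYVAL_RE = re.compile(r"^\s*(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global(text):
    """Return {keyword_lowercase: first_value} for the part before any Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # later lines apply only when the Match criteria hold
        settings.setdefault(key, value)  # first obtained value wins
    return settings


def audit(text):
    """Return [(keyword, effective_value, required_value), ...]; empty when clean."""
    settings = parse_global(text)
    findings = []
    for key, (required, default) in RULES.items():
        effective = settings.get(key, default)
        if effective is None or effective.lower() != required:
            findings.append((key, effective, required))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for key, got, want in findings:
            print(f"  {key}: effective={got!r} required={want!r}")
```

On a host where you can run the daemon, `sshd -T` (and `sshd -T -C user=backup` to see what a Match block yields for a given connection) prints the effective configuration and is the authoritative check; the script is for reviewing config files in a repository or backup where sshd is not available.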

    22. Re:correction by dontclapthrowmoney · · Score: 1

      +1.

      For those too lazy to check: http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks

      11.0.0.0/8 DoD Intel Information Systems

    23. Re:correction by ls671 · · Score: 1

      just use whois...

      whois 11.0.0.0

      The following results may also be obtained via:
      http://whois.arin.net/rest/nets;q=11.0.0.0?showDetails=true&showARIN=false&ext=netref2

      NetRange: 11.0.0.0 - 11.255.255.255
      CIDR: 11.0.0.0/8
      OriginAS:
      NetName: DODIIS
      NetHandle: NET-11-0-0-0-1
      Parent:
      NetType: Direct Allocation
      RegDate: 1984-01-19
      Updated: 2007-08-22
      Ref: http://whois.arin.net/rest/net/NET-11-0-0-0-1

      OrgName: DoD Network Information Center
      OrgId: DNIC
      Address: 3990 E. Broad Street
      City: Columbus
      StateProv: OH
      PostalCode: 43218
      Country: US
      RegDate:
      Updated: 2011-08-17
      Ref: http://whois.arin.net/rest/org/DNIC

      OrgTechHandle: MIL-HSTMST-ARIN
      OrgTechName: Network DoD
      OrgTechPhone: 1-614-692-2708
      OrgTechEmail: HOSTMASTER@nic.mil
      OrgTechRef: http://whois.arin.net/rest/poc/MIL-HSTMST-ARIN

      OrgTechHandle: REGIS10-ARIN
      OrgTechName: Registration
      OrgTechPhone: 1-800-365-3642
      OrgTechEmail: registra@nic.mil
      OrgTechRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

      OrgAbuseHandle: REGIS10-ARIN
      OrgAbuseName: Registration
      OrgAbusePhone: +1-800-365-3642
      OrgAbuseEmail: registra@nic.mil
      OrgAbuseRef: http://whois.arin.net/rest/poc/REGIS10-ARIN

      ARIN WHOIS data and services are subject to the Terms of Use
      available at: https://www.arin.net/whois_tou.html

      --
      Everything I write is lies, read between the lines.
    24. Re:correction by 1110110001 · · Score: 1

      Shutdown the server - stopping 100% of the hackers. Less work -> much more effective.

  3. Ahahahaha (horrormirth) by inode_buddha · · Score: 2

    I don't know if it's hilarious or frightening that they did this with default words. I *do* wonder if they're going to get into some trouble for doing this tho. You could make some serious money off a botnet like that.

    --
    C|N>K
  4. I can see where this is going by Daetrin · · Score: 5, Insightful

    Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.

    They're so going to jail.

    --
    This Space Intentionally Left Blank
    1. Re:I can see where this is going by AvitarX · · Score: 1

      To be fair, they uploaded files and used the resources of the devices.

      Talking about it is super ballsy. I personally am curious what the density of used addresses is though, as we're running low.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    2. Re:I can see where this is going by Virtucon · · Score: 1

      That's what I was thinking, if the CFAA doesn't apply in this case, it needs to be retooled or scrapped altogether. They've now made their findings public, which strangely enough is just the kind of case the DOJ has been going after.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    3. Re:I can see where this is going by Anubis+IV · · Score: 5, Insightful

      If you're an ethical researcher wanting to run a distributed scan of the 'net, the proper way to do it is to use something like PlanetLab, which has been designed for uses like that and is freely available for research use. It's what everyone else uses, and it works great. Either that, or go and use your grant money to provision yourself appropriately for a job like this, which is what we did when I was in grad school. Commandeering routers and other devices for personal use is inexcusable.

      Honestly, my first thought was, "What research ethics committee gave him the go-ahead?" My guess: the researcher didn't ask, because none of them would ever let him do it. Besides consuming bandwidth for tens or hundreds of thousands of Internet users without their consent (some of whom were likely capped), he's also loaded code onto their machines: code which they have no guarantee will work as expected in all circumstances. In fact, for all they know, they may have bricked tens of thousands of devices without realizing they did so, then taken their lack of response later as a simple incompatibility with his code.

      When I was in grad school, we were doing web crawler and search engine research that was considered to be a bit on the edge of what was permissible (and our work resulted in serious threats of lawsuits aimed at our university), but we would never consider doing something like what they did. No credible conference or journal would publish this sort of work either, which is as it should be. Researchers have a responsibility to act responsibly, and this anonymous one didn't.

      Also, you've said it was useful research, but it really wasn't. These vulnerabilities are widely documented, and those researchers were not only able to publish earlier, they were also able to do so without engaging in gross ethical violations.

    4. Re:I can see where this is going by Baloroth · · Score: 4, Insightful

      Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed. They're so going to jail.

      Of course. They broke into other people's computers, uploaded and executed binary files on them, without their permission, for their own purposes. That is both illegal and unethical. They should be punished for that.

      The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime). The ends do not justify the means. Breaking the door of a house down to tell the owners their door is easily broken down is still breaking and entering.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    5. Re:I can see where this is going by ak3ldama · · Score: 1

      My question: he posted his PGP public key, is that enough evidence to try to find and bust him? If I was him, i wouldn't care at all if someone else wanted to claim credit.

      Just in case someone else tries to take credit for my work: My PGP public key

      --
      "but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
    6. Re:I can see where this is going by jeffmeden · · Score: 1

      It was included in the very interesting report... 400 million or so that replied to pings (about 15% of all the possible valid addresses). That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter). Many huge blocks are allocated to groups that couldn't possibly use them, such as developing nations or specific institutions with a relatively small number of users/servers.

    7. Re:I can see where this is going by Hentes · · Score: 1

      They deployed a botnet using other people's machines for their research. While I find it cool at some level, it's also definitely illegal.

    8. Re:I can see where this is going by Anonymous Coward · · Score: 2, Insightful

      Beauty of the internet: you don't need the cooperation of a responsible conference or journal to get published.

    9. Re:I can see where this is going by Anonymous Coward · · Score: 0

      It's not enough to find the "researcher" but if they find someone who has the corresponding private key on one of his or her machines it will be incredibly incriminating.

    10. Re:I can see where this is going by DarkOx · · Score: 1, Informative

      I would be willing to entertain the argument if your device is set to the manufacturer's default published password with no banner making it clear the service is supposed to be publicly accessible; it's not very analogous to breaking and entering.

      It's much more like you have locks on your house but don't use them; and someone lets themselves in, has a look around, does no harm and does not remove anything. No, it's still not allowed, you can't just march around someone's private property with no expectation you would reasonably be permitted and wanted there. That said, it's not a serious crime either, it's simple trespassing.

      That is really all this amounted to here. Everyone here getting so bent about it needs to get a sense of proportion.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    11. Re:I can see where this is going by Anonymous Coward · · Score: 0

      The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime).

      It would be relevant to sentencing, because when that time comes if it's obvious you broke the law to be an asshat and say you'd do it again and want a huge sentence, you shouldn't be surprised if you get 41 months.

    12. Re:I can see where this is going by mcgrew · · Score: 4, Insightful

      No, they left binaries on the devices and took data. That's more analogous to someone going into your unlocked house and trading your copy of LOTR with a candy bar wrapper left on the floor. Much more than simple trespass, it's trespassing, littering, vandalism, and theft.

    13. Re:I can see where this is going by Anonymous Coward · · Score: 0

      They should go to jail, because no matter what their intent was they broke many laws in many countries.

      If you think they shouldn't be punished for these actions answer this question: what if a government or large company had done this but claimed they did it for the same reasons as this "researcher"? Would you still think it wasn't outrageous behavior and that someone shouldn't be held accountable?

    14. Re:I can see where this is going by Anonymous Coward · · Score: 0

      But, but, they were only implementing ipscan@home ... kind of ... but they had everyone's implicit permission because they never changed their passwords ... and everyone knows that if you don't do everything you possibly can to protect things then it's your fault that something happened ... and they even 'pinky swore' that they didn't do anything bad and only had the best of intentions.

      Surely this is the fault of the device owners (for not changing their passwords), the device manufacturers (for installing default user/pass sets that weren't unique by device), and even those guys who invented the internet (for making it so easy to script this kind of thing). Won't someone think of the hackers, um, researchers?

    15. Re:I can see where this is going by 0123456 · · Score: 1

      That suggests either a LOT of the IPV4 space is blocking pings, or that a lot of it is poorly allocated (I bet it's a little of the former and a lot of the latter).

      I believe you'll find that Windows 7 defaults to blocking pings now. None of our Windows 7 machines respond to them.

    16. Re:I can see where this is going by ThatsNotPudding · · Score: 3, Funny

      Honestly, my first thought was, "What research ethics committee gave him the go-ahead?"

      The Google Street View ethics commitee?

    17. Re:I can see where this is going by Beardo+the+Bearded · · Score: 1

      My router drops all ping requests.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    18. Re:I can see where this is going by fuzzywig · · Score: 2

      They left the binaries in RAM, so just a reboot would remove them. They also left a text file with contact info and an explanation in, and they didn't take data from the affected systems, they used the systems to probe other IPs.

      There's not really a physical analogy that fits here but the only damage they did to each individual device would be to slightly raise its power consumption and bandwidth usage. Insignificant to any individual, although it might well have added up to quite a lot.

    19. Re:I can see where this is going by Anonymous Coward · · Score: 0

      Except that, while he was in your house, he made a few thousand phone calls using whatever phone he could find, and didn't bother to check if you had unlimited minutes or if you got charged for long distance calls. Oh, and he hung up some new pictures on the walls while he did it. But it's ok, because he took the pictures down when he left.

      It's not *just* trespassing, because it also involved stealing resources which may well have involved a real cost.

    20. Re:I can see where this is going by Flea+of+Pain · · Score: 3, Funny

      Oh ya? My router drops ALL requests...

      It may be time for a new router.

      --
      Do not argue with an idiot. He will drag you down to his level and beat you with experience.
    21. Re:I can see where this is going by Lazere · · Score: 2

      The internet's a bad neighborhood. If you're in a bad neighborhood and don't lock your doors, then you do deserve some of the blame. Yes, the people that actually did it are horrible and should never have done it, but you knew where you were, and you knew the potential consequences for leaving your door unlocked.

    22. Re:I can see where this is going by wolrahnaes · · Score: 1

      That depends on what you answer when asked what type of a network you're on. Public puts the firewall in to lockdown mode, Home and Work are pretty much identical and allow normal local network traffic.

      If they're directly internet connected and answered correctly they should be blocking most traffic, but directly connecting a machine to the internet these days is rare due to the general demand for wireless and multiple devices.

      Blocking ping outright is pretty dumb overall, IMO. It removes a useful diagnostic tool while only blocking threats from 1996 that have been fixed on anything you should ever consider connecting to the internet. If a machine is still vulnerable to ping-of-death type things, it is trash and should be discarded immediately (as well as finding those responsible for it and beating them severely for leaving that crap around).

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    23. Re:I can see where this is going by Anonymous Coward · · Score: 1

      Oh ya? I don't even have a router.

    24. Re:I can see where this is going by Anonymous Coward · · Score: 0

      Beauty of the internet: you don't need the cooperation of a responsible conference or journal to get published.

      Quoted for solidarity.

    25. Re:I can see where this is going by nullchar · · Score: 1

      But do you have any open ports on your router?

      From the paper:

      420 Million pingable IPs + 36 Million more that had one or more ports open

      Your router may be counted in the 36 million non-pingable but still had an open port.

    26. Re:I can see where this is going by Anonymous Coward · · Score: 0

      The Google van doesn't change the road on which it drives.

    27. Re:I can see where this is going by AvitarX · · Score: 1

      Also, there's probably a lot of static IPs with ISPs that allocate a network, we had a /30 with a broadcast, a network, a gateway, and our IP address (I did do the math right on /30 I think here). That's 25% of the addresses reachable by IP from the internet (maybe 50%, I can't talk for the Comcast gateway). We now have a /29 with 5 usable, of which we use 3, so that's 3/8ths, but we needed the extra two for liability reasons.

      A lot of routers deny ping requests by default too.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    28. Re:I can see where this is going by Anubis+IV · · Score: 1

      Thank you for sharing your teletype thoughts. Personally, I believe that responding to trolls is a greater drain on our society than anything you've specifically cited so far, but because I am responding to a troll at this moment, I suppose you may have a point in suggesting that I, and others like me who likewise respond to trolls, are the cause for an eventual loss in a cyberwar. I'll endeavor to do better in ignoring trolls, such as yourself, in the future, with the hope that we will one day win a hypothetical war in cyberspace. In fact, in an effort to contribute to the war cause, allow me to put forward the following as a rallying cry:

      "China wins the Internet every time you feed a troll."

    29. Re:I can see where this is going by rahvin112 · · Score: 1

      It's not simple trespass, it's breaking and entering in most states. The way the breaking and entering (or equivalent) statute is enacted in most states does not require both actions. Simply entering an unlocked property is breaking and entering as defined by most states in the US.

      What the researcher did was illegal under the terms of CFAA, any unauthorized access to a computer system is punishable under CFAA. The law was enacted at a time that the only ones with remote accessible computers were large government or corporations. As such the law is written such that even accidental access is illegal.

      Their research basically is a written admission of guilt, all they need is a single complainant to step forward and the "researchers" could all end up in jail or facing financial ruin.

    30. Re:I can see where this is going by countach · · Score: 1

      Well, there is some grayness in the law as far as breaking and entering. I mean, squatting is a legal and recognised activity. While I agree it is unethical, the reason DOES matter. If he is careful not to do damage, and he is doing it for research, its a lot less unethical than a lot of other possible reasons and activities. More like being a squatter in your house than a burglar.

    31. Re:I can see where this is going by jonadab · · Score: 1

      > The ends do not justify the means.

      Agreed.

      > Breaking the door of a house down to tell the owners
      > their door is easily broken down is still breaking and entering.

      Using a default or null password to log in is hardly breaking the door down. It's more like, I don't know, unlocking the door with a plastic toy key that's available for a few cents at every major toy store chain, or something.

      It's entering without permission -- trespassing, in other words -- but I'm not so sure about the breaking part. Honestly, what they did after they entered (using other people's system resources for their own purposes, without permission) seems like the real crime here.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  5. Good tester , A+++++ by alphatel · · Score: 1

    Thanks for your test of the internet devices. Although I do not know what this means we have been able to determine that you have committed several criminal acts, and should expect at least a few years of jail time. Don't worry though, it's all for the greater good.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  6. Uhm.. you probably broke the law by Anonymous Coward · · Score: 0

    Despite your noble intent, this might lead to trouble for you. I would contact a criminal defense attorney.

  7. Door by SJHillman · · Score: 0

    I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked. There are a lot of places where that will get you shot.

    1. Re:Door by Anonymous Coward · · Score: 0

      You don't like the idea of this because
      1.) you are afraid of what the person(s) testing the doors would do if one was open?
      2.) you don't want other people to know that certain doors are left unlocked?

      If it's 1.) then they found some open doors and recruited the inhabitant of the house to come help knock on other doors.
      If it's 2.) then whoops someone (not me) is right now running the same scan and is uploading a binary which will "fix" the default password problem for fun and for profit

    2. Re:Door by NeutronCowboy · · Score: 5, Interesting

      Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.

      But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.

      --
      Those who can, do. Those who can't, sue.
    3. Re:Door by tqk · · Score: 1, Insightful

      I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked.

      Ah, the ostrich plan. Don't run away; don't protect yourself; just stick your head in the sand, or put on the Beeblebrox safety glasses.

      If he can do this, *please* imagine what a true black hat could do with it. FFS!!!111

      BTW, seeing if a doorknob turns != opening the door.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    4. Re:Door by Anonymous Coward · · Score: 0

      Only in third world countries where they allow anyone to have firearms in their houses.

    5. Re:Door by Eunuchswear · · Score: 1

      If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to.

      He's a double glazing salesman. Shoot first!

      --
      Watch this Heartland Institute video
    6. Re:Door by berashith · · Score: 2, Insightful

      They did slightly more than look to see what was open. This is more like, "you had 2 open windows and one unlocked door, so I left some yogurt in your fridge and took pictures of your wife while she was sleeping. I will be posting the pictures to the world as proof, you are welcome for the yogurt. Enjoy!"

    7. Re:Door by Anonymous Coward · · Score: 0

      Doesn't the ostrich plan involve leaving your rear end out in the open while keeping your eyes unawares of who's raping you from behind?

    8. Re:Door by malakai · · Score: 4, Informative

      This wasn't a simple port scan. I RTFA, so let me help you out.

      He (there is no They or We, read the end of the article) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work (like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network).

      For the vast majority of the IPs he just NMAP/ICMP, sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.

      Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.

      This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.

    9. Re:Door by mjr167 · · Score: 1

      Since testing doors and windows requires trespassing... Besides, I am allowed to leave my door unlocked and still have the expectation of random people not opening it.

    10. Re:Door by Anonymous Coward · · Score: 0

      If someone leaves that flyer on your door and then you come home to a house with 2 open windows, one open door, and no personal property left inside then you might change your tune.

      A better plan would be to put a piece of paper in the mail slot in the door or mailbox so that it is most likely that only the owners would be informed of the insecurity of the house. That said, regardless of intent, a stranger walking around touching all the doors and windows in a neighborhood would most likely be getting... "interviewed" by the police shortly thereafter.

    11. Re:Door by NeutronCowboy · · Score: 3, Insightful

      Except he did not activate any webcams or gather any data beyond what ports were available and whether he was able to install his rootkit. Why didn't you extend the analogy even further to raping my daughters and defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem? Does your post also mean that you would shoot the writer of this study, if you found out who he was?

      And I feel again confirmed that the US doesn't have a gun problem, but a response problem: you conflate one thing with something vastly different, then determine response based on the emotional reaction you have to the vastly different thing.

      --
      Those who can, do. Those who can't, sue.
    12. Re:Door by NeutronCowboy · · Score: 2

      The end-result was a list of ports that I may have open on my router/computers. Yes, the process used was illegal. Big fucking deal, so are a lot of things that are ok among civilized people. See for example betting on sports. But there was zero impact while his scan was on-going, and there was zero footprint left behind.

      As for your comment that now a script kiddie has a list of unsecured IPs: that's my problem if my IP is on that list. He did a trivial scan, and if I take my security seriously, I should not be on there. If anything, it should be a test whether I can even talk about security in my own house, and I should be thankful for it.

      Was it all clear, and would I have liked to get a heads-up? Sure. But if he did find my network, it's an incentive for me to take a closer look at security. Not to shoot the guy.

      --
      Those who can, do. Those who can't, sue.
    13. Re:Door by NeutronCowboy · · Score: 1

      But should you shoot anybody who opens your door? Every time? Think carefully about it.

      --
      Those who can, do. Those who can't, sue.
    14. Re:Door by mark-t · · Score: 3, Interesting

      Ostriches do not stick their heads in sand or ever try to simply ignore danger.

      Ostriches are not cowardly, they will definitely put up a fight when they believe they have a good chance of winning. If you have ever seen an ostrich close up, you probably realize that they are big-ass birds that could easily wipe the floor with a good percentage of other creatures in the animal kingdom. If they encounter a situation that they cannot mitigate, however, then they will run away... being exceptionally good at it (they are the fastest running creature on two legs).

      If, and only if, they have nowhere to run to, and they cannot mitigate the danger themselves, then they will lie very still, presumably in the hope that they will be ignored. They do not pretend that the danger is not there, however... and will generally resort to fleeing at the first opportunity. Their practice of lying still is where the myth that they stick their head in the sand comes from, and it's ironic that what is actually a very atypical behavior for that type of bird ever got to be somehow associated as something that they generally practice.

    15. Re:Door by mjr167 · · Score: 1

      If you did it in the dead of night... then yes. I might shoot you. The OP did not say you would get shot every time, but that you run the risk of getting shot.

    16. Re:Door by Anonymous Coward · · Score: 0

      BTW, seeing if a doorknob turns != opening the door.

      No, but logging in, uploading a binary and using your device to do the same to others is a lot more than just 'turning the knob' or even 'opening the door'.

      How can party X prove that it wasn't really his doing that his IP tried logging in to thousands of other devices, many of which were successful? What if party X happened to log into the device of party Z, who wishes to press charges? What if party Z is some municipal government, or a state or federal office ... or even a military facility? Sure their security should be better, but if party X can't prove it wasn't him then he's got himself a fat legal bill just to stay out of jail.

    17. Re:Door by Beardo+the+Bearded · · Score: 1

      Why didn't you extend the analogy even further to cyber-raping my daughters and cyber-defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem?

      FTFY

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    18. Re:Door by SJHillman · · Score: 1

      If all he did was see if the doorknob turned, then how is it he turned it into a botnet?

    19. Re:Door by Anonymous Coward · · Score: 0

      If you did it in the dead of night... then yes. I might shoot you. The OP did not say you would get shot every time, but that you run the risk of getting shot.

      Mod parent up. We may have "response" problems, but some of them are "response to perceiving a response problem" problems.

    20. Re:Door by Byrel · · Score: 1

      Better than second-world countries, where they forbid possession of weapons.

    21. Re:Door by tqk · · Score: 1

      Doesn't the ostrich plan involve leaving your rear end out in the open while keeping your eyes unawares of who's raping you from behind?

      And you're already bent over presenting. Enjoy. Hum God Save The Queen if it helps.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    22. Re:Door by OneAhead · · Score: 1

      You insensitive clod! Depending on where you live, double glazing can decrease your power bill and the country's carbon emissions by a lot.

    23. Re:Door by vettemph · · Score: 1

      Expanding on that...

      Seeing how the internet is more of a virtual thing, I think the physical location of the router is not relevant in this case. Having a router unsecured is like leaving a box of cookies on the sidewalk, in the middle of town. Folks can't get upset when someone has a look at the contents of the box. The 'intruder' has no idea where the router is physically located.

      It's like the following differences...
      1) Someone peeking into your window.
      2) You standing naked in front of your window.
      3) You standing naked in town.

      The unsecured router would be 3, more so than 2, and definitely not 1. :)

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    24. Re:Door by tqk · · Score: 1

      Ostriches do not stick their heads in sand or ever try to simply ignore danger.

      Actually, I knew all of that, but the concept is what I was trying to use. Blame the Brits for not understanding what they were seeing. Perhaps that's akin to racism or stereotyping of some kind. I applaud your eloquent defence of that mighty bird (or dinosaur remnant, whatever :-).

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    25. Re:Door by tqk · · Score: 1

      BTW, seeing if a doorknob turns != opening the door.

      Note, I've since been educated to the fact that he UL'd a binary. I missed that.

      If all he did was see if the doorknob turned, then how is it he turned it into a botnet?

      Interesting question.

      For example (no cars, sorry), if I embed a URL in my /. .sig that goes to a malicious iframe (or whatever), did I do anything wrong? I didn't ask anyone to click on it. If that URL adds them to a botnet, was that really my fault? They chose to click on it. I just stuck it out there offering it to them, and *everyone knows* that clicking on that sort of thing is anathema, right? Who's more guilty: the fraudster, or the too greedy mark?

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    26. Re:Door by Anonymous Coward · · Score: 1

      Better that than taking pictures of my fridge and leaving yogurt in my sleeping wife..

    27. Re:Door by Anonymous Coward · · Score: 0

      Nice analogy, but it's been made before. It's not looking to see if the windows are open. It's knocking on every window, testing whether or not they are locked properly and judging how thick the pane of glass is that's protecting the empty hole in the wall and deciding whether or not you can exploit it later on.

      I'd come knocking your head around with a baseball bat if I caught you doing this to my house. For starters.

    28. Re:Door by melikamp · · Score: 1

      Alright, let's play the analogy game :) If they did what you say, then it would be closer to grey hat territory, but they didn't.

      What they did was more like walking down the street and trying doors. If unlocked, they go inside, steal some valuables, and fund "research" with the proceeds. Grey hats my ass. They say they took care to make it as gentle as possible and put things back where they were, but that's like a house thief saying: I only stole $1 from each house, and I closed doors behind me.

      I don't care about the legality. Considering how little harm they did, prosecution is unnecessary, IMHO (a fine would be OK). It is more pertinent that their "research" and conclusions are total trash. If they think it's OK to trespass, steal resources, potentially harm, and then present it as a "hack" and a valid research methodology (they are obviously proud of themselves), why should I believe in their academic integrity?

    29. Re:Door by melikamp · · Score: 1

      They never say it's a "hack". But they clearly mean it.

    30. Re:Door by Eunuchswear · · Score: 1

      Double (or, rather triple) glazing good.

      Double glazing salesmen - spawn of the devil.

      --
      Watch this Heartland Institute video
  8. "researcher"? Hardly. by Anonymous Coward · · Score: 1

    "Anonymous researcher" indeed.

    If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

  9. Re:"researcher"? Hardly. by plover · · Score: 3, Funny

    If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

    And how do you know he didn't conduct these scans from his underground lair? For all we know, he may even own a Persian cat!

    --
    John
  10. enitre by 1u3hr · · Score: 1
    "scan the enitre IPv4 address space."

    Slashdot "editors".

    Otherwise, this seems even more blatant than the case a few days ago: 41 Months In Prison For Man Who Leaked AT&T iPad Email Addresses. And these guys actually cracked passwords; despite them being trivial defaults, that still crossed over a legal line.

    1. Re:enitre by SJHillman · · Score: 1

      If they scanned the entire (or enitre) IPv4 space, I wonder if they found an unsecured router at 192.168.1.1. That's where I usually find one.

    2. Re:enitre by Nadaka · · Score: 1

      ha, mine is at 192.168.1.2, good luck cracking that one open!

    3. Re:enitre by Anonymous Coward · · Score: 0

      And these guys actually cracked passwords

      While your correcting the editors, let me correct you.

      They did not "actually cracked passwords", they used DEFAULT passwords on the devices.

      Try reading, it actually helps.

    4. Re:enitre by Anonymous Coward · · Score: 2, Funny

      Yeah, but what about the all the people who actually *chose* those passwords?

    5. Re:enitre by Anonymous Coward · · Score: 0

      ha, mine is at 192.168.1.2, good luck cracking that one open!

      The IPv4 test is coming from 192.168.1.3 ... GET OUT OF THE HOUSE!!!

    6. Re:enitre by NatasRevol · · Score: 1

      Mine's on the SUPER secret 172 address space. No way I'm giving out the rest of the octets!

      --
      There are two types of people in the world: Those who crave closure
    7. Re:enitre by Anonymous Coward · · Score: 0

      Well, it's like real life, where if you leave your car open with the keys in it, it's your fault for a thief stealing it. The guy gets to keep the car, and also if the keys to your house are in there he gets to move in and take over your family. We applaud these noble "car security researchers" for walking up and down the street, then opening car doors, and using your car for ramming other cars and seeing if they too are locked. Nothing should happen to them ever, and if you didn't lock the car you need to get spit on and punched directly in the mouth.

    8. Re:enitre by Anonymous Coward · · Score: 0

      Just shows how ignorant you are: 10.*.*.* and 192.168.*.* are NON-routable ranges.

    9. Re:enitre by Megane · · Score: 1

      Oh yeah, well mine's on 128.212.42.13! I'm not hiding my octets, just go ahead and try to hack me!

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    10. Re:enitre by fuzzywig · · Score: 1
      Ignoring your sarcasm, if you leave your car keys in the door to your car and it gets nicked, your insurance company won't pay up.

      Sure the thief is still liable to get punished (if caught), but stupidity has its own reward.

    11. Re:enitre by SJHillman · · Score: 1

      You must be a moron for it to go so far over your head. And you forgot 172.16.x.x-172.31.x.x and 169.254.x.x

      Even if it's non-routable, it'd still be part of IPv4

    12. Re:enitre by Anonymous Coward · · Score: 0

      you're*

    13. Re:enitre by Anonymous Coward · · Score: 0

      Hey.. that's mine!!

    14. Re:enitre by Anonymous Coward · · Score: 0

      way to miss the joke!

  11. This is a crime by Anonymous Coward · · Score: 0

    The author just admitted to "several hundred thousand" counts of unauthorized access to a computer (or whatever the crime is technically called; I think I'm close)

  12. Internet Census 2012 Botnet now confirms... by tangent3 · · Score: 0

    ...BSD is dying

  13. ARIN by Anonymous Coward · · Score: 0

    Probably just ARIN updating their records.

  14. As a tax payer, don't waste my money by Anonymous Coward · · Score: 2, Insightful

    If no actual harm was done then chasing after the researchers for prosecution is a waste of public money in my opinion, speaking as a tax payer.

    And I mean actual harm, not the made-up harm of "unlawful use of computer equipment" or similar ones which are just infringements in principle, without actual harm done.

    There are so many really bad guys out there to chase that this researcher should be way down on the priority list for enforcement, or, using a bit of common sense, not on it at all. And if he is identified then all he really deserves is a rap across the knuckles just for being unethical.

    1. Re:As a tax payer, don't waste my money by TheSkepticalOptimist · · Score: 1

      Oh buddy, if you only knew how much of your taxes were wasted you would die several hundred deaths from apoplexy. This would be a drop in a very, very large bucket.

      --
      I haven't thought of anything clever to put here, but then again most of you haven't either.
    2. Re:As a tax payer, don't waste my money by RandomFactor · · Score: 2

      If s/he was truly careful enough that no systems showed issues and no one noticed, it is entirely possible law enforcement won't pay much attention (no complaints, bigger fish). Just needs to be careful not to fall into their laps.

      Still, I wouldn't be surprised if some of the security research community doesn't take at least a passing look at things to see if they can track back to the author.

      --
      --- Mercutio was right.
    3. Re:As a tax payer, don't waste my money by moeinvt · · Score: 1

      As long as you pay the taxes in full and on time, the government doesn't give a damn about what you think.

    4. Re:As a tax payer, don't waste my money by Farmer+Pete · · Score: 1

      I would say that about 50% of your tax money could be literally burnt in a fire and no one would notice a change in the services provided. Of the remaining 50%, I would guess that half of that is used for programs the government has no business dealing with. So I'd guess that only about 25% of the total you pay in taxes is really necessary. The number would be incredibly less if you aren't considering SS.

    5. Re:As a tax payer, don't waste my money by Anonymous Coward · · Score: 0

      I would say that about 50% of your tax money could be literally burnt in a fire and no one would notice a change in the services provided.

      I would say that 100% of your opinions are not based on reality.

  15. BitTorrent by kramer2718 · · Score: 1, Redundant

    The FBI only cares if you embarass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

    Or if you use BitTorrent for completely lawful purposes.

    1. Re:BitTorrent by Anonymous Coward · · Score: 0

      Yep, and both of those users are pissed about the bad rap they are getting from the other several million users who are not using it for lawful purposes. And yeah, I know there are legitimate uses for BitTorrent just like you know that the overwhelming majority of BitTorrent use is for downloading copyrighted material.

      A bad reputation does not a criminal make...

      The founding fathers of the US rightly observed that it is better to watch 9 guilty men go free than convict one single man who is innocent. Bittorrent must stay legal for the few who use it legally even if it means that there will certainly be those that use it illegally.

      That, or you hate freedom and the terrorists have already won. 'MERICA!

    2. Re:BitTorrent by Farmer+Pete · · Score: 1

      I agree that it's better to watch 9 guilty men go free than convict one single man who is innocent, but that argument is flawed. Given the opportunity, I would come up with a new system to convict the 9 guilty men and let the one innocent go free. Or in this case, if BitTorrent is 95% used for illegal activity, there is no reason that bittorrent can't be made illegal, as long as a suitable replacement for the 5% legal use of Bittorrent.

    3. Re:BitTorrent by Anonymous Coward · · Score: 0

      You know where to put it.

    4. Re:BitTorrent by AaronLS · · Score: 1

      This is the same principle for a good spam filter.

    5. Re:BitTorrent by Byrel · · Score: 1

      Downloading copyrighted material? You mean, like everything? This post is copyrighted under US law! It's actually a matter of licensing.

    6. Re:BitTorrent by spire3661 · · Score: 1

      What is flawed is thinking you can develop a perfect justice system. When you wield life and death, it will ALWAYS be better to let 9 guilty go free vs imposing your tyranny on one. Why on earth would we outlaw an extremely well thought out tech to prop up THE ARTS?????? Seriously, fuck off you luddite.

      --
      Good-bye
    7. Re:BitTorrent by Farmer+Pete · · Score: 0

      There is no justice system that has 0% chance of convicting an innocent person. I'd love to see it, but it does not exist. Having said that, I don't want to live in a country that refuses to prosecute the guilty for fear of convicting the innocent. I'm saying that it's wrong to do illegal things, and if something is being used primarily for illegal things, then we have problems. You can argue the merits of the laws all you want, because quite frankly, I don't care. It is illegal today, and bittorrent is being used primarily for illegal things. I am not in favor of the lawsuits and crap from the record companies, but I do think that there needs to be a way to stop the IP theft.

    8. Re:BitTorrent by Anonymous Coward · · Score: 1

      "it's wrong to do illegal things"

      You can't think of any time in history where a law was unjust?

    9. Re:BitTorrent by spire3661 · · Score: 1

      You really should stop talking about governance and law, you are in WAY over your head. Do you not understand that bittorrent has SUBSTANTIAL non-commercial uses? Even on the commercial side, Blizzard Entertainment uses Bittorrent to distribute its (very large) patches and has for years. Most linux distros are available via bittorrent. These are not insignificant use-cases. Further, HTTP is used to facilitate a vast amount of piracy, as do FTP, IRC, email etc. so on and so forth. Should we ban them too?

      --
      Good-bye
    10. Re:BitTorrent by viperidaenz · · Score: 1

      and 3 days later, that replacement will be 95% used for illegal purposes.
      Please describe a network that can't be used for illegal purposes, yet removes the burden of bandwidth from a central source.
      I just downloaded 8GB via Bittorrent from Blizzard. If everyone who bought Heart of the Swarm downloaded it at the same time from a small number of users, the internet would fall apart. Or at least the international links would slow down considerably. (The installer insisted on downloading it all, even though the DVD was in the drive.)

    11. Re:BitTorrent by viperidaenz · · Score: 3, Insightful

      No one is refusing to prosecute illegal activity on peer to peer networks. There is a 3 strikes law in my country with the specific purpose of doing exactly this.

      What is wrong is making the mechanism illegal because it can be used for illegal purposes. It's like banning teaspoons and lighters because people use them to take drugs.

      Should it be illegal to buy steak knives, because people use them to commit murder?

    12. Re:BitTorrent by viperidaenz · · Score: 1

      It was perfectly just to burn a woman at the stake because she voiced an opinion the church didn't agree with. She must have been a witch.

      Wait a minute...

    13. Re:BitTorrent by Stalks · · Score: 2

      Bittorrent is an easily replaceable protocol. Going after it isn't going to stop any piracy. It's like outlawing a model of car because they're being used to traffic drugs.

      Bittorrent is just a vehicle, of which there are hundreds of different types to choose from that will replace it.

    14. Re:BitTorrent by Anonymous Coward · · Score: 0, Redundant

      Those are horrible analogies because the vast majority (99.99%) of uses for teaspoons, lighters, and steak knives are legal purposes. This is more like banning flamethrowers.

    15. Re:BitTorrent by Gideon+Fubar · · Score: 1

      I sense a car analogy coming on.

      --
      http://www.xkcd.com/354/
    16. Re:BitTorrent by Anonymous Coward · · Score: 0

      Should it be illegal to buy steak knives, because people use them to commit murder?

      Who uses a steak knife for murder? I'd much rather use a butter knife, fork, or even a spork...

  16. This is all very bad by houghi · · Score: 4, Insightful

    Postings all go on about how this is illegal and not about the technical situation.

    It is sad times when people are more worried about the legal threat and ruining their lives and not about the technical implications.

    How many people do not dare to bring solutions because they might be punished?

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:This is all very bad by byeley · · Score: 1

      I don't see any surprising or useful technical implication. Do you?

    2. Re:This is all very bad by Anonymous Coward · · Score: 0

      Sure there's prolly blackhat uses for the info and someone wants it all archived somewhere public so it doesn't have to be gathered every time they want access to it. Also public so it doesn't look suspicious to be accessing it, plausible deniability n such.

    3. Re:This is all very bad by malakai · · Score: 1

      The only new technical implication is via the Torrent link: you can download his database which has the responses for different Ports. With a simple query of his DB, you can tell the vulnerability of an IP address...

      Takes the guess work out of it really... That's something new, in the sense that the everyday script kiddie didn't have this prior to this research release.

    4. Re:This is all very bad by Anonymous Coward · · Score: 0

      Let me put it this way ... would you want someone logging into your (mistakenly) open networked devices and running their code on them? How would you react?

      If it's not illegal it sure is unethical. And if it's not unethical, I sure as hell wouldn't want someone doing this on my network. Also, the technical implications are obvious: a lot of people need to improve their security and new equipment/software installs shouldn't ship with default *dumb* passwords (i.e. constant and predictable ones) or none at all. What else is new?

  17. After a reboot ...original state by Dareth · · Score: 1

    "After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore."

    How do you calculate damages for lost uptime?

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:After a reboot ...original state by malakai · · Score: 5, Interesting

      They didn't force the reboot. So they don't need to calculate for lost uptime.
      But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.

      What they really got 'lucky' on, is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in distributed DOS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky, because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.

      That said, your test environment is rarely a perfect simulacrum for the real world.

      It's a very scary grey hat project. I thought this finding was interesting though:

      So, how big is the Internet?
      That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

      Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.

      I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...

      Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....

      Inoculation can kill though...

      Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

    2. Re:After a reboot ...original state by Anonymous Coward · · Score: 0

      End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

      This depends very strongly on who discovers them.

    3. Re:After a reboot ...original state by melikamp · · Score: 2

      It's a very scary grey hat project.

      This is a black hat project because computers and resources were used without owners' knowledge or consent. They said they reverted them to the pre-hack state, but they can't even begin to justify this claim, since they have not a slightest idea about the respective OS configurations. The motive had a selfish component: fame. I would call it a grey-hat hack if it provided significant benefit to people whose computers got hacked, but this is not the case here.

  18. Guy deserves any jail time he gets by byeley · · Score: 2

    While I personally support this kind of research,

    The author is presumably an academic or industry professional (based on the formatting). As such, he knew what he was doing was illegal and had a significantly detrimental effect on low-resource systems. Furthermore, he can't blame a conviction on over-zealous prosecution or recent anti-hacker sentiment because he's obviously emulating Robert Morris (who received three years jail time for the Morris worm - convicted in 1990).

    I also question how useful his scientific contribution is. While arguably more complete than other sources of data, there are a multitude of other projects offering data of similar (if not better) accuracy.

    1. Re:Guy deserves any jail time he gets by Anonymous Coward · · Score: 0

      The scientific contribution is the triviality of being able to do an internet-wide action. IPv6 is a slightly different beast, but the internet (the IPv4 one) that we all use is a small place now. It can be easily demonstrated that the internet isn't a wide expanse with lots of nooks and crannies, it is a small congested collection of systems. The researcher apparently did something benign with the systems he took over, but realistically, if the method is reproducible, it would be possible to cripple the internet if someone was so inclined.

      I don't recall having a real whole-internet-scale event, but I would imagine it is closer than we think... I'd expect those on IPv6 will go, "what, the internet is down, not for me..."

    2. Re:Guy deserves any jail time he gets by abuelos84 · · Score: 1

      Really?
      I get that it was not a lawful action, and I can understand some of the affected to want some sort of "punishment", but fucking JAIL????
      So the guy should be stripped of his freedom and spend several years behind bars being raped by Big-Cell-Buddy for this?
      Isn't that a bit overkill?

      --
      -- Counting backwards since 1984!
  19. What are all these devices? by Anonymous Coward · · Score: 0

    Home routers with factory defaults (linksys, netgear, etc)? Something else? Like single board computers in the desert collecting rainfall data?

    1. Re:What are all these devices? by byeley · · Score: 1

      + lots of smart meters, etc. I imagine.

    2. Re:What are all these devices? by Rob+the+Bold · · Score: 1

      Home routers with factory defaults (linksys, netgear, etc)? Something else? Like single board computers in the desert collecting rainfall data?

      TFA:

      The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on. We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks.

      As I (cursorily) read it, they're targeting MIPS-based devices for the botnet.

      --
      I am not a crackpot.
  20. If these were WINDOWS machines by Anonymous Coward · · Score: 0

    If these were WINDOWS machines and not linux, y'all would be saying: "See! Windoze is teh Evil!!"

    But since these machines mostly ran Linux, you don't blame Linux.

    1. Re:If these were WINDOWS machines by characterZer0 · · Score: 1

      Windows machines compromised via remote exploits in Windows: Windows sucks!
      Windows machines compromised via stupid users who install anything? Windows users suck!
      Linux machines compromised via default passwords: Administrators suck!

      --
      Go green: turn off your refrigerator.
  21. Some other variants of this project by Anonymous Coward · · Score: 0

    How about using this trick to determine how unique Mac addresses really are?

  22. Paperboy by Anonymous Coward · · Score: 0

    This brings back fond memories of being a paperboy in the mid-80s. My route was small, about 80 customers IIRC. In that small sample there was one person who routinely fell asleep in front of the TV with the door ajar. On any given morning there could be keys left in any door. I knew who the drunk drivers were. I was in their front yard before they moved the car from its telltale catty-corner position in the driveway. Habitual drunk drivers had tire tracks in the grass next to the driveway.

    Of course I never "tested" any of the doors. I suspect that if I had it would have revealed even more opportunity for theft.

    I was the last youth carrier providing service to the door. After me they went to immigrants using cars, who always wrapped the paper whether it was raining or not, and tossed it into the driveway. I think that guy covered 500+ on his route.

    1. Re:Paperboy by Anonymous Coward · · Score: 0

      This brings back fond memories of being a paperboy in the mid-80s. My route was small, about 80 customers IIRC.

      I had a similar sized paper route...in the mid-1960's, in what was then a far suburb. It certainly wasn't as exciting or tempting as your route! No drunks, keys-in-the-lock, or open doors that I can remember. Many of the doors were probably unlocked (my parents didn't start locking the house until about 1970), but as a kid it never even occurred to me to test them. The most excitement was an unleashed German shepherd that always chased my bike and nipped me once. The most annoying was a family of sabbath keepers who wouldn't open their door if I came collecting on Saturday (which was my normal day for collecting the subscription fee)--insisted I make a special trip for them on some other day.

  23. Which is why by Overzeetop · · Score: 4, Funny

    Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)

    --
    Is it just my observation, or are there way too many stupid people in the world?
  24. That is cool! by Novogrudok · · Score: 1

    Very nice work. The article is well written too.

  25. Expand this into survey research by coldsalmon · · Score: 2, Interesting

    Have a team go door-to-door during working hours, when most people are not home. If they find an empty house with an unlocked door, go inside and use the phone to call a bunch of people and conduct your research. As long as you publish the addresses of all of the houses for academic purposes, nobody should mind.

    1. Re:Expand this into survey research by Anonymous Coward · · Score: 0

      As long as we are talking analogies, let's go door to door probing women's genitals, and in those we find open for business, deploy a small sample of genetic material....

      A computer is not a house, fuck you and your Goebbels friend...

    2. Re:Expand this into survey research by vettemph · · Score: 1

      Not so much. It's like this (from my previous post...)

          Seeing how the internet is more of a virtual thing, I think the physical location of the router is not relevant in this case. Having a router unsecured is like leaving a box of cookies on the sidewalk, in the middle of town. Folks can't get upset when someone has a look at the contents of the box. The 'intruder' has no idea where the router is physically located.

      It's like the following differences...
      1) Someone peeking into your window.
      2) You standing naked in front of your window.
      3) You standing naked in town.

      The unsecured router would be 3 more so than 2, definitely not 1. :)

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
    3. Re:Expand this into survey research by Anonymous Coward · · Score: 0

      Why would there be a phone in an empty house? My phone almost always comes with me when I leave the house. It's 2013.

  26. Why are there no counter attacks? by TheSkepticalOptimist · · Score: 2, Interesting

    I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

    I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

    I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

    Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

    --
    I haven't thought of anything clever to put here, but then again most of you haven't either.
    1. Re:Why are there no counter attacks? by Anonymous Coward · · Score: 0

      I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

      I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

      I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

      Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

      Who says they haven't?

    2. Re:Why are there no counter attacks? by _bug_ · · Score: 1

      The problem of launching a counter attack isn't technical, it's legal. A user broke into my system, they've broken the law. If I retaliate and break into their system, I'm now guilty of the same offense.

      Could a case for self-defense be made? Maybe, but IANAL and I don't think a court would consider it in the same way they would a physical confrontation.

    3. Re:Why are there no counter attacks? by Stuarticus · · Score: 2

      I have a program that will do all this and make the hackers computer explode, email me $500 to buy it.

      --
      If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
    4. Re:Why are there no counter attacks? by Anonymous Coward · · Score: 1

      Think about this for a minute, the chances are good that you are being attacked via someone else's compromised system. What is the advantage of DOSing some random residential user that is only involved because they picked a bad password? What are the risks of attacking a (compromised) corporate entity that has the resources to sue you and/or launch its own retaliatory strike? To make a loose analogy, it's like bombing the AA headquarters after 9/11.

    5. Re:Why are there no counter attacks? by Anonymous Coward · · Score: 0

      Even for a self defence argument the court will expect you to explain why you didn't run away instead. There are lots of reasons you might have, but if asked you've got to persuade a jury that you reasonably believed running away wasn't an option, wouldn't make you safer, whatever. Except in "Stand your ground" states where the law is bonkers and frankly it's a wonder anyone's lived through that.

      So there is no virtual equivalent, you always have the option to run away, switch things off, shut things down if you don't like what's happening.

    6. Re:Why are there no counter attacks? by Jah-Wren+Ryel · · Score: 5, Interesting

      I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

      Because it is a terrible, terrible idea. If automated counter-attacks were to become the norm, then all it would take to start a "war" between two groups is for someone to compromise just one system at the first group and set it to attacking the second group. Think mutual assured destruction except Anonymous has their finger on the button and it's labeled "lulz."

      --
      When information is power, privacy is freedom.
    7. Re:Why are there no counter attacks? by bbartlog · · Score: 2

      I think the technical difficulties are greater than you are making them out to be. You're talking about trying to automatically pwn some unknown box that just contacted yours. Unless the hacker is really stupid, he's not going to have the kinds of open ports, services, and other associated vulnerabilities that many internet machines would have. The utmost you could plausibly do is DDoS the attacker, if you happen to have your own botnet handy. Furthermore, the odds that the attacker is using some third party's platform as a launch pad is probably pretty high. If you did manage to trample all over such a device, they'd just chuckle and use some other zombie under their control.

    8. Re:Why are there no counter attacks? by Cassini2 · · Score: 3, Interesting

      This used to be done, back in the early days of email and usenet. If someone was sending spam, someone else would send their server 10,000 email messages and knock it offline.

      It doesn't really work anymore:
      a) Users are dumb - they don't even know their account/computer has been compromised, and might not care even if it has.
      b) One mail server serves millions of users. That means millions of people pay the price for the actions of one bozo.
      c) Revenge mails look like spam. It gets the sender blacklisted.

    9. Re:Why are there no counter attacks? by TheMattRay · · Score: 1

      Was "Golden Eye" on TBS recently or something? Your approach sounds as educated as suggesting that we can simply eradicate the flu virus using the Dr. Mario method.

    10. Re:Why are there no counter attacks? by GameboyRMH · · Score: 1

      The hacker's system has to be vulnerable to the "counter measure." So for a telnet connection for example, there would have to be a vulnerability in the telnet client. There is such a thing as an offensive strike but it's not like IRL kinetic warfare where you can just hurl a thing at another thing.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    11. Re:Why are there no counter attacks? by FuzzyDustBall · · Score: 1

      You could allow login for any account but if the password or user is incorrect they end up in a private VM which has files that look enticing to hackers... All these files would actually be trojans. The hacker would then take back the trojan to his own computer and bang hacker pwned.

    12. Re:Why are there no counter attacks? by Anonymous Coward · · Score: 0

      hmm - but confirm you're not going to kill your neighbor because they passed the flu onto you?

  27. Re:"researcher"? Hardly. by tqk · · Score: 2

    If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world) ...

    What "infection" did this researcher transmit to his "victims"? Isn't this more like someone offering free susceptibility tests? They're on the net, meaning they're open to the offer. The net's always a potentially dangerous place if you're connected to it. Researcher tests to see if they're in any way vulnerable. Shazam, they are. Where's the story?

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  28. xkcd by tippe · · Score: 1

    Way to go xkcd, you've been referenced in a legitimate research paper!

    To get a visual overview of ICMP records we converted the one-dimensional, 32-bit IP addresses into two dimensions using a Hilbert Curve, inspired by xkcd.
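The address-to-grid mapping the quoted sentence describes, as an added illustration (not the census project's own code): a 32-bit IPv4 address is truncated to a prefix, that prefix is treated as a distance along a Hilbert curve, and the curve's d2xy/xy2d algorithms turn it into a cell on a square grid. The sample addresses and the `cell_counts` heat-map helper are constructed for the example; `order` 4 gives the 16x16 one-cell-per-/8 layout of the xkcd map.

```python
import ipaddress

# Added example: Hilbert-curve layout of the IPv4 space (not project code).


def _rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so the sub-curve inside it is oriented correctly."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Distance d along a Hilbert curve filling an n x n grid -> (x, y)."""
    x = y = 0
    s = 1
    t = d
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def xy2d(n, x, y):
    """Inverse of d2xy: grid cell (x, y) -> distance along the curve."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def ip_to_xy(ip, order):
    """Map an IPv4 address onto a 2**order x 2**order grid.

    Each cell covers a /(2*order) block: order 4 is the 16x16 map with one
    cell per first octet, order 12 is 4096x4096 with one cell per /24.
    Consecutive blocks always land in adjacent cells, which is why contiguous
    allocations show up as solid regions instead of scattered pixels.
    """
    if not 1 <= order <= 16:
        raise ValueError("order must be between 1 and 16")
    n = 1 << order
    d = int(ipaddress.IPv4Address(ip)) >> (32 - 2 * order)
    return d2xy(n, d)


def cell_counts(ips, order):
    """Aggregate addresses into per-cell hit counts (the raw data of a heat map)."""
    counts = {}
    for ip in ips:
        xy = ip_to_xy(ip, order)
        counts[xy] = counts.get(xy, 0) + 1
    return counts


def curve_is_consistent(order):
    """Self-check: xy2d inverts d2xy and consecutive cells are grid neighbours."""
    n = 1 << order
    prev = None
    for d in range(n * n):
        x, y = d2xy(n, d)
        if xy2d(n, x, y) != d:
            return False
        if prev is not None and abs(x - prev[0]) + abs(y - prev[1]) != 1:
            return False
        prev = (x, y)
    return True


# Constructed sample input: two addresses share the 10.0.0.0/8 cell.
SAMPLE_IPS = ["10.0.0.1", "10.20.30.40", "192.0.2.7", "198.51.100.9", "203.0.113.5"]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(ip, "->", ip_to_xy(ip, 4))
    print("curve self-check:", curve_is_consistent(4))
```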

    1. Re:xkcd by Kurast · · Score: 1

      Way to go xkcd, you've been referenced in a legitimate research paper!

      To get a visual overview of ICMP records we converted the one-dimensional, 32-bit IP addresses into two dimensions using a Hilbert Curve, inspired by xkcd.

      There, I am fixing it for you: illegitimate paper

    2. Re:xkcd by Anonymous Coward · · Score: 0

      One can do this kind of research without hacking into other peoples machines as well as reference xkcd, e.g. look at here or here. The second one is also far more comprehensive in terms of alive IPs discovered.

      Nevertheless, I enjoyed reading this "research paper".

  29. You can't do this by Anonymous Coward · · Score: 0

    You can't break into someone's house in the middle of the night and then say you were simply being benevolent in calling a security vulnerability to their attention.

    These people are criminals and deserve to go to prison for what they have done.

    1. Re:You can't do this by Anonymous Coward · · Score: 0

      You can't break into someone's house in the middle of the night and then say you were simply being benevolent in calling a security vulnerability to their attention.

      Indeed you can't. And these people didn't. You can go back to Youtube now.

  30. Re:"researcher"? Hardly. by malakai · · Score: 2

    He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.

    This isn't just checking ports and default logins and reporting back.

  31. re: not about the technical situation by King_TJ · · Score: 1

    I have to disagree with you on this....

    First of all, I'm not sure there's really that much useful gained from such a project? An Internet Census for 2012 made with questionable code loaded onto all sorts of devices in unknown states without anyone's permission? How much validity can I put into those results? (How many devices didn't perform as intended while doing the port scans due to all sorts of possibilities outside the control of the people doing this research? Anything from people having firewalls blocking results from coming back on some of them to people realizing something was wrong when their bandwidth was consumed for no known reason and shutting the devices down would affect the information.....)

    Beyond that, it's not even something all that original.... Plenty of people have attempted to estimate the number of IP addresses in use and who has which IP blocks, etc. Plenty more have looked at all of these studies, shrugged, and said "Who cares?" After all, the Internet is so dynamic, any tallies taken are but mere snapshots in time of a rapidly changing landscape. How many people will it really affect to know the approximate number of users/devices out there as long as they know it numbers in the "many millions" or more?

  32. Jail by Lawrence_Bird · · Score: 0

    This is blatant unauthorized access and he went further than just "checking the door knob". He went into the house and left a gift behind too. Seriously, this guy should face charges. I'm pretty libertarian when it comes to most things but this is just over the top.

    1. Re:Jail by characterZer0 · · Score: 1

      What should the punishment be? A fine? Prison? Banned from the Internet?

      He should be punished. Jail time is expensive for the taxpayers and harsh for somebody who, however misguided, was trying not to hurt anybody. I would suggest lots of community service.

      --
      Go green: turn off your refrigerator.
    2. Re:Jail by Anonymous Coward · · Score: 0

      Yes, let's charge people for doing unnoticeable things that cause no damage because, well, fuck them... It only costs 44K a year to house a prisoner. A bargain when you consider that zero damage was caused.

    3. Re:Jail by Score+Whore · · Score: 1

      He should have to, at his own expense, visit each individual whose equipment he accessed and apologize as well as explain to whatever technical detail they desire exactly what he did with their equipment. Plus he should have to pay any incurred costs from his access. And he should have to do this beginning now and engage in continuous effort and not do anything else -- beyond the fundamental tasks of living (eat/sleep/crap) -- until he is done.

      Fundamentally accessing someone's property without their consent is harm. Even if, by your own estimates, you cause no harm.

    4. Re:Jail by GameboyRMH · · Score: 1

      But but but, he BROKE the RULES!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:Jail by Lawrence_Bird · · Score: 1

      Yes he should face jail time. To not give any just encourages (or perhaps, fails to discourage) future similar behavior. And what happens the day that someone thinks 'oh I'll do this it will be cool and won't fuck anything up' and well.. it does?

      Mind you I'm not saying put the guy away for 25 years but I think 2 years and an equal amount of post jail community service would be appropriate. That it costs something to put him in jail is not reason enough to not put him there.

    6. Re:Jail by Lawrence_Bird · · Score: 1

      Well I picked up the gun and pointed it at you and pulled the trigger. But damn it, I missed. Guess I should go scot-free because well, zero damage was caused? No? Ok, suppose I knew there were no bullets in the gun and nothing would happen to you? Now can I go free?

    7. Re:Jail by characterZer0 · · Score: 1

      Consider that people (especially non-violent offenders) come out of prison more likely to commit a greater crime than before they went in.

      --
      Go green: turn off your refrigerator.
    8. Re:Jail by Lawrence_Bird · · Score: 1

      Consider that some may come out more likely to commit another crime. And again, that alone is not a reason not to incarcerate. And there are any number of nonviolent crimes which society should reconsider if they are crimes at all and if still so, make the punishment more in line with the offense.

      I do find many of the mandatory minimums to be far too long, while it does seem that some very violent offenders get far too short a stay. But again, we can't as a society just give what amount to free passes when laws are broken, egregiously in this case. The jail time is not just a punishment but also a deterrent to others.

      The problem I have here is that this was a person who really knew better than to do what they did. This wasn't some 15 year old without the exposure to or full understanding of the possible ramifications of the act. Instead, he did it because a) he wanted to and b) he decided that his view that the 'research' was valuable was to take precedence over society saying unauthorized access is a nono.

  33. Fiction by Lost+Race · · Score: 1

    I'm pretty sure this story is a very elaborate piece of fiction. That makes way more sense than somebody clearly so smart going to so much trouble to earn themselves a life sentence in prison.

    Maybe last year we could expect someone to do this for real, but not this post-1/11 world.

    1. Re:Fiction by Anonymous Coward · · Score: 0

      I have not checked the data yet but everyone should find references in their logs of their servers when the scan took place.

  34. Public Internet ends at your router by Anonymous Coward · · Score: 0

    Testing doors and windows is only equivalent if your house stands right on the public pathway (no front garden), so the testing can be done while standing on public property.

    Electronically, the public Internet extends all the way to your router, it doesn't end on the public path outside, so the door analogy isn't really a good one.

    1. Re:Public Internet ends at your router by mjr167 · · Score: 1

      Oddly there are plenty of houses with no front garden... Not to mention people are generally allowed (and expected) to walk up to a door and then politely knock. Just not actually turn the handle.

  35. Announced a free DDOS engine by mattr · · Score: 1

    The only result I can see from this guy's "research" is to announce to the world the existence of a low barrier to entry DDOS platform.
    What could possibly go wrong...
    I'm tired of seeing people jailed who are curious about security. But he needs a clue. Guys like this are why I expect Bill Joy wrote his treatise. One man's Epic h4ck is another man's Epic FAIL.
    Of course his ethics are canted at an angle to reality, but if he had just gone a bit farther off the deep end and actually fixed all the password vulnerabilities he might have made history. Not that I am recommending anyone do it.

  36. So what by Anonymous Coward · · Score: 0

    Complaining about someone logging in with default passwords is like complaining that someone found your "hidden" web page with no links to it.

  37. Where is the manufacturer's responsibility? by sl4shd0rk · · Score: 3, Interesting

    I see a lot of people complaining about the actions of the researcher, but what about the actions of the manufacturer? If Medeco made a lock that had the equivalent of "admin/admin telnet" on it, they'd be strung up. I'm not saying the researcher is not responsible for his actions, however putting all the blame on him isn't reasonable either.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:Where is the manufacturer's responsibility? by Anonymous Coward · · Score: 0

      Funny you should say that. Many lock manufacturers ship 'all zeroes' to locksmiths. They open with a blank key. The assumption is any competent locksmith will immediately recombinate to suit their client's needs.

      In this case a systems manufacturer ships a product with a default, easy login. The assumption is that any competent administrator will immediately reconfigure to suit their client's needs.

  38. Two Guesses by Anonymous Coward · · Score: 0

    You get two guesses who is behind this: Kaminsky or HD Moore.

  39. still using telnet? by Anonymous Coward · · Score: 0

    not trying to be rude, but people still use telnet? just asking. or did someone forget to turn off the telnet server? I thought people would use instant messaging or text messaging on cell phones and tablets.

    1. Re:still using telnet? by Anonymous Coward · · Score: 0

      A lot of BusyBox configurations are set up to allow telnet-login with no password. After you log in the first time you change the root-password, and this will automatically trigger SSH to be started and telnet to be turned off. From then on the box is secure.

      However, when people don't know this or realize that they should log in to set a password, the telnet stays open and will happily let anyone in.

      In the case of routers though, telnet *should* only accept connections from the LAN side. In the case of "internet of things" devices though, there is usually just one interface.

  40. Re:"researcher"? Hardly. by tqk · · Score: 1

    He uploaded a binary to 'insecure' devices ...

    Ah. I'll take a slap to the back of the head for not RTFA or understanding the summary. /. SOP bites again. Thx.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  41. nothing new by Anonymous Coward · · Score: 0

    blackhats already know all this..

  42. Your analogy breaks down because it is an analogy by Anonymous Coward · · Score: 0

    The internet is not a road and servers are not houses.

  43. You are pro-rape by Anonymous Coward · · Score: 0

    So, under your "logic", a woman deserves the blame for being raped if she isn't dressed like a nun at all times.

    The only person to blame for an action is the person who took the action. Nobody else.

    1. Re:You are pro-rape by Anonymous Coward · · Score: 0

      So under your "logic" every install of Apache or IIS is like a sign out the front of your house offering free sex?

  44. Fantastic project by Anonymous Coward · · Score: 2

    This is one of the most amazing things I've read on slashdot - a very interesting dataset gathered in a just as interesting way, with fascinating results, all fully documented and released to the public domain. The nay-sayers who can't see past the legality issue to the technical achievement and gold-mine of a dataset below, should hand in their geek-card on their way out. This is news for nerds, not news for lawyers.