Slashdot Mirror


The Search Engine More Dangerous Than Google

mallyn writes "This is an article about a search engine that is designed to look for devices on the net that are not really intended to be viewed and used by the general public. Devices include pool filters, skating rink cooling systems, and other goodies. 'Shodan runs 24/7 and collects information on about 500 million connected devices and services each month. It's stunning what can be found with a simple search on Shodan. Countless traffic lights, security cameras, home automation devices and heating systems are connected to the Internet and easy to spot. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron by using Shodan. ... A quick search for "default password" reveals countless printers, servers and system control devices that use "admin" as their user name and "1234" as their password. Many more connected systems require no credentials at all — all you need is a Web browser to connect to them.'"

210 comments

  1. dangerous? by schlachter · · Score: 3, Insightful

    Is google dangerous? Sure, it can be used to do bad things. But that's like saying we've discovered a liquid more dangerous than water.

    --
    My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    1. Re:dangerous? by The MAZZTer · · Score: 5, Funny

      Dihydrogen Monoxide is no laughing matter.

    2. Re:dangerous? by interkin3tic · · Score: 2

      But imagine if someone googled "how to clone hitler"!!! ~

    3. Re:dangerous? by swb · · Score: 5, Funny

      Dinitrous Monoxide however is quite a laughing matter.

    4. Re:dangerous? by schlachter · · Score: 1

      damn it. i laughed.

      --
      My God can beat up your God. Just kidding...don't take offense. I know there's no God.
    5. Re:dangerous? by Anonymous Coward · · Score: 0

      The proper, IUPAC-suggested name is o x i d a n e !
      Some people will never learn >.

    6. Re:dangerous? by Anonymous Coward · · Score: 0
    7. Re:dangerous? by Anonymous Coward · · Score: 1

      But imagine if someone googled "how to clone hitler"!!! ~

      It would pull up pictures of job and George Bush

    8. Re:dangerous? by INT_QRK · · Score: 1

      A little sunshine may serve to wake up some of the "Critical Infrastructure" and SCADA numbskulls.

    9. Re:dangerous? by poetmatt · · Score: 3, Insightful

      Google isn't dangerous. People being asinine with computers is dangerous, as any search engine can clearly indicate.

    10. Re:dangerous? by StatureOfLiberty · · Score: 2

      Dihydrogen Monoxide is no laughing matter.

      Neither is hydrogen hydroxide

    11. Re:dangerous? by Anonymous Coward · · Score: 0

      The leading cause of death for sailors.

    12. Re:dangerous? by Anonymous Coward · · Score: 0

      Asinine people shouldn't be able to access anything that is dangerous.

      I've taken a little comfort in the fact that none of our production machines and equipment were networked. Recently, some really "bright" boy has convinced some rather dull managers that efficiency can be improved if everything is networked. I'm watching all of our stuff being connected to a WIFI network these days. The very same workstation that the shift managers use to access the equipment status also connects to the internet, using the same WIFI router.

      It's only a matter of time before someone discovers our crap, and tries to manipulate it.

      I've not even looked to see if things are using default passwords, or if someone has been smart enough to use decent passwords. But, it is my position that only a moron connects ANYTHING to an internet accessible network. Traffic lights? Good God - that move makes my people look like geniuses by comparison.

    13. Re:dangerous? by fustakrakich · · Score: 1

      Bush is a bit player in the pages of history. Another man has been chosen to carry on the mission, and is doing so exquisitely, following his every step to the t, as expected, no, demanded, for he can not keep the job any other way. Forget about Bush, please. He is gone.

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:dangerous? by Anonymous Coward · · Score: 0

      sounds like a dangerous corrosive combustible, I like that !
      if oxidane is the IUPAC-suggested name for dihydrogen monoxide, oxidane it is !

    15. Re:dangerous? by idji · · Score: 0

      But Dinitrogen Monoxide is!

    16. Re:dangerous? by hduff · · Score: 1

      Is shodanhq.com dangerous?

      I just tried to establish an account and got this warning:

      403 Forbidden
      Access was denied to this resource.

      Cross-site request forgery detected, request denied.

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    17. Re:dangerous? by Anonymous Coward · · Score: 1

      I thought you were joking but it really is dangerous

      http://www.dhmo.org/facts.html

    18. Re:dangerous? by Anonymous Coward · · Score: 0

      This whole thread is hilarious! Thanks for the laughs!

  2. Obligatory by Anonymous Coward · · Score: 2, Funny

    L-L-Look at you, hacker: a pathetic creature of meat and bone, panting and sweating as you run through my corridors.

    1. Re:Obligatory by firex726 · · Score: 0

      I miss SS2, Bioshock is just too dumbed down.

    2. Re:Obligatory by Zargg · · Score: 1

      grrr, I just got goosebumps from reading this and hearing her voice in my head. Time to dig up the cd...

    3. Re:Obligatory by Opportunist · · Score: 0

      As if Xerxes' announcements were any less scary, not to mention that face. Then again, it was her all along, so...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Obligatory by Anonymous Coward · · Score: 1

      I think more than the console-friendly design choices, the atmosphere of these games suffers from the excessive violence brought on by going after the "action genre" rather than "horror". Bioshock and Bioshock Infinite have some very interesting and imaginative worlds that get smothered by combat as a filler between the actually interesting portions of the game. I wish Irrational had the mandate to make these games as adventure games instead while holding onto their budget, so that I could interact with this interesting society in forms other than shooting the bejeezus out of it.

    5. Re:Obligatory by Hsien-Ko · · Score: 1

      Daedalus would make more sense, to be honest.

    6. Re:Obligatory by ifiwereasculptor · · Score: 0

      Bioshock, by itself, could be much better were it quite a lot harder. If you felt like you couldn't survive another encounter (or could not spare the resources for it), like System Shock 2, then navigating the hallways would be a lot more memorable and enemies would be more frightening. I also think Big Daddies should have been treated like those monster-thingies from Amnesia: something you could not defeat. It would add a much needed layer of caution to a game that's already incredibly atmospheric and involving but doesn't exploit those characteristics often enough.

    7. Re:Obligatory by Anonymous Coward · · Score: 1

      The website doesn't mention the origin of the name.
      The article doesn't mention the origin of the name.
      The summary doesn't mention the origin of the name.
      And the comments relevant to the origin of the name are being downvoted?

      What the fuck is going on here?

    8. Re:Obligatory by Jade_Wayfarer · · Score: 1

      I think we all know the answer to this one, right, my fellow meatbag?

      --
      Absence of proof != proof of absence.
    9. Re:Obligatory by jftitan · · Score: 1

      I miss running around the Citadel Station. Trying to survive and destroy the mining station from destroying mankind. And they NAME this search engine Shodan? Where is Edward Diego? And can I get my military spec hardware installed if I take out the ethical constraints of Shodan? Maybe I can get her to rapidly deploy herself into every device still using default passwords.

      --
      "Don't Forget to Salt the Fries"
    10. Re:Obligatory by jftitan · · Score: 1

      Xerxes was a pushover.

      Shodan was floating around space for a long time before Xerxes was given a sinking ship. Rickenbacker... Sheeesh.. and it couldn't even FTL

      --
      "Don't Forget to Salt the Fries"
  3. astounding that defaults are not tougher by swschrad · · Score: 1, Insightful

    I mean, how hard is it to ship new devices with something tougher than admin and 1234?

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:astounding that defaults are not tougher by Em Adespoton · · Score: 5, Funny

      I mean, how hard is it to ship new devices with something tougher than admin and 1234?

      they should at least change the account name from "admin" to "luggage"....

    2. Re:astounding that defaults are not tougher by Hatta · · Score: 5, Insightful

      Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

      Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

      --
      Give me Classic Slashdot or give me death!
    3. Re:astounding that defaults are not tougher by Dr. Sheldon Cooper · · Score: 0

      1 2 3 4 is no less secure than 4 t & q, mathematically speaking.

      --
      Bazinga.
    4. Re:astounding that defaults are not tougher by jeffmeden · · Score: 4, Funny

      I mean, how hard is it to ship new devices with something tougher than admin and 1234?

      We tried using "12345" as the default but that turned out to be a bad idea, too.

    5. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      My router has a unique default password per device that's printed on the label of the machine. This would be a major inconvenience if that label ever got damaged or I transplanted the innards into another shell.

    6. Re:astounding that defaults are not tougher by femtobyte · · Score: 3, Insightful

      So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

    7. Re:astounding that defaults are not tougher by jeffmeden · · Score: 5, Interesting

      So the person setting it up is lulled into thinking that the default "4nk^&nW3)(&" is secure and doesn't need to be reset (despite any attacker being just one web search away from learning the "better" default)? Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

      To that end, the best option (but scarcely used on hardware interfaces) is to force someone to login as the admin before the device is functional, and during that login to force them to set a new password (with certain password rules prohibiting foolishly simple passwords). Do this, and the problem almost goes away, but the new problem of constant password recovery questions flooding tech support will commence. Most companies, sadly, choose the less secure/less pesky route of just letting it run with the default perpetually.

    8. Re:astounding that defaults are not tougher by sinij · · Score: 4, Insightful

      No default password could be secure. The only way is to force password change on first use.

    9. Re:astounding that defaults are not tougher by Attila Dimedici · · Score: 5, Insightful

      You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).
      The fact of the matter is that a lot of these devices are going to be things which are infrequently accessed, so even if you file the credentials away in a "safe, secure" location by the time you need them again you may have forgotten where that was.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    10. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 1

      Using a complex default will fool people into thinking the default is secure, and more people will fail to change it. If you're using the same default for every device, it doesn't matter what you use, it's not secure and needs to be changed.

      Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

      Not that any of this bullshit matters anyway, as evidenced by the very existence of the search engine we're discussing, and the thousands of devices found with the default password...

    11. Re:astounding that defaults are not tougher by HCase · · Score: 2, Insightful

      That would be a bad idea.

      1. A default password is a default password, and should be assumed to be public knowledge.
      2. A complicated default password will accidentally trick users into thinking it is more secure than admin/1234. For example, you have already been tricked.
      3. If the device is reset to factory default, the password won't be easily remembered, so a device may be stranded in a default or even unusable state until the owner can find the password via documentation, help-desk, or internet database of default passwords.

      A partial fix that is sometimes used, is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password, and the password may not be truly unique, or may be guessable. If the password is damaged/lost, the device may be rendered unusable if reset to its default state.

    12. Re:astounding that defaults are not tougher by gthazmatt · · Score: 1

      No, defaults should be as easy as they are. However, you should be forced to change the default password before connecting to your ISP.

    13. Re:astounding that defaults are not tougher by Joce640k · · Score: 1, Interesting

      They could keep "admin" but print a unique password on the router.

      --
      No sig today...
    14. Re:astounding that defaults are not tougher by bbcisdabomb · · Score: 1, Interesting

      Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards? Complex machinery in secure locations can be well served by a laminated card with the credentials printed on it.

      --
      Please put some pants on before you post again.
    15. Re:astounding that defaults are not tougher by bbcisdabomb · · Score: 1

      I tend to use 12345 as the admin password. . . to my luggage.

      --
      Please put some pants on before you post again.
    16. Re:astounding that defaults are not tougher by Joce640k · · Score: 1

      They could have a unique default but a special uber-reset that sets it to '1234'.

      --
      No sig today...
    17. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Or use all or part of the device serial number, MAC address or ESN as the password. Which are typically printed on the device anyway. Just change the quick start guide to let the user know what number on the device to use.

    18. Re:astounding that defaults are not tougher by swb · · Score: 2

      For network devices, what about some compromise that combined some part of the serial number and last 3 bytes of the MAC address? Most devices have the serial number machine readable and presumably the MAC address is as well.

      This would make guessing far more complicated, especially if there was some effort made in production to "randomize" serial number and MAC address relationships so they didn't march in linear lockstep.

      These values should be easily found on the equipment if there was any question as to what they were, and the ROM could be configured in such a way that any "factory reset" would use this combination automatically.

      This wouldn't be perfect security -- brute forcing attacks would probably be less hard as the MAC and S/N space would be known, but with a non-linear association between serial numbers and MACs it might still be time-consuming -- a 12 character password of even known value ranges but semi-random relationships would still be time-consuming.
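
As an added illustration that is not from any commenter or vendor, the following Python models the first-login flow jeffmeden describes (the default is accepted exactly once, then nothing works until a new password meeting some rules is set) bootstrapped with the serial-plus-MAC default swb proposes, and folderol's nag banner. The derivation format, the length threshold, the denylist and the `DeviceAdmin` class are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed denylist of defaults that recur across products (illustrative, not exhaustive).
WEAK_PASSWORDS = {"", "1234", "12345", "123456", "admin", "password", "root"}
MIN_LENGTH = 10            # assumed policy threshold
PBKDF2_ITERATIONS = 50_000


def derive_default_password(serial: str, mac: str) -> str:
    """Per-device bootstrap credential in the style swb proposes: the last six
    characters of the serial number plus the last three bytes of the MAC.
    Both values are printed on the case, so this only removes the one-password-
    fits-every-unit failure; it is not a secret and must be replaced on first use."""
    mac_hex = mac.replace(":", "").replace("-", "").upper()
    if len(mac_hex) != 12:
        raise ValueError("expected a 48-bit MAC address")
    return f"{serial.upper()[-6:]}-{mac_hex[-6:]}"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class DeviceAdmin:
    """Admin account of an embedded device, modelled as a small state machine.

    FACTORY      the printed default is the only valid password; nothing else works
    MUST_CHANGE  default accepted once; only set_password() is permitted
    CONFIGURED   normal operation
    A factory reset (the physical pinhole button) returns to FACTORY."""

    def __init__(self, serial: str, mac: str):
        self._default = derive_default_password(serial, mac)
        self.factory_reset()

    def factory_reset(self) -> None:
        # Back to the printed default, with a fresh salt; all settings are wiped.
        self._salt = os.urandom(16)
        self._hash = _hash(self._default, self._salt)
        self.state = "FACTORY"
        self.session = None
        self.settings = {}

    def login(self, password: str) -> bool:
        if not hmac.compare_digest(_hash(password, self._salt), self._hash):
            return False
        if self.state == "FACTORY":
            self.state = "MUST_CHANGE"   # default accepted, but only to replace it
        self.session = secrets.token_hex(8)
        return True

    def nag(self):
        """Banner shown on every page until the default is gone (folderol's point)."""
        if self.state == "MUST_CHANGE":
            return "Default password is still set and is public knowledge; change it now."
        return None

    def password_is_acceptable(self, candidate: str) -> bool:
        """Rules against the foolishly simple choices jeffmeden mentions."""
        if len(candidate) < MIN_LENGTH:
            return False
        if candidate.lower() in WEAK_PASSWORDS:
            return False
        return candidate != self._default   # re-entering the printed default is not a change

    def set_password(self, new_password: str) -> bool:
        if self.session is None:
            raise PermissionError("login first")
        if not self.password_is_acceptable(new_password):
            return False
        self._salt = os.urandom(16)
        self._hash = _hash(new_password, self._salt)
        self.state = "CONFIGURED"
        return True

    def apply_config(self, key: str, value: str) -> bool:
        """Every other admin action is refused until the default has been replaced."""
        if self.session is None:
            raise PermissionError("login first")
        if self.state != "CONFIGURED":
            return False
        self.settings[key] = value
        return True
```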

    19. Re:astounding that defaults are not tougher by Rogue974 · · Score: 1

      I was going to make your point #1 and agree with you #2 and #3.

      Your last paragraph though is a HUGE problem. If you lose that piece of paper because it was separated from the packaging, or got wet while sitting in the warehouse and maintenance pulls it off the shelf to install it and it is useless, then the manufacturer gets a huge earful because the facility was down because they were stupid enough to write the unique password on a slip of paper that was tossed with the packaging.

      In the world of instrumentation, as your first point said, the defaults are well known and if you want to find them out, all you have to do is google the name of the device + manual.

    20. Re:astounding that defaults are not tougher by tlhIngan · · Score: 2

      You hit a good point. There is a corollary to it, most devices have a method of resetting the login to the default (usually something that requires physical access to the device) because there are a significant number of times when for one reason or another the correct login credentials have been lost. If the manufacturer does not use the same default login credentials for every one of a particular device and the end user has lost the card they sent with it that has the default credentials (an eventuality that is likely in those cases where the changed credentials have been lost) the company will either have to have maintained a database of the default credentials for every one of their devices they have shipped, or the end user will be SOL (which will probably result in them being very unhappy with the manufacturer).

      If resetting the device requires physical access, then just engrave the default password on the case like you do the serial number and other vital details. That way, when you reset the box, the details to log in are there on the case.

      If you manufacture it right, the reset button will be above the details of that device (serial number, MAC address, etc.) and the technician need only look further down for the password.

      No cards to lose, even if it's dirty it's still readable, no sticker to fall off, etc.

    21. Re:astounding that defaults are not tougher by interval1066 · · Score: 1

      Done with the Netgear router I recently bought.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    22. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Sheldon, if you were forced to choose one of these two for your master password, which would it be, mathematically speaking?

    23. Re:astounding that defaults are not tougher by PSVMOrnot · · Score: 2

      1 2 3 4 is no less secure than 4 t & q, mathematically speaking.

      Only in the naive combinations case, when we discard the priors.

      In other words, the probability of 1234 being the password is not just 1/num_possible_combinations, but also the probability of 1234 being the default chapter AND the default password not having been changed.

    24. Re:astounding that defaults are not tougher by Opportunist · · Score: 0

      Mathematically speaking, the lottery numbers 1 2 3 4 5 6 should net you the same reward in case of them being picked, too. Welcome to the human factor.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    25. Re:astounding that defaults are not tougher by F. Lynx Pardinus · · Score: 1

      A partial fix that is sometimes used, is to give each individual device a separate password, and include this password inside the packaging or attached via sticker. This is somewhat more secure but can lead to problems itself. The user may keep the password,

      I believe this is what Verizon FIOS does with their routers--there's a sticker on the side with a (looks like random) WPA key and admin password. I assumed that it would be fine to just leave it as is--is there a downside to not changing the info?

    26. Re:astounding that defaults are not tougher by Opportunist · · Score: 2

      Fine with a "real" computer, not really doable with a router. I don't even want to know how many of them are used without ever anyone having connected to them.

      And no, setting them up in a way that they don't "just work" out of the box is not really a solution either. Then the box is "too complicated" and people stop buying them in favor of a competitor's product, try to get that past marketing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    27. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Actually 1 2 3 4 is far less secure than 4 t & q because the character set present in the second is much larger.

    28. Re:astounding that defaults are not tougher by WindBourne · · Score: 4, Insightful

      I will pay u a dime for every system that currently has 4t&q for password, if u pay me a penny for those with 1234 password. Deal?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    29. Re:astounding that defaults are not tougher by Opportunist · · Score: 1

      Then your box will sit like lead on the shelf because your competitor's box "just works" while I'd have to actually know something to use yours.

      Hell, did Apple really teach us nothing? They don't sell 'cause of the shiny, they sell because they "just work". That's what people want and that's what they'll buy, to hell with security.

      Doesn't say that I agree with that, far from it. But when ease of use competes with security, ease of use will win. Every single time. Unless you can make that box somehow pop up a window on the user's PC where he has to do NOTHING but enter some kind of password and then it just works, people will not accept it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:astounding that defaults are not tougher by scubamage · · Score: 1

      I have to agree with you. A number of MSOs supply routers and modems whose default username/password are based on the MAC address, so every device has a unique combination.

    31. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 2, Insightful

      Instead of making the manufacturers print a unique card for each device, how about people change their credentials and print their own cards?

      That happens to be the way it's done already. Ask Shodan how well it's working out.

    32. Re:astounding that defaults are not tougher by sinij · · Score: 1

      You really think something like redirect to "type in a new password" page on first use would kill sales? Most people understand that you need to have wireless password or your neighbors use up your megabytes, is adding router password such a stretch?

    33. Re:astounding that defaults are not tougher by AvitarX · · Score: 1

      They could program it (in ROM) so that a blank password meant to check against any of the MAC addresses.

      This would mean local access setup CDs would be easier to use, and that nobody outside of the LAN would know the default password. This would make sure the types that use setup CDs have it even easier, and would not require burning a unique password into ROM for a hard reset to still match.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    34. Re:astounding that defaults are not tougher by EZLeeAmused · · Score: 1

      I mean, how hard is it to ship new devices with something tougher than admin and 1234?

      No doubt. They should ship new devices with the default loginname "ImAnIgnorantFool" and the password "andEveryoneKnowsIt"

      --
      Some see the vessel as half full; others see it as half-empty; We pour it out on the floor and laugh
    35. Re:astounding that defaults are not tougher by greg1104 · · Score: 1

      Most of the broadband modem/router devices I see now have a little sticker with unique information like the SSID, MAC address, and WPA key printed on them. You could usefully improve things just by making the default router password be the WPA key. People you've given the WPA key to would then also be able to reconfigure the router in the default config, but that's basically how it works now. When I visit someone non-technical and they invite me to read the WPA key from the router, invariably once I'm on the network I find I can then administer the router using its default, shared by every model password.

      It would be nice to have a separate admin password printed on the sticker though. The main problem with using one derived from information the client computers know is that trojans on those clients can still be smart enough to hack into the router they're behind, and then open up the whole network from there.

    36. Re:astounding that defaults are not tougher by cstdenis · · Score: 3, Insightful

      Too expensive in lost sales.

      "I want to return this device. I plugged it in and it doesn't work"

      --
      1984 was not supposed to be an instruction manual.
    37. Re:astounding that defaults are not tougher by retchdog · · Score: 2

      mathematically speaking, they're incomparable until you define a probability space.

      --
      "They were pure niggers." – Noam Chomsky
    38. Re:astounding that defaults are not tougher by Opportunist · · Score: 1

      Where do those "Most people" live and can I move there? I'd love to live in a neighborhood with a hint of a clue. Then again, I don't, I'd lose my free WiFi access.

      Trust me, "most people" don't even understand why to have a password on their WiFi. And more than a few have no WiFi because their router/AP combo needs to have that configured before use and they couldn't figure it out, but the router "worked", so they stick with wired.

      Yes, I'm fairly sure such a requirement would label your routers as "complicated", compared to those "easy to use", insecure, ones. At the very least, you should prepare for a lot of incoming support calls.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    39. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      That's funny, I use the same combination for my air shield.

    40. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 2, Interesting

      They could keep "admin" but print a unique password on the router.

      Admin and Root are so commonly used across so many different hardware platforms and software applications that it's best to default to something else and immediately treat any login attempt by either as a hostile intrusion attempt.

      But as for why hardware ships with such easy defaults, it's because it's a default and as such, you should assume that damn near anybody on the planet who wants it, will get it eventually. So unless you're going to ship a different login/pw with every last unit, there's not really much of a point. And doing that is a sheer nightmare from a technical support perspective, and frankly isn't worth doing unless you have a very limited list of customers.

      It's better to go with an easy default and some kind of mechanism that will constantly bother the user until it gets changed.

    41. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Yep, this is the fundamental problem with security in consumer grade hardware.

      Consumers aren't capable of maintaining secure hardware, so in order to sell enough to be worthwhile you need to make the system hilariously insecure (usually by adding easy bypasses to whatever security systems you added because marketing wanted the checkbox on the package).

    42. Re:astounding that defaults are not tougher by gbjbaanb · · Score: 2

      I have a new Netgear router, the username and password was printed on the bottom along with the serial number (which I assume is unique). If they can do this, then making a random default password of 2 or 3 words concatenated together (as is the case with the Netgear password) can't be too hard.

      In the case of a truly lost password, like the serial number sticker was damaged or stupidly removed for "safekeeping", then you could always re-flash the firmware with an update, last I remember you only need physical access to the emergency reset pinhole on the device (after all, sometimes the device is unwilling to let you logon even if you do know the password - I've had this happen to me after a power blackout)

      Besides, you think the companies won't be happy with a policy of "we're sorry, but you need to purchase another one, here's a link to our online store".

    43. Re:astounding that defaults are not tougher by folderol · · Score: 1

      Instead of forcing how about nagging, wherever possible bring up a reminder message saying that the default is set, is the same as many others and *bad* people will know it is admin:12345

    44. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Or default to the device serial #. No unique card needed then.

    45. Re:astounding that defaults are not tougher by EmperorArthur · · Score: 2

      Some companies do this.

      I was pleasantly surprised to see a Century Link DSL modem/wifi router come preconfigured with WPA2 and random passwords. Both the admin password and the WPA2 password were printed on the sticker on the bottom.

      If Century Link can do it, anyone should be able to.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    46. Re:astounding that defaults are not tougher by dpdjvan · · Score: 1

      I don't think it should be too difficult; having something like the device MAC address, serial number or other items printed on the device would make it straightforward for technical support, as you can always require the serial number to provide support. This should also ensure that the chance of two defaults being identical would be very low.

    47. Re:astounding that defaults are not tougher by MMC+Monster · · Score: 1

      How about making the default password something that is physical on the device but unique to each device?

      You know, something like a serial number.

      --
      Help! I'm a slashdot refugee.
    48. Re:astounding that defaults are not tougher by dcollins117 · · Score: 1

      Now they could issue a different default for every device, but that would require printing a unique card for each device, which is significantly more effort than just telling users to change the default login.

      They already print (and track) a different physical serial number for each device, that's how they manage warranties. It can't be that hard to do the same using electronic hardware and computers. Sounds a lot easier, actually.

    49. Re:astounding that defaults are not tougher by Charliemopps · · Score: 2

      That would require the consumer to spend more than $9.95 on the router, and we can't have that. This is ENTIRELY the consumers fault.

    50. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Cisco has been doing this for years, makes you wonder why others aren't. How much could it possibly cost to implement that?

    51. Re:astounding that defaults are not tougher by laitcg · · Score: 1

      "No default password could be secure. The only way is to force password change on first use." Normally I'd agree with this, however a sibling of mine passed away and I wound up with a laptop on which I could not change the BIOS. Fortunately through a quick google search, I was able to find default passwords used by the manufacturers to allow access to the issue. Problem solved.

      --
      When you want a computer system that works, just choose Linux. When you want a computer system that works, just, choose
    52. Re:astounding that defaults are not tougher by c++0xFF · · Score: 1

      The serial number would work, as long as the device never publishes it to the outside world.

    53. Re:astounding that defaults are not tougher by maxwell+demon · · Score: 1

      Wrong. The character set of the first contains four characters, namely "1", "2", "3" and "4". The character set of the second also contains four characters, namely "4", "t", "q" and "&". In both cases, each character from the set occurs exactly once.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    54. Re: astounding that defaults are not tougher by Anonymous Coward · · Score: 0
    55. Re:astounding that defaults are not tougher by mspohr · · Score: 1

      A few cheap Belkin routers that I bought for my family do just this.
      They have a sticker on the bottom with a (hopefully) unique username and password.

      --
      I don't read your sig. Why are you reading mine?
    56. Re:astounding that defaults are not tougher by maxwell+demon · · Score: 1

      You are assuming that the very first thing someone tries to do is to open a http connection. What if someone doesn't even connect his router to the internet, but only uses it to connect his desktop and laptop to his network capable printer? He'll then only find "it doesn't work" without ever seeing the password page. And even if the first thing he does is surf the web, it might be an https site.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    57. Re: astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      no. you don't understand
      A four digit code of only numbers has only ten thousand possible combinations.

      Add letters and/or symbols and that combination gets harder to break.

    58. Re:astounding that defaults are not tougher by c++0xFF · · Score: 1

      This will work as long as the serial number isn't sequential (which makes brute-forcing much easier) and steps have been taken to prevent the device from publishing its serial number to anybody who happens to ask.

    59. Re: astounding that defaults are not tougher by Anonymous Coward · · Score: 1

      You missed the parent's point. Without knowing the alphabet from which the string is selected, we can't say anything about how quickly the string would be guessed. For example, if the alphabet is ASCII, into which both strings fall, they are just as good as each other, from a mathematical perspective.

    60. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Verizon has started doing the same. Once implemented, I had to start sending out at least 10 new modems a shift because of it. Never underestimate consumer stupidity.

    61. Re:astounding that defaults are not tougher by cusco · · Score: 1

      That's the default for every Panasonic IP security camera. You would be amazed at the number of different pieces of security equipment with the defaults of admin/admin, and the enormous percentage of that equipment which is installed without changing that configuration. When we take over a customer site installed by others we can almost always take over the equipment by just looking up the default passwords on the web.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    62. Re:astounding that defaults are not tougher by cusco · · Score: 1

      Axis cameras are the ONLY security camera that I've run into which insists that you set a password the first time that you log in, one of many reasons why they're our preferred brand. Unfortunately they don't insist on a secure password, so most installers end up configuring them as root/root or root/pass (their old default).

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    63. Re:astounding that defaults are not tougher by Snotnose · · Score: 1

      ATT Uverse does this. The default password is a string of numbers, printed on a sticker on the side of the box.

    64. Re:astounding that defaults are not tougher by gnapster · · Score: 1

      Sure, I'll take you up on it. Let me just finish this script I'm working on, then we can count up the machines. On an unrelated note, the Shodan API is actually quite nice to work with...

    65. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Why not have the user set the password to something other than the default before the device does what it's supposed to do?

      If it's a router, it shouldn't connect to the internet until after the default password has been changed. If it's a particle accelerating cyclotron, it shouldn't accelerate particles. If it's a nuclear power plant, it shouldn't generate power.

      Regardless, there's no better motivation to change the password than "it doesn't work."

    66. Re:astounding that defaults are not tougher by lahvak · · Score: 1

      Now they could issue a different default for every device, but that would require printing a unique card for each device...

      As noted by others, lot of consumer devices that people buy for their homes or offices do that. However, things like traffic light, pool water system or nuclear power plant control systems are supposed to be installed by some sort of qualified technician, and they should know better than to leave the default login and password in place.

      --
      AccountKiller
    67. Re:astounding that defaults are not tougher by russotto · · Score: 1

      I believe this is what Verizon FIOS does with their routers--there's a sticker on the side with a (looks like random) WPA key and admin password. I assumed that it would be fine to just leave it as is--is there a downside to not changing the info?

      Not sure about current routers, but older FIOS routers had a "random" password easily derived from the broadcast MAC address.

    68. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Which would explain why the OP said CURRENTLY.

    69. Re:astounding that defaults are not tougher by maharvey · · Score: 1

      Oh, that's just great. Now I'll have to manually set the credentials to admin / 1234, like God intended them to be.

    70. Re: astounding that defaults are not tougher by tqk · · Score: 1

      You missed the parent's point. Without knowing the alphabet from which the string is selected, we can't say anything about how quickly the string would be guessed. For example, if the alphabet is ASCII, into which both strings fall, they are just as good as each other, from a mathematical perspective.

      I don't understand either. I suspect you're both splitting hairs, but I can't tell whether they're blond, brown, or red from here.

      (0) infidel /home/keeling_ calcme 10*10*10*10
      10000
      (0) infidel /home/keeling_ calcme 10*52*22*52
      594880

      The latter is a significantly larger number than the former; more than ten times larger. The "10"s are the integers from 0 to 9. "52" == 26 letters in the alphabet * 2 (upper and lower case). "22" is the 11 punctuation keys * 2 (ibid.).

      I hope you're not suggesting something stupid like, "Given the choice between 1234 and 4t&q, either is just as likely to be chosen as the other." Well, duh.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    71. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Well, that is still better than just using "password" as password. Sure, it's dumb against someone standing in front of your house with a laptop, but will do just fine against someone trying to access your router over the Internet.

    72. Re:astounding that defaults are not tougher by PyroMosh · · Score: 1

      This is 2013. Some people are stupid, yes. But information often gets out there even to stupid people. We live in a world where people think all kinds of things about "hackers" and identity theft, etc. They may not have a deep understanding, but they know that 20/20 did a story on it, so they should be afraid of... whatever. "Hackers".

      Anecdotally, excluding my own network, there are 14 networks within range of me as I type this from my home. All of them are secured (mostly WPA, 1 WEP) and there is one open "guest" network (with an identical name to one of the secure networks), which presumably is open by design, but has restrictions when connected.

      Granted, only 5 of these networks have names that were obviously user-selected. So perhaps some of these networks were set up by the ISP, or the devices shipped with security on by default. But regardless, I see more secure networks than I do open ones today.

      Who cares if the user selected it or not? As long as the password is unique and it works for them. They don't need to know unless they have a reason to. If the ISP or the device manufacturer has figured out a scheme to get them secured without a major hassle, it's a win-win. Those who care to know more will go out and learn more.

      For what it's worth, I live in central New Jersey. Maybe things are radically different in Scranton, PA or Las Vegas or the suburbs of Atlanta, but I kind of have my doubts.

    73. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Evidently, not as hard as getting dumbshit users to remember their passwords.
      Protecting people from themselves is the government's job.
      Private industry prefers the "no user serviceable parts inside" model.

    74. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Shouldn't that read "no serviceable user outside"?

    75. Re:astounding that defaults are not tougher by blueg3 · · Score: 2

      All the companies using non-trivial "default" passwords use unique passwords anyway.

      It's actually, from my limited, anecdotal experience, pretty effective. The people that don't know to change the password are the same ones that just look up the password on the bottom of the router -- the one or two times (ever) they need it. For the cost of a single sticker, you can force them to (once) use an arbitrarily secure password.

    76. Re:astounding that defaults are not tougher by blueg3 · · Score: 1

      Using a default of '1234' is a great way of reminding even minimally competent people that the password needs to be changed from default *right now.* Unfortunately, there are enough people out there not even minimally competent about security that this continues to be a problem.

      Clearly you've both identified and failed to identify the problem. Minimally-competent people *don't* recognize "1234", or other static passwords, as a flag that they need to change the password. You either need to *make* them do it or supply a unique password from the get-go.

    77. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      MAC address isn't a great choice, as it can be readily determined remotely.

      If all I have to do to compromise your "secure default" is an ARP lookup to know the password, that's no good. Some devices make it even easier, and show the MAC or ESN or... on a default (unsecured) status page.

    78. Re:astounding that defaults are not tougher by aaarrrgggh · · Score: 1

      I'd say I am pretty tech savvy. One particular Motorola router stumped me into calling tech support though. Intuitive, obvious, and clear are not universal. I understand how to configure a Cisco ASA (reasonably well)... But this stumped me. (You had to go to the router's home page to accept its terms and conditions or some such nonsense.)

      I was ready to go out and buy another unit...

    79. Re:astounding that defaults are not tougher by surd1618 · · Score: 1

      This might be a horrible idea just for adding yet another standard, but devices could ship with a thing like WPS, but designed to be so godawfully annoying to use that users tend to follow the suggestion prompts and replace it with a good wpa2 password.

    80. Re:astounding that defaults are not tougher by Khyber · · Score: 1

      Already done on my Belkin.

      Problem is that if you just hit SUBMIT the router inputs the default password for you, no typing required, and you're in.

      What shit fucking security. I'll never touch another Belkin product.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    81. Re:astounding that defaults are not tougher by wvmarle · · Score: 1

      My WiFi router, now about 10 years old, does have a default password and a reset button to reset the device to that password.

      However the only way to access that router's internals is to be on the LAN side (either WiFi or cable), then point a browser to 192.168.123.254, and enter the password. To get the router to connect via WiFi, you must first connect by cable, to even enable WiFi.

      Can't do much better than that. It's secure out of the box: physical local connection needed to do anything to the device, after that it's up to the user to set up their WiFi network properly.

    82. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      You cannot successfully force people to care about security. The sooner programmers figure this out, the better our lives will be. It's not any different than Word insisting that the next letter after a period be capitalized. I don't want you trying to guess what I want. I know what I'm doing.

    83. Re: astounding that defaults are not tougher by maxwell+demon · · Score: 2, Insightful

      No, the point is that the whole thread was about "mathematically speaking". You are making a choice of character sets which is in no way mathematically founded. For mathematics, there's no significant difference between, e.g., the sets {'0','1','2','3','4','5','6','7','8','9'} and {'1','8','t','q','&','%',':','X'}

      The minimum set which contains all characters of the password "1234" is {'1', '2', '3', '4'}, and the minimal set which contains all the characters of the password "t4q&" is {'4', 't', 'q', '&'}. Both have the same number of characters, namely 4, in their respective set; therefore each of the passwords has the probability 1/4^4 = 1/256.

      The minimum set which contains the letters of both passwords is {'1', '2', '3', '4', 't', 'q', '&'}. In that set, both passwords have the same probability 1/7^4=1/2401.

      Of course when evaluating the security of passwords in the real world, we don't just use mathematics, but also the non-mathematical knowledge that we, as humans, denote special significance to certain sets of characters, like the digits, the lowercase characters, and the uppercase characters, and that the hackers know that and therefore tailor their search for those sets. Therefore we define the special sets
      Digits, LowercaseLetters, UppercaseLetters and SpecialCharacters (i.e. all others). Then we take as base set to approximate(!) the security of a password the union of all the sets that intersects with the set of characters in the password.

      For "1234" all characters lie in Digits, therefore we get a security of 1/10^4. For "4t&q", the letters are in the sets Digits, LowercaseLetters and SpecialCharacters, therefore (assuming ASCII printable characters as base) we get a security of 1/69^4. (Note that your calculation is still wrong in that case because you assumed a strict rule of which positions contain letters, digits and special characters, which is unrealistic in practice, and also you didn't split between lowercase and uppercase characters.)

      Note that even this is just an approximation of the real security, as it assigns "1234" the same security as "3945", and "password" the same security as "hyjtmxsk". In reality, of course "1234" is less secure than "3945", and "password" is vastly less secure than "hyjtmxsk". But the point is, that you need non-mathematical knowledge for those considerations. Mathematically speaking, there's really no difference between "1234" and "4t&q".

      --
      The Tao of math: The numbers you can count are not the real numbers.
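      The keyspace argument above (tqk's 10^4 versus 10*52*22*52 figures and maxwell demon's "minimal set" versus "character class" models), together with the earlier posts about FIOS defaults derived from a broadcast MAC, comes out clearer as a short calculation. The following is an added example written for this page, not code from any poster or vendor; the character classes follow the thread's definition (digits, lowercase, uppercase, and every other printable ASCII character, space included, so 10 + 26 + 26 + 33 = 95), the wordlist is a constructed stand-in for a real cracking list, and the bit counts for the "derived default" schemes are assumptions stated in the comments.

```python
import math
import string

# Character classes as the thread uses them. 10 + 26 + 26 + 33 = 95 printable ASCII.
CLASSES = {
    "digits": set(string.digits),
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "special": set(string.punctuation) | {" "},
}

# Constructed stand-in for a cracking wordlist; a real one is far longer.
WORDLIST = {"1234", "12345", "admin", "password", "root", "pass"}


def minimal_alphabet(password: str) -> int:
    """Pure counting model: the smallest set containing the password's characters."""
    return len(set(password))


def class_alphabet(password: str) -> int:
    """Attacker's-eye model: union of every character class the password touches."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str, model: str = "class") -> int:
    """Number of strings of the same length over the chosen alphabet."""
    size = class_alphabet(password) if model == "class" else minimal_alphabet(password)
    return size ** len(password)


def shared_minimal_keyspace(first: str, second: str) -> int:
    """Keyspace when the alphabet is the union of both passwords' minimal sets."""
    if len(first) != len(second):
        raise ValueError("compare equal-length passwords")
    return len(set(first) | set(second)) ** len(first)


def effective_bits(password: str) -> float:
    """Strength in bits: zero if a wordlist hits it, else log2 of the class keyspace.

    This is the "non-mathematical knowledge" step: "1234" and "3945" have the same
    class keyspace, but only one of them is on every list an attacker tries first.
    """
    if password.lower() in WORDLIST:
        return 0.0
    return math.log2(keyspace(password))


def default_scheme_bits() -> dict:
    """Guessing work for the factory-default schemes the thread discusses (assumed models)."""
    return {
        # Same string on every unit: known before the first guess.
        "shared default like admin/1234": 0.0,
        # Password derived from the MAC: the OUI is vendor-public, so at best only the
        # 24-bit NIC part is unknown. If the MAC is the Wi-Fi BSSID, it is broadcast
        # and the work is zero, which is the FIOS case described above.
        "derived from MAC, vendor known": math.log2(2 ** 24),
        "derived from MAC, MAC observed": 0.0,
        # Printed per-unit random values.
        "10 random digits on a sticker": math.log2(10 ** 10),
        "8 random printable ASCII": math.log2(95 ** 8),
    }


if __name__ == "__main__":
    for pw in ("1234", "4t&q", "3945"):
        print(pw, keyspace(pw, "minimal"), keyspace(pw), round(effective_bits(pw), 1))
    for name, b in default_scheme_bits().items():
        print(f"{name}: {b:.1f} bits")
```

      Under the minimal-set model both "1234" and "4t&q" give 4^4 = 256, and over the union of both sets 7^4 = 2401, exactly as maxwell demon computes; under the class model they give 10^4 and 69^4, which is where the practical difference lives. The wordlist check is what separates "1234" from "3945", and the scheme table shows why a MAC-derived default is closer to a shared default than to a printed random one.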
    84. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      So you suggest that people buy two boxes ("just in case"), then use the one that just works and put the other one on the shelf?

    85. Re:astounding that defaults are not tougher by F.+Lynx+Pardinus · · Score: 1

      You're right, it looks like a few years ago, the Verizon FIOS routers had WEP security enabled and a default WEP key that was the broadband MAC address. Nowadays (I got FIOS last June), it looks like the routers have WPA2 security enabled and a long random WPA2 key on the sticker. Well done, Verizon.

    86. Re:astounding that defaults are not tougher by leuk_he · · Score: 1

      MAC address? If they manage to sniff the local (WLAN) then that is no good security as well.

    87. Re:astounding that defaults are not tougher by Phrogman · · Score: 1

      How about making the defaults be set to:
      username: ChangeYourUsername
      password: ChangeYourPassword

      How clueless do you have to be to ignore that?

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
    88. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Which is why when the network security guys asked me (lowly routing and wireless guy) for help with bizarre traffic hitting our firewall from the inside, I was able to quickly figure out why.

      The devices still had default credentials, so I just looked through the configuration. Nice for easy troubleshoot, but it's a huge vulnerability for a set of devices that are critical to business operation.

    89. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      Trust me, "most people" don't even understand why to have a password on their WiFi.

      "Most people" want a fast connection. A good password will keep the freeloaders from slowing their network down. Perhaps "most people" actually need to have that explained to them, but I just did in a single sentence. Feel free to print that sentence on the box, where "most people" will see it.

    90. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      How clueless do you have to be to think that would help?

    91. Re:astounding that defaults are not tougher by parkinglot777 · · Score: 1

      Well, that is still better than just using "password" as password.

      "Better" does not mean it is "good enough" in the sense of security. If security is breached, do you still say "better" is "good"? This issue keeps occurring due to negligence and/or laziness of users who supposedly need to change the default password. Also, if someone intends to take control of/hijack your device, the person will find a way to get to your device and may or may not need to be physically present by your house. Normally, the first thing to try is to probe with the default configuration...

      In terms of the Verizon router, it is now publicly known that the MAC address is the default password. Is it really different from '1234' in terms of security?

    92. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      They could have a unique default but a special uber-reset that sets it to '1234'.

      The special uber-reset sets it to '42.'

    93. Re:astounding that defaults are not tougher by sinij · · Score: 1

      Then your particular laptop is not a secure product. Imagine scenario where it was stolen.

    94. Re:astounding that defaults are not tougher by alexo · · Score: 1

      I will pay u (sic) a dime for every system that currently has 4t&q for password, if u (sic) pay me a penny for those with 1234 password.
      --
      I prefer the "u" in honour as it seems to be missing these days.

      You seem to prefer the "u" in other places as well.

    95. Re:astounding that defaults are not tougher by V+for+Vendetta · · Score: 1

      How clueless do you have to be to ignore that?

      Perhaps as clueless as assuming that every person on this planet speaks English and gets the hint ...

    96. Re:astounding that defaults are not tougher by WindBourne · · Score: 1

      I will pay u (sic) a dime for every system that currently has 4t&q for password, if u (sic) pay me a penny for those with 1234 password. -- I prefer the "u" in honour as it seems to be missing these days.

      You seem to prefer the "u" in other places as well.

      LOL. I was on a smart phone for that one, and wanted to type in as little as possible, but good point.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    97. Re:astounding that defaults are not tougher by laitcg · · Score: 1

      Then your particular laptop is not a secure product. Imagine scenario where it was stolen.

      Good point. It's a Dell. But if I did not have HD encryption anyway, what good would changing the bios do? Allow them to boot whatever external OS of their choosing? So be it. I would have lost the box, but not the data on my HD (unless they really, really, really, want it). :)

      --
      When you want a computer system that works, just choose Linux. When you want a computer system that works, just, choose
    98. Re:astounding that defaults are not tougher by strikethree · · Score: 1

      I bought a device once (about a decade ago) that had the username as admin and the default password was some generic word combined with the serial number of the device.

      There is no excuse for across-the-board default passwords.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    99. Re:astounding that defaults are not tougher by Attila+Dimedici · · Score: 1

      As long as you can change both of those, what difference does it make?

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    100. Re:astounding that defaults are not tougher by pjfontillas · · Score: 1

      When I got Verizon Fios the router came with a unique password, but only for Wi-Fi. The actual device login was a default (actually technically just one of the "default" logins techs commonly used; I had to Google this).

      I think this can be helped by not allowing remote access until the default password has been changed. If you're going to require remote access you should know enough that you should try to secure your device.

      Obviously, this doesn't help the problem with weak password or technicians commonly changing the device default and then re-using that device in another household. But it's a start.

      --
      Life. Is. Good.
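      The "it shouldn't work until the default is changed" idea from the Anonymous Coward post above and pjfontillas's narrower version (no remote access until the default password has been changed) can be modelled as a small gate in the device's credential state. What follows is an added example written for this page, not code from any poster or router vendor; the serial number, MAC address, factory-default list and the exact derived-string rules are constructed for illustration, and the PBKDF2 parameters are an assumption. It also folds in the earlier objection that a MAC or serial can be read off the device or the network, so a "unique" default derived from them is rejected too.

```python
import hashlib
import hmac
import os

# Constructed device identity; real serials and MACs are not on the page.
SERIAL = "SN12345678"
MAC = "00:11:22:33:44:55"

# Shared factory defaults named in the thread, plus obvious variants.
FACTORY_DEFAULTS = {"1234", "12345", "admin", "password", "root", "pass"}

# Assumed work factor; tune for the device's CPU.
PBKDF2_ROUNDS = 100_000


def derived_candidates(serial: str, mac: str) -> set:
    """Strings an attacker can read off the sticker or the network and will try first."""
    flat = mac.replace(":", "").replace("-", "")
    cands = {serial, mac, flat, flat[-6:], flat[-8:]}
    return {c.lower() for c in cands} | {c.upper() for c in cands}


def hash_password(password: str, salt: bytes) -> bytes:
    """Store only a salted hash; the default is hashed like any other value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceState:
    """Minimal model of the credential state a router keeps in NVRAM."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.password_hash = hash_password("1234", self.salt)  # as shipped
        self.password_changed = False


def set_admin_password(state: DeviceState, new_password: str) -> bool:
    """Accept a new admin password unless a default-credential scan would guess it."""
    if len(new_password) < 8:
        return False
    if new_password.lower() in FACTORY_DEFAULTS:
        return False
    if new_password in derived_candidates(SERIAL, MAC):
        return False
    state.salt = os.urandom(16)
    state.password_hash = hash_password(new_password, state.salt)
    state.password_changed = True
    return True


def check_login(state: DeviceState, password: str) -> bool:
    """Constant-time comparison of the salted hash."""
    return hmac.compare_digest(state.password_hash, hash_password(password, state.salt))


def remote_admin_allowed(state: DeviceState) -> bool:
    """WAN-side management stays off until the factory credential is gone."""
    return state.password_changed


def lan_admin_allowed(state: DeviceState, password: str) -> bool:
    """LAN side: the default still logs in, but only to reach the change-password page."""
    return check_login(state, password)


if __name__ == "__main__":
    dev = DeviceState()
    print("remote admin before change:", remote_admin_allowed(dev))
    for attempt in ("1234", "SN12345678", "334455", "correct horse battery"):
        print(attempt, "->", set_admin_password(dev, attempt))
    print("remote admin after change:", remote_admin_allowed(dev))
```

      The gate is a flag, not a second password check: once `password_changed` is set the WAN listener may be enabled, and until then the only thing the default credential buys is the LAN-side setup page. Rejecting the serial and MAC forms at set time closes the loophole where a user "changes" the password to the string printed on the sticker.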
    101. Re:astounding that defaults are not tougher by Anonymous Coward · · Score: 0

      ATT Uverse does this. The default password is a string of numbers, printed on a sticker on the side of the box.

      And they're 10 digits long. I've had to put a stick note on my computers with the PW just so I know it in case I have "issues". Issues? hmm...what could those be...

  4. Dangerous? Hah by GameboyRMH · · Score: 3, Interesting

    There are some more dangerous than this that don't put silly search limitations on their users and are geared specifically for black hat use.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Dangerous? Hah by Anonymous Coward · · Score: 1, Funny

      Any specific ones? I'm not trying to sabotage a water park or anything, just curious...

  5. Internet of things by Hentes · · Score: 3, Insightful

    But that's the next big thing, haven't you heard? Giving net access to unsecured hardware is the way forward!

  6. Shodan by Anonymous Coward · · Score: 0, Insightful

      "Look at you, Hacker. A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect, immortal machine?"

  7. Great resource by MaxDollarCash · · Score: 0

      It's a great resource to find exploitable machines specific to your exploit version. The paid model does make it a bit less accessible for the general public. They also offer a nice API that allows you to query for IPs directly from within your exploit, allowing you to build scanners for automatic exploitation. It's a powerful tool, but with great power comes great responsibility.

  8. Great research, but two nitpicks by jeffmeden · · Score: 1

    How many of these are clever honeypots deployed by whitehats? Probably not a significant proportion, but certainly some are.

      And two: if there really are so many unprotected, highly critical, easily discovered devices why is e-havoc not commonplace? Could the threat from internet connectivity be overstated? Surely if a service doesn't need to be on the internet at large, it shouldn't be. These kinds of reports presume that every system is vulnerable (and that's an appropriate assumption if you are in the security business) but is it the reality? Past performance would suggest otherwise. How often do traffic lights go haywire?

    1. Re:Great research, but two nitpicks by F.+Lynx+Pardinus · · Score: 2

      And two: if there really are so many unprotected, highly critical, easily discovered devices why is e-havoc not common place?

      Well, there's lots of unprotected, highly critical, easily discovered people and places in the US, but real-world havoc is also relatively uncommon. Probably for the same reasons--most people aren't evil, and there are harsh consequences for those who are.

    2. Re:Great research, but two nitpicks by cusco · · Score: 1

      How many of these are clever honeypots deployed by whitehats?

      Almost none. This stuff is installed by guys with coveralls and ladders, with as little interaction with the customer's IT department as they can get away with. Really. I've worked in the physical security industry for seven years, and every one of our competitors will avoid dealing with the IT staff if at all possible. Having server and network admins on staff is one of our selling points.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    3. Re:Great research, but two nitpicks by thejynxed · · Score: 1

      Wait until someone with enough financial or fanatical interest decides that this is the way to get attention to their cause or extort payments from governments/corporate interests.

      Sounds like a bad movie script, but it can, and probably will, happen sooner or later.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  9. Old news by Anonymous Coward · · Score: 0

      This is outdated news... wasn't it two DEFCONs ago they had Shodan on display?

    Though, yea.. it is interesting watching the security cameras that are set up in my local police department. Big Brother is watching you.. who is watching Big Brother? Me.

  10. Slashdot brings you yesterday's news today by damn_registrars · · Score: 1, Insightful

    I was reading this same CNN article yesterday. I considered submitting it here but figured people had already read it... guess not. Glad I can still come here to find yesterday's news, though.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Slashdot brings you yesterday's news today by Anonymous Coward · · Score: 0

      I was reading this same CNN article yesterday. I considered submitting it here but figured people had already read it... guess not. Glad I can still come here to find yesterday's news, though.

      You must be new here.

    2. Re:Slashdot brings you yesterday's news today by Daniel+Dvorkin · · Score: 2

      Believe it or not, we live in a world in which interesting stories often take more than twenty-four hours to play out, and are still worth discussing some time after the CNN blurb appears.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    3. Re:Slashdot brings you yesterday's news today by flimflammer · · Score: 1

      You sound like an ass.

    4. Re:Slashdot brings you yesterday's news today by damn_registrars · · Score: 0

      Believe it or not, we live in a world in which interesting stories often take more than twenty-four hours to play out, and are still worth discussing some time after the CNN blurb appears.

      Believe it or not, but slashdot used to be a site that got tech news before it broke in the mainstream outlets. A story being featured on slashdot used to be an accomplishment for a story, showing it was important to geek culture. Now, slashdot just fishes old headlines from drudgereport, breitbart, fox news, and occasionally CNN.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    5. Re:Slashdot brings you yesterday's news today by Anonymous Coward · · Score: 0

      BURN!!!

    6. Re:Slashdot brings you yesterday's news today by fustakrakich · · Score: 3, Interesting

      ...slashdot used to be a site that got tech news before it broke in the mainstream outlets.

      You mean, like this?

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Slashdot brings you yesterday's news today by Daniel+Dvorkin · · Score: 1

      Believe it or not, but slashdot used to be a site that got tech news before it broke in the mainstream outlets. A story being featured on slashdot used to be an accomplishment for a story, showing it was important to geek culture. Now, slashdot just fishes old headlines from drudgereport, breitbart, fox news, and occasionally CNN.

      I've been on Slashdot since the last century, and I remember quite clearly that there have always been stories here which I'd first seen elsewhere. The value of the site has always been more in the discussion than in the headlines.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    8. Re: Slashdot brings you yesterday's news today by Anonymous Coward · · Score: 0

      Area man misses chance to get front page on obscure website. Currently seen moping.

      We'll have more on this story as it develops.

    9. Re:Slashdot brings you yesterday's news today by PuZZleDucK · · Score: 1

      hey... I steal all my submissions from http://abc.net.au/, there are websites outside of the US 'ya know! :p

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
  11. L-look at you, Hacker... by Andrio · · Score: 1

    ...panting and sweating as you browse through my indexes.

    --
    The Internet King? I wonder if he could provide faster nudity.
    1. Re:L-look at you, Hacker... by Anonymous Coward · · Score: 0

      Third redundancy!! Isn't anyone reading before moderating? REDUNDANT, motherfuckers, learn it! This exact comment was posted THREE TIMES yet you mod it up.

  12. Server Down by Anonymous Coward · · Score: 0

    I think the \. community just took down the server :)

    1. Re:Server Down by wierd_w · · Score: 1

      But SHODAN uses fractal data storage technology! She will just regenerate the damaged nodes, then fire the mining laser at earth, just like she promised to!

      Fools left its control systems using the default passwords!

      (Giggle)

  13. Particle accelerator - may not be so bad by joe_frisch · · Score: 1

    The mention of a "cyclotron particle accelerator" control system sounds scary, but may not be. At least here at SLAC there are several levels of control systems, and the ones involved in life safety required physical access to locked areas. Even if someone somehow broke both electronic and physical security machines like this are not very dangerous, similar risk to a typical factory.

    I expect that nuclear reactors are far more secure. The "command and control" system may not actually control the reactor, but just provide monitoring.

    1. Re:Particle accelerator - may not be so bad by Tablizer · · Score: 1

      "Click here to create mini black-holes that will eventually swallow Earth."

      Andromeda is already printing Earth's Darwin Award.

    2. Re:Particle accelerator - may not be so bad by Anonymous Coward · · Score: 0

      Sorry about that, this is my get-punched-in-the-face-over-internet experiment. Feel free to use it, but I suggest staying away from "not the face" setting, it is kind of glitchy. Cyclotron particle accelerator was my last project and I didn't get around to renaming.

  14. Demon Seed by tedgyz · · Score: 1

    Now if only we can gain access to Proteus IV and stop the "Demon Seed" from spawning.

    --
    "No matter where you go, there you are." -- Buckaroo Banzai
  15. Or wind turbines by RobinH · · Score: 1

    This is older news now. We've known for a while that wind turbines could be found on Shodan.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  16. Shodan ... by dougmc · · Score: 0, Redundant

    "Look at you, hacker. A pathetic creature of meat and bone. Panting and sweating as you run through my corridors. How can you challenge a perfect immortal machine?"

    So ... many ... great ... quotes!

    Shodan was one of the best computer game villains ever!

  17. but Rodan is even more dangerous by Spy+Handler · · Score: 2

    than Shodan

  18. Make yourself comfortable, Hacker. by Chris+Mattern · · Score: 1

    Stay a while.

  19. Signup needed by MindPrison · · Score: 2

    You need to sign up and register if you actually want to use it.

    Which technically will hold you liable for anything you search for, smart - and yet useless.
    Services don't work, constantly fail, down for maintenance etc...

    shoddy'an...

    --
    What this world is coming to - is for you and me to decide.
  20. You Know What They Say About Obscurity... by Anonymous Coward · · Score: 0

    Security through obscurity is not security at all.

  21. This is why my toilet is disconnected from the net by GrueMaster · · Score: 4, Funny

    Don't need any nefarious remote flushing going on.

  22. Even scarier by Beorytis · · Score: 4, Interesting

    Even scarier is that if you follow one of the Shodan search results and login with admin:1234, you might end up in federal prison.

    1. Re:Even scarier by Anonymous Coward · · Score: 0

      Even scarier is that if you follow one of the Shodan search results and login with admin:1234, you might end up in federal prison.

      and make Shodan's owner an accomplice to the crime

      I would sue

    2. Re:Even scarier by Hillgiant · · Score: 5, Funny

      Which begs the question: Why are our prisons accessible from the internet in the first place?

      --
      -
    3. Re:Even scarier by gbjbaanb · · Score: 1

      not if you're accessing it from, say, North Korea.

    4. Re:Even scarier by iggymanz · · Score: 1

      the internet is how governments can watch everyone, for the time when they need to target someone

    5. Re:Even scarier by Anonymous Coward · · Score: 0

      Shhh!!!

      Now that I have the door IP from this site, and the default password of 1234 from a post up above, I'm trying to break my mom out!

      Plz don't say anything to them till I'm done ktnx

    6. Re:Even scarier by PuZZleDucK · · Score: 1

      Fingers crossed you get sent to a prison with a default login for the doors.... then your buddy can just Shodan you out!

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
    7. Re:Even scarier by Anonymous Coward · · Score: 1

      You mean "raises the question".

  23. The new FiOS routers ship with a random pass by eksith · · Score: 1

    Also a random SSID and has remote login disabled. Of course, they had other issues with UPnP and stuff, but at least this makes remote attacks a little bit harder since they're more difficult to discover (still security through obscurity; if they have a dumb device that responds outside NAT, it's still game over). Nothing will stop people from making devices that should be private available publicly for the sake of convenience though.

    --
    If computers were people, I'd be a misanthrope.
  24. Don't blame the internet by sl4shd0rk · · Score: 1

    because you are lazy, inept or hungover. Default passwords or "admin:admin" is braindead. You're a terrible admin if you do this, and you should feel terrible if you get cracked.

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  25. Of course this happens. by wilson_c · · Score: 4, Interesting

    This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?

    Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.

    A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract as possible, even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.

    Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.

    1. Re:Of course this happens. by Anonymous Coward · · Score: 0

      Or, maybe they moonlight as thieves.

    2. Re:Of course this happens. by Zymophideth · · Score: 1

      A friend of mine is in the physical security field and I noticed when they started to IP stuff for the DVRs, and he would ask me about port forwarding and all sorts of networking stuff. I told him they really should start paying him more since he has to learn networking now and really they should be sending him to classes. Of course they never did and just expect the low-voltage wiring guys to figure out IP routing on their own.

    3. Re:Of course this happens. by noc007 · · Score: 1

      Perhaps next time try and pass off 172.16.0.0/12 addresses as public IPs. Most people are familiar with 192.168.0.0/16 and 10.0.0.0/8 is common enough. 172.16.0.0/12 is rarely known by the mass populace in my experience.
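
An inventory check for the two problems raised in this subthread (control units left on public addresses, and factory logins never changed), written as an added example rather than anything posted by wilson_c or noc007. The inventory below is constructed; `Device`, `is_rfc1918` and `audit` are names chosen here, and the address test covers exactly the three RFC 1918 ranges, including the 172.16.0.0/12 block that stops at 172.31.255.255.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The three RFC 1918 private ranges. 172.16.0.0/12 is the one most often
# mistaken for public space; it covers 172.16.0.0 through 172.31.255.255 only.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Device:
    name: str
    address: str                # as recorded in the inventory; may be malformed
    default_credentials: bool   # True if the factory username/password is still in use


def is_rfc1918(address: str) -> bool:
    """True if the address parses as IPv4 and falls inside an RFC 1918 range.
    Raises ValueError for strings that are not IP addresses at all."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        return False  # IPv6 is out of scope for this check
    return any(addr in net for net in RFC1918_RANGES)


def audit(devices: List[Device]) -> List[Tuple[str, str, str]]:
    """Return (device, finding, detail) tuples; an empty list means clean."""
    findings = []
    for dev in devices:
        try:
            private = is_rfc1918(dev.address)
        except ValueError:
            # A typo in the inventory hides a device from every other check,
            # so report it instead of silently skipping the entry.
            findings.append((dev.name, "unparseable-address", dev.address))
            continue
        if not private:
            findings.append((dev.name, "public-address", dev.address))
        if dev.default_credentials:
            findings.append((dev.name, "default-credentials", "factory login still enabled"))
    return findings


# Constructed sample inventory (hypothetical names and addresses, not real devices).
SAMPLE_INVENTORY = [
    Device("door-ctl-bldg-A", "172.20.4.10", False),   # inside 172.16.0.0/12, password changed
    Device("door-ctl-bldg-B", "172.32.0.5", True),     # one block past 172.31.255.255: public
    Device("door-ctl-bldg-C", "203.0.113.7", True),    # documentation range standing in for a public IP
    Device("door-ctl-bldg-D", "10.1.2.3", False),
    Device("dvr-lobby", "not-an-ip", False),
]

if __name__ == "__main__":
    for name, finding, detail in audit(SAMPLE_INVENTORY):
        print(f"{name}: {finding} ({detail})")
```

Run against the sample, the audit flags building B and C twice each (public address plus factory login) and the lobby DVR once for its malformed entry; building A passes because 172.20.x.x sits inside the /12 even though it does not look like 10.x or 192.168.x.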

    4. Re:Of course this happens. by Anonymous Coward · · Score: 0

      Perhaps next time try and pass off 172.16.0.0/12 addresses as public IPs. Most people are familiar with 192.168.0.0/16 and 10.0.0.0/8 is common enough. 172.16.0.0/12 is rarely known by the mass populace in my experience.

      Class B for the man who will settle for nothing less than second best.

    5. Re:Of course this happens. by Anonymous Coward · · Score: 0

      This is not at all surprising. We contracted a major premises security company to build out the entry-access systems in our company's new buildings a few years ago. Just to be clear, these control the locks to every door into all of the buildings as well as higher security areas within the buildings. The installers insisted that the control boxes for every building needed to have fixed public IP addresses and could not be behind a firewall in order to work. With little understanding of what they were actually asking, they would only enable service if we provided exactly that to them. Do I even need to mention that they left all of these control units running with default username and password?

      Needless to say, once functioning service had been established, I immediately moved everything behind a firewall with no forwarding whatsoever to the NAT private address range. Of course, everything works just fine. I later double-checked the installation guide, which allowed for even wider flexibility in installation, with no real network restrictions of the sort that the installers demanded. I'm sure, however, that if they had ever consulted that document, they would not have understood anything about the network installation instructions.

      A big part of the problem with things like this is that the systems are installed by people with next to no real network knowledge. They see their job as alarm, plumbing, cabling, construction, or whatever. So when they get to the networked component, they install it in the simplest, most straightforward manner that has been prescribed by someone only slightly more knowledgeable than they are. They are instructions designed to work in every situation for the dimmest of installers, making it possible to complete the contract as possible, even when the client has no one with network knowledge available. The installers, not understanding networks, see them as impenetrably cryptic and therefore secure from intrusion. In most situations there is no one whose job it is to assess security of these connected devices at the completion of the contract, much less tell the customer that they've left them with a risk.

      Sadly, the only real advice for these situations is to make companies (the client companies, I mean, not the vendors) understand that they need to be responsible for their own security. If they don't have the necessary expertise on staff, then they absolutely *need* to hire someone - no, not the damn Geek Squad - to check that any network connected device is secure. If they don't then they own the resultant problems. I suppose, in the long run, that insurance companies will require some sort of compliance if potential risk is to be insured.

      Unless, of course, they knew exactly what they were doing.. This would allow them to access your company and rob it or get intel anytime they wanted.

  26. Only used for good. Yeah right! by Platinumrat · · Score: 1
    From the article.

    "The good news is that Shodan is almost exclusively used for good. ... Penetration testers, security professionals, academic researchers and law enforcement agencies are the primary users of Shodan. "

    Like Law Enforcement can be considered to only use this for good. And whose law enforcement...(USoA, China, UK, France, ....)? Will they follow due process and obtain warrants, where necessary? I think not.

  27. slashdotted? by houghi · · Score: 1

    From what I see on the site by clicking on the link in the summary:
    This page (http://www.shodanhq.com/) is currently offline. However, because the site uses CloudFlare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version.

    --
    Don't fight for your country, if your country does not fight for you.
  28. What is wrong with you mods!? by Anonymous Coward · · Score: 2, Insightful

    He states, and I quote:

    no laughing matter.

    And you go ahead and mod him "Funny"

    1. Re:What is wrong with you mods!? by Fesh · · Score: 0

      Whoosh...?

      --
      --Fesh
      Kill -9 'em all, let root@localhost sort 'em out.
    2. Re:What is wrong with you mods!? by Hunter+Shoptaw · · Score: 1

      Well there was certainly a whoosh, but I think it was primarily on your part.

  29. Shodan HQ Slashdotted! by some+old+guy · · Score: 1

    404 City!

    --
    Scruting the inscrutable for over 50 years.
  30. Blaming the messenger, as usual by gmuslera · · Score: 2

    Since the start of the internet it has been pretty common to see hosts that do IP scanning in your logs. Having one in the open that shows the public the kind of information most of them have been gathering since the beginning just puts into the light how vulnerable the guys without a clue are. The good guys with a clue have had a firewall since the start, and the bad guys with a clue have had that database compiled since long ago.

    So, it's the responsibility of the people that have devices on public IP addresses to block/filter/password them, and maybe of the most clueless government that has been pushing a cyberwar since last decade to warn, educate, and assist in fixing their citizens so they are not so trivially vulnerable. And, of course, to thank, not punish, the people behind Shodan for this warning.

  31. Re:This is why my toilet is disconnected from the by new+death+barbie · · Score: 1

    But I like a fresh bowl...

    --
    It's supposed to be completely automatic, but actually you have to press this button.

  32. Re:This is why my toilet is disconnected from the by fustakrakich · · Score: 1

    Not nearly as bad as having the bidet hooked up

    --
    “He’s not deformed, he’s just drunk!”
  33. maybe it's TROUT. ? by Thud457 · · Score: 4, Funny

    This is Kevin Flynn, can somebody please run the TROFF subroutine on the particle accelerator in lab EC4328 on the fourth floor ? That'd be a big help. thx

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  34. who is SHodan? by Anonymous Coward · · Score: 1

    So I can login to shodan's search engine by using my google, twitter etc. IDs? or I can make a free account. So this guy wants everyone's login/pass combos for other sites to use his search engine that barely works as far as I can see.

    Sure thing buddy. sounds good!

  35. It's not the search engine that's dangerous by Bugler412 · · Score: 2

    It's the inept and stupid implementers of these systems that are dangerous, not the search engine

    1. Re:It's not the search engine that's dangerous by VortexCortex · · Score: 1

      It's the inept and stupid implementers of these systems that are dangerous, not the search engine

      Maybe you didn't read between the lines hard enough. Go to that search engine, access ANY of those devices without permission, and thanks to the Computer Fraud and Abuse Act, you've just committed a fucking felony, Fool!

  36. Who's the master??!! by Anonymous Coward · · Score: 0

    Sho'Nuff!

  37. Re:Oh yeah, here it is my homies by xevioso · · Score: 2

    Christ in a chicken basket, shut up already.

  38. Re:Oh yeah, here it is my homies by Anonymous Coward · · Score: 0

    You mean about the religious nut or Slashdot's sycophantic participation in the Microsoft anti-Google smear campaign?

    It's cringeworthy stuff, akin to seeing "Get the facts" presented here as gospel truth.

  39. Really..do you take CNN, CNBC, CBS, ABC seriously? by Anonymous Coward · · Score: 0

    Do I need to say more than that? They are fabricating the next BIG lie (911 style) to close free access to the internet. WHO THE F#$%CK TAKES MASS MEDIA SERIOUSLY?

    CAN'T ANY OF YOU SEE WHERE THIS IS AIMING?

  40. even by Slashdot standards, this is old news. by Anonymous Coward · · Score: 0

    Wait a damn minute.

    It was launched in 2009, and there were articles about it in major newspapers a year ago

    Why is this NEWS?

    Also, the wiki article needs some love: http://en.wikipedia.org/wiki/Shodan_(website)

    1. Re:even by Slashdot standards, this is old news. by Georules · · Score: 1

      I was also unimpressed by the results on the website. Yeah, there are insecure devices out there. I was surprised by how few these searches would turn up.

  41. Did visiting Shodan's site make my Firefox CRASH? by ivi · · Score: 1

    Only a few minutes after visiting Shodan, via its Anniversary promo link (from a Google search),
    Firefox 20.0 crashed

    Coincidence or cause & effect...? You decide?

  42. Hoped an entry would exist for my former HS by bedouin · · Score: 1

    I had hi-res goatse pics ready and everything. No wireless. Less space than a nomad. Lame.

  43. Shodan... by PiMuNu · · Score: 1

    If anyone didn't spot the reference: http://www.giantbomb.com/shodan/3005-423/ Shodan was the baddy AI from System Shock, classic 90s FPS.

  44. Let the fun begin! by sproketboy · · Score: 1

    NTR

  45. A Better Default PW by MoeDumb · · Score: 1

    PW: ChangeMeNow!

    --
    Mod Me Up. You'll make a grown man cry.