Slashdot Mirror


How Vigilante Hackers Could Stop the Internet of Things Botnet (vice.com)

An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy to guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet. 
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.

64 comments

  1. Transfer the Responsibility by Anonymous Coward · · Score: 1

    Re: "Anyone with the desire to do so, is probably afraid of the potential jail time."

    Transfer the responsibility back to where it belongs, the manufacturers and vendors. Make them liable if they do not start patching their own devices. The cost of their devices might go up a little but that's their issue, regardless.

    This problem is like pollution. It's pollution of the Internet and the device manufacturers are the root cause. The purchasers of the products might have some secondary responsibility, but we need to be careful what we ask of the consumer. Many consumers aren't very tech savvy and they will never, in most cases, become so. These IoT devices are mostly sold as plug-and-play devices. They need to stay that way.

    If the problem is pollution of the Internet then we need a rule, or even a law: Polluter Pays. The polluter is responsible for the pollution and thus liability accrues to them. Since they are the manufacturer they need not be concerned about going to jail for patching their devices. We might need to make them concerned about going to jail for not patching their devices though.

    1. Re:Transfer the Responsibility by amicusNYCL · · Score: 4, Insightful

      Make them liable if they do not start patching their own devices.

      That's the long-term solution, which wouldn't do much for the current problem devices that are out there.

      Personally, I like the idea of changing the default password. Some people may never see any change, but if someone realizes that they no longer have access to their device then they do a factory reset (1 or more times, depending on how quickly they catch on) before changing the default password themselves.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Transfer the Responsibility by david_bonn · · Score: 1

      The problem is using something as lame and ancient as telnet and sending a password in the clear.

      Using something as rudimentary as ssh and having each device have a unique password (probably generated with the mac address of the device as an input) would be a big improvement. A remote attacker wouldn't have a good way to guess the mac address of such a device.

      Better would be a mechanism for booting such devices in "management mode" (by holding a switch down while powering up the device, or maybe if the device sees a magic ethernet packet within a minute or so of powering up -- note that said packet shouldn't be an IP packet so nobody can send one remotely and that said packet should contain some password that is again a function of the device's mac address).

      Neither of those mechanisms is perfect and both can be defeated by determined attackers. But it would make attackers work to build a million-host botnet.
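
The per-device password idea from the comment above, as an added example that is not part of the original thread. It assumes the derivation is keyed with a secret held at the factory, so the MAC address alone does not reveal the password; the function names, the label alphabet and the sample MAC addresses are hypothetical and constructed.

```python
"""Added example: per-device login passwords derived from the MAC address."""
import hashlib
import hmac
import secrets

# Label-friendly alphabet: 32 symbols (5 bits each), no 0/O or 1/I look-alikes.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000


def normalize_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' into 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)  # raises ValueError on non-hex input


def derive_password(factory_key: bytes, mac: str, length: int = 12) -> str:
    """HMAC-SHA256(factory_key, MAC) mapped onto the label alphabet.

    Assumption: factory_key never leaves the production line, so an attacker
    who learns a MAC address still cannot compute the password.
    """
    message = b"device-login-v1|" + normalize_mac(mac)
    digest = hmac.new(factory_key, message, hashlib.sha256).digest()
    bits = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):          # 12 symbols * 5 bits = 60 bits of output
        chars.append(LABEL_ALPHABET[bits & 31])
        bits >>= 5
    return "".join(chars)


def make_verifier(password: str) -> dict:
    """What the device stores: a salted slow hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_login(verifier: dict, attempt: str) -> bool:
    """Device-side check with a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), verifier["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, verifier["hash"])


def provision_batch(factory_key: bytes, macs) -> dict:
    """Return {mac: {'label': printed password, 'verifier': stored hash}}."""
    batch = {}
    for mac in macs:
        password = derive_password(factory_key, mac)
        batch[mac] = {"label": password, "verifier": make_verifier(password)}
    return batch


def audit_batch(batch: dict, common_guesses) -> list:
    """List the units that accept a common guess or another unit's label."""
    labels = {mac: entry["label"] for mac, entry in batch.items()}
    weak = []
    for mac, entry in batch.items():
        foreign = [label for other, label in labels.items() if other != mac]
        candidates = list(common_guesses) + foreign
        if any(check_login(entry["verifier"], guess) for guess in candidates):
            weak.append(mac)
    return weak


# Constructed sample data: MAC addresses from a made-up production batch.
SAMPLE_MACS = ["02:00:5e:10:00:01", "02:00:5e:10:00:02", "02:00:5e:10:00:03"]
COMMON_GUESSES = ["123456", "admin"]

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    units = provision_batch(key, SAMPLE_MACS)
    for mac, entry in units.items():
        print(mac, entry["label"])
    print("units accepting a shared or common password:",
          audit_batch(units, COMMON_GUESSES))
```
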

    3. Re:Transfer the Responsibility by locofungus · · Score: 1

      Make them liable if they do not start patching their own devices.

      Don't necessarily even need the cost to go up.

      Your device is found vulnerable to hackers. a) release a fix or b) release the source code in a form that allows others to fix it.

      In a dream world I could imagine a time where the source code is released with the device. How much IP can there really be in a webcam? The vast majority of the work involved in writing a firmware from scratch would be researching how to address the hardware.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    4. Re:Transfer the Responsibility by Anonymous Coward · · Score: 0

      The problem is that like Windows XP in 2001, the minute the thing is connected to the internet it gets re-infected.

      The "right solution" is finding infected devices and DDoS'ing the security hole so they can't get infected, and trying to take over the device first and shut down the remote access.

      But who should be doing this, you ask. Well it would be helpful if IoT devices were behind a firewall in the first place. But UPnP basically made that a not-happening.

      IoT devices should be set up in "defaults mode" and if they detect they are connected to the internet BEFORE being configured, they should remove the default gateway so that the devices can't reach the internet.

    5. Re:Transfer the Responsibility by Anonymous Coward · · Score: 0

      Those devices spend almost all their time without any user connected, nobody would spend their time trying to tcpdump a password from telnet.
      A rate limit on the login attempts like tomato offers is enough.
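
The login rate limit mentioned in the comment above, sketched as an added example; it is not Tomato's implementation and not part of the original thread. The class, its parameters (three free attempts, a 30-second lockout that doubles up to one hour) and the sample addresses and guesses are hypothetical and constructed.

```python
"""Added example: per-source login throttle with an escalating lockout."""
from dataclasses import dataclass


@dataclass
class SourceState:
    failures: int = 0           # consecutive failed logins from this source
    locked_until: float = 0.0   # time before which further attempts are refused


class LoginThrottle:
    def __init__(self, free_attempts=3, base_lockout=30.0, max_lockout=3600.0):
        self.free_attempts = free_attempts
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._sources = {}

    def retry_at(self, source: str) -> float:
        """Earliest time at which this source may try again."""
        return self._sources.get(source, SourceState()).locked_until

    def allowed(self, source: str, now: float) -> bool:
        return now >= self.retry_at(source)

    def record(self, source: str, now: float, success: bool) -> None:
        state = self._sources.setdefault(source, SourceState())
        if success:
            state.failures = 0
            state.locked_until = 0.0
            return
        state.failures += 1
        over = state.failures - self.free_attempts
        if over >= 0:
            # The lockout doubles with every failure past the free attempts.
            lockout = min(self.base_lockout * 2 ** over, self.max_lockout)
            state.locked_until = now + lockout


def time_to_exhaust(throttle, source, guesses, correct, seconds_per_try=1.0):
    """Replay a guess list from one source, waiting out every lockout.

    Returns (elapsed_seconds, logged_in).
    """
    now = 0.0
    for guess in guesses:
        if not throttle.allowed(source, now):
            now = throttle.retry_at(source)   # wait until the lockout expires
        now += seconds_per_try
        ok = guess == correct
        throttle.record(source, now, ok)
        if ok:
            return now, True
    return now, False


# Constructed sample input: ten wrong guesses from one documentation address.
WRONG_GUESSES = [f"guess-{n:02d}" for n in range(10)]

if __name__ == "__main__":
    elapsed, ok = time_to_exhaust(
        LoginThrottle(), "203.0.113.7", WRONG_GUESSES, "device-unique-password"
    )
    print(f"{len(WRONG_GUESSES)} guesses took {elapsed:.0f} s, logged in: {ok}")
```
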

    6. Re:Transfer the Responsibility by houstonbofh · · Score: 1

      The problem is that like Windows XP in 2001, the minute the thing is connected to the internet it gets re-infected.

      Not if the password is changed like they said in the summary...

    7. Re:Transfer the Responsibility by Rakarra · · Score: 1

      That's the long-term solution, which wouldn't do much for the current problem devices that are out there.

      We'll get over the current problem. We always do.
      But we never seem to get around to that 'long-term solution.'
      I think at this point implementing the long-term solution is more important than stopping the bleeding. Otherwise the neverending cycle will continue.

  2. Brick 'em by duke_cheetah2003 · · Score: 4, Insightful

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    1. Re:Brick 'em by thegarbz · · Score: 2

      People would only move to the next device and it would open the hacker to liabilities.

    2. Re:Brick 'em by Opportunist · · Score: 1

      So people get pissed at the white hats, after all the black hats kept them functional...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Brick 'em by amicusNYCL · · Score: 1

      after all the black hats kept them functional...

      The black hats kept what functional, the devices? What about the rest of the internet? They aren't all that worried about keeping things like DNS servers functional. So maybe your camera gets knocked offline until you figure out how to change the default password so that your camera can stop attacking the internet.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Brick 'em by Opportunist · · Score: 2

      Welcome to the wonderful world of egoistic, selfish assholes where nobody gives a fuck if the whole world goes to hell as long as my stuff works. And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Brick 'em by Obfuscant · · Score: 2

      And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      How people really are is that they don't know what the Internet is so they don't know that their "stupid little gimmicky toy" could possibly be a problem because of some distant and unknown infrastructure issue. It's not a deliberate decision to cause harm, and it's not selfish.

      What you think is a "gimmicky toy" may be a security cam they use to keep track of the house while they're gone because they've had issues before. It certainly is NOT something that was sold with a big warning notice that attaching it to the network in their house, behind a cable router that stops everything else from getting in, will cause death and destruction, or problems of any kind to anyone. They certainly did NOT say "fuck you" to any idea of trouble and forge ahead maliciously.

      And I'd hate to think that maybe they are thinking that YOUR use of the Internet is for "gimmicky toys" like "why do you need to run your own mail server when Gmail does it for free"?

      So, maybe notch the venom down a bit and accept that the problem is not the fault of the people who buy the devices and use them as instructed. People don't need to be, and shouldn't have to be, leet haxor neckbeards with in-depth knowledge of the Internet to use a network-connected device. This is why the idea of having white-hat hackers brick the devices is so tragically wrong. As soon as they start doing that to protect their turf they lose any ethical high ground because they are hurting innocent people and not the ones who produced the faulty devices.

      But they'll all call the manufacturer and complain, right? Probably not. They'll take the thing back to the store they bought it from (also not network experts) and get a new one. When it stops working again, they'll get their money back. They won't search out the manufacturer, and are unlikely to find who actually built and programmed it anyway considering it is probably a Chinese company to start with. For example, I have some internet power switches that I caught sending data off to China. Don't know who, and I have no idea who built them. I know the store I bought them from. That's where the trail to the culprits ends.

    6. Re: Brick 'em by Anonymous Coward · · Score: 0

      He meant corporations behind this mess. You know, the personal entities with severe limitations of responsibility..

    7. Re:Brick 'em by dargaud · · Score: 1

      I'd say turn them off. If by 'brick' you mean make them unusable unless you reflash the firmware, why not simply turn them off? Yes, the owner will notice and turn it back on, but after a few times like that he'll probably send it back to the manufacturer. And you can't be accused of damaging the device for simply turning it off.

      --
      Non-Linux Penguins ?
    8. Re:Brick 'em by Anonymous Coward · · Score: 0

      Which, oddly enough, is the reason many hackers 'claim' they hit & destroy websites in the first place.
      - "We brought websiteX.com down to show them that they aren't invincible."
      - "I found a vulnerability on CompanyX's website & emailed some low-schmuck at the 'Contact Us' page and it was not fixed after one day. Therefore it is appropriate that I destroy them in order to save them. I am a good guy see? A citizen hero with script superpowers and I'm ethical!"

      Now your (also appreciated by others) idea:
      - "Let's brick consumer's devices, that'll teach the company!" Sound familiar? (see above)

      No, it won't. It will make regular people mad. Get involved with legislation, community cyber-safety groups, host a webpage/facebook discussion group, or start industrial best practices standardization- whatever your professional capability is... get companies (who have yet to be hit) the education on how to fix things, and citizens the education to move beyond defaults.

      Just lighting more of the world on fire does not help. It just adds to peoples' anger & bitterness, they do not care between white hat or black. Do not use people as pawns in a commercial/digital 'safety war'. They do it to us enough as it is. Be one of us, and teach us.
      That is the most humane & human thing to do. (and actually harder than hacking, but we know you can do it with us!).
      thank you

    9. Re:Brick 'em by duke_cheetah2003 · · Score: 1

      Now your (also appreciated by others) idea:
      - "Let's brick consumer's devices, that'll teach the company!" Sound familiar? (see above)

      No, it won't. It will make regular people mad.

      Yes, it most certainly will. And we all know shit gets done when a large enough group of people are getting mad. I don't wanna teach the 'company,' I want to teach everyone. Security is serious and needs to be taken seriously, and you should have at least somewhat of a clue what the fuck you're doing before you go plugging your garbage into the Internet.

  3. A more amusing approach by somenickname · · Score: 2

    Why not take a more amusing spin on this idea: Tell all the nodes in the botnet to attack 192.168.0.0/16. Basically, have them attack their own local network.

    Then change the telnet password.

    1. Re:A more amusing approach by thegarbz · · Score: 1

      Anytime you start a sentence with "A more amusing" straight away put the word liability after it and then realise it is not an idea that would get you any kudos.

    2. Re:A more amusing approach by Anonymous Coward · · Score: 0

      A more amusing idea might be to pull the stick out of your ass.

    3. Re:A more amusing approach by Anonymous Coward · · Score: 0

      If it's actually a stick then I would be liable for a torn anus if I simply pull. It's amazing how relevant my comment was even in the face of trolling.

  4. I'm thinking..... by bobbied · · Score: 1

    Convert them to BitCoin mining operations and PROFIT! Yea.....

    Oh, wait....

    Sarcasm aside... As the fine article points out, hacking someone else's device, regardless of the reason, is not a legal activity. And as my mother always said "two wrongs don't make a right" applies here. Where this is an interesting thought experiment, unless you can get the legal authorities to approve this kind of activity, let's not develop this idea too far. Perhaps you'd get by with a way to remove the affliction and reboot the device, they are likely to never find you, it would be all too easy to get your hat color misinterpreted should ISPs start monitoring this kind of thing.

    Perhaps it's time to put some legal safeguards in place for users to force device manufacturers into having liability when they ship stuff with gaping holes like this. But I'm not going to hold my breath waiting for Congress to draft and pass anything reasonable in this regard and I loathe that they would likely make a bloody mess of things if they even tried. Maybe some kind of regulation on ISPs to monitor and deal with such garbage coming from their networks? Again, I wouldn't trust Congress to write that law either.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:I'm thinking..... by moeinvt · · Score: 1

      "hacking someone else's device, regardless of the reason, is not a legal activity"

      I was waiting for this comment. "Access" is the crime regardless of what you do to the system.
      The hacker Max Butler wrote a worm to patch a vulnerability in BIND, but the FBI prosecuted him for "unauthorized access" to government computer systems. "Hey! I made your system MORE secure!" didn't fly as a defense.

    2. Re: I'm thinking..... by Anonymous Coward · · Score: 0

      Max Butler installed backdoors on BIND servers when he was fixing security issues, this is clearly not the same ! You can't deny Max's malicious intentions (and he didn't himself)

  5. Temporarily Brick 'em by Okian+Warrior · · Score: 3, Informative

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    If I understand the process correctly, most hacked IoT devices aren't firmware hacked, the exploits live in volatile memory while the device is powered. The exploit can't get into the firmware because that's much more difficult, and in many cases the firmware is read-only.

    Power cycling the device will clear the hack, but it can be taken over again using the same exploit.

    Bricking the device, or perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.

    (*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.

    1. Re:Temporarily Brick 'em by Anonymous Coward · · Score: 1

      ... perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.

      (*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.

      At last! a constructive use for Goatse.

    2. Re:Temporarily Brick 'em by ceoyoyo · · Score: 1

      It seems like changing the admin password to something random would work perfectly well. If the clueless user needed to change something they'd have to reset to factory defaults and in learning how to do that perhaps they'd learn about changing the password. Likely the vast majority would never even notice.

    3. Re:Temporarily Brick 'em by Anonymous Coward · · Score: 0

      Also change the SSID and PSK.

    4. Re:Temporarily Brick 'em by anegg · · Score: 1

      How about the "Internet Police" take the device into "protective custody" because it's creating a "public nuisance" and "being a threat to public safety". Then charge the original manufacturer a fine each time one of their devices has to be taken into "protective custody" due to a manufacturer's flaw in the device.

      By extension, if the problem device is a problem because of Joe/Jill Homeowner, do the same but charge them the fine, not the manufacturer. A bit murkier to handle since there will be so many Joe/Jill Homeowners and they will be so hard to track down, but perhaps someone can find a good way to handle this.

      Exercise for the reader: Define/organize the "Internet Police" - perhaps it's a division of the FTC (Federal Trade Commission) in the United States, define their scope: devices on IP addresses allocated to entities operating within the United States of America for the US Internet Police, for example. Constrain their duties: the Internet Police are charged with addressing threats to the health and well-being of the Internet caused by poorly configured devices (for example).

  6. Brick em by Anonymous Coward · · Score: 0

    How about write a few bytes of junk to every block file found under /dev then reboot, if you've left it internet exposed with admin/admin as the creds you deserve nothing less than a bricked device.

  7. This brings back memories by thegarbz · · Score: 1

    Where have I heard of hackers with Chaotic Good before?

    Blaster's worst enemy

  8. Wrong approach by Opportunist · · Score: 2

    Two wrongs don't make a right.

    What we need is to grasp the careless morons that made those devices by the balls and squeeze 'til patches materialize.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Wrong approach by Anonymous Coward · · Score: 1

      Even ignoring the second wrong in such an act, it is still one more step of escalation that in the end is guaranteed to be pointless.

      Once the first wave of white hat intrusions is performed, now begins an arms race such that which ever side exploits a device first and closes the door behind them wins the device.

      There are way more black hats than there are white hats, and the black hats are exponentially better funded, and the majority of the black hats have much more time on their hands.

      Given those odds, the black hats WILL win that war.

      In the end we will be right back where we are now, where the black hats have control over more devices than the white hats have secured, only the black hats will have secured the devices behind them while still having a rootkit installed to do the same actions as right now.

      The only difference will be that the devices won't be fixable after the fact by the white hats, since the door will be closed. The root kitted devices will still be just as capable for DDoS attacks and spam and bouncing to obscure real source IPs as is the case now.

      It really is a pointless bar to raise things to. The problem needs to be solved at its source.

    2. Re:Wrong approach by Anonymous Coward · · Score: 0

      Shodan lists a ton of IoT devices and far as I can tell people have indeed been busy attempting to secure most of the internet cameras after the whole thing with those last year. (don't care enough to find the /. article for it). Not saying it's legal but from a national security standpoint and morally I think it's the right thing to do for the rogue DVR's too. If I heard in the mainstream media that vigilantes are going around securing these devices I would be in full support of it even though it's ethically questionable. Let's face it the hacker community has done a lot worse with a lot less. This is actually a chance to do something good for nations of the world (my opinion).

    3. Re:Wrong approach by Anonymous Coward · · Score: 0

      > Two wrongs don't make a right.

      OK, yeah.

      > grasp the [...] morons [...] by the balls and squeeze [...]

      I mean... ouch! That's the third wrong? Making right now?

    4. Re:Wrong approach by AHuxley · · Score: 1

      Get AV brands, free and pay to scan every device on the local network by default. Test with all expected passwords and report on junk apps and hardware.
      Ban the IoT apps from cell phones and desktops so users are forced to upgrade, buy new or can't network with a power on.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Send new password to manufacturer? by CannonballHead · · Score: 1

    If they have access to the internet, couldn't manufacturers set up an API endpoint that accepts a serial number and a password... so that the password could be changed and the manufacturer could be sent the new one?

    The owner, when locked out, can call the manufacturer, they can look up the password, etc.

    Not totally sure how one might secure said API so it doesn't just get spammed as well, but... :P

    1. Re:Send new password to manufacturer? by AHuxley · · Score: 1

      If firmware upgrades are that networked, malware will seek the same pathway in and re update all found devices rather than just swarm networking output.

      --
      Domestic spying is now "Benign Information Gathering"
  10. FBI as good guys by Anonymous Coward · · Score: 0

    If you think the FBI are "good guys" who don't violate the law you haven't been paying attention since it was founded. Hoover (who was actually around when the FBI was just the BI) was only the head of the FBI for so long because he kept blackmail files on anyone of importance.

  11. Umm... by Anonymous Coward · · Score: 1

    "a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same."

    I think I see a flaw here....

  12. ISPs should blackball insecure devices by Anonymous Coward · · Score: 2, Interesting

    Much easier to have ISP's run an automated white-hat type scan against new devices the first time a home user attempts to connect one to the Internet. This device "registration" process would look for open telnet, insecure hard coded passwords, etc. Failing devices would be blackballed and confined behind the home router. The ISP could generate a report for the user suggesting corrective action, etc. to fix the offending device. Not perfect, but it would reduce the footprint of low-hanging IoT devices.

    1. Re:ISPs should blackball insecure devices by gweihir · · Score: 2

      You are talking about the same ISPs that are unable to implement egress filtering (a basic requirement for any halfway secure network installation), thereby allowing source-spoofing, right?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Naive approach by Anonymous Coward · · Score: 0

    Botnet infection software typically patches the vulnerability it exploits to infect any given device. This is due to botnet operators attempting to block their competitors from stealing away bots they have already pwned. This can actually work against the botnet operators since any device known to be exploitable that cannot be exploited has likely already been pwned and should be blacklisted. A truly sophisticated attacker would patch the vulnerability they exploited while masquerading as still being vulnerable. Unless you have a fresh 0-day exploit to get root on the devices you wish to patch you are likely wasting your time.

    1. Re:Naive approach by gweihir · · Score: 1

      And yet, if you had read up on Mirai, you would know that after a reboot these devices are open again, because it is memory-only. Talk about posting an irrelevant generic statement because of cluelessness.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Insecure by default by Anonymous Coward · · Score: 0

    Is criminal negligence for profit. Jail.

    1. Re: Insecure by default by Anonymous Coward · · Score: 0

      Exactly. Why would any self respecting hacker of any hat color want to get in the way of this absolute demonstrable proof that the internet of things is made up bullshit designed to push out shoddy third world (read: India and China) "engineered" devices quickly with no responsibility?

      You don't need hackers. You need jails for CEOs and Silicon Valley VCs.

  15. As always when institutions f**k up... by Anonymous Coward · · Score: 0

    ...they wait and hope for the good people to clean up their mess.

    I'd like to see one admission of responsibility from manufacturers, who made all this possible by designing the flimsiest security features possible on their devices (a common default password for all devices ? Seriously ?). They created the mess, and are now trying to stay out of the spotlight by nominating other people to clean it up, for free might I add.

    Manufacturers made a lot of profits by skimping on security costs (thanks to cheaper processes, hardware and technical support). In short, they made a lot of profits by endangering their customers' and other Internet users' privacy. And now, God forbid they do something with those profits to help with the situation they created.

    Will this be exactly the same as the 2008 bailout ? Will the people pay the price while the responsible parties once again walk away richer ? I hope not, but I've come to expect little from this society.

  16. I would prefer bricking the devices by gweihir · · Score: 1

    And I think we should make that something globally legal. Put in some safeguards, like a 48h observation period and a requirement to record logs and upload them with your identity to some legal entity that a device owner can then find out from what happened (but not who did it).

    But if that is all fulfilled, make it legal for anyone to secure the hazard presented by these devices. After all, you are allowed, say, to put out a fire by yourself too.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. Simplistic by Anonymous Coward · · Score: 0

    This is an over-simplified article from a misinformed journalist. You can't "protect" routers with malware because the "protective" malware will be wiped out when the router is restarted, along with the malicious malware. Only firmware patches can protect devices. #vice

  18. Doorlock advertisement by Anonymous Coward · · Score: 0

    Welcome to the IoT connected Doorlock! With this fantastic device, you will be able to unlock your door from anywhere in the world, including (wait for it) at the doorlock!
    This amazing, feature rich, inventor tested technology has been proven 1% secure against the most well intentioned script kiddies out there. By using a simple Telnet session and a 1995 version of the BBS software "Remote Access," these kiddies can gain remote access to your front door. Amazing! All this convenience for the rock bottom price of $200 per lock. Act now, because convenience always sells better than security.

  19. Teach them the hard way. by Anonymous Coward · · Score: 0

    There is no reason to keep a default password on something that connects to the internet, and excuses cause problems for others. I say brick the device or sabotage its internet connectivity.

  20. Re:How to remove the INJECTED ADS from Slashdot by JustAnotherOldGuy · · Score: 1

    What worked for me was:

    hxxps://slashdot.org/ajax.pl?op=nel

    --
    Just cruising through this digital world at 33 1/3 rpm...
  21. option - c, none of the above by Anonymous Coward · · Score: 0

    There are changes that can be made that make them useless as a botnet without impacting the hardware owner.

    How about random wait times in the communication that make DDOS a trickle not a roar?
    How about tell a security site when someone scans them with a bad password, or patches them, so the owner of Mirai can be tracked?
    How about a counter-botnet for tracking Mirai during floods, like receiving bad IP's and flooding them - make it eat itself.

    There are 100 things that could be done to the firmware besides "bricking" the device.

  22. Letters of Marque, eh? by Anonymous Coward · · Score: 0

    "Yes, you are accusing me of being a hacker, but really I'm the good guy trying to stop all those bad hackers! See my permission letter from the NSA! No, these credit card numbers on my system are just monitoring of some other *bad* operator who was stealing them."

    OK, next stupid idea. I much prefer the notion of requiring a backdoor brick code that authorized law enforcement may utilize on any device determined to be engaged in illegal activity. That is also a stupid idea, but it is better than this one from the ivory tower.

  23. i dont see what the problem is. by Anonymous Coward · · Score: 0

    So having lots of easily accessible hosts to use yourself, for example as a http redirect maze or an ever-changing lattice of encrypted tunnels or what else your imagination can output is.. bad?

    Y'all crazy if you can not see the value of a free, distributed and unreliable/unmaintainable infrastructure.

  24. Just have a Democrat do it! by Anonymous Coward · · Score: 0

    Just have a Democrat do it. Everybody knows THEY don't have to fear jail time!

    1. Re:Just have a Democrat do it! by jeremy.brown3327 · · Score: 1

      idiot

  25. Hooray! by Toad-san · · Score: 1

    I for one am VERY glad to see ANY sort of suggested solution to this huge problem. I've always had the motto, "Don't bitch unless you have a solution." I had no solution (other than "sue the careless hardware vendors until they fix it", and that's no solution at all), so I just kept quiet. But this is a good one. Liability be damned: white hats, go for it! Brick them sons of bitches!

    Alternatively, force a second "Internet Of Things" Internet, used ONLY by inhuman devices. If you want to talk to your goddamned front door lock, use THAT Internet. Stay the hell off mine: I need it for WoW!

  26. There certainly IS motivation... by Anonymous Coward · · Score: 0

    Anyone who wants to use the Internet for their own normal uses would be motivated to mount such an "attack"... if you fix the IoT, it means that the Internet will actually work; if you don't fix the IoT, the Internet is pretty much doomed.

    I'd say that's motivation not only for white hats to get involved, but also for politicians to revise the laws governing this sort of thing, and voters to support such changes.

  27. Alpha Marketplace by Anonymous Coward · · Score: 0

    From CyberScoop: https://www.cyberscoop.com/mirai-botnet-for-sale-ddos-dark-web/

    So why not just turn this thing on the Alpha Marketplace itself? Isn't the "dark web" just as vulnerable to attack?

  28. Wrong hat colors by Anonymous Coward · · Score: 0

    "white-hat vigilante" is an oxymoron. How about "the 16,000psi vacuum at the bottom of the ocean".